
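--- a/mod_auth_ldap.c.orig
+++ b/mod_auth_ldap.c.orig
@@ -20,6 +20,15 @@
  * Original code from auth_ldap module for Apache v1.3:
  * Copyright 1998, 1999 Enbridge Pipelines Inc. 
  * Copyright 1999-2001 Dave Carrigan
+ *
+ * Patched: Sun Nov  4 08:44:55 EET 2007
+ * Added 2x more configuration directives:
+ *
+ * # controls whether to use the user supplied auth data when doing the initial bind
+ * AuthLDAPBindUserSuppliedAuth On 
+ * # an optional domain used to suffix the supplied user-id 
+ * AuthLDAPBindSuffixDN xxx.com
+ *
  */
 
 #include <apr_ldap.h>
@@ -67,8 +76,11 @@
     int scope;				/* Scope of the search */
     char *filter;			/* Filter to further limit the search  */
     deref_options deref;		/* how to handle alias dereferening */
+
     char *binddn;			/* DN to bind to server (can be NULL) */
     char *bindpw;			/* Password to bind to server (can be NULL) */
+    int binduseinputauth;		/* Whether to use the user supplied input for performing the first bind */
+    char *bindsuffixdomain;		/* The domain used to append the user, when doing the initial bind */
 
     int frontpage_hack;			/* Hack for frontpage support */
     int user_is_dn;			/* If true, connection->user is DN instead of userid */
@@ -322,11 +334,39 @@
 
 start_over:
 
+    // check whether to use the user supplied auth data for the initial bind 
+    // get the password first, and re-use the status further below 
+    result = ap_get_basic_auth_pw(r, &sent_pw);
+
     /* There is a good AuthLDAPURL, right? */
     if (sec->host) {
-        ldc = util_ldap_connection_find(r, sec->host, sec->port,
+	// 
+	if ( sec->binduseinputauth ) {
+	        ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, 
+			      "[%d] auth_ldap authorise: "
+			      "fallback to user supplied tokens for initial bind.",
+			      getpid());
+		// if we have a domain suffix, prepare it here 
+		char *tmpuid = r->user;
+		if ( sec->bindsuffixdomain != NULL ) {
+			ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, 
+					"[%d] auth_ldap authorise: "
+					"Suffix the user id with the default domain: %s.",
+					getpid(), sec->bindsuffixdomain);
+			char *suffix = apr_palloc(r->pool, strlen(r->user) + strlen(sec->bindsuffixdomain) + 2);
+			strcpy(suffix, r->user);
+			strcat(suffix, "@");
+			strcat(suffix, sec->bindsuffixdomain);
+			tmpuid = suffix;
+		}
+	        ldc = util_ldap_connection_find(r, sec->host, sec->port,
+                                       tmpuid, sent_pw, sec->deref,
+                                       sec->secure);
+	} else {
+	        ldc = util_ldap_connection_find(r, sec->host, sec->port,
                                        sec->binddn, sec->bindpw, sec->deref,
                                        sec->secure);
+	}
     }
     else {
         ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r, 
@@ -338,7 +378,7 @@
 		  "[%d] auth_ldap authenticate: using URL %s", getpid(), sec->url);
 
     /* Get the password that the client sent */
-    if ((result = ap_get_basic_auth_pw(r, &sent_pw))) {
+    if (result) {
         ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
 		      "[%d] auth_ldap authenticate: "
 		      "ap_get_basic_auth_pw() returns %d", getpid(), result);
@@ -460,6 +500,14 @@
         return DECLINED;
     }
 
+    // check whether to use the user supplied auth data for the initial bind 
+    // get the password first, and re-use the status further below 
+    const char *sent_pw;
+    int result2 = 0;
+    
+    result2 = ap_get_basic_auth_pw(r, &sent_pw);
+
+
     /*
      * It is possible that we've skipped mod_auth_ldap's
      * check_user_id hook, but still get here. In that
@@ -481,9 +529,32 @@
     }
 
     if (sec->host) {
-        ldc = util_ldap_connection_find(r, sec->host, sec->port,
+	if ( result2 && sec->binduseinputauth ) {
+	        ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, 
+			      "[%d] auth_ldap authorise: "
+			      "fallback to user supplied tokens for initial bind.",
+			      getpid());
+		// if we have a domain suffix, prepare it here 
+		char *tmpuid = r->user;
+		if ( sec->bindsuffixdomain != NULL ) {
+			ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, 
+					"[%d] auth_ldap authorise: "
+					"Suffix the user id with the default domain: %s.",
+					getpid(), sec->bindsuffixdomain);
+			char *suffix = apr_palloc(r->pool, strlen(r->user) + strlen(sec->bindsuffixdomain) + 2);
+			strcpy(suffix, r->user);
+			strcat(suffix, "@");
+			strcat(suffix, sec->bindsuffixdomain);
+			tmpuid = suffix;
+		}
+        	ldc = util_ldap_connection_find(r, sec->host, sec->port,
+                                       tmpuid, sent_pw, sec->deref,
+                                       sec->secure);
+	} else {
+        	ldc = util_ldap_connection_find(r, sec->host, sec->port,
                                        sec->binddn, sec->bindpw, sec->deref,
                                        sec->secure);
+	}
         apr_pool_cleanup_register(r->pool, ldc,
                                   mod_auth_ldap_cleanup_connection_close,
                                   apr_pool_cleanup_null);
@@ -757,6 +828,8 @@
     sec->host = NULL;
     sec->binddn = NULL;
     sec->bindpw = NULL;
+    sec->binduseinputauth = 0;
+    sec->bindsuffixdomain = NULL;
     sec->deref = always;
     sec->group_attrib_is_dn = 1;
 
@@ -968,6 +1041,14 @@
                   (void *)APR_OFFSETOF(mod_auth_ldap_config_t, bindpw), OR_AUTHCFG,
                   "Password to use to bind to LDAP server. If not provided, will do an anonymous bind."),
 
+    AP_INIT_FLAG("AuthLDAPBindUserSuppliedAuth", ap_set_flag_slot,
+                 (void *)APR_OFFSETOF(mod_auth_ldap_config_t, binduseinputauth), OR_AUTHCFG,
+                 "Set to 'on' to use the user supplied data when performing the inital bind."),
+
+    AP_INIT_TAKE1("AuthLDAPBindSuffixDN", ap_set_string_slot,
+                  (void *)APR_OFFSETOF(mod_auth_ldap_config_t, bindsuffixdomain), OR_AUTHCFG,
+                  "The domain used to suffix the supplied user id when doing the initial bind."),
+
     AP_INIT_FLAG("AuthLDAPRemoteUserIsDN", ap_set_flag_slot,
                  (void *)APR_OFFSETOF(mod_auth_ldap_config_t, user_is_dn), OR_AUTHCFG,
                  "Set to 'on' to set the REMOTE_USER environment variable to be the full "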
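Review bot: The condition `if ( result2 && sec->binduseinputauth )` at new line 532 is inverted: ap_get_basic_auth_pw() returns OK (0) when it obtained credentials, so the user-supplied bind is attempted exactly when no password was retrieved, and `sent_pw`, which the call does not appear to set on failure, is then handed to util_ldap_connection_find as the bind password. The authenticate path at new line 344 has the mirror problem: `result` is never consulted before `r->user`/`sent_pw` are used for the bind, and a failed retrieval is only logged afterwards at new line 381. Both sites should gate on success, `if (result == OK && sec->binduseinputauth) {` and `if (result2 == OK && sec->binduseinputauth) {`, so a request without usable Basic credentials never drives a bind with unset values. As a style point, the apr_palloc/strcpy/strcat sequence at new lines 356-359 and 544-547 is what `apr_pstrcat(r->pool, r->user, "@", sec->bindsuffixdomain, NULL)` exists for. The enclosing functions start and end outside the hunks.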
