|
Lines 47-52
Link Here
|
| 47 |
apr_thread_mutex_t *lock; /* Lock for this config */ |
47 |
apr_thread_mutex_t *lock; /* Lock for this config */ |
| 48 |
#endif |
48 |
#endif |
| 49 |
int auth_authoritative; /* Is this auth method the one and only? */ |
49 |
int auth_authoritative; /* Is this auth method the one and only? */ |
|
|
50 |
int http_unauthorized; /* Error code to return in case of denied access */ |
| 50 |
/* int authz_enabled; Is ldap authorization enabled in this directory? */ |
51 |
/* int authz_enabled; Is ldap authorization enabled in this directory? */ |
| 51 |
|
52 |
|
| 52 |
|
53 |
|
|
Lines 297-302
Link Here
|
| 297 |
sec->deref = always; |
298 |
sec->deref = always; |
| 298 |
sec->group_attrib_is_dn = 1; |
299 |
sec->group_attrib_is_dn = 1; |
| 299 |
sec->auth_authoritative = 1; |
300 |
sec->auth_authoritative = 1; |
|
|
301 |
sec->http_unauthorized = HTTP_UNAUTHORIZED; |
| 300 |
|
302 |
|
| 301 |
/* |
303 |
/* |
| 302 |
sec->frontpage_hack = 0; |
304 |
sec->frontpage_hack = 0; |
|
Lines 548-554
Link Here
|
| 548 |
else { |
550 |
else { |
| 549 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, |
551 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, |
| 550 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: no sec->host - weird...?", getpid()); |
552 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: no sec->host - weird...?", getpid()); |
| 551 |
return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; |
553 |
return sec->auth_authoritative? sec->http_unauthorized : DECLINED; |
| 552 |
} |
554 |
} |
| 553 |
|
555 |
|
| 554 |
/* |
556 |
/* |
|
Lines 572-578
Link Here
|
| 572 |
if (!reqs_arr) { |
574 |
if (!reqs_arr) { |
| 573 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
575 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
| 574 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: no requirements array", getpid()); |
576 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: no requirements array", getpid()); |
| 575 |
return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; |
577 |
return sec->auth_authoritative? sec->http_unauthorized : DECLINED; |
| 576 |
} |
578 |
} |
| 577 |
|
579 |
|
| 578 |
/* |
580 |
/* |
|
Lines 603-609
Link Here
|
| 603 |
if(result != LDAP_SUCCESS) { |
605 |
if(result != LDAP_SUCCESS) { |
| 604 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
606 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
| 605 |
"auth_ldap authorise: User DN not found, %s", ldc->reason); |
607 |
"auth_ldap authorise: User DN not found, %s", ldc->reason); |
| 606 |
return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; |
608 |
return sec->auth_authoritative? sec->http_unauthorized : DECLINED; |
| 607 |
} |
609 |
} |
| 608 |
|
610 |
|
| 609 |
authnz_ldap_set_environment(r, sec, vals); |
611 |
authnz_ldap_set_environment(r, sec, vals); |
|
Lines 632-638
Link Here
|
| 632 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: " |
634 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: " |
| 633 |
"require user: user's DN has not been defined; failing authorisation", |
635 |
"require user: user's DN has not been defined; failing authorisation", |
| 634 |
getpid()); |
636 |
getpid()); |
| 635 |
return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; |
637 |
return sec->auth_authoritative? sec->http_unauthorized : DECLINED; |
| 636 |
} |
638 |
} |
| 637 |
/* |
639 |
/* |
| 638 |
* First do a whole-line compare, in case it's something like |
640 |
* First do a whole-line compare, in case it's something like |
|
Lines 682-688
Link Here
|
| 682 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: " |
684 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: " |
| 683 |
"require dn: user's DN has not been defined; failing authorisation", |
685 |
"require dn: user's DN has not been defined; failing authorisation", |
| 684 |
getpid()); |
686 |
getpid()); |
| 685 |
return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; |
687 |
return sec->auth_authoritative? sec->http_unauthorized : DECLINED; |
| 686 |
} |
688 |
} |
| 687 |
|
689 |
|
| 688 |
result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, t, sec->compare_dn_on_server); |
690 |
result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, t, sec->compare_dn_on_server); |
|
Lines 712-718
Link Here
|
| 712 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: require group: " |
714 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: require group: " |
| 713 |
"user's DN has not been defined; failing authorisation", |
715 |
"user's DN has not been defined; failing authorisation", |
| 714 |
getpid()); |
716 |
getpid()); |
| 715 |
return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; |
717 |
return sec->auth_authoritative? sec->http_unauthorized : DECLINED; |
| 716 |
} |
718 |
} |
| 717 |
} |
719 |
} |
| 718 |
else { |
720 |
else { |
|
Lines 760-766
Link Here
|
| 760 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: " |
762 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: " |
| 761 |
"require ldap-attribute: user's DN has not been defined; failing authorisation", |
763 |
"require ldap-attribute: user's DN has not been defined; failing authorisation", |
| 762 |
getpid()); |
764 |
getpid()); |
| 763 |
return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; |
765 |
return sec->auth_authoritative? sec->http_unauthorized : DECLINED; |
| 764 |
} |
766 |
} |
| 765 |
while (t[0]) { |
767 |
while (t[0]) { |
| 766 |
w = ap_getword(r->pool, &t, '='); |
768 |
w = ap_getword(r->pool, &t, '='); |
|
Lines 796-802
Link Here
|
| 796 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: " |
798 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: " |
| 797 |
"require ldap-filter: user's DN has not been defined; failing authorisation", |
799 |
"require ldap-filter: user's DN has not been defined; failing authorisation", |
| 798 |
getpid()); |
800 |
getpid()); |
| 799 |
return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; |
801 |
return sec->auth_authoritative? sec->http_unauthorized : DECLINED; |
| 800 |
} |
802 |
} |
| 801 |
if (t[0]) { |
803 |
if (t[0]) { |
| 802 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
804 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
|
Lines 864-870
Link Here
|
| 864 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: authorisation denied", getpid()); |
866 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: authorisation denied", getpid()); |
| 865 |
ap_note_basic_auth_failure (r); |
867 |
ap_note_basic_auth_failure (r); |
| 866 |
|
868 |
|
| 867 |
return HTTP_UNAUTHORIZED; |
869 |
return sec->http_unauthorized; |
| 868 |
} |
870 |
} |
| 869 |
|
871 |
|
| 870 |
|
872 |
|
|
Lines 1090-1095
Link Here
|
| 1090 |
"Set to 'off' to allow access control to be passed along to lower modules if " |
1092 |
"Set to 'off' to allow access control to be passed along to lower modules if " |
| 1091 |
"the UserID and/or group is not known to this module"), |
1093 |
"the UserID and/or group is not known to this module"), |
| 1092 |
|
1094 |
|
|
|
1095 |
AP_INIT_TAKE1("AuthzLDAPUnauthorized", ap_set_int_slot, |
| 1096 |
(void *)APR_OFFSETOF(authn_ldap_config_t, http_unauthorized), |
| 1097 |
OR_AUTHCFG, |
| 1098 |
"Override 401 code if user is not found in LDAP"), |
| 1099 |
|
| 1093 |
AP_INIT_FLAG("AuthLDAPCompareDNOnServer", ap_set_flag_slot, |
1100 |
AP_INIT_FLAG("AuthLDAPCompareDNOnServer", ap_set_flag_slot, |
| 1094 |
(void *)APR_OFFSETOF(authn_ldap_config_t, compare_dn_on_server), OR_AUTHCFG, |
1101 |
(void *)APR_OFFSETOF(authn_ldap_config_t, compare_dn_on_server), OR_AUTHCFG, |
| 1095 |
"Set to 'on' to force auth_ldap to do DN compares (for the \"require dn\" " |
1102 |
"Set to 'on' to force auth_ldap to do DN compares (for the \"require dn\" " |