Lines 47-52
47 |
apr_thread_mutex_t *lock; /* Lock for this config */ |
47 |
apr_thread_mutex_t *lock; /* Lock for this config */ |
48 |
#endif |
48 |
#endif |
49 |
int auth_authoritative; /* Is this auth method the one and only? */ |
49 |
int auth_authoritative; /* Is this auth method the one and only? */ |
|
|
50 |
int http_unauthorized; /* Error code to return in case of denied access */ |
50 |
/* int authz_enabled; Is ldap authorization enabled in this directory? */ |
51 |
/* int authz_enabled; Is ldap authorization enabled in this directory? */ |
51 |
|
52 |
|
52 |
|
53 |
|
Lines 297-302
297 |
sec->deref = always; |
298 |
sec->deref = always; |
298 |
sec->group_attrib_is_dn = 1; |
299 |
sec->group_attrib_is_dn = 1; |
299 |
sec->auth_authoritative = 1; |
300 |
sec->auth_authoritative = 1; |
|
|
301 |
sec->http_unauthorized = HTTP_UNAUTHORIZED; |
300 |
|
302 |
|
301 |
/* |
303 |
/* |
302 |
sec->frontpage_hack = 0; |
304 |
sec->frontpage_hack = 0; |
Lines 548-554
548 |
else { |
550 |
else { |
549 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, |
551 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, |
550 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: no sec->host - weird...?", getpid()); |
552 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: no sec->host - weird...?", getpid()); |
551 |
return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; |
553 |
return sec->auth_authoritative? sec->http_unauthorized : DECLINED; |
552 |
} |
554 |
} |
553 |
|
555 |
|
554 |
/* |
556 |
/* |
Lines 572-578
572 |
if (!reqs_arr) { |
574 |
if (!reqs_arr) { |
573 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
575 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
574 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: no requirements array", getpid()); |
576 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: no requirements array", getpid()); |
575 |
return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; |
577 |
return sec->auth_authoritative? sec->http_unauthorized : DECLINED; |
576 |
} |
578 |
} |
577 |
|
579 |
|
578 |
/* |
580 |
/* |
Lines 603-609
603 |
if(result != LDAP_SUCCESS) { |
605 |
if(result != LDAP_SUCCESS) { |
604 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
606 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
605 |
"auth_ldap authorise: User DN not found, %s", ldc->reason); |
607 |
"auth_ldap authorise: User DN not found, %s", ldc->reason); |
606 |
return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; |
608 |
return sec->auth_authoritative? sec->http_unauthorized : DECLINED; |
607 |
} |
609 |
} |
608 |
|
610 |
|
609 |
authnz_ldap_set_environment(r, sec, vals); |
611 |
authnz_ldap_set_environment(r, sec, vals); |
Lines 632-638
632 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: " |
634 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: " |
633 |
"require user: user's DN has not been defined; failing authorisation", |
635 |
"require user: user's DN has not been defined; failing authorisation", |
634 |
getpid()); |
636 |
getpid()); |
635 |
return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; |
637 |
return sec->auth_authoritative? sec->http_unauthorized : DECLINED; |
636 |
} |
638 |
} |
637 |
/* |
639 |
/* |
638 |
* First do a whole-line compare, in case it's something like |
640 |
* First do a whole-line compare, in case it's something like |
Lines 682-688
682 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: " |
684 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: " |
683 |
"require dn: user's DN has not been defined; failing authorisation", |
685 |
"require dn: user's DN has not been defined; failing authorisation", |
684 |
getpid()); |
686 |
getpid()); |
685 |
return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; |
687 |
return sec->auth_authoritative? sec->http_unauthorized : DECLINED; |
686 |
} |
688 |
} |
687 |
|
689 |
|
688 |
result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, t, sec->compare_dn_on_server); |
690 |
result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, t, sec->compare_dn_on_server); |
Lines 712-718
712 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: require group: " |
714 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: require group: " |
713 |
"user's DN has not been defined; failing authorisation", |
715 |
"user's DN has not been defined; failing authorisation", |
714 |
getpid()); |
716 |
getpid()); |
715 |
return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; |
717 |
return sec->auth_authoritative? sec->http_unauthorized : DECLINED; |
716 |
} |
718 |
} |
717 |
} |
719 |
} |
718 |
else { |
720 |
else { |
Lines 760-766
760 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: " |
762 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: " |
761 |
"require ldap-attribute: user's DN has not been defined; failing authorisation", |
763 |
"require ldap-attribute: user's DN has not been defined; failing authorisation", |
762 |
getpid()); |
764 |
getpid()); |
763 |
return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; |
765 |
return sec->auth_authoritative? sec->http_unauthorized : DECLINED; |
764 |
} |
766 |
} |
765 |
while (t[0]) { |
767 |
while (t[0]) { |
766 |
w = ap_getword(r->pool, &t, '='); |
768 |
w = ap_getword(r->pool, &t, '='); |
Lines 796-802
796 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: " |
798 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: " |
797 |
"require ldap-filter: user's DN has not been defined; failing authorisation", |
799 |
"require ldap-filter: user's DN has not been defined; failing authorisation", |
798 |
getpid()); |
800 |
getpid()); |
799 |
return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; |
801 |
return sec->auth_authoritative? sec->http_unauthorized : DECLINED; |
800 |
} |
802 |
} |
801 |
if (t[0]) { |
803 |
if (t[0]) { |
802 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
804 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
Lines 864-870
864 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: authorisation denied", getpid()); |
866 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: authorisation denied", getpid()); |
865 |
ap_note_basic_auth_failure (r); |
867 |
ap_note_basic_auth_failure (r); |
866 |
|
868 |
|
867 |
return HTTP_UNAUTHORIZED; |
869 |
return sec->http_unauthorized; |
868 |
} |
870 |
} |
869 |
|
871 |
|
870 |
|
872 |
|
Lines 1090-1095
1090 |
"Set to 'off' to allow access control to be passed along to lower modules if " |
1092 |
"Set to 'off' to allow access control to be passed along to lower modules if " |
1091 |
"the UserID and/or group is not known to this module"), |
1093 |
"the UserID and/or group is not known to this module"), |
1092 |
|
1094 |
|
|
|
1095 |
AP_INIT_TAKE1("AuthzLDAPUnauthorized", ap_set_int_slot, |
1096 |
(void *)APR_OFFSETOF(authn_ldap_config_t, http_unauthorized), |
1097 |
OR_AUTHCFG, |
1098 |
"Override 401 code if user is not found in LDAP"), |
1099 |
|
1093 |
AP_INIT_FLAG("AuthLDAPCompareDNOnServer", ap_set_flag_slot, |
1100 |
AP_INIT_FLAG("AuthLDAPCompareDNOnServer", ap_set_flag_slot, |
1094 |
(void *)APR_OFFSETOF(authn_ldap_config_t, compare_dn_on_server), OR_AUTHCFG, |
1101 |
(void *)APR_OFFSETOF(authn_ldap_config_t, compare_dn_on_server), OR_AUTHCFG, |
1095 |
"Set to 'on' to force auth_ldap to do DN compares (for the \"require dn\" " |
1102 |
"Set to 'on' to force auth_ldap to do DN compares (for the \"require dn\" " |
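Review bot: The new AuthzLDAPUnauthorized directive stores whatever integer ap_set_int_slot parses, so `AuthzLDAPUnauthorized 0` (OK) or `AuthzLDAPUnauthorized -1` (DECLINED) would turn every `return sec->http_unauthorized` in the authorise paths — including the final "authorisation denied" return after ap_note_basic_auth_failure — into a grant or a pass-through instead of a refusal; the directive fails open on a typo. A dedicated setter that accepts only an HTTP error status (400–599, the range httpd's ap_is_HTTP_ERROR macro checks) and is defined above the command table closes that; see the excerpt below. The description string `"Override 401 code if user is not found in LDAP"` also understates where the value is used, since it is returned on every authoritative denial, so something like `"HTTP error status (400-599) returned instead of 401 when LDAP authorisation fails"` is more accurate. Whether a per-directory merge function exists and copies the new field is outside these hunks and worth checking, otherwise a value set in a parent section may not reach child sections.
```c
/* Setter for AuthzLDAPUnauthorized: only an HTTP error status is allowed,
 * because 0 (OK) or -1 (DECLINED) here would grant access on every denial. */
static const char *set_unauthorized_code(cmd_parms *cmd, void *config,
                                         const char *arg)
{
    authn_ldap_config_t *sec = config;
    char *end;
    long code = strtol(arg, &end, 10);

    if (*arg == '\0' || *end != '\0' || code < 400 || code > 599) {
        return "AuthzLDAPUnauthorized must be an HTTP error status code (400-599)";
    }
    sec->http_unauthorized = (int)code;
    return NULL;
}

/* … unchanged: earlier command table entries … */
    AP_INIT_TAKE1("AuthzLDAPUnauthorized", set_unauthorized_code, NULL, OR_AUTHCFG,
                  "HTTP error status (400-599) returned instead of 401 when LDAP authorisation fails"),
```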