Lines 74-79
Link Here
|
74 |
int group_attrib_is_dn; /* If true, the group attribute is the DN, otherwise, |
74 |
int group_attrib_is_dn; /* If true, the group attribute is the DN, otherwise, |
75 |
it's the exact string passed by the HTTP client */ |
75 |
it's the exact string passed by the HTTP client */ |
76 |
|
76 |
|
|
|
77 |
int dynamic_groups; /* If true, dynamic group lookups are enabled. */ |
78 |
|
77 |
int secure; /* True if SSL connections are requested */ |
79 |
int secure; /* True if SSL connections are requested */ |
78 |
} authn_ldap_config_t; |
80 |
} authn_ldap_config_t; |
79 |
|
81 |
|
Lines 95-100
Link Here
|
95 |
static APR_OPTIONAL_FN_TYPE(uldap_connection_find) *util_ldap_connection_find; |
97 |
static APR_OPTIONAL_FN_TYPE(uldap_connection_find) *util_ldap_connection_find; |
96 |
static APR_OPTIONAL_FN_TYPE(uldap_cache_comparedn) *util_ldap_cache_comparedn; |
98 |
static APR_OPTIONAL_FN_TYPE(uldap_cache_comparedn) *util_ldap_cache_comparedn; |
97 |
static APR_OPTIONAL_FN_TYPE(uldap_cache_compare) *util_ldap_cache_compare; |
99 |
static APR_OPTIONAL_FN_TYPE(uldap_cache_compare) *util_ldap_cache_compare; |
|
|
100 |
static APR_OPTIONAL_FN_TYPE(uldap_cache_getattrvals) *util_ldap_cache_getattrvals; |
98 |
static APR_OPTIONAL_FN_TYPE(uldap_cache_checkuserid) *util_ldap_cache_checkuserid; |
101 |
static APR_OPTIONAL_FN_TYPE(uldap_cache_checkuserid) *util_ldap_cache_checkuserid; |
99 |
static APR_OPTIONAL_FN_TYPE(uldap_cache_getuserdn) *util_ldap_cache_getuserdn; |
102 |
static APR_OPTIONAL_FN_TYPE(uldap_cache_getuserdn) *util_ldap_cache_getuserdn; |
100 |
static APR_OPTIONAL_FN_TYPE(uldap_ssl_supported) *util_ldap_ssl_supported; |
103 |
static APR_OPTIONAL_FN_TYPE(uldap_ssl_supported) *util_ldap_ssl_supported; |
Lines 102-107
Link Here
|
102 |
static apr_hash_t *charset_conversions = NULL; |
105 |
static apr_hash_t *charset_conversions = NULL; |
103 |
static char *to_charset = NULL; /* UTF-8 identifier derived from the charset.conv file */ |
106 |
static char *to_charset = NULL; /* UTF-8 identifier derived from the charset.conv file */ |
104 |
|
107 |
|
|
|
108 |
/* Evaluates to a string description of a scope integer. */ |
109 |
#define SCOPE_TO_STR(scope_) \ |
110 |
(scope_ == LDAP_SCOPE_SUBTREE? "subtree" : \ |
111 |
scope_ == LDAP_SCOPE_BASE? "base" : \ |
112 |
scope_ == LDAP_SCOPE_ONELEVEL? "onelevel" : "unknown") |
105 |
|
113 |
|
106 |
/* Derive a code page ID give a language name or ID */ |
114 |
/* Derive a code page ID give a language name or ID */ |
107 |
static char* derive_codepage_from_lang (apr_pool_t *p, char *language) |
115 |
static char* derive_codepage_from_lang (apr_pool_t *p, char *language) |
Lines 477-482
Link Here
|
477 |
return AUTH_GRANTED; |
485 |
return AUTH_GRANTED; |
478 |
} |
486 |
} |
479 |
|
487 |
|
|
|
488 |
/* Check whether user is a member of dynamic group groupDN. Returns |
489 |
* LDAP_COMPARE_TRUE on success or LDAP_COMPARE_FALSE otherwise. */ |
490 |
static int check_dynamic_groups(request_rec *r, util_ldap_connection_t *ldc, |
491 |
authn_ldap_config_t *sec, authn_ldap_request_t *req, |
492 |
const char *attrib, const char *groupDN) |
493 |
{ |
494 |
apr_ldap_url_desc_t *gurl; |
495 |
apr_ldap_err_t *err; |
496 |
const char **vals; |
497 |
int result, n; |
498 |
|
499 |
/* Retrieve the set of memberURL attribute values from the group |
500 |
* DN which specify the search URLs which define the group. */ |
501 |
result = util_ldap_cache_getattrvals(r, ldc, sec->url, groupDN, attrib, &vals); |
502 |
if (result != LDAP_SUCCESS) { |
503 |
return LDAP_COMPARE_FALSE; |
504 |
} |
505 |
|
506 |
/* Iterate through the returned search URLs attempting to match |
507 |
* the user's DN against the results of each search. */ |
508 |
for (n = 0, result = LDAP_COMPARE_FALSE; |
509 |
vals[n] && result != LDAP_COMPARE_TRUE; |
510 |
n++) { |
511 |
char filter[FILTER_LENGTH]; |
512 |
const char *dn; |
513 |
|
514 |
/* Parse the URL. */ |
515 |
result = apr_ldap_url_parse(r->pool, vals[n], &gurl, &err); |
516 |
if (result) { |
517 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, |
518 |
"auth_ldap authorise: could not parse URL %s for dynamic group", |
519 |
vals[n]); |
520 |
result = LDAP_COMPARE_FALSE; |
521 |
ldc->reason = "could not parse URL"; |
522 |
continue; |
523 |
} |
524 |
|
525 |
/* The host and attribute fields will be ignored so warn if |
526 |
* they are specified. */ |
527 |
if (gurl->lud_host || gurl->lud_attrs) { |
528 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, |
529 |
"auth_ldap authorise: attrib/host are ignored in dynamic group URL %s", |
530 |
vals[n]); |
531 |
} |
532 |
|
533 |
/* Build the search filter; a boolean AND of the group's |
534 |
* search filter and a search filter for the user. */ |
535 |
authn_ldap_build_filter(filter, r, req->user, gurl->lud_filter, sec); |
536 |
|
537 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
538 |
"auth_ldap authorise: checking dynamic group ldap:///%s?%s?%s", |
539 |
gurl->lud_dn, SCOPE_TO_STR(gurl->lud_scope), filter); |
540 |
|
541 |
/* Search for the user DN. */ |
542 |
result = util_ldap_cache_getuserdn(r, ldc, sec->url, |
543 |
gurl->lud_dn, gurl->lud_scope, NULL, |
544 |
filter, &dn, &vals); |
545 |
if (result == LDAP_SUCCESS) { |
546 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
547 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: checking " |
548 |
"DN %s match for dynamic group", |
549 |
getpid(), dn); |
550 |
result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, dn, |
551 |
sec->compare_dn_on_server); |
552 |
} |
553 |
|
554 |
if (result != LDAP_COMPARE_TRUE) { |
555 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
556 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: failed to find user DN " |
557 |
"in dynamic group %s", |
558 |
getpid(), vals[n]); |
559 |
result = LDAP_COMPARE_FALSE; |
560 |
} |
561 |
} |
562 |
|
563 |
return result; |
564 |
} |
565 |
|
480 |
/* |
566 |
/* |
481 |
* Authorisation Phase |
567 |
* Authorisation Phase |
482 |
* ------------------- |
568 |
* ------------------- |
Lines 755-760
Link Here
|
755 |
} |
841 |
} |
756 |
} |
842 |
} |
757 |
} |
843 |
} |
|
|
844 |
|
845 |
if (sec->dynamic_groups) { |
846 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
847 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: require group: " |
848 |
"testing for dynamic group membership in \"%s\"", |
849 |
getpid(), t); |
850 |
result = check_dynamic_groups(r, ldc, sec, req, "memberURL", t); |
851 |
|
852 |
switch (result) { |
853 |
case LDAP_COMPARE_TRUE: |
854 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
855 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: require dynamic group: " |
856 |
"authorisation successful [%s][%s]", |
857 |
getpid(), ldc->reason, ldap_err2string(result)); |
858 |
return OK; |
859 |
default: |
860 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
861 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: require dynamic group \"%s\": " |
862 |
"authorisation failed [%s][%s]", |
863 |
getpid(), t, ldc->reason, ldap_err2string(result)); |
864 |
break; |
865 |
} |
866 |
} |
758 |
} |
867 |
} |
759 |
else if (strcmp(w, "ldap-attribute") == 0) { |
868 |
else if (strcmp(w, "ldap-attribute") == 0) { |
760 |
if (req->dn == NULL || strlen(req->dn) == 0) { |
869 |
if (req->dn == NULL || strlen(req->dn) == 0) { |
Lines 977-985
Link Here
|
977 |
urld->lud_port, |
1086 |
urld->lud_port, |
978 |
urld->lud_dn, |
1087 |
urld->lud_dn, |
979 |
urld->lud_attrs? urld->lud_attrs[0] : "(null)", |
1088 |
urld->lud_attrs? urld->lud_attrs[0] : "(null)", |
980 |
(urld->lud_scope == LDAP_SCOPE_SUBTREE? "subtree" : |
1089 |
SCOPE_TO_STR(urld->lud_scope), |
981 |
urld->lud_scope == LDAP_SCOPE_BASE? "base" : |
|
|
982 |
urld->lud_scope == LDAP_SCOPE_ONELEVEL? "onelevel" : "unknown"), |
983 |
urld->lud_filter, |
1090 |
urld->lud_filter, |
984 |
sec->secure == APR_LDAP_SSL ? "using SSL": "not using SSL" |
1091 |
sec->secure == APR_LDAP_SSL ? "using SSL": "not using SSL" |
985 |
); |
1092 |
); |
Lines 1100-1105
Link Here
|
1100 |
"subsequent group comparisons. If set to 'off', auth_ldap uses the string" |
1207 |
"subsequent group comparisons. If set to 'off', auth_ldap uses the string" |
1101 |
"provided by the client directly. Defaults to 'on'."), |
1208 |
"provided by the client directly. Defaults to 'on'."), |
1102 |
|
1209 |
|
|
|
1210 |
AP_INIT_FLAG("AuthLDAPDynamicGroupLookup", ap_set_flag_slot, |
1211 |
(void *)APR_OFFSETOF(authn_ldap_config_t, dynamic_groups), OR_AUTHCFG, |
1212 |
"If set to 'on', auth_ldap will look for dynamic group URI in a group DN " |
1213 |
"and attempt to see if a user is part of a group defined by that URI " |
1214 |
"Defaults to 'off'."), |
1215 |
|
1103 |
AP_INIT_TAKE1("AuthLDAPDereferenceAliases", mod_auth_ldap_set_deref, NULL, OR_AUTHCFG, |
1216 |
AP_INIT_TAKE1("AuthLDAPDereferenceAliases", mod_auth_ldap_set_deref, NULL, OR_AUTHCFG, |
1104 |
"Determines how aliases are handled during a search. Can bo one of the" |
1217 |
"Determines how aliases are handled during a search. Can bo one of the" |
1105 |
"values \"never\", \"searching\", \"finding\", or \"always\". " |
1218 |
"values \"never\", \"searching\", \"finding\", or \"always\". " |
Lines 1212-1217
Link Here
|
1212 |
util_ldap_connection_find = APR_RETRIEVE_OPTIONAL_FN(uldap_connection_find); |
1325 |
util_ldap_connection_find = APR_RETRIEVE_OPTIONAL_FN(uldap_connection_find); |
1213 |
util_ldap_cache_comparedn = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_comparedn); |
1326 |
util_ldap_cache_comparedn = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_comparedn); |
1214 |
util_ldap_cache_compare = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_compare); |
1327 |
util_ldap_cache_compare = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_compare); |
|
|
1328 |
util_ldap_cache_getattrvals = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_getattrvals); |
1215 |
util_ldap_cache_checkuserid = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_checkuserid); |
1329 |
util_ldap_cache_checkuserid = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_checkuserid); |
1216 |
util_ldap_cache_getuserdn = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_getuserdn); |
1330 |
util_ldap_cache_getuserdn = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_getuserdn); |
1217 |
util_ldap_ssl_supported = APR_RETRIEVE_OPTIONAL_FN(uldap_ssl_supported); |
1331 |
util_ldap_ssl_supported = APR_RETRIEVE_OPTIONAL_FN(uldap_ssl_supported); |