Lines 75-80
|
75 |
it's the exact string passed by the HTTP client */ |
75 |
it's the exact string passed by the HTTP client */ |
76 |
|
76 |
|
77 |
int secure; /* True if SSL connections are requested */ |
77 |
int secure; /* True if SSL connections are requested */ |
|
|
78 |
int accept_ssl_auth /* True if existence of a matching LDAP entry is sufficient authentication */ |
78 |
} authn_ldap_config_t; |
79 |
} authn_ldap_config_t; |
79 |
|
80 |
|
80 |
typedef struct { |
81 |
typedef struct { |
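Review bot: The added field on new line 78 has no terminating semicolon — `int accept_ssl_auth /* ... */` is followed directly by `} authn_ldap_config_t;` on the next line, so the struct will not compile. It should read `int accept_ssl_auth; /* True if existence of a matching LDAP entry is sufficient authentication */`, matching the `int secure;` declaration above it. The typedef struct this field belongs to begins outside the hunk.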
Lines 307-312
|
307 |
sec->user_is_dn = 0; |
308 |
sec->user_is_dn = 0; |
308 |
sec->remote_user_attribute = NULL; |
309 |
sec->remote_user_attribute = NULL; |
309 |
sec->compare_dn_on_server = 0; |
310 |
sec->compare_dn_on_server = 0; |
|
|
311 |
sec->accept_ssl_auth = 0; |
310 |
|
312 |
|
311 |
return sec; |
313 |
return sec; |
312 |
} |
314 |
} |
Lines 378-384
|
378 |
"[%" APR_PID_T_FMT "] auth_ldap authenticate: using URL %s", getpid(), sec->url); |
380 |
"[%" APR_PID_T_FMT "] auth_ldap authenticate: using URL %s", getpid(), sec->url); |
379 |
|
381 |
|
380 |
/* Get the password that the client sent */ |
382 |
/* Get the password that the client sent */ |
381 |
if (password == NULL) { |
383 |
if (!sec->accept_ssl_auth && password == NULL) { |
382 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
384 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
383 |
"[%" APR_PID_T_FMT "] auth_ldap authenticate: no password specified", getpid()); |
385 |
"[%" APR_PID_T_FMT "] auth_ldap authenticate: no password specified", getpid()); |
384 |
util_ldap_connection_close(ldc); |
386 |
util_ldap_connection_close(ldc); |
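Review bot: The relaxed guard on new line 383, together with the `util_ldap_cache_getuserdn` branch in the Lines 396-403 hunk, authenticates any Basic-auth username that matches an LDAP entry without this module verifying that the name was derived from a client certificate; the only safeguard is the documented dependence on mod_ssl's +FakeBasicAuth, which mod_ssl enforces only on an SSL request with a verified certificate. If AuthLDAPAcceptClientCert is set where a request can carry its own Authorization header (a non-SSL vhost sharing the config, or SSLVerifyClient not set to require), the password check is effectively disabled. Before taking the accept path the code should confirm the request is an SSL request with a verified client certificate — mod_ssl exports `ssl_is_https` and `ssl_var_lookup` (for SSL_CLIENT_VERIFY) as optional functions for exactly this — and fall back to the normal bind otherwise. Note also that with FakeBasicAuth the password mod_ssl supplies is the fixed string "password", so `password == NULL` is not the case the accept path actually sees. The enclosing authenticate function starts and ends outside the hunk.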
Lines 396-403
|
396 |
authn_ldap_build_filter(filtbuf, r, user, NULL, sec); |
398 |
authn_ldap_build_filter(filtbuf, r, user, NULL, sec); |
397 |
|
399 |
|
398 |
/* do the user search */ |
400 |
/* do the user search */ |
399 |
result = util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope, |
401 |
result = sec->accept_ssl_auth ? |
400 |
sec->attributes, filtbuf, password, &dn, &vals); |
402 |
|
|
|
403 |
/* authenticates the user if found in LDAP, without binding as the user */ |
404 |
util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, sec->scope, |
405 |
sec->attributes, filtbuf, password, &dn, &vals) : |
406 |
|
407 |
/* default: when querying the ldap server, bind as the user, using the supplied password */ |
408 |
util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope, |
409 |
sec->attributes, filtbuf, password, &dn, &vals); |
401 |
util_ldap_connection_close(ldc); |
410 |
util_ldap_connection_close(ldc); |
402 |
|
411 |
|
403 |
/* sanity check - if server is down, retry it up to 5 times */ |
412 |
/* sanity check - if server is down, retry it up to 5 times */ |
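Review bot: The `util_ldap_cache_getuserdn` call on new lines 404-405 is passed `password`, which the comment on new line 403 says is not used for binding and which the Lines 378-384 hunk may leave NULL on this path; upstream util_ldap's `util_ldap_cache_getuserdn` takes no password parameter, so unless this patch also changes util_ldap the call will not compile — confirm against the util_ldap header in the same changeset. If the argument is intentional, the comment should state that the password is ignored here, e.g. `/* accept_ssl_auth: the LDAP entry's existence is the proof; password is not checked */`, so a later reader does not assume a bind happens. The ternary also makes the two calls hard to compare; an `if`/`else` with one `result = ...` per branch would read more clearly.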
Lines 1115-1120
|
1115 |
"Character set conversion configuration file. If omitted, character set" |
1124 |
"Character set conversion configuration file. If omitted, character set" |
1116 |
"conversion is disabled."), |
1125 |
"conversion is disabled."), |
1117 |
|
1126 |
|
|
|
1127 |
AP_INIT_FLAG("AuthLDAPAcceptClientCert", ap_set_flag_slot, |
1128 |
(void *)APR_OFFSETOF(authn_ldap_config_t, accept_ssl_auth), OR_AUTHCFG, |
1129 |
"Set to 'on' to authenticate the user if they have an entry matching their " |
1130 |
"client SSL certificate's DN. Note: Requires the +FakeBasicAuth option of " |
1131 |
"mod_ssl. Defaults to off."), |
1132 |
|
1118 |
{NULL} |
1133 |
{NULL} |
1119 |
}; |
1134 |
}; |
1120 |
|
1135 |
|