
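--- a/httpd-2.2.14/modules/aaa/mod_authnz_ldap.c
+++ b/httpd-2.2.14/modules/aaa/mod_authnz_ldap.c
@@ -75,6 +75,7 @@
                                         it's the exact string passed by the HTTP client */
 
     int secure;                     /* True if SSL connections are requested */
+    int accept_ssl_auth             /* True if existence of a matching LDAP entry is sufficient authentication */ 
 } authn_ldap_config_t;
 
 typedef struct {
@@ -307,6 +308,7 @@
     sec->user_is_dn = 0;
     sec->remote_user_attribute = NULL;
     sec->compare_dn_on_server = 0;
+    sec->accept_ssl_auth = 0;
 
     return sec;
 }
@@ -378,7 +380,7 @@
                   "[%" APR_PID_T_FMT "] auth_ldap authenticate: using URL %s", getpid(), sec->url);
 
     /* Get the password that the client sent */
-    if (password == NULL) {
+    if (!sec->accept_ssl_auth && password == NULL) {
         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                       "[%" APR_PID_T_FMT "] auth_ldap authenticate: no password specified", getpid());
         util_ldap_connection_close(ldc);
@@ -396,8 +398,15 @@
     authn_ldap_build_filter(filtbuf, r, user, NULL, sec);
 
     /* do the user search */
-    result = util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope,
-                                         sec->attributes, filtbuf, password, &dn, &vals);
+    result = sec->accept_ssl_auth ? 
+
+        /* authenticates the user if found in LDAP, without binding as the user */
+        util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, sec->scope,
+                                     sec->attributes, filtbuf, password, &dn, &vals) :
+
+        /* default: when querying the ldap server, bind as the user, using the supplied password */
+        util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope,
+                                       sec->attributes, filtbuf, password, &dn, &vals);
     util_ldap_connection_close(ldc);
 
     /* sanity check - if server is down, retry it up to 5 times */
@@ -1115,6 +1124,12 @@
                   "Character set conversion configuration file. If omitted, character set"
                   "conversion is disabled."),
 
+    AP_INIT_FLAG("AuthLDAPAcceptClientCert", ap_set_flag_slot,
+                 (void *)APR_OFFSETOF(authn_ldap_config_t, accept_ssl_auth), OR_AUTHCFG,
+                 "Set to 'on' to authenticate the user if they have an entry matching their "
+                 "client SSL certificate's DN.  Note: Requires the +FakeBasicAuth option of "
+                 "mod_ssl. Defaults to off."),
+
     {NULL}
 };
 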
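Review bot: The struct member added at new line 78, `int accept_ssl_auth /* ... */`, has no terminating semicolon before the closing `}` of authn_ldap_config_t, so the patch does not compile as written; it should read `int accept_ssl_auth;           /* True if existence of a matching LDAP entry is sufficient authentication */`. More importantly, when the flag is on the new condition at line 383 drops the password requirement and the `util_ldap_cache_getuserdn` branch at 404 authenticates any username that has a matching LDAP entry, yet nothing checks that the username actually came from a mod_ssl-verified client certificate — FakeBasicAuth only rewrites the Authorization header when a certificate is presented, so unless `SSLVerifyClient require` is in effect a client-supplied Basic header naming any existing user is accepted with no credential at all. Before taking that branch the code should confirm that verification succeeded, e.g. that `ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_VERIFY")` (obtained as an optional function at post-config) returns `"SUCCESS"`, and the directive help text at 1129-1131 should state that the option is only safe behind a required client certificate. Separately, `password` is passed as an extra argument to `util_ldap_cache_getuserdn` at 405; the 2.2 uldap_cache_getuserdn prototype appears to take no bind password, so that call should be checked against util_ldap.h. The authenticate function these hunks modify starts and ends outside the shown lines.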
