Attachment 25026 Details for Bug 48780 – Proposed patch

[patch] Proposed patch

unified.mod_authnz_ldap.patch (text/plain), 2.72 KB, created by Peter Thomas on 2010-02-19 22:26:40 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Peter Thomas

Created: 2010-02-19 22:26:40 UTC

Size: 2.72 KB

patch

obsolete

>diff -ur httpd-2.2.14/modules/aaa/mod_authnz_ldap.c httpd-2.2.14-patch/modules/aaa/mod_authnz_ldap.c
>--- httpd-2.2.14/modules/aaa/mod_authnz_ldap.c	2009-09-20 13:50:19.000000000 -0400
>+++ httpd-2.2.14-patch/modules/aaa/mod_authnz_ldap.c	2010-02-19 17:08:03.000000000 -0500
>@@ -75,6 +75,7 @@
>                                         it's the exact string passed by the HTTP client */
> 
>     int secure;                     /* True if SSL connections are requested */
>+    int accept_ssl_auth             /* True if existence of a matching LDAP entry is sufficient authentication */ 
> } authn_ldap_config_t;
> 
> typedef struct {
>@@ -307,6 +308,7 @@
>     sec->user_is_dn = 0;
>     sec->remote_user_attribute = NULL;
>     sec->compare_dn_on_server = 0;
>+    sec->accept_ssl_auth = 0;
> 
>     return sec;
> }
>@@ -378,7 +380,7 @@
>                   "[%" APR_PID_T_FMT "] auth_ldap authenticate: using URL %s", getpid(), sec->url);
> 
>     /* Get the password that the client sent */
>-    if (password == NULL) {
>+    if (!sec->accept_ssl_auth && password == NULL) {
>         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
>                       "[%" APR_PID_T_FMT "] auth_ldap authenticate: no password specified", getpid());
>         util_ldap_connection_close(ldc);
>@@ -396,8 +398,15 @@
>     authn_ldap_build_filter(filtbuf, r, user, NULL, sec);
> 
>     /* do the user search */
>-    result = util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope,
>-                                         sec->attributes, filtbuf, password, &dn, &vals);
>+    result = sec->accept_ssl_auth ? 
>+
>+        /* authenticates the user if found in LDAP, without binding as the user */
>+        util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, sec->scope,
>+                                     sec->attributes, filtbuf, password, &dn, &vals) :
>+
>+        /* default: when querying the ldap server, bind as the user, using the supplied password */
>+        util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope,
>+                                       sec->attributes, filtbuf, password, &dn, &vals);
>     util_ldap_connection_close(ldc);
> 
>     /* sanity check - if server is down, retry it up to 5 times */
>@@ -1115,6 +1124,12 @@
>                   "Character set conversion configuration file. If omitted, character set"
>                   "conversion is disabled."),
> 
>+    AP_INIT_FLAG("AuthLDAPAcceptClientCert", ap_set_flag_slot,
>+                 (void *)APR_OFFSETOF(authn_ldap_config_t, accept_ssl_auth), OR_AUTHCFG,
>+                 "Set to 'on' to authenticate the user if they have an entry matching their "
>+                 "client SSL certificate's DN.  Note: Requires the +FakeBasicAuth option of "
>+                 "mod_ssl. Defaults to off."),
>+
>     {NULL}
> };
>

Actions: View | Diff

Attachments on bug 48780: 25026 | 25105 | 25237