ASF Bugzilla – Attachment 25026 Details for Bug 48780
Enable mod_authnz_ldap to accept valid client certificates as sufficient authentication
[patch]
Proposed patch
unified.mod_authnz_ldap.patch (text/plain), 2.72 KB, created by Peter Thomas on 2010-02-19 22:26:40 UTC

Description: Proposed patch
Filename: unified.mod_authnz_ldap.patch
MIME Type: text/plain
Creator: Peter Thomas
Created: 2010-02-19 22:26:40 UTC
Size: 2.72 KB
patch
obsolete
>diff -ur httpd-2.2.14/modules/aaa/mod_authnz_ldap.c httpd-2.2.14-patch/modules/aaa/mod_authnz_ldap.c >--- httpd-2.2.14/modules/aaa/mod_authnz_ldap.c 2009-09-20 13:50:19.000000000 -0400 >+++ httpd-2.2.14-patch/modules/aaa/mod_authnz_ldap.c 2010-02-19 17:08:03.000000000 -0500 >@@ -75,6 +75,7 @@ > it's the exact string passed by the HTTP client */ > > int secure; /* True if SSL connections are requested */ >+ int accept_ssl_auth /* True if existence of a matching LDAP entry is sufficient authentication */ > } authn_ldap_config_t; > > typedef struct { >@@ -307,6 +308,7 @@ > sec->user_is_dn = 0; > sec->remote_user_attribute = NULL; > sec->compare_dn_on_server = 0; >+ sec->accept_ssl_auth = 0; > > return sec; > } >@@ -378,7 +380,7 @@ > "[%" APR_PID_T_FMT "] auth_ldap authenticate: using URL %s", getpid(), sec->url); > > /* Get the password that the client sent */ >- if (password == NULL) { >+ if (!sec->accept_ssl_auth && password == NULL) { > ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, > "[%" APR_PID_T_FMT "] auth_ldap authenticate: no password specified", getpid()); > util_ldap_connection_close(ldc); >@@ -396,8 +398,15 @@ > authn_ldap_build_filter(filtbuf, r, user, NULL, sec); > > /* do the user search */ >- result = util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope, >- sec->attributes, filtbuf, password, &dn, &vals); >+ result = sec->accept_ssl_auth ? >+ >+ /* authenticates the user if found in LDAP, without binding as the user */ >+ util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, sec->scope, >+ sec->attributes, filtbuf, password, &dn, &vals) : >+ >+ /* default: when querying the ldap server, bind as the user, using the supplied password */ >+ util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope, >+ sec->attributes, filtbuf, password, &dn, &vals); > util_ldap_connection_close(ldc); > > /* sanity check - if server is down, retry it up to 5 times */ 
>@@ -1115,6 +1124,12 @@ > "Character set conversion configuration file. If omitted, character set" > "conversion is disabled."), > >+ AP_INIT_FLAG("AuthLDAPAcceptClientCert", ap_set_flag_slot, >+ (void *)APR_OFFSETOF(authn_ldap_config_t, accept_ssl_auth), OR_AUTHCFG, >+ "Set to 'on' to authenticate the user if they have an entry matching their " >+ "client SSL certificate's DN. Note: Requires the +FakeBasicAuth option of " >+ "mod_ssl. Defaults to off."), >+ > {NULL} > }; >
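Review bot: the new struct member in the first hunk (`@@ -75,6 +75,7`), `int accept_ssl_auth /* True if existence of a matching LDAP entry is sufficient authentication */`, is missing its terminating semicolon, so the file will not compile; it should read `int accept_ssl_auth; /* ... */`.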
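Review bot: the relaxed check in the authenticate hunk (`@@ -378,7 +380,7`), `if (!sec->accept_ssl_auth && password == NULL)`, drops the password requirement on the strength of the configuration flag alone; nothing in the condition confirms that mod_ssl actually verified a client certificate for this request, and the directive's help text only documents +FakeBasicAuth as a prerequisite rather than enforcing it. Combined with the later hunk, which no longer binds as the user, any Basic credentials naming a user that exists in LDAP would pass. Before taking the password-less path, consider also checking mod_ssl's verification result for the request (for instance through its ssl_var_lookup optional function for SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN, comparing the latter against `user`) and logging at APLOG_DEBUG which branch was taken, so that a vhost without client-certificate verification fails closed rather than open.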
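Review bot: the ternary in the user-search hunk (`@@ -396,8 +398,15`) passes `password` to util_ldap_cache_getuserdn, but that function does not bind as the user (as the hunk's own comment says) and, in the 2.2 util_ldap API, takes no bind-password argument, so the call has one parameter too many and will not compile; drop `password` from that call. An if/else would also read more clearly than a conditional expression with blank lines and comments inside it.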
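Review bot: the AP_INIT_FLAG hunk (`@@ -1115,6 +1124,12`) adds the AuthLDAPAcceptClientCert directive, but the patch carries no change to the module's manual page, and the help string stops at "Requires the +FakeBasicAuth option of mod_ssl". The documentation should state plainly that with the flag on the module no longer verifies any password for users found in LDAP, so the directive is only appropriate inside a context that also enforces SSLVerifyClient require.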