Lines 547-570
static authn_status authn_ldap_check_password(request_rec *r, const char *user,
Link Here
|
547 |
} |
547 |
} |
548 |
else { |
548 |
else { |
549 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01690) |
549 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01690) |
550 |
"auth_ldap authenticate: no sec->host - weird...?"); |
550 |
"authnz_ldap authenticate: no sec->host - weird...?"); |
551 |
return AUTH_GENERAL_ERROR; |
551 |
return AUTH_GENERAL_ERROR; |
552 |
} |
552 |
} |
553 |
|
553 |
|
554 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01691) |
554 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01691) |
555 |
"auth_ldap authenticate: using URL %s", sec->url); |
555 |
"authnz_ldap authenticate: using URL %s", sec->url); |
556 |
|
556 |
|
557 |
/* Get the password that the client sent */ |
557 |
/* Get the password that the client sent */ |
558 |
if (password == NULL) { |
558 |
if (password == NULL) { |
559 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01692) |
559 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01692) |
560 |
"auth_ldap authenticate: no password specified"); |
560 |
"authnz_ldap authenticate: no password specified"); |
561 |
release_ldc(r, ldc); |
561 |
release_ldc(r, ldc); |
562 |
return AUTH_GENERAL_ERROR; |
562 |
return AUTH_GENERAL_ERROR; |
563 |
} |
563 |
} |
564 |
|
564 |
|
565 |
if (user == NULL) { |
565 |
if (user == NULL) { |
566 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01693) |
566 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01693) |
567 |
"auth_ldap authenticate: no user specified"); |
567 |
"authnz_ldap authenticate: no user specified"); |
568 |
release_ldc(r, ldc); |
568 |
release_ldc(r, ldc); |
569 |
return AUTH_GENERAL_ERROR; |
569 |
return AUTH_GENERAL_ERROR; |
570 |
} |
570 |
} |
Lines 572-585
static authn_status authn_ldap_check_password(request_rec *r, const char *user,
Link Here
|
572 |
/* build the username filter */ |
572 |
/* build the username filter */ |
573 |
if (APR_SUCCESS != authn_ldap_build_filter(filtbuf, r, user, NULL, sec)) { |
573 |
if (APR_SUCCESS != authn_ldap_build_filter(filtbuf, r, user, NULL, sec)) { |
574 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02622) |
574 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02622) |
575 |
"auth_ldap authenticate: ldap filter too long (>%d): %s", |
575 |
"authnz_ldap authenticate: ldap filter too long (>%d): %s", |
576 |
FILTER_LENGTH, filtbuf); |
576 |
FILTER_LENGTH, filtbuf); |
577 |
release_ldc(r, ldc); |
577 |
release_ldc(r, ldc); |
578 |
return AUTH_GENERAL_ERROR; |
578 |
return AUTH_GENERAL_ERROR; |
579 |
} |
579 |
} |
580 |
|
580 |
|
581 |
ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, |
581 |
ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, |
582 |
"auth_ldap authenticate: final authn filter is %s", filtbuf); |
582 |
"authnz_ldap authenticate: final authn filter is %s", filtbuf); |
583 |
|
583 |
|
584 |
/* convert password to utf-8 */ |
584 |
/* convert password to utf-8 */ |
585 |
utfpassword = authn_ldap_xlate_password(r, password); |
585 |
utfpassword = authn_ldap_xlate_password(r, password); |
Lines 594-607
static authn_status authn_ldap_check_password(request_rec *r, const char *user,
Link Here
|
594 |
if (result != LDAP_SUCCESS) { |
594 |
if (result != LDAP_SUCCESS) { |
595 |
if (!sec->bind_authoritative) { |
595 |
if (!sec->bind_authoritative) { |
596 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01694) |
596 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01694) |
597 |
"auth_ldap authenticate: user %s authentication failed; " |
597 |
"authnz_ldap authenticate: user %s authentication failed; " |
598 |
"URI %s [%s][%s] (not authoritative)", |
598 |
"URI %s [%s][%s] (not authoritative)", |
599 |
user, r->uri, ldc->reason, ldap_err2string(result)); |
599 |
user, r->uri, ldc->reason, ldap_err2string(result)); |
600 |
return AUTH_USER_NOT_FOUND; |
600 |
return AUTH_USER_NOT_FOUND; |
601 |
} |
601 |
} |
602 |
|
602 |
|
603 |
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(01695) |
603 |
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(01695) |
604 |
"auth_ldap authenticate: " |
604 |
"authnz_ldap authenticate: " |
605 |
"user %s authentication failed; URI %s [%s][%s]", |
605 |
"user %s authentication failed; URI %s [%s][%s]", |
606 |
user, r->uri, ldc->reason, ldap_err2string(result)); |
606 |
user, r->uri, ldc->reason, ldap_err2string(result)); |
607 |
|
607 |
|
Lines 646-652
static authn_status authn_ldap_check_password(request_rec *r, const char *user,
Link Here
|
646 |
/* sanity check */ |
646 |
/* sanity check */ |
647 |
if (sec->remote_user_attribute && !remote_user_attribute_set) { |
647 |
if (sec->remote_user_attribute && !remote_user_attribute_set) { |
648 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01696) |
648 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01696) |
649 |
"auth_ldap authenticate: " |
649 |
"authnz_ldap authenticate: " |
650 |
"REMOTE_USER was to be set with attribute '%s', " |
650 |
"REMOTE_USER was to be set with attribute '%s', " |
651 |
"but this attribute was not requested for in the " |
651 |
"but this attribute was not requested for in the " |
652 |
"LDAP query for the user. REMOTE_USER will fall " |
652 |
"LDAP query for the user. REMOTE_USER will fall " |
Lines 655-661
static authn_status authn_ldap_check_password(request_rec *r, const char *user,
Link Here
|
655 |
} |
655 |
} |
656 |
|
656 |
|
657 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01697) |
657 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01697) |
658 |
"auth_ldap authenticate: accepting %s", user); |
658 |
"authnz_ldap authenticate: accepting %s", user); |
659 |
|
659 |
|
660 |
return AUTH_GRANTED; |
660 |
return AUTH_GRANTED; |
661 |
} |
661 |
} |
Lines 673-679
static authz_status get_dn_for_nonldap_authn(request_rec *r, util_ldap_connectio
Link Here
|
673 |
/* Build the username filter */ |
673 |
/* Build the username filter */ |
674 |
if (APR_SUCCESS != authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec)) { |
674 |
if (APR_SUCCESS != authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec)) { |
675 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02623) |
675 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02623) |
676 |
"auth_ldap authorize: ldap filter too long (>%d): %s", |
676 |
"authnz_ldap authorize: ldap filter too long (>%d): %s", |
677 |
FILTER_LENGTH, filtbuf); |
677 |
FILTER_LENGTH, filtbuf); |
678 |
return AUTHZ_DENIED; |
678 |
return AUTHZ_DENIED; |
679 |
} |
679 |
} |
Lines 685-691
static authz_status get_dn_for_nonldap_authn(request_rec *r, util_ldap_connectio
Link Here
|
685 |
/* Search failed, log error and return failure */ |
685 |
/* Search failed, log error and return failure */ |
686 |
if (result != LDAP_SUCCESS) { |
686 |
if (result != LDAP_SUCCESS) { |
687 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01701) |
687 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01701) |
688 |
"auth_ldap authorise: User DN not found, %s", ldc->reason); |
688 |
"authnz_ldap authorise: User DN not found, %s", ldc->reason); |
689 |
return AUTHZ_DENIED; |
689 |
return AUTHZ_DENIED; |
690 |
} |
690 |
} |
691 |
|
691 |
|
Lines 724-730
static authz_status ldapuser_check_authorization(request_rec *r,
Link Here
|
724 |
|
724 |
|
725 |
if (!sec->host) { |
725 |
if (!sec->host) { |
726 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01698) |
726 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01698) |
727 |
"auth_ldap authorize: no sec->host - weird...?"); |
727 |
"authnz_ldap authorize: no sec->host - weird...?"); |
728 |
return AUTHZ_DENIED; |
728 |
return AUTHZ_DENIED; |
729 |
} |
729 |
} |
730 |
|
730 |
|
Lines 750-762
static authz_status ldapuser_check_authorization(request_rec *r,
Link Here
|
750 |
|
750 |
|
751 |
if (!strlen(r->user)) { |
751 |
if (!strlen(r->user)) { |
752 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01699) |
752 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01699) |
753 |
"ldap authorize: Userid is blank, AuthType=%s", |
753 |
"authnz_ldap authorize: Userid is blank, AuthType=%s", |
754 |
r->ap_auth_type); |
754 |
r->ap_auth_type); |
755 |
} |
755 |
} |
756 |
|
756 |
|
757 |
if (req->dn == NULL || strlen(req->dn) == 0) { |
757 |
if (req->dn == NULL || strlen(req->dn) == 0) { |
758 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01702) |
758 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01702) |
759 |
"auth_ldap authorize: require user: user's DN has not " |
759 |
"authnz_ldap authorize: require user: user's DN has not " |
760 |
"been defined; failing authorization"); |
760 |
"been defined; failing authorization"); |
761 |
return AUTHZ_DENIED; |
761 |
return AUTHZ_DENIED; |
762 |
} |
762 |
} |
Lines 764-770
static authz_status ldapuser_check_authorization(request_rec *r,
Link Here
|
764 |
require = ap_expr_str_exec(r, expr, &err); |
764 |
require = ap_expr_str_exec(r, expr, &err); |
765 |
if (err) { |
765 |
if (err) { |
766 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02585) |
766 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02585) |
767 |
"auth_ldap authorize: require user: Can't evaluate expression: %s", |
767 |
"authnz_ldap authorize: require user: Can't evaluate expression: %s", |
768 |
err); |
768 |
err); |
769 |
return AUTHZ_DENIED; |
769 |
return AUTHZ_DENIED; |
770 |
} |
770 |
} |
Lines 777-790
static authz_status ldapuser_check_authorization(request_rec *r,
Link Here
|
777 |
switch(result) { |
777 |
switch(result) { |
778 |
case LDAP_COMPARE_TRUE: { |
778 |
case LDAP_COMPARE_TRUE: { |
779 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01703) |
779 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01703) |
780 |
"auth_ldap authorize: require user: authorization " |
780 |
"authnz_ldap authorize: require user: authorization " |
781 |
"successful"); |
781 |
"successful"); |
782 |
set_request_vars(r, LDAP_AUTHZ, req->vals); |
782 |
set_request_vars(r, LDAP_AUTHZ, req->vals); |
783 |
return AUTHZ_GRANTED; |
783 |
return AUTHZ_GRANTED; |
784 |
} |
784 |
} |
785 |
default: { |
785 |
default: { |
786 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01704) |
786 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01704) |
787 |
"auth_ldap authorize: require user: " |
787 |
"authnz_ldap authorize: require user: " |
788 |
"authorization failed [%s][%s]", |
788 |
"authorization failed [%s][%s]", |
789 |
ldc->reason, ldap_err2string(result)); |
789 |
ldc->reason, ldap_err2string(result)); |
790 |
} |
790 |
} |
Lines 799-812
static authz_status ldapuser_check_authorization(request_rec *r,
Link Here
|
799 |
switch(result) { |
799 |
switch(result) { |
800 |
case LDAP_COMPARE_TRUE: { |
800 |
case LDAP_COMPARE_TRUE: { |
801 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01705) |
801 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01705) |
802 |
"auth_ldap authorize: " |
802 |
"authnz_ldap authorize: " |
803 |
"require user: authorization successful"); |
803 |
"require user: authorization successful"); |
804 |
set_request_vars(r, LDAP_AUTHZ, req->vals); |
804 |
set_request_vars(r, LDAP_AUTHZ, req->vals); |
805 |
return AUTHZ_GRANTED; |
805 |
return AUTHZ_GRANTED; |
806 |
} |
806 |
} |
807 |
default: { |
807 |
default: { |
808 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01706) |
808 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01706) |
809 |
"auth_ldap authorize: " |
809 |
"authnz_ldap authorize: " |
810 |
"require user: authorization failed [%s][%s]", |
810 |
"require user: authorization failed [%s][%s]", |
811 |
ldc->reason, ldap_err2string(result)); |
811 |
ldc->reason, ldap_err2string(result)); |
812 |
} |
812 |
} |
Lines 814-820
static authz_status ldapuser_check_authorization(request_rec *r,
Link Here
|
814 |
} |
814 |
} |
815 |
|
815 |
|
816 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01707) |
816 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01707) |
817 |
"auth_ldap authorize user: authorization denied for " |
817 |
"authnz_ldap authorize user: authorization denied for " |
818 |
"user %s to %s", |
818 |
"user %s to %s", |
819 |
r->user, r->uri); |
819 |
r->user, r->uri); |
820 |
|
820 |
|
Lines 852-858
static authz_status ldapgroup_check_authorization(request_rec *r,
Link Here
|
852 |
|
852 |
|
853 |
if (!sec->host) { |
853 |
if (!sec->host) { |
854 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01708) |
854 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01708) |
855 |
"auth_ldap authorize: no sec->host - weird...?"); |
855 |
"authnz_ldap authorize: no sec->host - weird...?"); |
856 |
return AUTHZ_DENIED; |
856 |
return AUTHZ_DENIED; |
857 |
} |
857 |
} |
858 |
|
858 |
|
Lines 912-918
static authz_status ldapgroup_check_authorization(request_rec *r,
Link Here
|
912 |
|
912 |
|
913 |
if (!strlen(r->user)) { |
913 |
if (!strlen(r->user)) { |
914 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01709) |
914 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01709) |
915 |
"ldap authorize: Userid is blank, AuthType=%s", |
915 |
"authnz_ldap authorize: Userid is blank, AuthType=%s", |
916 |
r->ap_auth_type); |
916 |
r->ap_auth_type); |
917 |
} |
917 |
} |
918 |
|
918 |
|
Lines 922-928
static authz_status ldapgroup_check_authorization(request_rec *r,
Link Here
|
922 |
if (sec->group_attrib_is_dn) { |
922 |
if (sec->group_attrib_is_dn) { |
923 |
if (req->dn == NULL || strlen(req->dn) == 0) { |
923 |
if (req->dn == NULL || strlen(req->dn) == 0) { |
924 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01712) |
924 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01712) |
925 |
"auth_ldap authorize: require group: user's DN has " |
925 |
"authnz_ldap authorize: require group: user's DN has " |
926 |
"not been defined; failing authorization for user %s", |
926 |
"not been defined; failing authorization for user %s", |
927 |
r->user); |
927 |
r->user); |
928 |
return AUTHZ_DENIED; |
928 |
return AUTHZ_DENIED; |
Lines 939-945
static authz_status ldapgroup_check_authorization(request_rec *r,
Link Here
|
939 |
require = ap_expr_str_exec(r, expr, &err); |
939 |
require = ap_expr_str_exec(r, expr, &err); |
940 |
if (err) { |
940 |
if (err) { |
941 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02586) |
941 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02586) |
942 |
"auth_ldap authorize: require group: Can't evaluate expression: %s", |
942 |
"authnz_ldap authorize: require group: Can't evaluate expression: %s", |
943 |
err); |
943 |
err); |
944 |
return AUTHZ_DENIED; |
944 |
return AUTHZ_DENIED; |
945 |
} |
945 |
} |
Lines 947-960
static authz_status ldapgroup_check_authorization(request_rec *r,
Link Here
|
947 |
t = require; |
947 |
t = require; |
948 |
|
948 |
|
949 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01713) |
949 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01713) |
950 |
"auth_ldap authorize: require group: testing for group " |
950 |
"authnz_ldap authorize: require group: testing for group " |
951 |
"membership in \"%s\"", |
951 |
"membership in \"%s\"", |
952 |
t); |
952 |
t); |
953 |
|
953 |
|
954 |
/* PR52464 exhaust attrs in base group before checking subgroups */ |
954 |
/* PR52464 exhaust attrs in base group before checking subgroups */ |
955 |
for (i = 0; i < sec->groupattr->nelts; i++) { |
955 |
for (i = 0; i < sec->groupattr->nelts; i++) { |
956 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01714) |
956 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01714) |
957 |
"auth_ldap authorize: require group: testing for %s: " |
957 |
"authnz_ldap authorize: require group: testing for %s: " |
958 |
"%s (%s)", |
958 |
"%s (%s)", |
959 |
ent[i].name, |
959 |
ent[i].name, |
960 |
sec->group_attrib_is_dn ? req->dn : req->user, t); |
960 |
sec->group_attrib_is_dn ? req->dn : req->user, t); |
Lines 963-969
static authz_status ldapgroup_check_authorization(request_rec *r,
Link Here
|
963 |
sec->group_attrib_is_dn ? req->dn : req->user); |
963 |
sec->group_attrib_is_dn ? req->dn : req->user); |
964 |
if (result == LDAP_COMPARE_TRUE) { |
964 |
if (result == LDAP_COMPARE_TRUE) { |
965 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01715) |
965 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01715) |
966 |
"auth_ldap authorize: require group: " |
966 |
"authnz_ldap authorize: require group: " |
967 |
"authorization successful (attribute %s) " |
967 |
"authorization successful (attribute %s) " |
968 |
"[%s][%d - %s]", |
968 |
"[%s][%d - %s]", |
969 |
ent[i].name, ldc->reason, result, |
969 |
ent[i].name, ldc->reason, result, |
Lines 973-979
static authz_status ldapgroup_check_authorization(request_rec *r,
Link Here
|
973 |
} |
973 |
} |
974 |
else { |
974 |
else { |
975 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01719) |
975 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01719) |
976 |
"auth_ldap authorize: require group \"%s\": " |
976 |
"authnz_ldap authorize: require group \"%s\": " |
977 |
"didn't match with attr %s [%s][%d - %s]", |
977 |
"didn't match with attr %s [%s][%d - %s]", |
978 |
t, ent[i].name, ldc->reason, result, |
978 |
t, ent[i].name, ldc->reason, result, |
979 |
ldap_err2string(result)); |
979 |
ldap_err2string(result)); |
Lines 985-991
static authz_status ldapgroup_check_authorization(request_rec *r,
Link Here
|
985 |
release_ldc(r, ldc); |
985 |
release_ldc(r, ldc); |
986 |
ldc = get_connection_for_authz(r, LDAP_COMPARE_AND_SEARCH); |
986 |
ldc = get_connection_for_authz(r, LDAP_COMPARE_AND_SEARCH); |
987 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01716) |
987 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01716) |
988 |
"auth_ldap authorise: require group \"%s\": " |
988 |
"authnz_ldap authorise: require group \"%s\": " |
989 |
"failed [%s][%d - %s], checking sub-groups", |
989 |
"failed [%s][%d - %s], checking sub-groups", |
990 |
t, ldc->reason, result, ldap_err2string(result)); |
990 |
t, ldc->reason, result, ldap_err2string(result)); |
991 |
} |
991 |
} |
Lines 999-1005
static authz_status ldapgroup_check_authorization(request_rec *r,
Link Here
|
999 |
0, sec->maxNestingDepth); |
999 |
0, sec->maxNestingDepth); |
1000 |
if (result == LDAP_COMPARE_TRUE) { |
1000 |
if (result == LDAP_COMPARE_TRUE) { |
1001 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01717) |
1001 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01717) |
1002 |
"auth_ldap authorise: require group " |
1002 |
"authnz_ldap authorise: require group " |
1003 |
"(sub-group): authorisation successful " |
1003 |
"(sub-group): authorisation successful " |
1004 |
"(attribute %s) [%s][%d - %s]", |
1004 |
"(attribute %s) [%s][%d - %s]", |
1005 |
ent[i].name, ldc->reason, result, |
1005 |
ent[i].name, ldc->reason, result, |
Lines 1009-1015
static authz_status ldapgroup_check_authorization(request_rec *r,
Link Here
|
1009 |
} |
1009 |
} |
1010 |
else { |
1010 |
else { |
1011 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01718) |
1011 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01718) |
1012 |
"auth_ldap authorise: require group " |
1012 |
"authnz_ldap authorise: require group " |
1013 |
"(sub-group) \"%s\": didn't match with attr %s " |
1013 |
"(sub-group) \"%s\": didn't match with attr %s " |
1014 |
"[%s][%d - %s]", |
1014 |
"[%s][%d - %s]", |
1015 |
t, ldc->reason, ent[i].name, result, |
1015 |
t, ldc->reason, ent[i].name, result, |
Lines 1018-1024
static authz_status ldapgroup_check_authorization(request_rec *r,
Link Here
|
1018 |
} |
1018 |
} |
1019 |
|
1019 |
|
1020 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01720) |
1020 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01720) |
1021 |
"auth_ldap authorize group: authorization denied for " |
1021 |
"authnz_ldap authorize group: authorization denied for " |
1022 |
"user %s to %s", |
1022 |
"user %s to %s", |
1023 |
r->user, r->uri); |
1023 |
r->user, r->uri); |
1024 |
|
1024 |
|
Lines 1053-1071
static authz_status ldapdn_check_authorization(request_rec *r,
Link Here
|
1053 |
|
1053 |
|
1054 |
if (!sec->host) { |
1054 |
if (!sec->host) { |
1055 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01721) |
1055 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01721) |
1056 |
"auth_ldap authorize: no sec->host - weird...?"); |
1056 |
"authnz_ldap authorize: no sec->host - weird...?"); |
1057 |
return AUTHZ_DENIED; |
1057 |
return AUTHZ_DENIED; |
1058 |
} |
1058 |
} |
1059 |
|
1059 |
|
1060 |
/* |
1060 |
/* |
1061 |
* If we have been authenticated by some other module than mod_auth_ldap, |
1061 |
* If we have been authenticated by some other module than mod_authnz_ldap, |
1062 |
* the req structure needed for authorization needs to be created |
1062 |
* the req structure needed for authorization needs to be created |
1063 |
* and populated with the userid and DN of the account in LDAP |
1063 |
* and populated with the userid and DN of the account in LDAP |
1064 |
*/ |
1064 |
*/ |
1065 |
|
1065 |
|
1066 |
if (!strlen(r->user)) { |
1066 |
if (!strlen(r->user)) { |
1067 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01722) |
1067 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01722) |
1068 |
"ldap authorize: Userid is blank, AuthType=%s", |
1068 |
"authnz_ldap authorize: Userid is blank, AuthType=%s", |
1069 |
r->ap_auth_type); |
1069 |
r->ap_auth_type); |
1070 |
} |
1070 |
} |
1071 |
|
1071 |
|
Lines 1084-1090
static authz_status ldapdn_check_authorization(request_rec *r,
Link Here
|
1084 |
require = ap_expr_str_exec(r, expr, &err); |
1084 |
require = ap_expr_str_exec(r, expr, &err); |
1085 |
if (err) { |
1085 |
if (err) { |
1086 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02587) |
1086 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02587) |
1087 |
"auth_ldap authorize: require dn: Can't evaluate expression: %s", |
1087 |
"authnz_ldap authorize: require dn: Can't evaluate expression: %s", |
1088 |
err); |
1088 |
err); |
1089 |
return AUTHZ_DENIED; |
1089 |
return AUTHZ_DENIED; |
1090 |
} |
1090 |
} |
Lines 1093-1099
static authz_status ldapdn_check_authorization(request_rec *r,
Link Here
|
1093 |
|
1093 |
|
1094 |
if (req->dn == NULL || strlen(req->dn) == 0) { |
1094 |
if (req->dn == NULL || strlen(req->dn) == 0) { |
1095 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01725) |
1095 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01725) |
1096 |
"auth_ldap authorize: require dn: user's DN has not " |
1096 |
"authnz_ldap authorize: require dn: user's DN has not " |
1097 |
"been defined; failing authorization"); |
1097 |
"been defined; failing authorization"); |
1098 |
return AUTHZ_DENIED; |
1098 |
return AUTHZ_DENIED; |
1099 |
} |
1099 |
} |
Lines 1102-1115
static authz_status ldapdn_check_authorization(request_rec *r,
Link Here
|
1102 |
switch(result) { |
1102 |
switch(result) { |
1103 |
case LDAP_COMPARE_TRUE: { |
1103 |
case LDAP_COMPARE_TRUE: { |
1104 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01726) |
1104 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01726) |
1105 |
"auth_ldap authorize: " |
1105 |
"authnz_ldap authorize: " |
1106 |
"require dn: authorization successful"); |
1106 |
"require dn: authorization successful"); |
1107 |
set_request_vars(r, LDAP_AUTHZ, req->vals); |
1107 |
set_request_vars(r, LDAP_AUTHZ, req->vals); |
1108 |
return AUTHZ_GRANTED; |
1108 |
return AUTHZ_GRANTED; |
1109 |
} |
1109 |
} |
1110 |
default: { |
1110 |
default: { |
1111 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01727) |
1111 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01727) |
1112 |
"auth_ldap authorize: " |
1112 |
"authnz_ldap authorize: " |
1113 |
"require dn \"%s\": LDAP error [%s][%s]", |
1113 |
"require dn \"%s\": LDAP error [%s][%s]", |
1114 |
t, ldc->reason, ldap_err2string(result)); |
1114 |
t, ldc->reason, ldap_err2string(result)); |
1115 |
} |
1115 |
} |
Lines 1117-1123
static authz_status ldapdn_check_authorization(request_rec *r,
Link Here
|
1117 |
|
1117 |
|
1118 |
|
1118 |
|
1119 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01728) |
1119 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01728) |
1120 |
"auth_ldap authorize dn: authorization denied for " |
1120 |
"authnz_ldap authorize dn: authorization denied for " |
1121 |
"user %s to %s", |
1121 |
"user %s to %s", |
1122 |
r->user, r->uri); |
1122 |
r->user, r->uri); |
1123 |
|
1123 |
|
Lines 1153-1171
static authz_status ldapattribute_check_authorization(request_rec *r,
Link Here
|
1153 |
|
1153 |
|
1154 |
if (!sec->host) { |
1154 |
if (!sec->host) { |
1155 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01729) |
1155 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01729) |
1156 |
"auth_ldap authorize: no sec->host - weird...?"); |
1156 |
"authnz_ldap authorize: no sec->host - weird...?"); |
1157 |
return AUTHZ_DENIED; |
1157 |
return AUTHZ_DENIED; |
1158 |
} |
1158 |
} |
1159 |
|
1159 |
|
1160 |
/* |
1160 |
/* |
1161 |
* If we have been authenticated by some other module than mod_auth_ldap, |
1161 |
* If we have been authenticated by some other module than mod_authnz_ldap, |
1162 |
* the req structure needed for authorization needs to be created |
1162 |
* the req structure needed for authorization needs to be created |
1163 |
* and populated with the userid and DN of the account in LDAP |
1163 |
* and populated with the userid and DN of the account in LDAP |
1164 |
*/ |
1164 |
*/ |
1165 |
|
1165 |
|
1166 |
if (!strlen(r->user)) { |
1166 |
if (!strlen(r->user)) { |
1167 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01730) |
1167 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01730) |
1168 |
"ldap authorize: Userid is blank, AuthType=%s", |
1168 |
"authnz_ldap authorize: Userid is blank, AuthType=%s", |
1169 |
r->ap_auth_type); |
1169 |
r->ap_auth_type); |
1170 |
} |
1170 |
} |
1171 |
|
1171 |
|
Lines 1183-1189
static authz_status ldapattribute_check_authorization(request_rec *r,
Link Here
|
1183 |
|
1183 |
|
1184 |
if (req->dn == NULL || strlen(req->dn) == 0) { |
1184 |
if (req->dn == NULL || strlen(req->dn) == 0) { |
1185 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01733) |
1185 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01733) |
1186 |
"auth_ldap authorize: require ldap-attribute: user's DN " |
1186 |
"authnz_ldap authorize: require ldap-attribute: user's DN " |
1187 |
"has not been defined; failing authorization"); |
1187 |
"has not been defined; failing authorization"); |
1188 |
return AUTHZ_DENIED; |
1188 |
return AUTHZ_DENIED; |
1189 |
} |
1189 |
} |
Lines 1191-1197
static authz_status ldapattribute_check_authorization(request_rec *r,
Link Here
|
1191 |
require = ap_expr_str_exec(r, expr, &err); |
1191 |
require = ap_expr_str_exec(r, expr, &err); |
1192 |
if (err) { |
1192 |
if (err) { |
1193 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02588) |
1193 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02588) |
1194 |
"auth_ldap authorize: require ldap-attribute: Can't " |
1194 |
"authnz_ldap authorize: require ldap-attribute: Can't " |
1195 |
"evaluate expression: %s", err); |
1195 |
"evaluate expression: %s", err); |
1196 |
return AUTHZ_DENIED; |
1196 |
return AUTHZ_DENIED; |
1197 |
} |
1197 |
} |
Lines 1203-1222
static authz_status ldapattribute_check_authorization(request_rec *r,
Link Here
|
1203 |
value = ap_getword_conf(r->pool, &t); |
1203 |
value = ap_getword_conf(r->pool, &t); |
1204 |
|
1204 |
|
1205 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01734) |
1205 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01734) |
1206 |
"auth_ldap authorize: checking attribute %s has value %s", |
1206 |
"authnz_ldap authorize: checking attribute %s has value %s", |
1207 |
w, value); |
1207 |
w, value); |
1208 |
result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, w, value); |
1208 |
result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, w, value); |
1209 |
switch(result) { |
1209 |
switch(result) { |
1210 |
case LDAP_COMPARE_TRUE: { |
1210 |
case LDAP_COMPARE_TRUE: { |
1211 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01735) |
1211 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01735) |
1212 |
"auth_ldap authorize: " |
1212 |
"authnz_ldap authorize: " |
1213 |
"require attribute: authorization successful"); |
1213 |
"require attribute: authorization successful"); |
1214 |
set_request_vars(r, LDAP_AUTHZ, req->vals); |
1214 |
set_request_vars(r, LDAP_AUTHZ, req->vals); |
1215 |
return AUTHZ_GRANTED; |
1215 |
return AUTHZ_GRANTED; |
1216 |
} |
1216 |
} |
1217 |
default: { |
1217 |
default: { |
1218 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01736) |
1218 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01736) |
1219 |
"auth_ldap authorize: require attribute: " |
1219 |
"authnz_ldap authorize: require attribute: " |
1220 |
"authorization failed [%s][%s]", |
1220 |
"authorization failed [%s][%s]", |
1221 |
ldc->reason, ldap_err2string(result)); |
1221 |
ldc->reason, ldap_err2string(result)); |
1222 |
} |
1222 |
} |
Lines 1224-1230
static authz_status ldapattribute_check_authorization(request_rec *r,
Link Here
|
1224 |
} |
1224 |
} |
1225 |
|
1225 |
|
1226 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01737) |
1226 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01737) |
1227 |
"auth_ldap authorize attribute: authorization denied for " |
1227 |
"authnz_ldap authorize attribute: authorization denied for " |
1228 |
"user %s to %s", |
1228 |
"user %s to %s", |
1229 |
r->user, r->uri); |
1229 |
r->user, r->uri); |
1230 |
|
1230 |
|
Lines 1262-1280
static authz_status ldapfilter_check_authorization(request_rec *r,
Link Here
|
1262 |
|
1262 |
|
1263 |
if (!sec->host) { |
1263 |
if (!sec->host) { |
1264 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01738) |
1264 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01738) |
1265 |
"auth_ldap authorize: no sec->host - weird...?"); |
1265 |
"authnz_ldap authorize: no sec->host - weird...?"); |
1266 |
return AUTHZ_DENIED; |
1266 |
return AUTHZ_DENIED; |
1267 |
} |
1267 |
} |
1268 |
|
1268 |
|
1269 |
/* |
1269 |
/* |
1270 |
* If we have been authenticated by some other module than mod_auth_ldap, |
1270 |
* If we have been authenticated by some other module than mod_authnz_ldap, |
1271 |
* the req structure needed for authorization needs to be created |
1271 |
* the req structure needed for authorization needs to be created |
1272 |
* and populated with the userid and DN of the account in LDAP |
1272 |
* and populated with the userid and DN of the account in LDAP |
1273 |
*/ |
1273 |
*/ |
1274 |
|
1274 |
|
1275 |
if (!strlen(r->user)) { |
1275 |
if (!strlen(r->user)) { |
1276 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01739) |
1276 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01739) |
1277 |
"ldap authorize: Userid is blank, AuthType=%s", |
1277 |
"authnz_ldap authorize: Userid is blank, AuthType=%s", |
1278 |
r->ap_auth_type); |
1278 |
r->ap_auth_type); |
1279 |
} |
1279 |
} |
1280 |
|
1280 |
|
Lines 1292-1298
static authz_status ldapfilter_check_authorization(request_rec *r,
Link Here
|
1292 |
|
1292 |
|
1293 |
if (req->dn == NULL || strlen(req->dn) == 0) { |
1293 |
if (req->dn == NULL || strlen(req->dn) == 0) { |
1294 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01742) |
1294 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01742) |
1295 |
"auth_ldap authorize: require ldap-filter: user's DN " |
1295 |
"authnz_ldap authorize: require ldap-filter: user's DN " |
1296 |
"has not been defined; failing authorization"); |
1296 |
"has not been defined; failing authorization"); |
1297 |
return AUTHZ_DENIED; |
1297 |
return AUTHZ_DENIED; |
1298 |
} |
1298 |
} |
Lines 1300-1306
static authz_status ldapfilter_check_authorization(request_rec *r,
Link Here
|
1300 |
require = ap_expr_str_exec(r, expr, &err); |
1300 |
require = ap_expr_str_exec(r, expr, &err); |
1301 |
if (err) { |
1301 |
if (err) { |
1302 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02589) |
1302 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02589) |
1303 |
"auth_ldap authorize: require ldap-filter: Can't " |
1303 |
"authnz_ldap authorize: require ldap-filter: Can't " |
1304 |
"evaluate require expression: %s", err); |
1304 |
"evaluate require expression: %s", err); |
1305 |
return AUTHZ_DENIED; |
1305 |
return AUTHZ_DENIED; |
1306 |
} |
1306 |
} |
Lines 1309-1320
static authz_status ldapfilter_check_authorization(request_rec *r,
Link Here
|
1309 |
|
1309 |
|
1310 |
if (t[0]) { |
1310 |
if (t[0]) { |
1311 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01743) |
1311 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01743) |
1312 |
"auth_ldap authorize: checking filter %s", t); |
1312 |
"authnz_ldap authorize: checking filter %s", t); |
1313 |
|
1313 |
|
1314 |
/* Build the username filter */ |
1314 |
/* Build the username filter */ |
1315 |
if (APR_SUCCESS != authn_ldap_build_filter(filtbuf, r, req->user, t, sec)) { |
1315 |
if (APR_SUCCESS != authn_ldap_build_filter(filtbuf, r, req->user, t, sec)) { |
1316 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02628) |
1316 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02628) |
1317 |
"auth_ldap authorize: ldap filter too long (>%d): %s", |
1317 |
"authnz_ldap authorize: ldap filter too long (>%d): %s", |
1318 |
FILTER_LENGTH, filtbuf); |
1318 |
FILTER_LENGTH, filtbuf); |
1319 |
return AUTHZ_DENIED; |
1319 |
return AUTHZ_DENIED; |
1320 |
} |
1320 |
} |
Lines 1326-1332
static authz_status ldapfilter_check_authorization(request_rec *r,
Link Here
|
1326 |
/* Make sure that the filtered search returned the correct user dn */ |
1326 |
/* Make sure that the filtered search returned the correct user dn */ |
1327 |
if (result == LDAP_SUCCESS) { |
1327 |
if (result == LDAP_SUCCESS) { |
1328 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01744) |
1328 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01744) |
1329 |
"auth_ldap authorize: checking dn match %s", dn); |
1329 |
"authnz_ldap authorize: checking dn match %s", dn); |
1330 |
if (sec->compare_as_user) { |
1330 |
if (sec->compare_as_user) { |
1331 |
/* ldap-filter is the only authz that requires a search and a compare */ |
1331 |
/* ldap-filter is the only authz that requires a search and a compare */ |
1332 |
release_ldc(r, ldc); |
1332 |
release_ldc(r, ldc); |
Lines 1339-1359
static authz_status ldapfilter_check_authorization(request_rec *r,
Link Here
|
1339 |
switch(result) { |
1339 |
switch(result) { |
1340 |
case LDAP_COMPARE_TRUE: { |
1340 |
case LDAP_COMPARE_TRUE: { |
1341 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01745) |
1341 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01745) |
1342 |
"auth_ldap authorize: require ldap-filter: " |
1342 |
"authnz_ldap authorize: require ldap-filter: " |
1343 |
"authorization successful"); |
1343 |
"authorization successful"); |
1344 |
set_request_vars(r, LDAP_AUTHZ, req->vals); |
1344 |
set_request_vars(r, LDAP_AUTHZ, req->vals); |
1345 |
return AUTHZ_GRANTED; |
1345 |
return AUTHZ_GRANTED; |
1346 |
} |
1346 |
} |
1347 |
case LDAP_FILTER_ERROR: { |
1347 |
case LDAP_FILTER_ERROR: { |
1348 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01746) |
1348 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01746) |
1349 |
"auth_ldap authorize: require ldap-filter: " |
1349 |
"authnz_ldap authorize: require ldap-filter: " |
1350 |
"%s authorization failed [%s][%s]", |
1350 |
"%s authorization failed [%s][%s]", |
1351 |
filtbuf, ldc->reason, ldap_err2string(result)); |
1351 |
filtbuf, ldc->reason, ldap_err2string(result)); |
1352 |
break; |
1352 |
break; |
1353 |
} |
1353 |
} |
1354 |
default: { |
1354 |
default: { |
1355 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01747) |
1355 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01747) |
1356 |
"auth_ldap authorize: require ldap-filter: " |
1356 |
"authnz_ldap authorize: require ldap-filter: " |
1357 |
"authorization failed [%s][%s]", |
1357 |
"authorization failed [%s][%s]", |
1358 |
ldc->reason, ldap_err2string(result)); |
1358 |
ldc->reason, ldap_err2string(result)); |
1359 |
} |
1359 |
} |
Lines 1361-1367
static authz_status ldapfilter_check_authorization(request_rec *r,
Link Here
|
1361 |
} |
1361 |
} |
1362 |
|
1362 |
|
1363 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01748) |
1363 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01748) |
1364 |
"auth_ldap authorize filter: authorization denied for " |
1364 |
"authnz_ldap authorize filter: authorization denied for " |
1365 |
"user %s to %s", |
1365 |
"user %s to %s", |
1366 |
r->user, r->uri); |
1366 |
r->user, r->uri); |
1367 |
|
1367 |
|
Lines 1393-1406
static authz_status ldapsearch_check_authorization(request_rec *r,
Link Here
|
1393 |
} |
1393 |
} |
1394 |
else { |
1394 |
else { |
1395 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02636) |
1395 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02636) |
1396 |
"auth_ldap authorize: no sec->host - weird...?"); |
1396 |
"authnz_ldap authorize: no sec->host - weird...?"); |
1397 |
return AUTHZ_DENIED; |
1397 |
return AUTHZ_DENIED; |
1398 |
} |
1398 |
} |
1399 |
|
1399 |
|
1400 |
require = ap_expr_str_exec(r, expr, &err); |
1400 |
require = ap_expr_str_exec(r, expr, &err); |
1401 |
if (err) { |
1401 |
if (err) { |
1402 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02629) |
1402 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02629) |
1403 |
"auth_ldap authorize: require ldap-search: Can't " |
1403 |
"authnz_ldap authorize: require ldap-search: Can't " |
1404 |
"evaluate require expression: %s", err); |
1404 |
"evaluate require expression: %s", err); |
1405 |
return AUTHZ_DENIED; |
1405 |
return AUTHZ_DENIED; |
1406 |
} |
1406 |
} |
Lines 1411-1417
static authz_status ldapsearch_check_authorization(request_rec *r,
Link Here
|
1411 |
const char **vals; |
1411 |
const char **vals; |
1412 |
|
1412 |
|
1413 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02630) |
1413 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02630) |
1414 |
"auth_ldap authorize: checking filter %s", t); |
1414 |
"authnz_ldap authorize: checking filter %s", t); |
1415 |
|
1415 |
|
1416 |
/* Search for the user DN */ |
1416 |
/* Search for the user DN */ |
1417 |
result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, |
1417 |
result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, |
Lines 1420-1439
static authz_status ldapsearch_check_authorization(request_rec *r,
Link Here
|
1420 |
/* Make sure that the filtered search returned a single dn */ |
1420 |
/* Make sure that the filtered search returned a single dn */ |
1421 |
if (result == LDAP_SUCCESS && dn) { |
1421 |
if (result == LDAP_SUCCESS && dn) { |
1422 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02631) |
1422 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02631) |
1423 |
"auth_ldap authorize: require ldap-search: " |
1423 |
"authnz_ldap authorize: require ldap-search: " |
1424 |
"authorization successful"); |
1424 |
"authorization successful"); |
1425 |
return AUTHZ_GRANTED; |
1425 |
return AUTHZ_GRANTED; |
1426 |
} |
1426 |
} |
1427 |
else { |
1427 |
else { |
1428 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02632) |
1428 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02632) |
1429 |
"auth_ldap authorize: require ldap-search: " |
1429 |
"authnz_ldap authorize: require ldap-search: " |
1430 |
"%s authorization failed [%s][%s]", |
1430 |
"%s authorization failed [%s][%s]", |
1431 |
t, ldc->reason, ldap_err2string(result)); |
1431 |
t, ldc->reason, ldap_err2string(result)); |
1432 |
} |
1432 |
} |
1433 |
} |
1433 |
} |
1434 |
|
1434 |
|
1435 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02633) |
1435 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02633) |
1436 |
"auth_ldap authorize search: authorization denied for " |
1436 |
"authnz_ldap authorize search: authorization denied for " |
1437 |
"to %s", r->uri); |
1437 |
"to %s", r->uri); |
1438 |
|
1438 |
|
1439 |
return AUTHZ_DENIED; |
1439 |
return AUTHZ_DENIED; |
Lines 1556-1562
static const char *mod_auth_ldap_parse_url(cmd_parms *cmd,
Link Here
|
1556 |
sec->have_ldap_url = 1; |
1556 |
sec->have_ldap_url = 1; |
1557 |
|
1557 |
|
1558 |
ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, cmd->server, |
1558 |
ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, cmd->server, |
1559 |
"auth_ldap url parse: `%s', Host: %s, Port: %d, DN: %s, " |
1559 |
"authnz_ldap url parse: `%s', Host: %s, Port: %d, DN: %s, " |
1560 |
"attrib: %s, scope: %s, filter: %s, connection mode: %s", |
1560 |
"attrib: %s, scope: %s, filter: %s, connection mode: %s", |
1561 |
url, |
1561 |
url, |
1562 |
urld->lud_host, |
1562 |
urld->lud_host, |
Lines 1766-1772
static const command_rec authnz_ldap_cmds[] =
Link Here
|
1766 |
|
1766 |
|
1767 |
AP_INIT_FLAG("AuthLDAPCompareDNOnServer", ap_set_flag_slot, |
1767 |
AP_INIT_FLAG("AuthLDAPCompareDNOnServer", ap_set_flag_slot, |
1768 |
(void *)APR_OFFSETOF(authn_ldap_config_t, compare_dn_on_server), OR_AUTHCFG, |
1768 |
(void *)APR_OFFSETOF(authn_ldap_config_t, compare_dn_on_server), OR_AUTHCFG, |
1769 |
"Set to 'on' to force auth_ldap to do DN compares (for the \"require dn\" " |
1769 |
"Set to 'on' to force authnz_ldap to do DN compares (for the \"require dn\" " |
1770 |
"directive) using the server, and set it 'off' to do the compares locally " |
1770 |
"directive) using the server, and set it 'off' to do the compares locally " |
1771 |
"(at the expense of possible false matches). See the documentation for " |
1771 |
"(at the expense of possible false matches). See the documentation for " |
1772 |
"a complete description of this option."), |
1772 |
"a complete description of this option."), |
Lines 1788-1795
static const command_rec authnz_ldap_cmds[] =
Link Here
|
1788 |
|
1788 |
|
1789 |
AP_INIT_FLAG("AuthLDAPGroupAttributeIsDN", ap_set_flag_slot, |
1789 |
AP_INIT_FLAG("AuthLDAPGroupAttributeIsDN", ap_set_flag_slot, |
1790 |
(void *)APR_OFFSETOF(authn_ldap_config_t, group_attrib_is_dn), OR_AUTHCFG, |
1790 |
(void *)APR_OFFSETOF(authn_ldap_config_t, group_attrib_is_dn), OR_AUTHCFG, |
1791 |
"If set to 'on', auth_ldap uses the DN that is retrieved from the server for " |
1791 |
"If set to 'on', authnz_ldap uses the DN that is retrieved from the server for " |
1792 |
"subsequent group comparisons. If set to 'off', auth_ldap uses the string " |
1792 |
"subsequent group comparisons. If set to 'off', authnz_ldap uses the string " |
1793 |
"provided by the client directly. Defaults to 'on'."), |
1793 |
"provided by the client directly. Defaults to 'on'."), |
1794 |
|
1794 |
|
1795 |
AP_INIT_TAKE1("AuthLDAPDereferenceAliases", mod_auth_ldap_set_deref, NULL, OR_AUTHCFG, |
1795 |
AP_INIT_TAKE1("AuthLDAPDereferenceAliases", mod_auth_ldap_set_deref, NULL, OR_AUTHCFG, |