|
Lines 547-570
static authn_status authn_ldap_check_password(request_rec *r, const char *user,
Link Here
|
| 547 |
} |
547 |
} |
| 548 |
else { |
548 |
else { |
| 549 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01690) |
549 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01690) |
| 550 |
"auth_ldap authenticate: no sec->host - weird...?"); |
550 |
"authnz_ldap authenticate: no sec->host - weird...?"); |
| 551 |
return AUTH_GENERAL_ERROR; |
551 |
return AUTH_GENERAL_ERROR; |
| 552 |
} |
552 |
} |
| 553 |
|
553 |
|
| 554 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01691) |
554 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01691) |
| 555 |
"auth_ldap authenticate: using URL %s", sec->url); |
555 |
"authnz_ldap authenticate: using URL %s", sec->url); |
| 556 |
|
556 |
|
| 557 |
/* Get the password that the client sent */ |
557 |
/* Get the password that the client sent */ |
| 558 |
if (password == NULL) { |
558 |
if (password == NULL) { |
| 559 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01692) |
559 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01692) |
| 560 |
"auth_ldap authenticate: no password specified"); |
560 |
"authnz_ldap authenticate: no password specified"); |
| 561 |
release_ldc(r, ldc); |
561 |
release_ldc(r, ldc); |
| 562 |
return AUTH_GENERAL_ERROR; |
562 |
return AUTH_GENERAL_ERROR; |
| 563 |
} |
563 |
} |
| 564 |
|
564 |
|
| 565 |
if (user == NULL) { |
565 |
if (user == NULL) { |
| 566 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01693) |
566 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01693) |
| 567 |
"auth_ldap authenticate: no user specified"); |
567 |
"authnz_ldap authenticate: no user specified"); |
| 568 |
release_ldc(r, ldc); |
568 |
release_ldc(r, ldc); |
| 569 |
return AUTH_GENERAL_ERROR; |
569 |
return AUTH_GENERAL_ERROR; |
| 570 |
} |
570 |
} |
|
Lines 572-585
static authn_status authn_ldap_check_password(request_rec *r, const char *user,
Link Here
|
| 572 |
/* build the username filter */ |
572 |
/* build the username filter */ |
| 573 |
if (APR_SUCCESS != authn_ldap_build_filter(filtbuf, r, user, NULL, sec)) { |
573 |
if (APR_SUCCESS != authn_ldap_build_filter(filtbuf, r, user, NULL, sec)) { |
| 574 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02622) |
574 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02622) |
| 575 |
"auth_ldap authenticate: ldap filter too long (>%d): %s", |
575 |
"authnz_ldap authenticate: ldap filter too long (>%d): %s", |
| 576 |
FILTER_LENGTH, filtbuf); |
576 |
FILTER_LENGTH, filtbuf); |
| 577 |
release_ldc(r, ldc); |
577 |
release_ldc(r, ldc); |
| 578 |
return AUTH_GENERAL_ERROR; |
578 |
return AUTH_GENERAL_ERROR; |
| 579 |
} |
579 |
} |
| 580 |
|
580 |
|
| 581 |
ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, |
581 |
ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, |
| 582 |
"auth_ldap authenticate: final authn filter is %s", filtbuf); |
582 |
"authnz_ldap authenticate: final authn filter is %s", filtbuf); |
| 583 |
|
583 |
|
| 584 |
/* convert password to utf-8 */ |
584 |
/* convert password to utf-8 */ |
| 585 |
utfpassword = authn_ldap_xlate_password(r, password); |
585 |
utfpassword = authn_ldap_xlate_password(r, password); |
|
Lines 594-607
static authn_status authn_ldap_check_password(request_rec *r, const char *user,
Link Here
|
| 594 |
if (result != LDAP_SUCCESS) { |
594 |
if (result != LDAP_SUCCESS) { |
| 595 |
if (!sec->bind_authoritative) { |
595 |
if (!sec->bind_authoritative) { |
| 596 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01694) |
596 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01694) |
| 597 |
"auth_ldap authenticate: user %s authentication failed; " |
597 |
"authnz_ldap authenticate: user %s authentication failed; " |
| 598 |
"URI %s [%s][%s] (not authoritative)", |
598 |
"URI %s [%s][%s] (not authoritative)", |
| 599 |
user, r->uri, ldc->reason, ldap_err2string(result)); |
599 |
user, r->uri, ldc->reason, ldap_err2string(result)); |
| 600 |
return AUTH_USER_NOT_FOUND; |
600 |
return AUTH_USER_NOT_FOUND; |
| 601 |
} |
601 |
} |
| 602 |
|
602 |
|
| 603 |
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(01695) |
603 |
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(01695) |
| 604 |
"auth_ldap authenticate: " |
604 |
"authnz_ldap authenticate: " |
| 605 |
"user %s authentication failed; URI %s [%s][%s]", |
605 |
"user %s authentication failed; URI %s [%s][%s]", |
| 606 |
user, r->uri, ldc->reason, ldap_err2string(result)); |
606 |
user, r->uri, ldc->reason, ldap_err2string(result)); |
| 607 |
|
607 |
|
|
Lines 646-652
static authn_status authn_ldap_check_password(request_rec *r, const char *user,
Link Here
|
| 646 |
/* sanity check */ |
646 |
/* sanity check */ |
| 647 |
if (sec->remote_user_attribute && !remote_user_attribute_set) { |
647 |
if (sec->remote_user_attribute && !remote_user_attribute_set) { |
| 648 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01696) |
648 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01696) |
| 649 |
"auth_ldap authenticate: " |
649 |
"authnz_ldap authenticate: " |
| 650 |
"REMOTE_USER was to be set with attribute '%s', " |
650 |
"REMOTE_USER was to be set with attribute '%s', " |
| 651 |
"but this attribute was not requested for in the " |
651 |
"but this attribute was not requested for in the " |
| 652 |
"LDAP query for the user. REMOTE_USER will fall " |
652 |
"LDAP query for the user. REMOTE_USER will fall " |
|
Lines 655-661
static authn_status authn_ldap_check_password(request_rec *r, const char *user,
Link Here
|
| 655 |
} |
655 |
} |
| 656 |
|
656 |
|
| 657 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01697) |
657 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01697) |
| 658 |
"auth_ldap authenticate: accepting %s", user); |
658 |
"authnz_ldap authenticate: accepting %s", user); |
| 659 |
|
659 |
|
| 660 |
return AUTH_GRANTED; |
660 |
return AUTH_GRANTED; |
| 661 |
} |
661 |
} |
|
Lines 673-679
static authz_status get_dn_for_nonldap_authn(request_rec *r, util_ldap_connectio
Link Here
|
| 673 |
/* Build the username filter */ |
673 |
/* Build the username filter */ |
| 674 |
if (APR_SUCCESS != authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec)) { |
674 |
if (APR_SUCCESS != authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec)) { |
| 675 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02623) |
675 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02623) |
| 676 |
"auth_ldap authorize: ldap filter too long (>%d): %s", |
676 |
"authnz_ldap authorize: ldap filter too long (>%d): %s", |
| 677 |
FILTER_LENGTH, filtbuf); |
677 |
FILTER_LENGTH, filtbuf); |
| 678 |
return AUTHZ_DENIED; |
678 |
return AUTHZ_DENIED; |
| 679 |
} |
679 |
} |
|
Lines 685-691
static authz_status get_dn_for_nonldap_authn(request_rec *r, util_ldap_connectio
Link Here
|
| 685 |
/* Search failed, log error and return failure */ |
685 |
/* Search failed, log error and return failure */ |
| 686 |
if (result != LDAP_SUCCESS) { |
686 |
if (result != LDAP_SUCCESS) { |
| 687 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01701) |
687 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01701) |
| 688 |
"auth_ldap authorise: User DN not found, %s", ldc->reason); |
688 |
"authnz_ldap authorise: User DN not found, %s", ldc->reason); |
| 689 |
return AUTHZ_DENIED; |
689 |
return AUTHZ_DENIED; |
| 690 |
} |
690 |
} |
| 691 |
|
691 |
|
|
Lines 724-730
static authz_status ldapuser_check_authorization(request_rec *r,
Link Here
|
| 724 |
|
724 |
|
| 725 |
if (!sec->host) { |
725 |
if (!sec->host) { |
| 726 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01698) |
726 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01698) |
| 727 |
"auth_ldap authorize: no sec->host - weird...?"); |
727 |
"authnz_ldap authorize: no sec->host - weird...?"); |
| 728 |
return AUTHZ_DENIED; |
728 |
return AUTHZ_DENIED; |
| 729 |
} |
729 |
} |
| 730 |
|
730 |
|
|
Lines 750-762
static authz_status ldapuser_check_authorization(request_rec *r,
Link Here
|
| 750 |
|
750 |
|
| 751 |
if (!strlen(r->user)) { |
751 |
if (!strlen(r->user)) { |
| 752 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01699) |
752 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01699) |
| 753 |
"ldap authorize: Userid is blank, AuthType=%s", |
753 |
"authnz_ldap authorize: Userid is blank, AuthType=%s", |
| 754 |
r->ap_auth_type); |
754 |
r->ap_auth_type); |
| 755 |
} |
755 |
} |
| 756 |
|
756 |
|
| 757 |
if (req->dn == NULL || strlen(req->dn) == 0) { |
757 |
if (req->dn == NULL || strlen(req->dn) == 0) { |
| 758 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01702) |
758 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01702) |
| 759 |
"auth_ldap authorize: require user: user's DN has not " |
759 |
"authnz_ldap authorize: require user: user's DN has not " |
| 760 |
"been defined; failing authorization"); |
760 |
"been defined; failing authorization"); |
| 761 |
return AUTHZ_DENIED; |
761 |
return AUTHZ_DENIED; |
| 762 |
} |
762 |
} |
|
Lines 764-770
static authz_status ldapuser_check_authorization(request_rec *r,
Link Here
|
| 764 |
require = ap_expr_str_exec(r, expr, &err); |
764 |
require = ap_expr_str_exec(r, expr, &err); |
| 765 |
if (err) { |
765 |
if (err) { |
| 766 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02585) |
766 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02585) |
| 767 |
"auth_ldap authorize: require user: Can't evaluate expression: %s", |
767 |
"authnz_ldap authorize: require user: Can't evaluate expression: %s", |
| 768 |
err); |
768 |
err); |
| 769 |
return AUTHZ_DENIED; |
769 |
return AUTHZ_DENIED; |
| 770 |
} |
770 |
} |
|
Lines 777-790
static authz_status ldapuser_check_authorization(request_rec *r,
Link Here
|
| 777 |
switch(result) { |
777 |
switch(result) { |
| 778 |
case LDAP_COMPARE_TRUE: { |
778 |
case LDAP_COMPARE_TRUE: { |
| 779 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01703) |
779 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01703) |
| 780 |
"auth_ldap authorize: require user: authorization " |
780 |
"authnz_ldap authorize: require user: authorization " |
| 781 |
"successful"); |
781 |
"successful"); |
| 782 |
set_request_vars(r, LDAP_AUTHZ, req->vals); |
782 |
set_request_vars(r, LDAP_AUTHZ, req->vals); |
| 783 |
return AUTHZ_GRANTED; |
783 |
return AUTHZ_GRANTED; |
| 784 |
} |
784 |
} |
| 785 |
default: { |
785 |
default: { |
| 786 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01704) |
786 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01704) |
| 787 |
"auth_ldap authorize: require user: " |
787 |
"authnz_ldap authorize: require user: " |
| 788 |
"authorization failed [%s][%s]", |
788 |
"authorization failed [%s][%s]", |
| 789 |
ldc->reason, ldap_err2string(result)); |
789 |
ldc->reason, ldap_err2string(result)); |
| 790 |
} |
790 |
} |
|
Lines 799-812
static authz_status ldapuser_check_authorization(request_rec *r,
Link Here
|
| 799 |
switch(result) { |
799 |
switch(result) { |
| 800 |
case LDAP_COMPARE_TRUE: { |
800 |
case LDAP_COMPARE_TRUE: { |
| 801 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01705) |
801 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01705) |
| 802 |
"auth_ldap authorize: " |
802 |
"authnz_ldap authorize: " |
| 803 |
"require user: authorization successful"); |
803 |
"require user: authorization successful"); |
| 804 |
set_request_vars(r, LDAP_AUTHZ, req->vals); |
804 |
set_request_vars(r, LDAP_AUTHZ, req->vals); |
| 805 |
return AUTHZ_GRANTED; |
805 |
return AUTHZ_GRANTED; |
| 806 |
} |
806 |
} |
| 807 |
default: { |
807 |
default: { |
| 808 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01706) |
808 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01706) |
| 809 |
"auth_ldap authorize: " |
809 |
"authnz_ldap authorize: " |
| 810 |
"require user: authorization failed [%s][%s]", |
810 |
"require user: authorization failed [%s][%s]", |
| 811 |
ldc->reason, ldap_err2string(result)); |
811 |
ldc->reason, ldap_err2string(result)); |
| 812 |
} |
812 |
} |
|
Lines 814-820
static authz_status ldapuser_check_authorization(request_rec *r,
Link Here
|
| 814 |
} |
814 |
} |
| 815 |
|
815 |
|
| 816 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01707) |
816 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01707) |
| 817 |
"auth_ldap authorize user: authorization denied for " |
817 |
"authnz_ldap authorize user: authorization denied for " |
| 818 |
"user %s to %s", |
818 |
"user %s to %s", |
| 819 |
r->user, r->uri); |
819 |
r->user, r->uri); |
| 820 |
|
820 |
|
|
Lines 852-858
static authz_status ldapgroup_check_authorization(request_rec *r,
Link Here
|
| 852 |
|
852 |
|
| 853 |
if (!sec->host) { |
853 |
if (!sec->host) { |
| 854 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01708) |
854 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01708) |
| 855 |
"auth_ldap authorize: no sec->host - weird...?"); |
855 |
"authnz_ldap authorize: no sec->host - weird...?"); |
| 856 |
return AUTHZ_DENIED; |
856 |
return AUTHZ_DENIED; |
| 857 |
} |
857 |
} |
| 858 |
|
858 |
|
|
Lines 912-918
static authz_status ldapgroup_check_authorization(request_rec *r,
Link Here
|
| 912 |
|
912 |
|
| 913 |
if (!strlen(r->user)) { |
913 |
if (!strlen(r->user)) { |
| 914 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01709) |
914 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01709) |
| 915 |
"ldap authorize: Userid is blank, AuthType=%s", |
915 |
"authnz_ldap authorize: Userid is blank, AuthType=%s", |
| 916 |
r->ap_auth_type); |
916 |
r->ap_auth_type); |
| 917 |
} |
917 |
} |
| 918 |
|
918 |
|
|
Lines 922-928
static authz_status ldapgroup_check_authorization(request_rec *r,
Link Here
|
| 922 |
if (sec->group_attrib_is_dn) { |
922 |
if (sec->group_attrib_is_dn) { |
| 923 |
if (req->dn == NULL || strlen(req->dn) == 0) { |
923 |
if (req->dn == NULL || strlen(req->dn) == 0) { |
| 924 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01712) |
924 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01712) |
| 925 |
"auth_ldap authorize: require group: user's DN has " |
925 |
"authnz_ldap authorize: require group: user's DN has " |
| 926 |
"not been defined; failing authorization for user %s", |
926 |
"not been defined; failing authorization for user %s", |
| 927 |
r->user); |
927 |
r->user); |
| 928 |
return AUTHZ_DENIED; |
928 |
return AUTHZ_DENIED; |
|
Lines 939-945
static authz_status ldapgroup_check_authorization(request_rec *r,
Link Here
|
| 939 |
require = ap_expr_str_exec(r, expr, &err); |
939 |
require = ap_expr_str_exec(r, expr, &err); |
| 940 |
if (err) { |
940 |
if (err) { |
| 941 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02586) |
941 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02586) |
| 942 |
"auth_ldap authorize: require group: Can't evaluate expression: %s", |
942 |
"authnz_ldap authorize: require group: Can't evaluate expression: %s", |
| 943 |
err); |
943 |
err); |
| 944 |
return AUTHZ_DENIED; |
944 |
return AUTHZ_DENIED; |
| 945 |
} |
945 |
} |
|
Lines 947-960
static authz_status ldapgroup_check_authorization(request_rec *r,
Link Here
|
| 947 |
t = require; |
947 |
t = require; |
| 948 |
|
948 |
|
| 949 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01713) |
949 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01713) |
| 950 |
"auth_ldap authorize: require group: testing for group " |
950 |
"authnz_ldap authorize: require group: testing for group " |
| 951 |
"membership in \"%s\"", |
951 |
"membership in \"%s\"", |
| 952 |
t); |
952 |
t); |
| 953 |
|
953 |
|
| 954 |
/* PR52464 exhaust attrs in base group before checking subgroups */ |
954 |
/* PR52464 exhaust attrs in base group before checking subgroups */ |
| 955 |
for (i = 0; i < sec->groupattr->nelts; i++) { |
955 |
for (i = 0; i < sec->groupattr->nelts; i++) { |
| 956 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01714) |
956 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01714) |
| 957 |
"auth_ldap authorize: require group: testing for %s: " |
957 |
"authnz_ldap authorize: require group: testing for %s: " |
| 958 |
"%s (%s)", |
958 |
"%s (%s)", |
| 959 |
ent[i].name, |
959 |
ent[i].name, |
| 960 |
sec->group_attrib_is_dn ? req->dn : req->user, t); |
960 |
sec->group_attrib_is_dn ? req->dn : req->user, t); |
|
Lines 963-969
static authz_status ldapgroup_check_authorization(request_rec *r,
Link Here
|
| 963 |
sec->group_attrib_is_dn ? req->dn : req->user); |
963 |
sec->group_attrib_is_dn ? req->dn : req->user); |
| 964 |
if (result == LDAP_COMPARE_TRUE) { |
964 |
if (result == LDAP_COMPARE_TRUE) { |
| 965 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01715) |
965 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01715) |
| 966 |
"auth_ldap authorize: require group: " |
966 |
"authnz_ldap authorize: require group: " |
| 967 |
"authorization successful (attribute %s) " |
967 |
"authorization successful (attribute %s) " |
| 968 |
"[%s][%d - %s]", |
968 |
"[%s][%d - %s]", |
| 969 |
ent[i].name, ldc->reason, result, |
969 |
ent[i].name, ldc->reason, result, |
|
Lines 973-979
static authz_status ldapgroup_check_authorization(request_rec *r,
Link Here
|
| 973 |
} |
973 |
} |
| 974 |
else { |
974 |
else { |
| 975 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01719) |
975 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01719) |
| 976 |
"auth_ldap authorize: require group \"%s\": " |
976 |
"authnz_ldap authorize: require group \"%s\": " |
| 977 |
"didn't match with attr %s [%s][%d - %s]", |
977 |
"didn't match with attr %s [%s][%d - %s]", |
| 978 |
t, ent[i].name, ldc->reason, result, |
978 |
t, ent[i].name, ldc->reason, result, |
| 979 |
ldap_err2string(result)); |
979 |
ldap_err2string(result)); |
|
Lines 985-991
static authz_status ldapgroup_check_authorization(request_rec *r,
Link Here
|
| 985 |
release_ldc(r, ldc); |
985 |
release_ldc(r, ldc); |
| 986 |
ldc = get_connection_for_authz(r, LDAP_COMPARE_AND_SEARCH); |
986 |
ldc = get_connection_for_authz(r, LDAP_COMPARE_AND_SEARCH); |
| 987 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01716) |
987 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01716) |
| 988 |
"auth_ldap authorise: require group \"%s\": " |
988 |
"authnz_ldap authorise: require group \"%s\": " |
| 989 |
"failed [%s][%d - %s], checking sub-groups", |
989 |
"failed [%s][%d - %s], checking sub-groups", |
| 990 |
t, ldc->reason, result, ldap_err2string(result)); |
990 |
t, ldc->reason, result, ldap_err2string(result)); |
| 991 |
} |
991 |
} |
|
Lines 999-1005
static authz_status ldapgroup_check_authorization(request_rec *r,
Link Here
|
| 999 |
0, sec->maxNestingDepth); |
999 |
0, sec->maxNestingDepth); |
| 1000 |
if (result == LDAP_COMPARE_TRUE) { |
1000 |
if (result == LDAP_COMPARE_TRUE) { |
| 1001 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01717) |
1001 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01717) |
| 1002 |
"auth_ldap authorise: require group " |
1002 |
"authnz_ldap authorise: require group " |
| 1003 |
"(sub-group): authorisation successful " |
1003 |
"(sub-group): authorisation successful " |
| 1004 |
"(attribute %s) [%s][%d - %s]", |
1004 |
"(attribute %s) [%s][%d - %s]", |
| 1005 |
ent[i].name, ldc->reason, result, |
1005 |
ent[i].name, ldc->reason, result, |
|
Lines 1009-1015
static authz_status ldapgroup_check_authorization(request_rec *r,
Link Here
|
| 1009 |
} |
1009 |
} |
| 1010 |
else { |
1010 |
else { |
| 1011 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01718) |
1011 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01718) |
| 1012 |
"auth_ldap authorise: require group " |
1012 |
"authnz_ldap authorise: require group " |
| 1013 |
"(sub-group) \"%s\": didn't match with attr %s " |
1013 |
"(sub-group) \"%s\": didn't match with attr %s " |
| 1014 |
"[%s][%d - %s]", |
1014 |
"[%s][%d - %s]", |
| 1015 |
t, ldc->reason, ent[i].name, result, |
1015 |
t, ldc->reason, ent[i].name, result, |
|
Lines 1018-1024
static authz_status ldapgroup_check_authorization(request_rec *r,
Link Here
|
| 1018 |
} |
1018 |
} |
| 1019 |
|
1019 |
|
| 1020 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01720) |
1020 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01720) |
| 1021 |
"auth_ldap authorize group: authorization denied for " |
1021 |
"authnz_ldap authorize group: authorization denied for " |
| 1022 |
"user %s to %s", |
1022 |
"user %s to %s", |
| 1023 |
r->user, r->uri); |
1023 |
r->user, r->uri); |
| 1024 |
|
1024 |
|
|
Lines 1053-1071
static authz_status ldapdn_check_authorization(request_rec *r,
Link Here
|
| 1053 |
|
1053 |
|
| 1054 |
if (!sec->host) { |
1054 |
if (!sec->host) { |
| 1055 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01721) |
1055 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01721) |
| 1056 |
"auth_ldap authorize: no sec->host - weird...?"); |
1056 |
"authnz_ldap authorize: no sec->host - weird...?"); |
| 1057 |
return AUTHZ_DENIED; |
1057 |
return AUTHZ_DENIED; |
| 1058 |
} |
1058 |
} |
| 1059 |
|
1059 |
|
| 1060 |
/* |
1060 |
/* |
| 1061 |
* If we have been authenticated by some other module than mod_auth_ldap, |
1061 |
* If we have been authenticated by some other module than mod_authnz_ldap, |
| 1062 |
* the req structure needed for authorization needs to be created |
1062 |
* the req structure needed for authorization needs to be created |
| 1063 |
* and populated with the userid and DN of the account in LDAP |
1063 |
* and populated with the userid and DN of the account in LDAP |
| 1064 |
*/ |
1064 |
*/ |
| 1065 |
|
1065 |
|
| 1066 |
if (!strlen(r->user)) { |
1066 |
if (!strlen(r->user)) { |
| 1067 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01722) |
1067 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01722) |
| 1068 |
"ldap authorize: Userid is blank, AuthType=%s", |
1068 |
"authnz_ldap authorize: Userid is blank, AuthType=%s", |
| 1069 |
r->ap_auth_type); |
1069 |
r->ap_auth_type); |
| 1070 |
} |
1070 |
} |
| 1071 |
|
1071 |
|
|
Lines 1084-1090
static authz_status ldapdn_check_authorization(request_rec *r,
Link Here
|
| 1084 |
require = ap_expr_str_exec(r, expr, &err); |
1084 |
require = ap_expr_str_exec(r, expr, &err); |
| 1085 |
if (err) { |
1085 |
if (err) { |
| 1086 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02587) |
1086 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02587) |
| 1087 |
"auth_ldap authorize: require dn: Can't evaluate expression: %s", |
1087 |
"authnz_ldap authorize: require dn: Can't evaluate expression: %s", |
| 1088 |
err); |
1088 |
err); |
| 1089 |
return AUTHZ_DENIED; |
1089 |
return AUTHZ_DENIED; |
| 1090 |
} |
1090 |
} |
|
Lines 1093-1099
static authz_status ldapdn_check_authorization(request_rec *r,
Link Here
|
| 1093 |
|
1093 |
|
| 1094 |
if (req->dn == NULL || strlen(req->dn) == 0) { |
1094 |
if (req->dn == NULL || strlen(req->dn) == 0) { |
| 1095 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01725) |
1095 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01725) |
| 1096 |
"auth_ldap authorize: require dn: user's DN has not " |
1096 |
"authnz_ldap authorize: require dn: user's DN has not " |
| 1097 |
"been defined; failing authorization"); |
1097 |
"been defined; failing authorization"); |
| 1098 |
return AUTHZ_DENIED; |
1098 |
return AUTHZ_DENIED; |
| 1099 |
} |
1099 |
} |
|
Lines 1102-1115
static authz_status ldapdn_check_authorization(request_rec *r,
Link Here
|
| 1102 |
switch(result) { |
1102 |
switch(result) { |
| 1103 |
case LDAP_COMPARE_TRUE: { |
1103 |
case LDAP_COMPARE_TRUE: { |
| 1104 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01726) |
1104 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01726) |
| 1105 |
"auth_ldap authorize: " |
1105 |
"authnz_ldap authorize: " |
| 1106 |
"require dn: authorization successful"); |
1106 |
"require dn: authorization successful"); |
| 1107 |
set_request_vars(r, LDAP_AUTHZ, req->vals); |
1107 |
set_request_vars(r, LDAP_AUTHZ, req->vals); |
| 1108 |
return AUTHZ_GRANTED; |
1108 |
return AUTHZ_GRANTED; |
| 1109 |
} |
1109 |
} |
| 1110 |
default: { |
1110 |
default: { |
| 1111 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01727) |
1111 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01727) |
| 1112 |
"auth_ldap authorize: " |
1112 |
"authnz_ldap authorize: " |
| 1113 |
"require dn \"%s\": LDAP error [%s][%s]", |
1113 |
"require dn \"%s\": LDAP error [%s][%s]", |
| 1114 |
t, ldc->reason, ldap_err2string(result)); |
1114 |
t, ldc->reason, ldap_err2string(result)); |
| 1115 |
} |
1115 |
} |
|
Lines 1117-1123
static authz_status ldapdn_check_authorization(request_rec *r,
Link Here
|
| 1117 |
|
1117 |
|
| 1118 |
|
1118 |
|
| 1119 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01728) |
1119 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01728) |
| 1120 |
"auth_ldap authorize dn: authorization denied for " |
1120 |
"authnz_ldap authorize dn: authorization denied for " |
| 1121 |
"user %s to %s", |
1121 |
"user %s to %s", |
| 1122 |
r->user, r->uri); |
1122 |
r->user, r->uri); |
| 1123 |
|
1123 |
|
|
Lines 1153-1171
static authz_status ldapattribute_check_authorization(request_rec *r,
Link Here
|
| 1153 |
|
1153 |
|
| 1154 |
if (!sec->host) { |
1154 |
if (!sec->host) { |
| 1155 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01729) |
1155 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01729) |
| 1156 |
"auth_ldap authorize: no sec->host - weird...?"); |
1156 |
"authnz_ldap authorize: no sec->host - weird...?"); |
| 1157 |
return AUTHZ_DENIED; |
1157 |
return AUTHZ_DENIED; |
| 1158 |
} |
1158 |
} |
| 1159 |
|
1159 |
|
| 1160 |
/* |
1160 |
/* |
| 1161 |
* If we have been authenticated by some other module than mod_auth_ldap, |
1161 |
* If we have been authenticated by some other module than mod_authnz_ldap, |
| 1162 |
* the req structure needed for authorization needs to be created |
1162 |
* the req structure needed for authorization needs to be created |
| 1163 |
* and populated with the userid and DN of the account in LDAP |
1163 |
* and populated with the userid and DN of the account in LDAP |
| 1164 |
*/ |
1164 |
*/ |
| 1165 |
|
1165 |
|
| 1166 |
if (!strlen(r->user)) { |
1166 |
if (!strlen(r->user)) { |
| 1167 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01730) |
1167 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01730) |
| 1168 |
"ldap authorize: Userid is blank, AuthType=%s", |
1168 |
"authnz_ldap authorize: Userid is blank, AuthType=%s", |
| 1169 |
r->ap_auth_type); |
1169 |
r->ap_auth_type); |
| 1170 |
} |
1170 |
} |
| 1171 |
|
1171 |
|
|
Lines 1183-1189
static authz_status ldapattribute_check_authorization(request_rec *r,
Link Here
|
| 1183 |
|
1183 |
|
| 1184 |
if (req->dn == NULL || strlen(req->dn) == 0) { |
1184 |
if (req->dn == NULL || strlen(req->dn) == 0) { |
| 1185 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01733) |
1185 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01733) |
| 1186 |
"auth_ldap authorize: require ldap-attribute: user's DN " |
1186 |
"authnz_ldap authorize: require ldap-attribute: user's DN " |
| 1187 |
"has not been defined; failing authorization"); |
1187 |
"has not been defined; failing authorization"); |
| 1188 |
return AUTHZ_DENIED; |
1188 |
return AUTHZ_DENIED; |
| 1189 |
} |
1189 |
} |
|
Lines 1191-1197
static authz_status ldapattribute_check_authorization(request_rec *r,
Link Here
|
| 1191 |
require = ap_expr_str_exec(r, expr, &err); |
1191 |
require = ap_expr_str_exec(r, expr, &err); |
| 1192 |
if (err) { |
1192 |
if (err) { |
| 1193 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02588) |
1193 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02588) |
| 1194 |
"auth_ldap authorize: require ldap-attribute: Can't " |
1194 |
"authnz_ldap authorize: require ldap-attribute: Can't " |
| 1195 |
"evaluate expression: %s", err); |
1195 |
"evaluate expression: %s", err); |
| 1196 |
return AUTHZ_DENIED; |
1196 |
return AUTHZ_DENIED; |
| 1197 |
} |
1197 |
} |
|
Lines 1203-1222
static authz_status ldapattribute_check_authorization(request_rec *r,
Link Here
|
| 1203 |
value = ap_getword_conf(r->pool, &t); |
1203 |
value = ap_getword_conf(r->pool, &t); |
| 1204 |
|
1204 |
|
| 1205 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01734) |
1205 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01734) |
| 1206 |
"auth_ldap authorize: checking attribute %s has value %s", |
1206 |
"authnz_ldap authorize: checking attribute %s has value %s", |
| 1207 |
w, value); |
1207 |
w, value); |
| 1208 |
result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, w, value); |
1208 |
result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, w, value); |
| 1209 |
switch(result) { |
1209 |
switch(result) { |
| 1210 |
case LDAP_COMPARE_TRUE: { |
1210 |
case LDAP_COMPARE_TRUE: { |
| 1211 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01735) |
1211 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01735) |
| 1212 |
"auth_ldap authorize: " |
1212 |
"authnz_ldap authorize: " |
| 1213 |
"require attribute: authorization successful"); |
1213 |
"require attribute: authorization successful"); |
| 1214 |
set_request_vars(r, LDAP_AUTHZ, req->vals); |
1214 |
set_request_vars(r, LDAP_AUTHZ, req->vals); |
| 1215 |
return AUTHZ_GRANTED; |
1215 |
return AUTHZ_GRANTED; |
| 1216 |
} |
1216 |
} |
| 1217 |
default: { |
1217 |
default: { |
| 1218 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01736) |
1218 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01736) |
| 1219 |
"auth_ldap authorize: require attribute: " |
1219 |
"authnz_ldap authorize: require attribute: " |
| 1220 |
"authorization failed [%s][%s]", |
1220 |
"authorization failed [%s][%s]", |
| 1221 |
ldc->reason, ldap_err2string(result)); |
1221 |
ldc->reason, ldap_err2string(result)); |
| 1222 |
} |
1222 |
} |
|
Lines 1224-1230
static authz_status ldapattribute_check_authorization(request_rec *r,
Link Here
|
| 1224 |
} |
1224 |
} |
| 1225 |
|
1225 |
|
| 1226 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01737) |
1226 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01737) |
| 1227 |
"auth_ldap authorize attribute: authorization denied for " |
1227 |
"authnz_ldap authorize attribute: authorization denied for " |
| 1228 |
"user %s to %s", |
1228 |
"user %s to %s", |
| 1229 |
r->user, r->uri); |
1229 |
r->user, r->uri); |
| 1230 |
|
1230 |
|
|
Lines 1262-1280
static authz_status ldapfilter_check_authorization(request_rec *r,
Link Here
|
| 1262 |
|
1262 |
|
| 1263 |
if (!sec->host) { |
1263 |
if (!sec->host) { |
| 1264 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01738) |
1264 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01738) |
| 1265 |
"auth_ldap authorize: no sec->host - weird...?"); |
1265 |
"authnz_ldap authorize: no sec->host - weird...?"); |
| 1266 |
return AUTHZ_DENIED; |
1266 |
return AUTHZ_DENIED; |
| 1267 |
} |
1267 |
} |
| 1268 |
|
1268 |
|
| 1269 |
/* |
1269 |
/* |
| 1270 |
* If we have been authenticated by some other module than mod_auth_ldap, |
1270 |
* If we have been authenticated by some other module than mod_authnz_ldap, |
| 1271 |
* the req structure needed for authorization needs to be created |
1271 |
* the req structure needed for authorization needs to be created |
| 1272 |
* and populated with the userid and DN of the account in LDAP |
1272 |
* and populated with the userid and DN of the account in LDAP |
| 1273 |
*/ |
1273 |
*/ |
| 1274 |
|
1274 |
|
| 1275 |
if (!strlen(r->user)) { |
1275 |
if (!strlen(r->user)) { |
| 1276 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01739) |
1276 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01739) |
| 1277 |
"ldap authorize: Userid is blank, AuthType=%s", |
1277 |
"authnz_ldap authorize: Userid is blank, AuthType=%s", |
| 1278 |
r->ap_auth_type); |
1278 |
r->ap_auth_type); |
| 1279 |
} |
1279 |
} |
| 1280 |
|
1280 |
|
|
Lines 1292-1298
static authz_status ldapfilter_check_authorization(request_rec *r,
Link Here
|
| 1292 |
|
1292 |
|
| 1293 |
if (req->dn == NULL || strlen(req->dn) == 0) { |
1293 |
if (req->dn == NULL || strlen(req->dn) == 0) { |
| 1294 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01742) |
1294 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01742) |
| 1295 |
"auth_ldap authorize: require ldap-filter: user's DN " |
1295 |
"authnz_ldap authorize: require ldap-filter: user's DN " |
| 1296 |
"has not been defined; failing authorization"); |
1296 |
"has not been defined; failing authorization"); |
| 1297 |
return AUTHZ_DENIED; |
1297 |
return AUTHZ_DENIED; |
| 1298 |
} |
1298 |
} |
|
Lines 1300-1306
static authz_status ldapfilter_check_authorization(request_rec *r,
Link Here
|
| 1300 |
require = ap_expr_str_exec(r, expr, &err); |
1300 |
require = ap_expr_str_exec(r, expr, &err); |
| 1301 |
if (err) { |
1301 |
if (err) { |
| 1302 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02589) |
1302 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02589) |
| 1303 |
"auth_ldap authorize: require ldap-filter: Can't " |
1303 |
"authnz_ldap authorize: require ldap-filter: Can't " |
| 1304 |
"evaluate require expression: %s", err); |
1304 |
"evaluate require expression: %s", err); |
| 1305 |
return AUTHZ_DENIED; |
1305 |
return AUTHZ_DENIED; |
| 1306 |
} |
1306 |
} |
|
Lines 1309-1320
static authz_status ldapfilter_check_authorization(request_rec *r,
Link Here
|
| 1309 |
|
1309 |
|
| 1310 |
if (t[0]) { |
1310 |
if (t[0]) { |
| 1311 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01743) |
1311 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01743) |
| 1312 |
"auth_ldap authorize: checking filter %s", t); |
1312 |
"authnz_ldap authorize: checking filter %s", t); |
| 1313 |
|
1313 |
|
| 1314 |
/* Build the username filter */ |
1314 |
/* Build the username filter */ |
| 1315 |
if (APR_SUCCESS != authn_ldap_build_filter(filtbuf, r, req->user, t, sec)) { |
1315 |
if (APR_SUCCESS != authn_ldap_build_filter(filtbuf, r, req->user, t, sec)) { |
| 1316 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02628) |
1316 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02628) |
| 1317 |
"auth_ldap authorize: ldap filter too long (>%d): %s", |
1317 |
"authnz_ldap authorize: ldap filter too long (>%d): %s", |
| 1318 |
FILTER_LENGTH, filtbuf); |
1318 |
FILTER_LENGTH, filtbuf); |
| 1319 |
return AUTHZ_DENIED; |
1319 |
return AUTHZ_DENIED; |
| 1320 |
} |
1320 |
} |
|
Lines 1326-1332
static authz_status ldapfilter_check_authorization(request_rec *r,
Link Here
|
| 1326 |
/* Make sure that the filtered search returned the correct user dn */ |
1326 |
/* Make sure that the filtered search returned the correct user dn */ |
| 1327 |
if (result == LDAP_SUCCESS) { |
1327 |
if (result == LDAP_SUCCESS) { |
| 1328 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01744) |
1328 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01744) |
| 1329 |
"auth_ldap authorize: checking dn match %s", dn); |
1329 |
"authnz_ldap authorize: checking dn match %s", dn); |
| 1330 |
if (sec->compare_as_user) { |
1330 |
if (sec->compare_as_user) { |
| 1331 |
/* ldap-filter is the only authz that requires a search and a compare */ |
1331 |
/* ldap-filter is the only authz that requires a search and a compare */ |
| 1332 |
release_ldc(r, ldc); |
1332 |
release_ldc(r, ldc); |
|
Lines 1339-1359
static authz_status ldapfilter_check_authorization(request_rec *r,
Link Here
|
| 1339 |
switch(result) { |
1339 |
switch(result) { |
| 1340 |
case LDAP_COMPARE_TRUE: { |
1340 |
case LDAP_COMPARE_TRUE: { |
| 1341 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01745) |
1341 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01745) |
| 1342 |
"auth_ldap authorize: require ldap-filter: " |
1342 |
"authnz_ldap authorize: require ldap-filter: " |
| 1343 |
"authorization successful"); |
1343 |
"authorization successful"); |
| 1344 |
set_request_vars(r, LDAP_AUTHZ, req->vals); |
1344 |
set_request_vars(r, LDAP_AUTHZ, req->vals); |
| 1345 |
return AUTHZ_GRANTED; |
1345 |
return AUTHZ_GRANTED; |
| 1346 |
} |
1346 |
} |
| 1347 |
case LDAP_FILTER_ERROR: { |
1347 |
case LDAP_FILTER_ERROR: { |
| 1348 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01746) |
1348 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01746) |
| 1349 |
"auth_ldap authorize: require ldap-filter: " |
1349 |
"authnz_ldap authorize: require ldap-filter: " |
| 1350 |
"%s authorization failed [%s][%s]", |
1350 |
"%s authorization failed [%s][%s]", |
| 1351 |
filtbuf, ldc->reason, ldap_err2string(result)); |
1351 |
filtbuf, ldc->reason, ldap_err2string(result)); |
| 1352 |
break; |
1352 |
break; |
| 1353 |
} |
1353 |
} |
| 1354 |
default: { |
1354 |
default: { |
| 1355 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01747) |
1355 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01747) |
| 1356 |
"auth_ldap authorize: require ldap-filter: " |
1356 |
"authnz_ldap authorize: require ldap-filter: " |
| 1357 |
"authorization failed [%s][%s]", |
1357 |
"authorization failed [%s][%s]", |
| 1358 |
ldc->reason, ldap_err2string(result)); |
1358 |
ldc->reason, ldap_err2string(result)); |
| 1359 |
} |
1359 |
} |
|
Lines 1361-1367
static authz_status ldapfilter_check_authorization(request_rec *r,
Link Here
|
| 1361 |
} |
1361 |
} |
| 1362 |
|
1362 |
|
| 1363 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01748) |
1363 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01748) |
| 1364 |
"auth_ldap authorize filter: authorization denied for " |
1364 |
"authnz_ldap authorize filter: authorization denied for " |
| 1365 |
"user %s to %s", |
1365 |
"user %s to %s", |
| 1366 |
r->user, r->uri); |
1366 |
r->user, r->uri); |
| 1367 |
|
1367 |
|
|
Lines 1393-1406
static authz_status ldapsearch_check_authorization(request_rec *r,
Link Here
|
| 1393 |
} |
1393 |
} |
| 1394 |
else { |
1394 |
else { |
| 1395 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02636) |
1395 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02636) |
| 1396 |
"auth_ldap authorize: no sec->host - weird...?"); |
1396 |
"authnz_ldap authorize: no sec->host - weird...?"); |
| 1397 |
return AUTHZ_DENIED; |
1397 |
return AUTHZ_DENIED; |
| 1398 |
} |
1398 |
} |
| 1399 |
|
1399 |
|
| 1400 |
require = ap_expr_str_exec(r, expr, &err); |
1400 |
require = ap_expr_str_exec(r, expr, &err); |
| 1401 |
if (err) { |
1401 |
if (err) { |
| 1402 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02629) |
1402 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02629) |
| 1403 |
"auth_ldap authorize: require ldap-search: Can't " |
1403 |
"authnz_ldap authorize: require ldap-search: Can't " |
| 1404 |
"evaluate require expression: %s", err); |
1404 |
"evaluate require expression: %s", err); |
| 1405 |
return AUTHZ_DENIED; |
1405 |
return AUTHZ_DENIED; |
| 1406 |
} |
1406 |
} |
|
Lines 1411-1417
static authz_status ldapsearch_check_authorization(request_rec *r,
Link Here
|
| 1411 |
const char **vals; |
1411 |
const char **vals; |
| 1412 |
|
1412 |
|
| 1413 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02630) |
1413 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02630) |
| 1414 |
"auth_ldap authorize: checking filter %s", t); |
1414 |
"authnz_ldap authorize: checking filter %s", t); |
| 1415 |
|
1415 |
|
| 1416 |
/* Search for the user DN */ |
1416 |
/* Search for the user DN */ |
| 1417 |
result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, |
1417 |
result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, |
|
Lines 1420-1439
static authz_status ldapsearch_check_authorization(request_rec *r,
Link Here
|
| 1420 |
/* Make sure that the filtered search returned a single dn */ |
1420 |
/* Make sure that the filtered search returned a single dn */ |
| 1421 |
if (result == LDAP_SUCCESS && dn) { |
1421 |
if (result == LDAP_SUCCESS && dn) { |
| 1422 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02631) |
1422 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02631) |
| 1423 |
"auth_ldap authorize: require ldap-search: " |
1423 |
"authnz_ldap authorize: require ldap-search: " |
| 1424 |
"authorization successful"); |
1424 |
"authorization successful"); |
| 1425 |
return AUTHZ_GRANTED; |
1425 |
return AUTHZ_GRANTED; |
| 1426 |
} |
1426 |
} |
| 1427 |
else { |
1427 |
else { |
| 1428 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02632) |
1428 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02632) |
| 1429 |
"auth_ldap authorize: require ldap-search: " |
1429 |
"authnz_ldap authorize: require ldap-search: " |
| 1430 |
"%s authorization failed [%s][%s]", |
1430 |
"%s authorization failed [%s][%s]", |
| 1431 |
t, ldc->reason, ldap_err2string(result)); |
1431 |
t, ldc->reason, ldap_err2string(result)); |
| 1432 |
} |
1432 |
} |
| 1433 |
} |
1433 |
} |
| 1434 |
|
1434 |
|
| 1435 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02633) |
1435 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02633) |
| 1436 |
"auth_ldap authorize search: authorization denied for " |
1436 |
"authnz_ldap authorize search: authorization denied for " |
| 1437 |
"to %s", r->uri); |
1437 |
"to %s", r->uri); |
| 1438 |
|
1438 |
|
| 1439 |
return AUTHZ_DENIED; |
1439 |
return AUTHZ_DENIED; |
|
Lines 1556-1562
static const char *mod_auth_ldap_parse_url(cmd_parms *cmd,
Link Here
|
| 1556 |
sec->have_ldap_url = 1; |
1556 |
sec->have_ldap_url = 1; |
| 1557 |
|
1557 |
|
| 1558 |
ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, cmd->server, |
1558 |
ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, cmd->server, |
| 1559 |
"auth_ldap url parse: `%s', Host: %s, Port: %d, DN: %s, " |
1559 |
"authnz_ldap url parse: `%s', Host: %s, Port: %d, DN: %s, " |
| 1560 |
"attrib: %s, scope: %s, filter: %s, connection mode: %s", |
1560 |
"attrib: %s, scope: %s, filter: %s, connection mode: %s", |
| 1561 |
url, |
1561 |
url, |
| 1562 |
urld->lud_host, |
1562 |
urld->lud_host, |
|
Lines 1766-1772
static const command_rec authnz_ldap_cmds[] =
Link Here
|
| 1766 |
|
1766 |
|
| 1767 |
AP_INIT_FLAG("AuthLDAPCompareDNOnServer", ap_set_flag_slot, |
1767 |
AP_INIT_FLAG("AuthLDAPCompareDNOnServer", ap_set_flag_slot, |
| 1768 |
(void *)APR_OFFSETOF(authn_ldap_config_t, compare_dn_on_server), OR_AUTHCFG, |
1768 |
(void *)APR_OFFSETOF(authn_ldap_config_t, compare_dn_on_server), OR_AUTHCFG, |
| 1769 |
"Set to 'on' to force auth_ldap to do DN compares (for the \"require dn\" " |
1769 |
"Set to 'on' to force authnz_ldap to do DN compares (for the \"require dn\" " |
| 1770 |
"directive) using the server, and set it 'off' to do the compares locally " |
1770 |
"directive) using the server, and set it 'off' to do the compares locally " |
| 1771 |
"(at the expense of possible false matches). See the documentation for " |
1771 |
"(at the expense of possible false matches). See the documentation for " |
| 1772 |
"a complete description of this option."), |
1772 |
"a complete description of this option."), |
|
Lines 1788-1795
static const command_rec authnz_ldap_cmds[] =
Link Here
|
| 1788 |
|
1788 |
|
| 1789 |
AP_INIT_FLAG("AuthLDAPGroupAttributeIsDN", ap_set_flag_slot, |
1789 |
AP_INIT_FLAG("AuthLDAPGroupAttributeIsDN", ap_set_flag_slot, |
| 1790 |
(void *)APR_OFFSETOF(authn_ldap_config_t, group_attrib_is_dn), OR_AUTHCFG, |
1790 |
(void *)APR_OFFSETOF(authn_ldap_config_t, group_attrib_is_dn), OR_AUTHCFG, |
| 1791 |
"If set to 'on', auth_ldap uses the DN that is retrieved from the server for " |
1791 |
"If set to 'on', authnz_ldap uses the DN that is retrieved from the server for " |
| 1792 |
"subsequent group comparisons. If set to 'off', auth_ldap uses the string " |
1792 |
"subsequent group comparisons. If set to 'off', authnz_ldap uses the string " |
| 1793 |
"provided by the client directly. Defaults to 'on'."), |
1793 |
"provided by the client directly. Defaults to 'on'."), |
| 1794 |
|
1794 |
|
| 1795 |
AP_INIT_TAKE1("AuthLDAPDereferenceAliases", mod_auth_ldap_set_deref, NULL, OR_AUTHCFG, |
1795 |
AP_INIT_TAKE1("AuthLDAPDereferenceAliases", mod_auth_ldap_set_deref, NULL, OR_AUTHCFG, |