Tree - source-git/httpd - CentOS Git server

source-git / httpd

Blame modules/aaa/mod_authnz_ldap.c

Blob History Raw

Packit	90a5c9	`/* Licensed to the Apache Software Foundation (ASF) under one or more`
Packit	90a5c9	`* contributor license agreements. See the NOTICE file distributed with`
Packit	90a5c9	`* this work for additional information regarding copyright ownership.`
Packit	90a5c9	`* The ASF licenses this file to You under the Apache License, Version 2.0`
Packit	90a5c9	`* (the "License"); you may not use this file except in compliance with`
Packit	90a5c9	`* the License. You may obtain a copy of the License at`
Packit	90a5c9	`*`
Packit	90a5c9	`* http://www.apache.org/licenses/LICENSE-2.0`
Packit	90a5c9	`*`
Packit	90a5c9	`* Unless required by applicable law or agreed to in writing, software`
Packit	90a5c9	`* distributed under the License is distributed on an "AS IS" BASIS,`
Packit	90a5c9	`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
Packit	90a5c9	`* See the License for the specific language governing permissions and`
Packit	90a5c9	`* limitations under the License.`
Packit	90a5c9	`*/`
Packit	90a5c9
Packit	90a5c9	`#include "ap_provider.h"`
Packit	90a5c9	`#include "httpd.h"`
Packit	90a5c9	`#include "http_config.h"`
Packit	90a5c9	`#include "ap_provider.h"`
Packit	90a5c9	`#include "http_core.h"`
Packit	90a5c9	`#include "http_log.h"`
Packit	90a5c9	`#include "http_protocol.h"`
Packit	90a5c9	`#include "http_request.h"`
Packit	90a5c9	`#include "util_ldap.h"`
Packit	90a5c9
Packit	90a5c9	`#include "mod_auth.h"`
Packit	90a5c9
Packit	90a5c9	`#include "apr_strings.h"`
Packit	90a5c9	`#include "apr_xlate.h"`
Packit	90a5c9	`#define APR_WANT_STRFUNC`
Packit	90a5c9	`#include "apr_want.h"`
Packit	90a5c9	`#include "apr_lib.h"`
Packit	90a5c9
Packit	90a5c9	`#include <ctype.h>`
Packit	90a5c9
Packit	90a5c9	`#if !APR_HAS_LDAP`
Packit	90a5c9	`#error mod_authnz_ldap requires APR-util to have LDAP support built in. To fix add --with-ldap to ./configure.`
Packit	90a5c9	`#endif`
Packit	90a5c9
Packit	90a5c9	`static char *default_attributes[3] = { "member", "uniqueMember", NULL };`
Packit	90a5c9
Packit	90a5c9	`typedef struct {`
Packit	90a5c9	`apr_pool_t pool; / Pool that this config is allocated from */`
Packit	90a5c9	`#if APR_HAS_THREADS`
Packit	90a5c9	`apr_thread_mutex_t lock; / Lock for this config */`
Packit	90a5c9	`#endif`
Packit	90a5c9
Packit	90a5c9	`/* These parameters are all derived from the AuthLDAPURL directive */`
Packit	90a5c9	`char url; / String representation of the URL */`
Packit	90a5c9
Packit	90a5c9	`char host; / Name of the LDAP server (or space separated list) */`
Packit	90a5c9	`int port; /* Port of the LDAP server */`
Packit	90a5c9	`char basedn; / Base DN to do all searches from */`
Packit	90a5c9	`char attribute; / Attribute to search for */`
Packit	90a5c9	`char *attributes; / Array of all the attributes to return */`
Packit	90a5c9	`int scope; /* Scope of the search */`
Packit	90a5c9	`char filter; / Filter to further limit the search */`
Packit	90a5c9	`deref_options deref; /* how to handle alias dereferening */`
Packit	90a5c9	`char binddn; / DN to bind to server (can be NULL) */`
Packit	90a5c9	`char bindpw; / Password to bind to server (can be NULL) */`
Packit	90a5c9	`int bind_authoritative; /* If true, will return errors when bind fails */`
Packit	90a5c9
Packit	90a5c9	`int user_is_dn; /* If true, r->user is replaced by DN during authn */`
Packit	90a5c9	`char remote_user_attribute; / If set, r->user is replaced by this attribute during authn */`
Packit	90a5c9	`int compare_dn_on_server; /* If true, will use server to do DN compare */`
Packit	90a5c9
Packit	90a5c9	`int have_ldap_url; /* Set if we have found an LDAP url */`
Packit	90a5c9
Packit	90a5c9	`apr_array_header_t groupattr; / List of Group attributes identifying user members. Default:"member uniqueMember" */`
Packit	90a5c9	`int group_attrib_is_dn; /* If true, the group attribute is the DN, otherwise,`
Packit	90a5c9	`it's the exact string passed by the HTTP client */`
Packit	90a5c9	`char *sgAttributes; / Array of strings constructed (post-config) from subgroupattrs. Last entry is NULL. */`
Packit	90a5c9	`apr_array_header_t subgroupclasses; / List of object classes of sub-groups. Default:"groupOfNames groupOfUniqueNames" */`
Packit	90a5c9	`int maxNestingDepth; /* Maximum recursive nesting depth permitted during subgroup processing. Default: 10 */`
Packit	90a5c9
Packit	90a5c9	`int secure; /* True if SSL connections are requested */`
Packit	90a5c9	`char authz_prefix; / Prefix for environment variables added during authz */`
Packit	90a5c9	`int initial_bind_as_user; /* true if we should try to bind (to lookup DN) directly with the basic auth username */`
Packit	90a5c9	`ap_regex_t bind_regex; / basic auth -> bind'able username regex */`
Packit	90a5c9	`const char bind_subst; / basic auth -> bind'able username substitution */`
Packit	90a5c9	`int search_as_user; /* true if authz searches should be done with the users credentials (when we did authn) */`
Packit	90a5c9	`int compare_as_user; /* true if authz compares should be done with the users credentials (when we did authn) */`
Packit	90a5c9	`} authn_ldap_config_t;`
Packit	90a5c9
Packit	90a5c9	`typedef struct {`
Packit	90a5c9	`char dn; / The saved dn from a successful search */`
Packit	90a5c9	`char user; / The username provided by the client */`
Packit	90a5c9	`const char *vals; / The additional values pulled during the DN search*/`
Packit	90a5c9	`char password; / if this module successfully authenticates, the basic auth password, else null */`
Packit	90a5c9	`} authn_ldap_request_t;`
Packit	90a5c9
Packit	90a5c9	`enum auth_ldap_phase {`
Packit	90a5c9	`LDAP_AUTHN, LDAP_AUTHZ`
Packit	90a5c9	`};`
Packit	90a5c9
Packit	90a5c9	`enum auth_ldap_optype {`
Packit	90a5c9	`LDAP_SEARCH, LDAP_COMPARE, LDAP_COMPARE_AND_SEARCH /* nested groups */`
Packit	90a5c9	`};`
Packit	90a5c9
Packit	90a5c9	`/* maximum group elements supported */`
Packit	90a5c9	`#define GROUPATTR_MAX_ELTS 10`
Packit	90a5c9
Packit	90a5c9	`module AP_MODULE_DECLARE_DATA authnz_ldap_module;`
Packit	90a5c9
Packit	90a5c9	`static APR_OPTIONAL_FN_TYPE(uldap_connection_close) *util_ldap_connection_close;`
Packit	90a5c9	`static APR_OPTIONAL_FN_TYPE(uldap_connection_find) *util_ldap_connection_find;`
Packit	90a5c9	`static APR_OPTIONAL_FN_TYPE(uldap_cache_comparedn) *util_ldap_cache_comparedn;`
Packit	90a5c9	`static APR_OPTIONAL_FN_TYPE(uldap_cache_compare) *util_ldap_cache_compare;`
Packit	90a5c9	`static APR_OPTIONAL_FN_TYPE(uldap_cache_check_subgroups) *util_ldap_cache_check_subgroups;`
Packit	90a5c9	`static APR_OPTIONAL_FN_TYPE(uldap_cache_checkuserid) *util_ldap_cache_checkuserid;`
Packit	90a5c9	`static APR_OPTIONAL_FN_TYPE(uldap_cache_getuserdn) *util_ldap_cache_getuserdn;`
Packit	90a5c9	`static APR_OPTIONAL_FN_TYPE(uldap_ssl_supported) *util_ldap_ssl_supported;`
Packit	90a5c9
Packit	90a5c9	`static apr_hash_t *charset_conversions = NULL;`
Packit	90a5c9	`static char to_charset = NULL; / UTF-8 identifier derived from the charset.conv file */`
Packit	90a5c9
Packit	90a5c9
Packit	90a5c9	`/* Derive a code page ID give a language name or ID */`
Packit	90a5c9	`static char* derive_codepage_from_lang (apr_pool_t p, char language)`
Packit	90a5c9	`{`
Packit	90a5c9	`char *charset;`
Packit	90a5c9
Packit	90a5c9	`if (!language) /* our default codepage */`
Packit	90a5c9	`return apr_pstrdup(p, "ISO-8859-1");`
Packit	90a5c9
Packit	90a5c9	`charset = (char*) apr_hash_get(charset_conversions, language, APR_HASH_KEY_STRING);`
Packit	90a5c9
Packit	90a5c9	`/*`
Packit	90a5c9	`* Test if language values like 'en-US' return a match from the charset`
Packit	90a5c9	`* conversion map when shortened to 'en'.`
Packit	90a5c9	`*/`
Packit	90a5c9	`if (!charset && strlen(language) > 3 && language[2] == '-') {`
Packit	90a5c9	`char *language_short = apr_pstrndup(p, language, 2);`
Packit	90a5c9	`charset = (char*) apr_hash_get(charset_conversions, language_short, APR_HASH_KEY_STRING);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (charset) {`
Packit	90a5c9	`charset = apr_pstrdup(p, charset);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`return charset;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static apr_xlate_t* get_conv_set (request_rec *r)`
Packit	90a5c9	`{`
Packit	90a5c9	`char lang_line = (char)apr_table_get(r->headers_in, "accept-language");`
Packit	90a5c9	`char *lang;`
Packit	90a5c9	`apr_xlate_t *convset;`
Packit	90a5c9
Packit	90a5c9	`if (lang_line) {`
Packit	90a5c9	`lang_line = apr_pstrdup(r->pool, lang_line);`
Packit	90a5c9	`for (lang = lang_line;*lang;lang++) {`
Packit	90a5c9	`if ((lang == ',') \|\| (lang == ';')) {`
Packit	90a5c9	`*lang = '\0';`
Packit	90a5c9	`break;`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9	`lang = derive_codepage_from_lang(r->pool, lang_line);`
Packit	90a5c9
Packit	90a5c9	`if (lang && (apr_xlate_open(&convset, to_charset, lang, r->pool) == APR_SUCCESS)) {`
Packit	90a5c9	`return convset;`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`return NULL;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9
Packit	90a5c9	`static const char* authn_ldap_xlate_password(request_rec *r,`
Packit	90a5c9	`const char* sent_password)`
Packit	90a5c9	`{`
Packit	90a5c9	`apr_xlate_t *convset = NULL;`
Packit	90a5c9	`apr_size_t inbytes;`
Packit	90a5c9	`apr_size_t outbytes;`
Packit	90a5c9	`char *outbuf;`
Packit	90a5c9
Packit	90a5c9	`if (charset_conversions && (convset = get_conv_set(r)) ) {`
Packit	90a5c9	`inbytes = strlen(sent_password);`
Packit	90a5c9	`outbytes = (inbytes+1)*3;`
Packit	90a5c9	`outbuf = apr_pcalloc(r->pool, outbytes);`
Packit	90a5c9
Packit	90a5c9	`/* Convert the password to UTF-8. */`
Packit	90a5c9	`if (apr_xlate_conv_buffer(convset, sent_password, &inbytes, outbuf,`
Packit	90a5c9	`&outbytes) == APR_SUCCESS)`
Packit	90a5c9	`return outbuf;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`return sent_password;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9
Packit	90a5c9	`/*`
Packit	90a5c9	`* Build the search filter, or at least as much of the search filter that`
Packit	90a5c9	`* will fit in the buffer. We don't worry about the buffer not being able`
Packit	90a5c9	`* to hold the entire filter. If the buffer wasn't big enough to hold the`
Packit	90a5c9	`* filter, ldap_search_s will complain, but the only situation where this`
Packit	90a5c9	`* is likely to happen is if the client sent a really, really long`
Packit	90a5c9	`* username, most likely as part of an attack.`
Packit	90a5c9	`*`
Packit	90a5c9	`* The search filter consists of the filter provided with the URL,`
Packit	90a5c9	`* combined with a filter made up of the attribute provided with the URL,`
Packit	90a5c9	`* and the actual username passed by the HTTP client. For example, assume`
Packit	90a5c9	`* that the LDAP URL is`
Packit	90a5c9	`*`
Packit	90a5c9	`* ldap://ldap.airius.com/ou=People, o=Airius?uid??(posixid=*)`
Packit	90a5c9	`*`
Packit	90a5c9	* Further, assume that the userid passed by the client was `userj'. The
Packit	90a5c9	`* search filter will be (&(posixid=*)(uid=userj)).`
Packit	90a5c9	`*/`
Packit	90a5c9	`#define FILTER_LENGTH MAX_STRING_LEN`
Packit	90a5c9	`static void authn_ldap_build_filter(char *filtbuf,`
Packit	90a5c9	`request_rec *r,`
Packit	90a5c9	`const char* sent_user,`
Packit	90a5c9	`const char* sent_filter,`
Packit	90a5c9	`authn_ldap_config_t *sec)`
Packit	90a5c9	`{`
Packit	90a5c9	`char p, q, *filtbuf_end;`
Packit	90a5c9	`char user, filter;`
Packit	90a5c9	`apr_xlate_t *convset = NULL;`
Packit	90a5c9	`apr_size_t inbytes;`
Packit	90a5c9	`apr_size_t outbytes;`
Packit	90a5c9	`char *outbuf;`
Packit	90a5c9	`int nofilter = 0;`
Packit	90a5c9
Packit	90a5c9	`if (sent_user != NULL) {`
Packit	90a5c9	`user = apr_pstrdup (r->pool, sent_user);`
Packit	90a5c9	`}`
Packit	90a5c9	`else`
Packit	90a5c9	`return;`
Packit	90a5c9
Packit	90a5c9	`if (sent_filter != NULL) {`
Packit	90a5c9	`filter = apr_pstrdup (r->pool, sent_filter);`
Packit	90a5c9	`}`
Packit	90a5c9	`else`
Packit	90a5c9	`filter = sec->filter;`
Packit	90a5c9
Packit	90a5c9	`if (charset_conversions) {`
Packit	90a5c9	`convset = get_conv_set(r);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (convset) {`
Packit	90a5c9	`inbytes = strlen(user);`
Packit	90a5c9	`outbytes = (inbytes+1)*3;`
Packit	90a5c9	`outbuf = apr_pcalloc(r->pool, outbytes);`
Packit	90a5c9
Packit	90a5c9	`/* Convert the user name to UTF-8. This is only valid for LDAP v3 */`
Packit	90a5c9	`if (apr_xlate_conv_buffer(convset, user, &inbytes, outbuf, &outbytes) == APR_SUCCESS) {`
Packit	90a5c9	`user = apr_pstrdup(r->pool, outbuf);`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/*`
Packit	90a5c9	`* Create the first part of the filter, which consists of the`
Packit	90a5c9	`* config-supplied portions.`
Packit	90a5c9	`*/`
Packit	90a5c9
Packit	90a5c9	`if ((nofilter = (filter && !strcasecmp(filter, "none")))) {`
Packit	90a5c9	`apr_snprintf(filtbuf, FILTER_LENGTH, "(%s=", sec->attribute);`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", filter, sec->attribute);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/*`
Packit	90a5c9	`* Now add the client-supplied username to the filter, ensuring that any`
Packit	90a5c9	`* LDAP filter metachars are escaped.`
Packit	90a5c9	`*/`
Packit	90a5c9	`filtbuf_end = filtbuf + FILTER_LENGTH - 1;`
Packit	90a5c9	`#if APR_HAS_MICROSOFT_LDAPSDK`
Packit	90a5c9	`for (p = user, q=filtbuf + strlen(filtbuf);`
Packit	90a5c9	`*p && q < filtbuf_end; ) {`
Packit	90a5c9	`if (strchr("()\\", p) != NULL) {`
Packit	90a5c9	`if ( q + 3 >= filtbuf_end)`
Packit	90a5c9	`break; /* Don't write part of escape sequence if we can't write all of it */`
Packit	90a5c9	`*q++ = '\\';`
Packit	90a5c9	`switch ( *p++ )`
Packit	90a5c9	`{`
Packit	90a5c9	`case '*':`
Packit	90a5c9	`*q++ = '2';`
Packit	90a5c9	`*q++ = 'a';`
Packit	90a5c9	`break;`
Packit	90a5c9	`case '(':`
Packit	90a5c9	`*q++ = '2';`
Packit	90a5c9	`*q++ = '8';`
Packit	90a5c9	`break;`
Packit	90a5c9	`case ')':`
Packit	90a5c9	`*q++ = '2';`
Packit	90a5c9	`*q++ = '9';`
Packit	90a5c9	`break;`
Packit	90a5c9	`case '\\':`
Packit	90a5c9	`*q++ = '5';`
Packit	90a5c9	`*q++ = 'c';`
Packit	90a5c9	`break;`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9	`else`
Packit	90a5c9	`q++ = p++;`
Packit	90a5c9	`}`
Packit	90a5c9	`#else`
Packit	90a5c9	`for (p = user, q=filtbuf + strlen(filtbuf);`
Packit	90a5c9	`p && q < filtbuf_end; q++ = *p++) {`
Packit	90a5c9	`if (strchr("()\\", p) != NULL) {`
Packit	90a5c9	`*q++ = '\\';`
Packit	90a5c9	`if (q >= filtbuf_end) {`
Packit	90a5c9	`break;`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9	`#endif`
Packit	90a5c9	`*q = '\0';`
Packit	90a5c9
Packit	90a5c9	`/*`
Packit	90a5c9	`* Append the closing parens of the filter, unless doing so would`
Packit	90a5c9	`* overrun the buffer.`
Packit	90a5c9	`*/`
Packit	90a5c9
Packit	90a5c9	`if (nofilter) {`
Packit	90a5c9	`if (q + 1 <= filtbuf_end)`
Packit	90a5c9	`strcat(filtbuf, ")");`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`if (q + 2 <= filtbuf_end)`
Packit	90a5c9	`strcat(filtbuf, "))");`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static void create_authnz_ldap_dir_config(apr_pool_t p, char *d)`
Packit	90a5c9	`{`
Packit	90a5c9	`authn_ldap_config_t *sec =`
Packit	90a5c9	`(authn_ldap_config_t *)apr_pcalloc(p, sizeof(authn_ldap_config_t));`
Packit	90a5c9
Packit	90a5c9	`sec->pool = p;`
Packit	90a5c9	`#if APR_HAS_THREADS`
Packit	90a5c9	`apr_thread_mutex_create(&sec->lock, APR_THREAD_MUTEX_DEFAULT, p);`
Packit	90a5c9	`#endif`
Packit	90a5c9	`/*`
Packit	90a5c9	`sec->authz_enabled = 1;`
Packit	90a5c9	`*/`
Packit	90a5c9	`sec->groupattr = apr_array_make(p, GROUPATTR_MAX_ELTS,`
Packit	90a5c9	`sizeof(struct mod_auth_ldap_groupattr_entry_t));`
Packit	90a5c9	`sec->subgroupclasses = apr_array_make(p, GROUPATTR_MAX_ELTS,`
Packit	90a5c9	`sizeof(struct mod_auth_ldap_groupattr_entry_t));`
Packit	90a5c9
Packit	90a5c9	`sec->have_ldap_url = 0;`
Packit	90a5c9	`sec->url = "";`
Packit	90a5c9	`sec->host = NULL;`
Packit	90a5c9	`sec->binddn = NULL;`
Packit	90a5c9	`sec->bindpw = NULL;`
Packit	90a5c9	`sec->bind_authoritative = 1;`
Packit	90a5c9	`sec->deref = always;`
Packit	90a5c9	`sec->group_attrib_is_dn = 1;`
Packit	90a5c9	`sec->secure = -1; /Initialize to unset/`
Packit	90a5c9	`sec->maxNestingDepth = 10;`
Packit	90a5c9	`sec->sgAttributes = apr_pcalloc(p, sizeof (char ) GROUPATTR_MAX_ELTS + 1);`
Packit	90a5c9
Packit	90a5c9	`sec->user_is_dn = 0;`
Packit	90a5c9	`sec->remote_user_attribute = NULL;`
Packit	90a5c9	`sec->compare_dn_on_server = 0;`
Packit	90a5c9
Packit	90a5c9	`sec->authz_prefix = AUTHZ_PREFIX;`
Packit	90a5c9
Packit	90a5c9	`return sec;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static apr_status_t authnz_ldap_cleanup_connection_close(void *param)`
Packit	90a5c9	`{`
Packit	90a5c9	`util_ldap_connection_t *ldc = param;`
Packit	90a5c9	`util_ldap_connection_close(ldc);`
Packit	90a5c9	`return APR_SUCCESS;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static int set_request_vars(request_rec *r, enum auth_ldap_phase phase) {`
Packit	90a5c9	`char *prefix = NULL;`
Packit	90a5c9	`int prefix_len;`
Packit	90a5c9	`int remote_user_attribute_set = 0;`
Packit	90a5c9	`authn_ldap_request_t *req =`
Packit	90a5c9	`(authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);`
Packit	90a5c9	`authn_ldap_config_t *sec =`
Packit	90a5c9	`(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);`
Packit	90a5c9	`const char **vals = req->vals;`
Packit	90a5c9
Packit	90a5c9	`prefix = (phase == LDAP_AUTHN) ? AUTHN_PREFIX : sec->authz_prefix;`
Packit	90a5c9	`prefix_len = strlen(prefix);`
Packit	90a5c9
Packit	90a5c9	`if (sec->attributes && vals) {`
Packit	90a5c9	`apr_table_t *e = r->subprocess_env;`
Packit	90a5c9	`int i = 0;`
Packit	90a5c9	`while (sec->attributes[i]) {`
Packit	90a5c9	`char *str = apr_pstrcat(r->pool, prefix, sec->attributes[i], NULL);`
Packit	90a5c9	`int j = prefix_len;`
Packit	90a5c9	`while (str[j]) {`
Packit	90a5c9	`str[j] = apr_toupper(str[j]);`
Packit	90a5c9	`j++;`
Packit	90a5c9	`}`
Packit	90a5c9	`apr_table_setn(e, str, vals[i] ? vals[i] : "");`
Packit	90a5c9
Packit	90a5c9	`/* handle remote_user_attribute, if set */`
Packit	90a5c9	`if ((phase == LDAP_AUTHN) &&`
Packit	90a5c9	`sec->remote_user_attribute &&`
Packit	90a5c9	`!strcmp(sec->remote_user_attribute, sec->attributes[i])) {`
Packit	90a5c9	`r->user = (char *)apr_pstrdup(r->pool, vals[i]);`
Packit	90a5c9	`remote_user_attribute_set = 1;`
Packit	90a5c9	`}`
Packit	90a5c9	`i++;`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9	`return remote_user_attribute_set;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static const char ldap_determine_binddn(request_rec r, const char *user) {`
Packit	90a5c9	`authn_ldap_config_t *sec =`
Packit	90a5c9	`(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);`
Packit	90a5c9	`const char *result = user;`
Packit	90a5c9	`ap_regmatch_t regm[AP_MAX_REG_MATCH];`
Packit	90a5c9
Packit	90a5c9	`if (NULL == user \|\| NULL == sec \|\| !sec->bind_regex \|\| !sec->bind_subst) {`
Packit	90a5c9	`return result;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (!ap_regexec(sec->bind_regex, user, AP_MAX_REG_MATCH, regm, 0)) {`
Packit	90a5c9	`char *substituted = ap_pregsub(r->pool, sec->bind_subst, user, AP_MAX_REG_MATCH, regm);`
Packit	90a5c9	`if (NULL != substituted) {`
Packit	90a5c9	`result = substituted;`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`apr_table_set(r->subprocess_env, "LDAP_BINDASUSER", result);`
Packit	90a5c9
Packit	90a5c9	`return result;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9
Packit	90a5c9	`/* Some LDAP servers restrict who can search or compare, and the hard-coded ID`
Packit	90a5c9	`* might be good for the DN lookup but not for later operations.`
Packit	90a5c9	`*/`
Packit	90a5c9	`static util_ldap_connection_t get_connection_for_authz(request_rec r, enum auth_ldap_optype type) {`
Packit	90a5c9	`authn_ldap_request_t *req =`
Packit	90a5c9	`(authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);`
Packit	90a5c9	`authn_ldap_config_t *sec =`
Packit	90a5c9	`(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);`
Packit	90a5c9
Packit	90a5c9	`char *binddn = sec->binddn;`
Packit	90a5c9	`char *bindpw = sec->bindpw;`
Packit	90a5c9
Packit	90a5c9	`/* If the per-request config isn't set, we didn't authenticate this user, and leave the default credentials */`
Packit	90a5c9	`if (req && req->password &&`
Packit	90a5c9	`((type == LDAP_SEARCH && sec->search_as_user) \|\|`
Packit	90a5c9	`(type == LDAP_COMPARE && sec->compare_as_user) \|\|`
Packit	90a5c9	`(type == LDAP_COMPARE_AND_SEARCH && sec->compare_as_user && sec->search_as_user))){`
Packit	90a5c9	`binddn = req->dn;`
Packit	90a5c9	`bindpw = req->password;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`return util_ldap_connection_find(r, sec->host, sec->port,`
Packit	90a5c9	`binddn, bindpw,`
Packit	90a5c9	`sec->deref, sec->secure);`
Packit	90a5c9	`}`
Packit	90a5c9	`/*`
Packit	90a5c9	`* Authentication Phase`
Packit	90a5c9	`* --------------------`
Packit	90a5c9	`*`
Packit	90a5c9	`* This phase authenticates the credentials the user has sent with`
Packit	90a5c9	`* the request (ie the username and password are checked). This is done`
Packit	90a5c9	`* by making an attempt to bind to the LDAP server using this user's`
Packit	90a5c9	`* DN and the supplied password.`
Packit	90a5c9	`*`
Packit	90a5c9	`*/`
Packit	90a5c9	`static authn_status authn_ldap_check_password(request_rec r, const char user,`
Packit	90a5c9	`const char *password)`
Packit	90a5c9	`{`
Packit	90a5c9	`char filtbuf[FILTER_LENGTH];`
Packit	90a5c9	`authn_ldap_config_t *sec =`
Packit	90a5c9	`(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);`
Packit	90a5c9
Packit	90a5c9	`util_ldap_connection_t *ldc = NULL;`
Packit	90a5c9	`int result = 0;`
Packit	90a5c9	`int remote_user_attribute_set = 0;`
Packit	90a5c9	`const char *dn = NULL;`
Packit	90a5c9	`const char *utfpassword;`
Packit	90a5c9
Packit	90a5c9	`authn_ldap_request_t *req =`
Packit	90a5c9	`(authn_ldap_request_t *)apr_pcalloc(r->pool, sizeof(authn_ldap_request_t));`
Packit	90a5c9	`ap_set_module_config(r->request_config, &authnz_ldap_module, req);`
Packit	90a5c9
Packit	90a5c9	`/*`
Packit	90a5c9	`if (!sec->enabled) {`
Packit	90a5c9	`return AUTH_USER_NOT_FOUND;`
Packit	90a5c9	`}`
Packit	90a5c9	`*/`
Packit	90a5c9
Packit	90a5c9	`/*`
Packit	90a5c9	`* Basic sanity checks before any LDAP operations even happen.`
Packit	90a5c9	`*/`
Packit	90a5c9	`if (!sec->have_ldap_url) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02558)`
Packit	90a5c9	`"no AuthLDAPURL");`
Packit	90a5c9
Packit	90a5c9	`return AUTH_GENERAL_ERROR;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/* There is a good AuthLDAPURL, right? */`
Packit	90a5c9	`if (sec->host) {`
Packit	90a5c9	`const char *binddn = sec->binddn;`
Packit	90a5c9	`const char *bindpw = sec->bindpw;`
Packit	90a5c9	`if (sec->initial_bind_as_user) {`
Packit	90a5c9	`bindpw = password;`
Packit	90a5c9	`binddn = ldap_determine_binddn(r, user);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`ldc = util_ldap_connection_find(r, sec->host, sec->port,`
Packit	90a5c9	`binddn, bindpw,`
Packit	90a5c9	`sec->deref, sec->secure);`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01690)`
Packit	90a5c9	`"auth_ldap authenticate: no sec->host - weird...?");`
Packit	90a5c9	`return AUTH_GENERAL_ERROR;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01691)`
Packit	90a5c9	`"auth_ldap authenticate: using URL %s", sec->url);`
Packit	90a5c9
Packit	90a5c9	`/* Get the password that the client sent */`
Packit	90a5c9	`if (password == NULL) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01692)`
Packit	90a5c9	`"auth_ldap authenticate: no password specified");`
Packit	90a5c9	`util_ldap_connection_close(ldc);`
Packit	90a5c9	`return AUTH_GENERAL_ERROR;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (user == NULL) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01693)`
Packit	90a5c9	`"auth_ldap authenticate: no user specified");`
Packit	90a5c9	`util_ldap_connection_close(ldc);`
Packit	90a5c9	`return AUTH_GENERAL_ERROR;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/* build the username filter */`
Packit	90a5c9	`authn_ldap_build_filter(filtbuf, r, user, NULL, sec);`
Packit	90a5c9
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r,`
Packit	90a5c9	`"auth_ldap authenticate: final authn filter is %s", filtbuf);`
Packit	90a5c9
Packit	90a5c9	`/* convert password to utf-8 */`
Packit	90a5c9	`utfpassword = authn_ldap_xlate_password(r, password);`
Packit	90a5c9
Packit	90a5c9	`/* do the user search */`
Packit	90a5c9	`result = util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope,`
Packit	90a5c9	`sec->attributes, filtbuf, utfpassword,`
Packit	90a5c9	`&dn, &(req->vals));`
Packit	90a5c9	`util_ldap_connection_close(ldc);`
Packit	90a5c9
Packit	90a5c9	`/* handle bind failure */`
Packit	90a5c9	`if (result != LDAP_SUCCESS) {`
Packit	90a5c9	`if (!sec->bind_authoritative) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01694)`
Packit	90a5c9	`"auth_ldap authenticate: user %s authentication failed; "`
Packit	90a5c9	`"URI %s [%s][%s] (not authoritative)",`
Packit	90a5c9	`user, r->uri, ldc->reason, ldap_err2string(result));`
Packit	90a5c9	`return AUTH_USER_NOT_FOUND;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(01695)`
Packit	90a5c9	`"auth_ldap authenticate: "`
Packit	90a5c9	`"user %s authentication failed; URI %s [%s][%s]",`
Packit	90a5c9	`user, r->uri, ldc->reason, ldap_err2string(result));`
Packit	90a5c9
Packit	90a5c9	`/* talking to a primitive LDAP server (like RACF-over-LDAP) that doesn't return specific errors */`
Packit	90a5c9	`if (!strcasecmp(sec->filter, "none") && LDAP_OTHER == result) {`
Packit	90a5c9	`return AUTH_USER_NOT_FOUND;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`return (LDAP_NO_SUCH_OBJECT == result) ? AUTH_USER_NOT_FOUND`
Packit	90a5c9	`#ifdef LDAP_SECURITY_ERROR`
Packit	90a5c9	`: (LDAP_SECURITY_ERROR(result)) ? AUTH_DENIED`
Packit	90a5c9	`#else`
Packit	90a5c9	`: (LDAP_INAPPROPRIATE_AUTH == result) ? AUTH_DENIED`
Packit	90a5c9	`: (LDAP_INVALID_CREDENTIALS == result) ? AUTH_DENIED`
Packit	90a5c9	`#ifdef LDAP_INSUFFICIENT_ACCESS`
Packit	90a5c9	`: (LDAP_INSUFFICIENT_ACCESS == result) ? AUTH_DENIED`
Packit	90a5c9	`#endif`
Packit	90a5c9	`#ifdef LDAP_INSUFFICIENT_RIGHTS`
Packit	90a5c9	`: (LDAP_INSUFFICIENT_RIGHTS == result) ? AUTH_DENIED`
Packit	90a5c9	`#endif`
Packit	90a5c9	`#endif`
Packit	90a5c9	`#ifdef LDAP_CONSTRAINT_VIOLATION`
Packit	90a5c9	`/* At least Sun Directory Server sends this if a user is`
Packit	90a5c9	`* locked. This is not covered by LDAP_SECURITY_ERROR.`
Packit	90a5c9	`*/`
Packit	90a5c9	`: (LDAP_CONSTRAINT_VIOLATION == result) ? AUTH_DENIED`
Packit	90a5c9	`#endif`
Packit	90a5c9	`: AUTH_GENERAL_ERROR;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/* mark the user and DN */`
Packit	90a5c9	`req->dn = apr_pstrdup(r->pool, dn);`
Packit	90a5c9	`req->user = apr_pstrdup(r->pool, user);`
Packit	90a5c9	`req->password = apr_pstrdup(r->pool, password);`
Packit	90a5c9	`if (sec->user_is_dn) {`
Packit	90a5c9	`r->user = req->dn;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/* add environment variables */`
Packit	90a5c9	`remote_user_attribute_set = set_request_vars(r, LDAP_AUTHN);`
Packit	90a5c9
Packit	90a5c9	`/* sanity check */`
Packit	90a5c9	`if (sec->remote_user_attribute && !remote_user_attribute_set) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01696)`
Packit	90a5c9	`"auth_ldap authenticate: "`
Packit	90a5c9	`"REMOTE_USER was to be set with attribute '%s', "`
Packit	90a5c9	`"but this attribute was not requested for in the "`
Packit	90a5c9	`"LDAP query for the user. REMOTE_USER will fall "`
Packit	90a5c9	`"back to username or DN as appropriate.",`
Packit	90a5c9	`sec->remote_user_attribute);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01697)`
Packit	90a5c9	`"auth_ldap authenticate: accepting %s", user);`
Packit	90a5c9
Packit	90a5c9	`return AUTH_GRANTED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static authz_status ldapuser_check_authorization(request_rec *r,`
Packit	90a5c9	`const char *require_args,`
Packit	90a5c9	`const void *parsed_require_args)`
Packit	90a5c9	`{`
Packit	90a5c9	`int result = 0;`
Packit	90a5c9	`authn_ldap_request_t *req =`
Packit	90a5c9	`(authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);`
Packit	90a5c9	`authn_ldap_config_t *sec =`
Packit	90a5c9	`(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);`
Packit	90a5c9
Packit	90a5c9	`util_ldap_connection_t *ldc = NULL;`
Packit	90a5c9
Packit	90a5c9	`const char *err = NULL;`
Packit	90a5c9	`const ap_expr_info_t *expr = parsed_require_args;`
Packit	90a5c9	`const char *require;`
Packit	90a5c9
Packit	90a5c9	`const char *t;`
Packit	90a5c9	`char *w;`
Packit	90a5c9
Packit	90a5c9	`char filtbuf[FILTER_LENGTH];`
Packit	90a5c9	`const char *dn = NULL;`
Packit	90a5c9
Packit	90a5c9	`if (!r->user) {`
Packit	90a5c9	`return AUTHZ_DENIED_NO_USER;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (!sec->have_ldap_url) {`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (sec->host) {`
Packit	90a5c9	`ldc = get_connection_for_authz(r, LDAP_COMPARE);`
Packit	90a5c9	`apr_pool_cleanup_register(r->pool, ldc,`
Packit	90a5c9	`authnz_ldap_cleanup_connection_close,`
Packit	90a5c9	`apr_pool_cleanup_null);`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01698)`
Packit	90a5c9	`"auth_ldap authorize: no sec->host - weird...?");`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/*`
Packit	90a5c9	`* If we have been authenticated by some other module than mod_authnz_ldap,`
Packit	90a5c9	`* the req structure needed for authorization needs to be created`
Packit	90a5c9	`* and populated with the userid and DN of the account in LDAP`
Packit	90a5c9	`*/`
Packit	90a5c9
Packit	90a5c9
Packit	90a5c9	`if (!strlen(r->user)) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01699)`
Packit	90a5c9	`"ldap authorize: Userid is blank, AuthType=%s",`
Packit	90a5c9	`r->ap_auth_type);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if(!req) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01700)`
Packit	90a5c9	`"ldap authorize: Creating LDAP req structure");`
Packit	90a5c9
Packit	90a5c9	`req = (authn_ldap_request_t *)apr_pcalloc(r->pool,`
Packit	90a5c9	`sizeof(authn_ldap_request_t));`
Packit	90a5c9
Packit	90a5c9	`/* Build the username filter */`
Packit	90a5c9	`authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec);`
Packit	90a5c9
Packit	90a5c9	`/* Search for the user DN */`
Packit	90a5c9	`result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,`
Packit	90a5c9	`sec->scope, sec->attributes, filtbuf, &dn, &(req->vals));`
Packit	90a5c9
Packit	90a5c9	`/* Search failed, log error and return failure */`
Packit	90a5c9	`if(result != LDAP_SUCCESS) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01701)`
Packit	90a5c9	`"auth_ldap authorise: User DN not found, %s", ldc->reason);`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`ap_set_module_config(r->request_config, &authnz_ldap_module, req);`
Packit	90a5c9	`req->dn = apr_pstrdup(r->pool, dn);`
Packit	90a5c9	`req->user = r->user;`
Packit	90a5c9
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (req->dn == NULL \|\| strlen(req->dn) == 0) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01702)`
Packit	90a5c9	`"auth_ldap authorize: require user: user's DN has not "`
Packit	90a5c9	`"been defined; failing authorization");`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`require = ap_expr_str_exec(r, expr, &err;;`
Packit	90a5c9	`if (err) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02585)`
Packit	90a5c9	`"auth_ldap authorize: require user: Can't evaluate expression: %s",`
Packit	90a5c9	`err);`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/*`
Packit	90a5c9	`* First do a whole-line compare, in case it's something like`
Packit	90a5c9	`* require user Babs Jensen`
Packit	90a5c9	`*/`
Packit	90a5c9	`result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, require);`
Packit	90a5c9	`switch(result) {`
Packit	90a5c9	`case LDAP_COMPARE_TRUE: {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01703)`
Packit	90a5c9	`"auth_ldap authorize: require user: authorization "`
Packit	90a5c9	`"successful");`
Packit	90a5c9	`set_request_vars(r, LDAP_AUTHZ);`
Packit	90a5c9	`return AUTHZ_GRANTED;`
Packit	90a5c9	`}`
Packit	90a5c9	`default: {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01704)`
Packit	90a5c9	`"auth_ldap authorize: require user: "`
Packit	90a5c9	`"authorization failed [%s][%s]",`
Packit	90a5c9	`ldc->reason, ldap_err2string(result));`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/*`
Packit	90a5c9	`* Now break apart the line and compare each word on it`
Packit	90a5c9	`*/`
Packit	90a5c9	`t = require;`
Packit	90a5c9	`while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {`
Packit	90a5c9	`result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, w);`
Packit	90a5c9	`switch(result) {`
Packit	90a5c9	`case LDAP_COMPARE_TRUE: {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01705)`
Packit	90a5c9	`"auth_ldap authorize: "`
Packit	90a5c9	`"require user: authorization successful");`
Packit	90a5c9	`set_request_vars(r, LDAP_AUTHZ);`
Packit	90a5c9	`return AUTHZ_GRANTED;`
Packit	90a5c9	`}`
Packit	90a5c9	`default: {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01706)`
Packit	90a5c9	`"auth_ldap authorize: "`
Packit	90a5c9	`"require user: authorization failed [%s][%s]",`
Packit	90a5c9	`ldc->reason, ldap_err2string(result));`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01707)`
Packit	90a5c9	`"auth_ldap authorize user: authorization denied for "`
Packit	90a5c9	`"user %s to %s",`
Packit	90a5c9	`r->user, r->uri);`
Packit	90a5c9
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static authz_status ldapgroup_check_authorization(request_rec *r,`
Packit	90a5c9	`const char *require_args,`
Packit	90a5c9	`const void *parsed_require_args)`
Packit	90a5c9	`{`
Packit	90a5c9	`int result = 0;`
Packit	90a5c9	`authn_ldap_request_t *req =`
Packit	90a5c9	`(authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);`
Packit	90a5c9	`authn_ldap_config_t *sec =`
Packit	90a5c9	`(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);`
Packit	90a5c9
Packit	90a5c9	`util_ldap_connection_t *ldc = NULL;`
Packit	90a5c9
Packit	90a5c9	`const char *err = NULL;`
Packit	90a5c9	`const ap_expr_info_t *expr = parsed_require_args;`
Packit	90a5c9	`const char *require;`
Packit	90a5c9
Packit	90a5c9	`const char *t;`
Packit	90a5c9
Packit	90a5c9	`char filtbuf[FILTER_LENGTH];`
Packit	90a5c9	`const char *dn = NULL;`
Packit	90a5c9	`struct mod_auth_ldap_groupattr_entry_t *ent;`
Packit	90a5c9	`int i;`
Packit	90a5c9
Packit	90a5c9	`if (!r->user) {`
Packit	90a5c9	`return AUTHZ_DENIED_NO_USER;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (!sec->have_ldap_url) {`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (sec->host) {`
Packit	90a5c9	`ldc = get_connection_for_authz(r, LDAP_COMPARE); /* for the top-level group only */`
Packit	90a5c9	`apr_pool_cleanup_register(r->pool, ldc,`
Packit	90a5c9	`authnz_ldap_cleanup_connection_close,`
Packit	90a5c9	`apr_pool_cleanup_null);`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01708)`
Packit	90a5c9	`"auth_ldap authorize: no sec->host - weird...?");`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/*`
Packit	90a5c9	`* If there are no elements in the group attribute array, the default should be`
Packit	90a5c9	`* member and uniquemember; populate the array now.`
Packit	90a5c9	`*/`
Packit	90a5c9	`if (sec->groupattr->nelts == 0) {`
Packit	90a5c9	`struct mod_auth_ldap_groupattr_entry_t *grp;`
Packit	90a5c9	`#if APR_HAS_THREADS`
Packit	90a5c9	`apr_thread_mutex_lock(sec->lock);`
Packit	90a5c9	`#endif`
Packit	90a5c9	`grp = apr_array_push(sec->groupattr);`
Packit	90a5c9	`grp->name = "member";`
Packit	90a5c9	`grp = apr_array_push(sec->groupattr);`
Packit	90a5c9	`grp->name = "uniqueMember";`
Packit	90a5c9	`#if APR_HAS_THREADS`
Packit	90a5c9	`apr_thread_mutex_unlock(sec->lock);`
Packit	90a5c9	`#endif`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/*`
Packit	90a5c9	`* If there are no elements in the sub group classes array, the default`
Packit	90a5c9	`* should be groupOfNames and groupOfUniqueNames; populate the array now.`
Packit	90a5c9	`*/`
Packit	90a5c9	`if (sec->subgroupclasses->nelts == 0) {`
Packit	90a5c9	`struct mod_auth_ldap_groupattr_entry_t *grp;`
Packit	90a5c9	`#if APR_HAS_THREADS`
Packit	90a5c9	`apr_thread_mutex_lock(sec->lock);`
Packit	90a5c9	`#endif`
Packit	90a5c9	`grp = apr_array_push(sec->subgroupclasses);`
Packit	90a5c9	`grp->name = "groupOfNames";`
Packit	90a5c9	`grp = apr_array_push(sec->subgroupclasses);`
Packit	90a5c9	`grp->name = "groupOfUniqueNames";`
Packit	90a5c9	`#if APR_HAS_THREADS`
Packit	90a5c9	`apr_thread_mutex_unlock(sec->lock);`
Packit	90a5c9	`#endif`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/*`
Packit	90a5c9	`* If we have been authenticated by some other module than mod_auth_ldap,`
Packit	90a5c9	`* the req structure needed for authorization needs to be created`
Packit	90a5c9	`* and populated with the userid and DN of the account in LDAP`
Packit	90a5c9	`*/`
Packit	90a5c9
Packit	90a5c9	`if (!strlen(r->user)) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01709)`
Packit	90a5c9	`"ldap authorize: Userid is blank, AuthType=%s",`
Packit	90a5c9	`r->ap_auth_type);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if(!req) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01710)`
Packit	90a5c9	`"ldap authorize: Creating LDAP req structure");`
Packit	90a5c9
Packit	90a5c9	`req = (authn_ldap_request_t *)apr_pcalloc(r->pool,`
Packit	90a5c9	`sizeof(authn_ldap_request_t));`
Packit	90a5c9	`/* Build the username filter */`
Packit	90a5c9	`authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec);`
Packit	90a5c9
Packit	90a5c9	`/* Search for the user DN */`
Packit	90a5c9	`result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,`
Packit	90a5c9	`sec->scope, sec->attributes, filtbuf, &dn, &(req->vals));`
Packit	90a5c9
Packit	90a5c9	`/* Search failed, log error and return failure */`
Packit	90a5c9	`if(result != LDAP_SUCCESS) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01711)`
Packit	90a5c9	`"auth_ldap authorise: User DN not found, %s", ldc->reason);`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`ap_set_module_config(r->request_config, &authnz_ldap_module, req);`
Packit	90a5c9	`req->dn = apr_pstrdup(r->pool, dn);`
Packit	90a5c9	`req->user = r->user;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`ent = (struct mod_auth_ldap_groupattr_entry_t *) sec->groupattr->elts;`
Packit	90a5c9
Packit	90a5c9	`if (sec->group_attrib_is_dn) {`
Packit	90a5c9	`if (req->dn == NULL \|\| strlen(req->dn) == 0) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01712)`
Packit	90a5c9	`"auth_ldap authorize: require group: user's DN has "`
Packit	90a5c9	`"not been defined; failing authorization for user %s",`
Packit	90a5c9	`r->user);`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`if (req->user == NULL \|\| strlen(req->user) == 0) {`
Packit	90a5c9	`/* We weren't called in the authentication phase, so we didn't have a`
Packit	90a5c9	`* chance to set the user field. Do so now. */`
Packit	90a5c9	`req->user = r->user;`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`require = ap_expr_str_exec(r, expr, &err;;`
Packit	90a5c9	`if (err) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02586)`
Packit	90a5c9	`"auth_ldap authorize: require group: Can't evaluate expression: %s",`
Packit	90a5c9	`err);`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`t = require;`
Packit	90a5c9
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01713)`
Packit	90a5c9	`"auth_ldap authorize: require group: testing for group "`
Packit	90a5c9	`"membership in \"%s\"",`
Packit	90a5c9	`t);`
Packit	90a5c9
Packit	90a5c9	`/* PR52464 exhaust attrs in base group before checking subgroups */`
Packit	90a5c9	`for (i = 0; i < sec->groupattr->nelts; i++) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01714)`
Packit	90a5c9	`"auth_ldap authorize: require group: testing for %s: "`
Packit	90a5c9	`"%s (%s)",`
Packit	90a5c9	`ent[i].name,`
Packit	90a5c9	`sec->group_attrib_is_dn ? req->dn : req->user, t);`
Packit	90a5c9
Packit	90a5c9	`result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name,`
Packit	90a5c9	`sec->group_attrib_is_dn ? req->dn : req->user);`
Packit	90a5c9	`if (result == LDAP_COMPARE_TRUE) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01715)`
Packit	90a5c9	`"auth_ldap authorize: require group: "`
Packit	90a5c9	`"authorization successful (attribute %s) "`
Packit	90a5c9	`"[%s][%d - %s]",`
Packit	90a5c9	`ent[i].name, ldc->reason, result,`
Packit	90a5c9	`ldap_err2string(result));`
Packit	90a5c9	`set_request_vars(r, LDAP_AUTHZ);`
Packit	90a5c9	`return AUTHZ_GRANTED;`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01719)`
Packit	90a5c9	`"auth_ldap authorize: require group \"%s\": "`
Packit	90a5c9	`"didn't match with attr %s [%s][%d - %s]",`
Packit	90a5c9	`t, ent[i].name, ldc->reason, result,`
Packit	90a5c9	`ldap_err2string(result));`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`for (i = 0; i < sec->groupattr->nelts; i++) {`
Packit	90a5c9	`/* nested groups need searches and compares, so grab a new handle */`
Packit	90a5c9	`authnz_ldap_cleanup_connection_close(ldc);`
Packit	90a5c9	`apr_pool_cleanup_kill(r->pool, ldc,authnz_ldap_cleanup_connection_close);`
Packit	90a5c9
Packit	90a5c9	`ldc = get_connection_for_authz(r, LDAP_COMPARE_AND_SEARCH);`
Packit	90a5c9	`apr_pool_cleanup_register(r->pool, ldc,`
Packit	90a5c9	`authnz_ldap_cleanup_connection_close,`
Packit	90a5c9	`apr_pool_cleanup_null);`
Packit	90a5c9
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01716)`
Packit	90a5c9	`"auth_ldap authorise: require group \"%s\": "`
Packit	90a5c9	`"failed [%s][%d - %s], checking sub-groups",`
Packit	90a5c9	`t, ldc->reason, result, ldap_err2string(result));`
Packit	90a5c9
Packit	90a5c9	`result = util_ldap_cache_check_subgroups(r, ldc, sec->url, t, ent[i].name,`
Packit	90a5c9	`sec->group_attrib_is_dn ? req->dn : req->user,`
Packit	90a5c9	`sec->sgAttributes[0] ? sec->sgAttributes : default_attributes,`
Packit	90a5c9	`sec->subgroupclasses,`
Packit	90a5c9	`0, sec->maxNestingDepth);`
Packit	90a5c9	`if (result == LDAP_COMPARE_TRUE) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01717)`
Packit	90a5c9	`"auth_ldap authorise: require group "`
Packit	90a5c9	`"(sub-group): authorisation successful "`
Packit	90a5c9	`"(attribute %s) [%s][%d - %s]",`
Packit	90a5c9	`ent[i].name, ldc->reason, result,`
Packit	90a5c9	`ldap_err2string(result));`
Packit	90a5c9	`set_request_vars(r, LDAP_AUTHZ);`
Packit	90a5c9	`return AUTHZ_GRANTED;`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01718)`
Packit	90a5c9	`"auth_ldap authorise: require group "`
Packit	90a5c9	`"(sub-group) \"%s\": didn't match with attr %s "`
Packit	90a5c9	`"[%s][%d - %s]",`
Packit	90a5c9	`t, ldc->reason, ent[i].name, result,`
Packit	90a5c9	`ldap_err2string(result));`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01720)`
Packit	90a5c9	`"auth_ldap authorize group: authorization denied for "`
Packit	90a5c9	`"user %s to %s",`
Packit	90a5c9	`r->user, r->uri);`
Packit	90a5c9
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static authz_status ldapdn_check_authorization(request_rec *r,`
Packit	90a5c9	`const char *require_args,`
Packit	90a5c9	`const void *parsed_require_args)`
Packit	90a5c9	`{`
Packit	90a5c9	`int result = 0;`
Packit	90a5c9	`authn_ldap_request_t *req =`
Packit	90a5c9	`(authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);`
Packit	90a5c9	`authn_ldap_config_t *sec =`
Packit	90a5c9	`(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);`
Packit	90a5c9
Packit	90a5c9	`util_ldap_connection_t *ldc = NULL;`
Packit	90a5c9
Packit	90a5c9	`const char *err = NULL;`
Packit	90a5c9	`const ap_expr_info_t *expr = parsed_require_args;`
Packit	90a5c9	`const char *require;`
Packit	90a5c9
Packit	90a5c9	`const char *t;`
Packit	90a5c9
Packit	90a5c9	`char filtbuf[FILTER_LENGTH];`
Packit	90a5c9	`const char *dn = NULL;`
Packit	90a5c9
Packit	90a5c9	`if (!r->user) {`
Packit	90a5c9	`return AUTHZ_DENIED_NO_USER;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (!sec->have_ldap_url) {`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (sec->host) {`
Packit	90a5c9	`ldc = get_connection_for_authz(r, LDAP_SEARCH); /* _comparedn is a searche */`
Packit	90a5c9	`apr_pool_cleanup_register(r->pool, ldc,`
Packit	90a5c9	`authnz_ldap_cleanup_connection_close,`
Packit	90a5c9	`apr_pool_cleanup_null);`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01721)`
Packit	90a5c9	`"auth_ldap authorize: no sec->host - weird...?");`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/*`
Packit	90a5c9	`* If we have been authenticated by some other module than mod_auth_ldap,`
Packit	90a5c9	`* the req structure needed for authorization needs to be created`
Packit	90a5c9	`* and populated with the userid and DN of the account in LDAP`
Packit	90a5c9	`*/`
Packit	90a5c9
Packit	90a5c9	`if (!strlen(r->user)) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01722)`
Packit	90a5c9	`"ldap authorize: Userid is blank, AuthType=%s",`
Packit	90a5c9	`r->ap_auth_type);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if(!req) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01723)`
Packit	90a5c9	`"ldap authorize: Creating LDAP req structure");`
Packit	90a5c9
Packit	90a5c9	`req = (authn_ldap_request_t *)apr_pcalloc(r->pool,`
Packit	90a5c9	`sizeof(authn_ldap_request_t));`
Packit	90a5c9	`/* Build the username filter */`
Packit	90a5c9	`authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec);`
Packit	90a5c9
Packit	90a5c9	`/* Search for the user DN */`
Packit	90a5c9	`result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,`
Packit	90a5c9	`sec->scope, sec->attributes, filtbuf, &dn, &(req->vals));`
Packit	90a5c9
Packit	90a5c9	`/* Search failed, log error and return failure */`
Packit	90a5c9	`if(result != LDAP_SUCCESS) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01724)`
Packit	90a5c9	`"auth_ldap authorise: User DN not found with filter %s: %s", filtbuf, ldc->reason);`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`ap_set_module_config(r->request_config, &authnz_ldap_module, req);`
Packit	90a5c9	`req->dn = apr_pstrdup(r->pool, dn);`
Packit	90a5c9	`req->user = r->user;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`require = ap_expr_str_exec(r, expr, &err;;`
Packit	90a5c9	`if (err) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02587)`
Packit	90a5c9	`"auth_ldap authorize: require dn: Can't evaluate expression: %s",`
Packit	90a5c9	`err);`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`t = require;`
Packit	90a5c9
Packit	90a5c9	`if (req->dn == NULL \|\| strlen(req->dn) == 0) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01725)`
Packit	90a5c9	`"auth_ldap authorize: require dn: user's DN has not "`
Packit	90a5c9	`"been defined; failing authorization");`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, t, sec->compare_dn_on_server);`
Packit	90a5c9	`switch(result) {`
Packit	90a5c9	`case LDAP_COMPARE_TRUE: {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01726)`
Packit	90a5c9	`"auth_ldap authorize: "`
Packit	90a5c9	`"require dn: authorization successful");`
Packit	90a5c9	`set_request_vars(r, LDAP_AUTHZ);`
Packit	90a5c9	`return AUTHZ_GRANTED;`
Packit	90a5c9	`}`
Packit	90a5c9	`default: {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01727)`
Packit	90a5c9	`"auth_ldap authorize: "`
Packit	90a5c9	`"require dn \"%s\": LDAP error [%s][%s]",`
Packit	90a5c9	`t, ldc->reason, ldap_err2string(result));`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01728)`
Packit	90a5c9	`"auth_ldap authorize dn: authorization denied for "`
Packit	90a5c9	`"user %s to %s",`
Packit	90a5c9	`r->user, r->uri);`
Packit	90a5c9
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static authz_status ldapattribute_check_authorization(request_rec *r,`
Packit	90a5c9	`const char *require_args,`
Packit	90a5c9	`const void *parsed_require_args)`
Packit	90a5c9	`{`
Packit	90a5c9	`int result = 0;`
Packit	90a5c9	`authn_ldap_request_t *req =`
Packit	90a5c9	`(authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);`
Packit	90a5c9	`authn_ldap_config_t *sec =`
Packit	90a5c9	`(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);`
Packit	90a5c9
Packit	90a5c9	`util_ldap_connection_t *ldc = NULL;`
Packit	90a5c9
Packit	90a5c9	`const char *err = NULL;`
Packit	90a5c9	`const ap_expr_info_t *expr = parsed_require_args;`
Packit	90a5c9	`const char *require;`
Packit	90a5c9
Packit	90a5c9	`const char *t;`
Packit	90a5c9	`char w, value;`
Packit	90a5c9
Packit	90a5c9	`char filtbuf[FILTER_LENGTH];`
Packit	90a5c9	`const char *dn = NULL;`
Packit	90a5c9
Packit	90a5c9	`if (!r->user) {`
Packit	90a5c9	`return AUTHZ_DENIED_NO_USER;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (!sec->have_ldap_url) {`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (sec->host) {`
Packit	90a5c9	`ldc = get_connection_for_authz(r, LDAP_COMPARE);`
Packit	90a5c9	`apr_pool_cleanup_register(r->pool, ldc,`
Packit	90a5c9	`authnz_ldap_cleanup_connection_close,`
Packit	90a5c9	`apr_pool_cleanup_null);`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01729)`
Packit	90a5c9	`"auth_ldap authorize: no sec->host - weird...?");`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/*`
Packit	90a5c9	`* If we have been authenticated by some other module than mod_auth_ldap,`
Packit	90a5c9	`* the req structure needed for authorization needs to be created`
Packit	90a5c9	`* and populated with the userid and DN of the account in LDAP`
Packit	90a5c9	`*/`
Packit	90a5c9
Packit	90a5c9	`if (!strlen(r->user)) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01730)`
Packit	90a5c9	`"ldap authorize: Userid is blank, AuthType=%s",`
Packit	90a5c9	`r->ap_auth_type);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if(!req) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01731)`
Packit	90a5c9	`"ldap authorize: Creating LDAP req structure");`
Packit	90a5c9
Packit	90a5c9	`req = (authn_ldap_request_t *)apr_pcalloc(r->pool,`
Packit	90a5c9	`sizeof(authn_ldap_request_t));`
Packit	90a5c9	`/* Build the username filter */`
Packit	90a5c9	`authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec);`
Packit	90a5c9
Packit	90a5c9	`/* Search for the user DN */`
Packit	90a5c9	`result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,`
Packit	90a5c9	`sec->scope, sec->attributes, filtbuf, &dn, &(req->vals));`
Packit	90a5c9
Packit	90a5c9	`/* Search failed, log error and return failure */`
Packit	90a5c9	`if(result != LDAP_SUCCESS) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01732)`
Packit	90a5c9	`"auth_ldap authorise: User DN not found with filter %s: %s", filtbuf, ldc->reason);`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`ap_set_module_config(r->request_config, &authnz_ldap_module, req);`
Packit	90a5c9	`req->dn = apr_pstrdup(r->pool, dn);`
Packit	90a5c9	`req->user = r->user;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (req->dn == NULL \|\| strlen(req->dn) == 0) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01733)`
Packit	90a5c9	`"auth_ldap authorize: require ldap-attribute: user's DN "`
Packit	90a5c9	`"has not been defined; failing authorization");`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`require = ap_expr_str_exec(r, expr, &err;;`
Packit	90a5c9	`if (err) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02588)`
Packit	90a5c9	`"auth_ldap authorize: require ldap-attribute: Can't "`
Packit	90a5c9	`"evaluate expression: %s", err);`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`t = require;`
Packit	90a5c9
Packit	90a5c9	`while (t[0]) {`
Packit	90a5c9	`w = ap_getword(r->pool, &t, '=');`
Packit	90a5c9	`value = ap_getword_conf(r->pool, &t);`
Packit	90a5c9
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01734)`
Packit	90a5c9	`"auth_ldap authorize: checking attribute %s has value %s",`
Packit	90a5c9	`w, value);`
Packit	90a5c9	`result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, w, value);`
Packit	90a5c9	`switch(result) {`
Packit	90a5c9	`case LDAP_COMPARE_TRUE: {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01735)`
Packit	90a5c9	`"auth_ldap authorize: "`
Packit	90a5c9	`"require attribute: authorization successful");`
Packit	90a5c9	`set_request_vars(r, LDAP_AUTHZ);`
Packit	90a5c9	`return AUTHZ_GRANTED;`
Packit	90a5c9	`}`
Packit	90a5c9	`default: {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01736)`
Packit	90a5c9	`"auth_ldap authorize: require attribute: "`
Packit	90a5c9	`"authorization failed [%s][%s]",`
Packit	90a5c9	`ldc->reason, ldap_err2string(result));`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01737)`
Packit	90a5c9	`"auth_ldap authorize attribute: authorization denied for "`
Packit	90a5c9	`"user %s to %s",`
Packit	90a5c9	`r->user, r->uri);`
Packit	90a5c9
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static authz_status ldapfilter_check_authorization(request_rec *r,`
Packit	90a5c9	`const char *require_args,`
Packit	90a5c9	`const void *parsed_require_args)`
Packit	90a5c9	`{`
Packit	90a5c9	`int result = 0;`
Packit	90a5c9	`authn_ldap_request_t *req =`
Packit	90a5c9	`(authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);`
Packit	90a5c9	`authn_ldap_config_t *sec =`
Packit	90a5c9	`(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);`
Packit	90a5c9
Packit	90a5c9	`util_ldap_connection_t *ldc = NULL;`
Packit	90a5c9
Packit	90a5c9	`const char *err = NULL;`
Packit	90a5c9	`const ap_expr_info_t *expr = parsed_require_args;`
Packit	90a5c9	`const char *require;`
Packit	90a5c9
Packit	90a5c9	`const char *t;`
Packit	90a5c9
Packit	90a5c9	`char filtbuf[FILTER_LENGTH];`
Packit	90a5c9	`const char *dn = NULL;`
Packit	90a5c9
Packit	90a5c9	`if (!r->user) {`
Packit	90a5c9	`return AUTHZ_DENIED_NO_USER;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (!sec->have_ldap_url) {`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (sec->host) {`
Packit	90a5c9	`ldc = get_connection_for_authz(r, LDAP_SEARCH);`
Packit	90a5c9	`apr_pool_cleanup_register(r->pool, ldc,`
Packit	90a5c9	`authnz_ldap_cleanup_connection_close,`
Packit	90a5c9	`apr_pool_cleanup_null);`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01738)`
Packit	90a5c9	`"auth_ldap authorize: no sec->host - weird...?");`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/*`
Packit	90a5c9	`* If we have been authenticated by some other module than mod_auth_ldap,`
Packit	90a5c9	`* the req structure needed for authorization needs to be created`
Packit	90a5c9	`* and populated with the userid and DN of the account in LDAP`
Packit	90a5c9	`*/`
Packit	90a5c9
Packit	90a5c9	`if (!strlen(r->user)) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01739)`
Packit	90a5c9	`"ldap authorize: Userid is blank, AuthType=%s",`
Packit	90a5c9	`r->ap_auth_type);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if(!req) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01740)`
Packit	90a5c9	`"ldap authorize: Creating LDAP req structure");`
Packit	90a5c9
Packit	90a5c9	`req = (authn_ldap_request_t *)apr_pcalloc(r->pool,`
Packit	90a5c9	`sizeof(authn_ldap_request_t));`
Packit	90a5c9	`/* Build the username filter */`
Packit	90a5c9	`authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec);`
Packit	90a5c9
Packit	90a5c9	`/* Search for the user DN */`
Packit	90a5c9	`result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,`
Packit	90a5c9	`sec->scope, sec->attributes, filtbuf, &dn, &(req->vals));`
Packit	90a5c9
Packit	90a5c9	`/* Search failed, log error and return failure */`
Packit	90a5c9	`if(result != LDAP_SUCCESS) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01741)`
Packit	90a5c9	`"auth_ldap authorise: User DN not found with filter %s: %s", filtbuf, ldc->reason);`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`ap_set_module_config(r->request_config, &authnz_ldap_module, req);`
Packit	90a5c9	`req->dn = apr_pstrdup(r->pool, dn);`
Packit	90a5c9	`req->user = r->user;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (req->dn == NULL \|\| strlen(req->dn) == 0) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01742)`
Packit	90a5c9	`"auth_ldap authorize: require ldap-filter: user's DN "`
Packit	90a5c9	`"has not been defined; failing authorization");`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`require = ap_expr_str_exec(r, expr, &err;;`
Packit	90a5c9	`if (err) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02589)`
Packit	90a5c9	`"auth_ldap authorize: require ldap-filter: Can't "`
Packit	90a5c9	`"evaluate require expression: %s", err);`
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`t = require;`
Packit	90a5c9
Packit	90a5c9	`if (t[0]) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01743)`
Packit	90a5c9	`"auth_ldap authorize: checking filter %s", t);`
Packit	90a5c9
Packit	90a5c9	`/* Build the username filter */`
Packit	90a5c9	`authn_ldap_build_filter(filtbuf, r, req->user, t, sec);`
Packit	90a5c9
Packit	90a5c9	`/* Search for the user DN */`
Packit	90a5c9	`result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,`
Packit	90a5c9	`sec->scope, sec->attributes, filtbuf, &dn, &(req->vals));`
Packit	90a5c9
Packit	90a5c9	`/* Make sure that the filtered search returned the correct user dn */`
Packit	90a5c9	`if (result == LDAP_SUCCESS) {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01744)`
Packit	90a5c9	`"auth_ldap authorize: checking dn match %s", dn);`
Packit	90a5c9	`if (sec->compare_as_user) {`
Packit	90a5c9	`/* ldap-filter is the only authz that requires a search and a compare */`
Packit	90a5c9	`apr_pool_cleanup_kill(r->pool, ldc, authnz_ldap_cleanup_connection_close);`
Packit	90a5c9	`authnz_ldap_cleanup_connection_close(ldc);`
Packit	90a5c9	`ldc = get_connection_for_authz(r, LDAP_COMPARE);`
Packit	90a5c9	`}`
Packit	90a5c9	`result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, dn,`
Packit	90a5c9	`sec->compare_dn_on_server);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`switch(result) {`
Packit	90a5c9	`case LDAP_COMPARE_TRUE: {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01745)`
Packit	90a5c9	`"auth_ldap authorize: require ldap-filter: "`
Packit	90a5c9	`"authorization successful");`
Packit	90a5c9	`set_request_vars(r, LDAP_AUTHZ);`
Packit	90a5c9	`return AUTHZ_GRANTED;`
Packit	90a5c9	`}`
Packit	90a5c9	`case LDAP_FILTER_ERROR: {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01746)`
Packit	90a5c9	`"auth_ldap authorize: require ldap-filter: "`
Packit	90a5c9	`"%s authorization failed [%s][%s]",`
Packit	90a5c9	`filtbuf, ldc->reason, ldap_err2string(result));`
Packit	90a5c9	`break;`
Packit	90a5c9	`}`
Packit	90a5c9	`default: {`
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01747)`
Packit	90a5c9	`"auth_ldap authorize: require ldap-filter: "`
Packit	90a5c9	`"authorization failed [%s][%s]",`
Packit	90a5c9	`ldc->reason, ldap_err2string(result));`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01748)`
Packit	90a5c9	`"auth_ldap authorize filter: authorization denied for "`
Packit	90a5c9	`"user %s to %s",`
Packit	90a5c9	`r->user, r->uri);`
Packit	90a5c9
Packit	90a5c9	`return AUTHZ_DENIED;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static const char ldap_parse_config(cmd_parms cmd, const char *require_line,`
Packit	90a5c9	`const void **parsed_require_line)`
Packit	90a5c9	`{`
Packit	90a5c9	`const char *expr_err = NULL;`
Packit	90a5c9	`ap_expr_info_t *expr;`
Packit	90a5c9
Packit	90a5c9	`expr = ap_expr_parse_cmd(cmd, require_line, AP_EXPR_FLAG_STRING_RESULT,`
Packit	90a5c9	`&expr_err, NULL);`
Packit	90a5c9
Packit	90a5c9	`if (expr_err)`
Packit	90a5c9	`return apr_pstrcat(cmd->temp_pool,`
Packit	90a5c9	`"Cannot parse expression in require line: ",`
Packit	90a5c9	`expr_err, NULL);`
Packit	90a5c9
Packit	90a5c9	`*parsed_require_line = expr;`
Packit	90a5c9
Packit	90a5c9	`return NULL;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9
Packit	90a5c9	`/*`
Packit	90a5c9	`* Use the ldap url parsing routines to break up the ldap url into`
Packit	90a5c9	`* host and port.`
Packit	90a5c9	`*/`
Packit	90a5c9	`static const char mod_auth_ldap_parse_url(cmd_parms cmd,`
Packit	90a5c9	`void *config,`
Packit	90a5c9	`const char *url,`
Packit	90a5c9	`const char *mode)`
Packit	90a5c9	`{`
Packit	90a5c9	`int rc;`
Packit	90a5c9	`apr_ldap_url_desc_t *urld;`
Packit	90a5c9	`apr_ldap_err_t *result;`
Packit	90a5c9
Packit	90a5c9	`authn_ldap_config_t *sec = config;`
Packit	90a5c9
Packit	90a5c9	`rc = apr_ldap_url_parse(cmd->pool, url, &(urld), &(result));`
Packit	90a5c9	`if (rc != APR_SUCCESS) {`
Packit	90a5c9	`return result->reason;`
Packit	90a5c9	`}`
Packit	90a5c9	`sec->url = apr_pstrdup(cmd->pool, url);`
Packit	90a5c9
Packit	90a5c9	`/* Set all the values, or at least some sane defaults */`
Packit	90a5c9	`if (sec->host) {`
Packit	90a5c9	`sec->host = apr_pstrcat(cmd->pool, urld->lud_host, " ", sec->host, NULL);`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`sec->host = urld->lud_host? apr_pstrdup(cmd->pool, urld->lud_host) : "localhost";`
Packit	90a5c9	`}`
Packit	90a5c9	`sec->basedn = urld->lud_dn? apr_pstrdup(cmd->pool, urld->lud_dn) : "";`
Packit	90a5c9	`if (urld->lud_attrs && urld->lud_attrs[0]) {`
Packit	90a5c9	`int i = 1;`
Packit	90a5c9	`while (urld->lud_attrs[i]) {`
Packit	90a5c9	`i++;`
Packit	90a5c9	`}`
Packit	90a5c9	`sec->attributes = apr_pcalloc(cmd->pool, sizeof(char ) (i+1));`
Packit	90a5c9	`i = 0;`
Packit	90a5c9	`while (urld->lud_attrs[i]) {`
Packit	90a5c9	`sec->attributes[i] = apr_pstrdup(cmd->pool, urld->lud_attrs[i]);`
Packit	90a5c9	`i++;`
Packit	90a5c9	`}`
Packit	90a5c9	`sec->attribute = sec->attributes[0];`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`sec->attribute = "uid";`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`sec->scope = urld->lud_scope == LDAP_SCOPE_ONELEVEL ?`
Packit	90a5c9	`LDAP_SCOPE_ONELEVEL : LDAP_SCOPE_SUBTREE;`
Packit	90a5c9
Packit	90a5c9	`if (urld->lud_filter) {`
Packit	90a5c9	`if (urld->lud_filter[0] == '(') {`
Packit	90a5c9	`/*`
Packit	90a5c9	`* Get rid of the surrounding parens; later on when generating the`
Packit	90a5c9	`* filter, they'll be put back.`
Packit	90a5c9	`*/`
Packit	90a5c9	`sec->filter = apr_pstrmemdup(cmd->pool, urld->lud_filter+1,`
Packit	90a5c9	`strlen(urld->lud_filter)-2);`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`sec->filter = apr_pstrdup(cmd->pool, urld->lud_filter);`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`sec->filter = "objectclass=*";`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (mode) {`
Packit	90a5c9	`if (0 == strcasecmp("NONE", mode)) {`
Packit	90a5c9	`sec->secure = APR_LDAP_NONE;`
Packit	90a5c9	`}`
Packit	90a5c9	`else if (0 == strcasecmp("SSL", mode)) {`
Packit	90a5c9	`sec->secure = APR_LDAP_SSL;`
Packit	90a5c9	`}`
Packit	90a5c9	`else if (0 == strcasecmp("TLS", mode) \|\| 0 == strcasecmp("STARTTLS", mode)) {`
Packit	90a5c9	`sec->secure = APR_LDAP_STARTTLS;`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`return "Invalid LDAP connection mode setting: must be one of NONE, "`
Packit	90a5c9	`"SSL, or TLS/STARTTLS";`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`/* "ldaps" indicates secure ldap connections desired`
Packit	90a5c9	`*/`
Packit	90a5c9	`if (strncasecmp(url, "ldaps", 5) == 0)`
Packit	90a5c9	`{`
Packit	90a5c9	`sec->secure = APR_LDAP_SSL;`
Packit	90a5c9	`sec->port = urld->lud_port? urld->lud_port : LDAPS_PORT;`
Packit	90a5c9	`}`
Packit	90a5c9	`else`
Packit	90a5c9	`{`
Packit	90a5c9	`sec->port = urld->lud_port? urld->lud_port : LDAP_PORT;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`sec->have_ldap_url = 1;`
Packit	90a5c9
Packit	90a5c9	`ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, cmd->server,`
Packit	90a5c9	"auth_ldap url parse: `%s', Host: %s, Port: %d, DN: %s, "
Packit	90a5c9	`"attrib: %s, scope: %s, filter: %s, connection mode: %s",`
Packit	90a5c9	`url,`
Packit	90a5c9	`urld->lud_host,`
Packit	90a5c9	`urld->lud_port,`
Packit	90a5c9	`urld->lud_dn,`
Packit	90a5c9	`urld->lud_attrs? urld->lud_attrs[0] : "(null)",`
Packit	90a5c9	`(urld->lud_scope == LDAP_SCOPE_SUBTREE? "subtree" :`
Packit	90a5c9	`urld->lud_scope == LDAP_SCOPE_BASE? "base" :`
Packit	90a5c9	`urld->lud_scope == LDAP_SCOPE_ONELEVEL? "onelevel" : "unknown"),`
Packit	90a5c9	`urld->lud_filter,`
Packit	90a5c9	`sec->secure == APR_LDAP_SSL ? "using SSL": "not using SSL"`
Packit	90a5c9	`);`
Packit	90a5c9
Packit	90a5c9	`return NULL;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static const char mod_auth_ldap_set_deref(cmd_parms cmd, void config, const char arg)`
Packit	90a5c9	`{`
Packit	90a5c9	`authn_ldap_config_t *sec = config;`
Packit	90a5c9
Packit	90a5c9	`if (strcmp(arg, "never") == 0 \|\| strcasecmp(arg, "off") == 0) {`
Packit	90a5c9	`sec->deref = never;`
Packit	90a5c9	`}`
Packit	90a5c9	`else if (strcmp(arg, "searching") == 0) {`
Packit	90a5c9	`sec->deref = searching;`
Packit	90a5c9	`}`
Packit	90a5c9	`else if (strcmp(arg, "finding") == 0) {`
Packit	90a5c9	`sec->deref = finding;`
Packit	90a5c9	`}`
Packit	90a5c9	`else if (strcmp(arg, "always") == 0 \|\| strcasecmp(arg, "on") == 0) {`
Packit	90a5c9	`sec->deref = always;`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`return "Unrecognized value for AuthLDAPDereferenceAliases directive";`
Packit	90a5c9	`}`
Packit	90a5c9	`return NULL;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static const char mod_auth_ldap_add_subgroup_attribute(cmd_parms cmd, void config, const char arg)`
Packit	90a5c9	`{`
Packit	90a5c9	`int i = 0;`
Packit	90a5c9
Packit	90a5c9	`authn_ldap_config_t *sec = config;`
Packit	90a5c9
Packit	90a5c9	`for (i = 0; sec->sgAttributes[i]; i++) {`
Packit	90a5c9	`;`
Packit	90a5c9	`}`
Packit	90a5c9	`if (i == GROUPATTR_MAX_ELTS)`
Packit	90a5c9	`return "Too many AuthLDAPSubGroupAttribute values";`
Packit	90a5c9
Packit	90a5c9	`sec->sgAttributes[i] = apr_pstrdup(cmd->pool, arg);`
Packit	90a5c9
Packit	90a5c9	`return NULL;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static const char mod_auth_ldap_add_subgroup_class(cmd_parms cmd, void config, const char arg)`
Packit	90a5c9	`{`
Packit	90a5c9	`struct mod_auth_ldap_groupattr_entry_t *new;`
Packit	90a5c9
Packit	90a5c9	`authn_ldap_config_t *sec = config;`
Packit	90a5c9
Packit	90a5c9	`if (sec->subgroupclasses->nelts > GROUPATTR_MAX_ELTS)`
Packit	90a5c9	`return "Too many AuthLDAPSubGroupClass values";`
Packit	90a5c9
Packit	90a5c9	`new = apr_array_push(sec->subgroupclasses);`
Packit	90a5c9	`new->name = apr_pstrdup(cmd->pool, arg);`
Packit	90a5c9
Packit	90a5c9	`return NULL;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static const char mod_auth_ldap_set_subgroup_maxdepth(cmd_parms cmd,`
Packit	90a5c9	`void *config,`
Packit	90a5c9	`const char *max_depth)`
Packit	90a5c9	`{`
Packit	90a5c9	`authn_ldap_config_t *sec = config;`
Packit	90a5c9
Packit	90a5c9	`sec->maxNestingDepth = atol(max_depth);`
Packit	90a5c9
Packit	90a5c9	`return NULL;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static const char mod_auth_ldap_add_group_attribute(cmd_parms cmd, void config, const char arg)`
Packit	90a5c9	`{`
Packit	90a5c9	`struct mod_auth_ldap_groupattr_entry_t *new;`
Packit	90a5c9
Packit	90a5c9	`authn_ldap_config_t *sec = config;`
Packit	90a5c9
Packit	90a5c9	`if (sec->groupattr->nelts > GROUPATTR_MAX_ELTS)`
Packit	90a5c9	`return "Too many AuthLDAPGroupAttribute directives";`
Packit	90a5c9
Packit	90a5c9	`new = apr_array_push(sec->groupattr);`
Packit	90a5c9	`new->name = apr_pstrdup(cmd->pool, arg);`
Packit	90a5c9
Packit	90a5c9	`return NULL;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static const char set_charset_config(cmd_parms cmd, void config, const char arg)`
Packit	90a5c9	`{`
Packit	90a5c9	`ap_set_module_config(cmd->server->module_config, &authnz_ldap_module,`
Packit	90a5c9	`(void *)arg);`
Packit	90a5c9	`return NULL;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static const char set_bind_pattern(cmd_parms cmd, void _cfg, const char exp, const char *subst)`
Packit	90a5c9	`{`
Packit	90a5c9	`authn_ldap_config_t *sec = _cfg;`
Packit	90a5c9	`ap_regex_t *regexp;`
Packit	90a5c9
Packit	90a5c9	`regexp = ap_pregcomp(cmd->pool, exp, AP_REG_EXTENDED);`
Packit	90a5c9
Packit	90a5c9	`if (!regexp) {`
Packit	90a5c9	`return apr_pstrcat(cmd->pool, "AuthLDAPInitialBindPattern: cannot compile regular "`
Packit	90a5c9	`"expression '", exp, "'", NULL);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`sec->bind_regex = regexp;`
Packit	90a5c9	`sec->bind_subst = subst;`
Packit	90a5c9
Packit	90a5c9	`return NULL;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static const char set_bind_password(cmd_parms cmd, void _cfg, const char arg)`
Packit	90a5c9	`{`
Packit	90a5c9	`authn_ldap_config_t *sec = _cfg;`
Packit	90a5c9	`int arglen = strlen(arg);`
Packit	90a5c9	`char **argv;`
Packit	90a5c9	`char *result;`
Packit	90a5c9
Packit	90a5c9	`if ((arglen > 5) && strncmp(arg, "exec:", 5) == 0) {`
Packit	90a5c9	`if (apr_tokenize_to_argv(arg+5, &argv, cmd->temp_pool) != APR_SUCCESS) {`
Packit	90a5c9	`return apr_pstrcat(cmd->pool,`
Packit	90a5c9	`"Unable to parse exec arguments from ",`
Packit	90a5c9	`arg+5, NULL);`
Packit	90a5c9	`}`
Packit	90a5c9	`argv[0] = ap_server_root_relative(cmd->temp_pool, argv[0]);`
Packit	90a5c9
Packit	90a5c9	`if (!argv[0]) {`
Packit	90a5c9	`return apr_pstrcat(cmd->pool,`
Packit	90a5c9	`"Invalid AuthLDAPBindPassword exec location:",`
Packit	90a5c9	`arg+5, NULL);`
Packit	90a5c9	`}`
Packit	90a5c9	`result = ap_get_exec_line(cmd->pool,`
Packit	90a5c9	`(const char)argv[0], (const char const *)argv);`
Packit	90a5c9
Packit	90a5c9	`if (!result) {`
Packit	90a5c9	`return apr_pstrcat(cmd->pool,`
Packit	90a5c9	`"Unable to get bind password from exec of ",`
Packit	90a5c9	`arg+5, NULL);`
Packit	90a5c9	`}`
Packit	90a5c9	`sec->bindpw = result;`
Packit	90a5c9	`}`
Packit	90a5c9	`else {`
Packit	90a5c9	`sec->bindpw = (char *)arg;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`return NULL;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static const command_rec authnz_ldap_cmds[] =`
Packit	90a5c9	`{`
Packit	90a5c9	`AP_INIT_TAKE12("AuthLDAPURL", mod_auth_ldap_parse_url, NULL, OR_AUTHCFG,`
Packit	90a5c9	`"URL to define LDAP connection. This should be an RFC 2255 compliant\n"`
Packit	90a5c9	`"URL of the form ldap://host[:port]/basedn[?attrib[?scope[?filter]]].\n"`
Packit	90a5c9	`"\n"`
Packit	90a5c9	`"Host is the name of the LDAP server. Use a space separated list of hosts \n"`
Packit	90a5c9	`"to specify redundant servers.\n"`
Packit	90a5c9	`"Port is optional, and specifies the port to connect to.\n"`
Packit	90a5c9	`"basedn specifies the base DN to start searches from\n"`
Packit	90a5c9	`"Attrib specifies what attribute to search for in the directory. If not "`
Packit	90a5c9	`"provided, it defaults to uid.\n"`
Packit	90a5c9	`"Scope is the scope of the search, and can be either sub or "`
Packit	90a5c9	`"one. If not provided, the default is sub.\n"`
Packit	90a5c9	`"Filter is a filter to use in the search. If not provided, "`
Packit	90a5c9	`"defaults to (objectClass=*).\n"`
Packit	90a5c9	`"\n"`
Packit	90a5c9	`"Searches are performed using the attribute and the filter combined. "`
Packit	90a5c9	`"For example, assume that the\n"`
Packit	90a5c9	`"LDAP URL is ldap://ldap.airius.com/ou=People, o=Airius?uid?sub?(posixid=*). "`
Packit	90a5c9	`"Searches will\n"`
Packit	90a5c9	`"be done using the filter (&((posixid=*))(uid=username)), "`
Packit	90a5c9	`"where username\n"`
Packit	90a5c9	`"is the user name passed by the HTTP client. The search will be a subtree "`
Packit	90a5c9	`"search on the branch ou=People, o=Airius."),`
Packit	90a5c9
Packit	90a5c9	`AP_INIT_TAKE1("AuthLDAPBindDN", ap_set_string_slot,`
Packit	90a5c9	`(void *)APR_OFFSETOF(authn_ldap_config_t, binddn), OR_AUTHCFG,`
Packit	90a5c9	`"DN to use to bind to LDAP server. If not provided, will do an anonymous bind."),`
Packit	90a5c9
Packit	90a5c9	`AP_INIT_TAKE1("AuthLDAPBindPassword", set_bind_password, NULL, OR_AUTHCFG,`
Packit	90a5c9	`"Password to use to bind to LDAP server. If not provided, will do an anonymous bind."),`
Packit	90a5c9
Packit	90a5c9	`AP_INIT_FLAG("AuthLDAPBindAuthoritative", ap_set_flag_slot,`
Packit	90a5c9	`(void *)APR_OFFSETOF(authn_ldap_config_t, bind_authoritative), OR_AUTHCFG,`
Packit	90a5c9	`"Set to 'on' to return failures when user-specific bind fails - defaults to on."),`
Packit	90a5c9
Packit	90a5c9	`AP_INIT_FLAG("AuthLDAPRemoteUserIsDN", ap_set_flag_slot,`
Packit	90a5c9	`(void *)APR_OFFSETOF(authn_ldap_config_t, user_is_dn), OR_AUTHCFG,`
Packit	90a5c9	`"Set to 'on' to set the REMOTE_USER environment variable to be the full "`
Packit	90a5c9	`"DN of the remote user. By default, this is set to off, meaning that "`
Packit	90a5c9	`"the REMOTE_USER variable will contain whatever value the remote user sent."),`
Packit	90a5c9
Packit	90a5c9	`AP_INIT_TAKE1("AuthLDAPRemoteUserAttribute", ap_set_string_slot,`
Packit	90a5c9	`(void *)APR_OFFSETOF(authn_ldap_config_t, remote_user_attribute), OR_AUTHCFG,`
Packit	90a5c9	`"Override the user supplied username and place the "`
Packit	90a5c9	`"contents of this attribute in the REMOTE_USER "`
Packit	90a5c9	`"environment variable."),`
Packit	90a5c9
Packit	90a5c9	`AP_INIT_FLAG("AuthLDAPCompareDNOnServer", ap_set_flag_slot,`
Packit	90a5c9	`(void *)APR_OFFSETOF(authn_ldap_config_t, compare_dn_on_server), OR_AUTHCFG,`
Packit	90a5c9	`"Set to 'on' to force auth_ldap to do DN compares (for the \"require dn\" "`
Packit	90a5c9	`"directive) using the server, and set it 'off' to do the compares locally "`
Packit	90a5c9	`"(at the expense of possible false matches). See the documentation for "`
Packit	90a5c9	`"a complete description of this option."),`
Packit	90a5c9
Packit	90a5c9	`AP_INIT_ITERATE("AuthLDAPSubGroupAttribute", mod_auth_ldap_add_subgroup_attribute, NULL, OR_AUTHCFG,`
Packit	90a5c9	`"Attribute labels used to define sub-group (or nested group) membership in groups - "`
Packit	90a5c9	`"defaults to member and uniqueMember"),`
Packit	90a5c9
Packit	90a5c9	`AP_INIT_ITERATE("AuthLDAPSubGroupClass", mod_auth_ldap_add_subgroup_class, NULL, OR_AUTHCFG,`
Packit	90a5c9	`"LDAP objectClass values used to identify sub-group instances - "`
Packit	90a5c9	`"defaults to groupOfNames and groupOfUniqueNames"),`
Packit	90a5c9
Packit	90a5c9	`AP_INIT_TAKE1("AuthLDAPMaxSubGroupDepth", mod_auth_ldap_set_subgroup_maxdepth, NULL, OR_AUTHCFG,`
Packit	90a5c9	`"Maximum subgroup nesting depth to be evaluated - defaults to 10 (top-level group = 0)"),`
Packit	90a5c9
Packit	90a5c9	`AP_INIT_ITERATE("AuthLDAPGroupAttribute", mod_auth_ldap_add_group_attribute, NULL, OR_AUTHCFG,`
Packit	90a5c9	`"A list of attribute labels used to identify the user members of groups - defaults to "`
Packit	90a5c9	`"member and uniquemember"),`
Packit	90a5c9
Packit	90a5c9	`AP_INIT_FLAG("AuthLDAPGroupAttributeIsDN", ap_set_flag_slot,`
Packit	90a5c9	`(void *)APR_OFFSETOF(authn_ldap_config_t, group_attrib_is_dn), OR_AUTHCFG,`
Packit	90a5c9	`"If set to 'on', auth_ldap uses the DN that is retrieved from the server for "`
Packit	90a5c9	`"subsequent group comparisons. If set to 'off', auth_ldap uses the string "`
Packit	90a5c9	`"provided by the client directly. Defaults to 'on'."),`
Packit	90a5c9
Packit	90a5c9	`AP_INIT_TAKE1("AuthLDAPDereferenceAliases", mod_auth_ldap_set_deref, NULL, OR_AUTHCFG,`
Packit	90a5c9	`"Determines how aliases are handled during a search. Can be one of the "`
Packit	90a5c9	`"values \"never\", \"searching\", \"finding\", or \"always\". "`
Packit	90a5c9	`"Defaults to always."),`
Packit	90a5c9
Packit	90a5c9	`AP_INIT_TAKE1("AuthLDAPCharsetConfig", set_charset_config, NULL, RSRC_CONF,`
Packit	90a5c9	`"Character set conversion configuration file. If omitted, character set "`
Packit	90a5c9	`"conversion is disabled."),`
Packit	90a5c9
Packit	90a5c9	`AP_INIT_TAKE1("AuthLDAPAuthorizePrefix", ap_set_string_slot,`
Packit	90a5c9	`(void *)APR_OFFSETOF(authn_ldap_config_t, authz_prefix), OR_AUTHCFG,`
Packit	90a5c9	`"The prefix to add to environment variables set during "`
Packit	90a5c9	`"successful authorization, default '" AUTHZ_PREFIX "'"),`
Packit	90a5c9
Packit	90a5c9	`AP_INIT_FLAG("AuthLDAPInitialBindAsUser", ap_set_flag_slot,`
Packit	90a5c9	`(void *)APR_OFFSETOF(authn_ldap_config_t, initial_bind_as_user), OR_AUTHCFG,`
Packit	90a5c9	`"Set to 'on' to perform the initial DN lookup with the basic auth credentials "`
Packit	90a5c9	`"instead of anonymous or hard-coded credentials"),`
Packit	90a5c9
Packit	90a5c9	`AP_INIT_TAKE2("AuthLDAPInitialBindPattern", set_bind_pattern, NULL, OR_AUTHCFG,`
Packit	90a5c9	`"The regex and substitution to determine a username that can bind based on an HTTP basic auth username"),`
Packit	90a5c9
Packit	90a5c9	`AP_INIT_FLAG("AuthLDAPSearchAsUser", ap_set_flag_slot,`
Packit	90a5c9	`(void *)APR_OFFSETOF(authn_ldap_config_t, search_as_user), OR_AUTHCFG,`
Packit	90a5c9	`"Set to 'on' to perform authorization-based searches with the users credentials, when this module "`
Packit	90a5c9	`"has also performed authentication. Does not affect nested groups lookup."),`
Packit	90a5c9	`AP_INIT_FLAG("AuthLDAPCompareAsUser", ap_set_flag_slot,`
Packit	90a5c9	`(void *)APR_OFFSETOF(authn_ldap_config_t, compare_as_user), OR_AUTHCFG,`
Packit	90a5c9	`"Set to 'on' to perform authorization-based compares with the users credentials, when this module "`
Packit	90a5c9	`"has also performed authentication. Does not affect nested groups lookups."),`
Packit	90a5c9	`{NULL}`
Packit	90a5c9	`};`
Packit	90a5c9
Packit	90a5c9	`static int authnz_ldap_post_config(apr_pool_t p, apr_pool_t plog, apr_pool_t ptemp, server_rec s)`
Packit	90a5c9	`{`
Packit	90a5c9	`ap_configfile_t *f;`
Packit	90a5c9	`char l[MAX_STRING_LEN];`
Packit	90a5c9	`const char *charset_confname = ap_get_module_config(s->module_config,`
Packit	90a5c9	`&authnz_ldap_module);`
Packit	90a5c9	`apr_status_t status;`
Packit	90a5c9
Packit	90a5c9	`/*`
Packit	90a5c9	`authn_ldap_config_t sec = (authn_ldap_config_t )`
Packit	90a5c9	`ap_get_module_config(s->module_config,`
Packit	90a5c9	`&authnz_ldap_module);`
Packit	90a5c9
Packit	90a5c9	`if (sec->secure)`
Packit	90a5c9	`{`
Packit	90a5c9	`if (!util_ldap_ssl_supported(s))`
Packit	90a5c9	`{`
Packit	90a5c9	`ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s, APLOGNO(03159)`
Packit	90a5c9	`"LDAP: SSL connections (ldaps://) not supported by utilLDAP");`
Packit	90a5c9	`return(!OK);`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9	`*/`
Packit	90a5c9
Packit	90a5c9	`/* make sure that mod_ldap (util_ldap) is loaded */`
Packit	90a5c9	`if (ap_find_linked_module("util_ldap.c") == NULL) {`
Packit	90a5c9	`ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01749)`
Packit	90a5c9	`"Module mod_ldap missing. Mod_ldap (aka. util_ldap) "`
Packit	90a5c9	`"must be loaded in order for mod_authnz_ldap to function properly");`
Packit	90a5c9	`return HTTP_INTERNAL_SERVER_ERROR;`
Packit	90a5c9
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`if (!charset_confname) {`
Packit	90a5c9	`return OK;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`charset_confname = ap_server_root_relative(p, charset_confname);`
Packit	90a5c9	`if (!charset_confname) {`
Packit	90a5c9	`ap_log_error(APLOG_MARK, APLOG_ERR, APR_EBADPATH, s, APLOGNO(01750)`
Packit	90a5c9	`"Invalid charset conversion config path %s",`
Packit	90a5c9	`(const char *)ap_get_module_config(s->module_config,`
Packit	90a5c9	`&authnz_ldap_module));`
Packit	90a5c9	`return HTTP_INTERNAL_SERVER_ERROR;`
Packit	90a5c9	`}`
Packit	90a5c9	`if ((status = ap_pcfg_openfile(&f, ptemp, charset_confname))`
Packit	90a5c9	`!= APR_SUCCESS) {`
Packit	90a5c9	`ap_log_error(APLOG_MARK, APLOG_ERR, status, s, APLOGNO(01751)`
Packit	90a5c9	`"could not open charset conversion config file %s.",`
Packit	90a5c9	`charset_confname);`
Packit	90a5c9	`return HTTP_INTERNAL_SERVER_ERROR;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`charset_conversions = apr_hash_make(p);`
Packit	90a5c9
Packit	90a5c9	`while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {`
Packit	90a5c9	`const char *ll = l;`
Packit	90a5c9	`char *lang;`
Packit	90a5c9
Packit	90a5c9	`if (l[0] == '#') {`
Packit	90a5c9	`continue;`
Packit	90a5c9	`}`
Packit	90a5c9	`lang = ap_getword_conf(p, &ll);`
Packit	90a5c9	`ap_str_tolower(lang);`
Packit	90a5c9
Packit	90a5c9	`if (ll[0]) {`
Packit	90a5c9	`char *charset = ap_getword_conf(p, &ll);`
Packit	90a5c9	`apr_hash_set(charset_conversions, lang, APR_HASH_KEY_STRING, charset);`
Packit	90a5c9	`}`
Packit	90a5c9	`}`
Packit	90a5c9	`ap_cfg_closefile(f);`
Packit	90a5c9
Packit	90a5c9	`to_charset = derive_codepage_from_lang (p, "utf-8");`
Packit	90a5c9	`if (to_charset == NULL) {`
Packit	90a5c9	`ap_log_error(APLOG_MARK, APLOG_ERR, status, s, APLOGNO(01752)`
Packit	90a5c9	`"could not find the UTF-8 charset in the file %s.",`
Packit	90a5c9	`charset_confname);`
Packit	90a5c9	`return HTTP_INTERNAL_SERVER_ERROR;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`return OK;`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static const authn_provider authn_ldap_provider =`
Packit	90a5c9	`{`
Packit	90a5c9	`&authn_ldap_check_password,`
Packit	90a5c9	`NULL,`
Packit	90a5c9	`};`
Packit	90a5c9
Packit	90a5c9	`static const authz_provider authz_ldapuser_provider =`
Packit	90a5c9	`{`
Packit	90a5c9	`&ldapuser_check_authorization,`
Packit	90a5c9	`&ldap_parse_config,`
Packit	90a5c9	`};`
Packit	90a5c9	`static const authz_provider authz_ldapgroup_provider =`
Packit	90a5c9	`{`
Packit	90a5c9	`&ldapgroup_check_authorization,`
Packit	90a5c9	`&ldap_parse_config,`
Packit	90a5c9	`};`
Packit	90a5c9
Packit	90a5c9	`static const authz_provider authz_ldapdn_provider =`
Packit	90a5c9	`{`
Packit	90a5c9	`&ldapdn_check_authorization,`
Packit	90a5c9	`&ldap_parse_config,`
Packit	90a5c9	`};`
Packit	90a5c9
Packit	90a5c9	`static const authz_provider authz_ldapattribute_provider =`
Packit	90a5c9	`{`
Packit	90a5c9	`&ldapattribute_check_authorization,`
Packit	90a5c9	`&ldap_parse_config,`
Packit	90a5c9	`};`
Packit	90a5c9
Packit	90a5c9	`static const authz_provider authz_ldapfilter_provider =`
Packit	90a5c9	`{`
Packit	90a5c9	`&ldapfilter_check_authorization,`
Packit	90a5c9	`&ldap_parse_config,`
Packit	90a5c9	`};`
Packit	90a5c9
Packit	90a5c9	`static void ImportULDAPOptFn(void)`
Packit	90a5c9	`{`
Packit	90a5c9	`util_ldap_connection_close = APR_RETRIEVE_OPTIONAL_FN(uldap_connection_close);`
Packit	90a5c9	`util_ldap_connection_find = APR_RETRIEVE_OPTIONAL_FN(uldap_connection_find);`
Packit	90a5c9	`util_ldap_cache_comparedn = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_comparedn);`
Packit	90a5c9	`util_ldap_cache_compare = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_compare);`
Packit	90a5c9	`util_ldap_cache_checkuserid = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_checkuserid);`
Packit	90a5c9	`util_ldap_cache_getuserdn = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_getuserdn);`
Packit	90a5c9	`util_ldap_ssl_supported = APR_RETRIEVE_OPTIONAL_FN(uldap_ssl_supported);`
Packit	90a5c9	`util_ldap_cache_check_subgroups = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_check_subgroups);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`static void register_hooks(apr_pool_t *p)`
Packit	90a5c9	`{`
Packit	90a5c9	`/* Register authn provider */`
Packit	90a5c9	`ap_register_auth_provider(p, AUTHN_PROVIDER_GROUP, "ldap",`
Packit	90a5c9	`AUTHN_PROVIDER_VERSION,`
Packit	90a5c9	`&authn_ldap_provider, AP_AUTH_INTERNAL_PER_CONF);`
Packit	90a5c9
Packit	90a5c9	`/* Register authz providers */`
Packit	90a5c9	`ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-user",`
Packit	90a5c9	`AUTHZ_PROVIDER_VERSION,`
Packit	90a5c9	`&authz_ldapuser_provider,`
Packit	90a5c9	`AP_AUTH_INTERNAL_PER_CONF);`
Packit	90a5c9	`ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-group",`
Packit	90a5c9	`AUTHZ_PROVIDER_VERSION,`
Packit	90a5c9	`&authz_ldapgroup_provider,`
Packit	90a5c9	`AP_AUTH_INTERNAL_PER_CONF);`
Packit	90a5c9	`ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-dn",`
Packit	90a5c9	`AUTHZ_PROVIDER_VERSION,`
Packit	90a5c9	`&authz_ldapdn_provider,`
Packit	90a5c9	`AP_AUTH_INTERNAL_PER_CONF);`
Packit	90a5c9	`ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-attribute",`
Packit	90a5c9	`AUTHZ_PROVIDER_VERSION,`
Packit	90a5c9	`&authz_ldapattribute_provider,`
Packit	90a5c9	`AP_AUTH_INTERNAL_PER_CONF);`
Packit	90a5c9	`ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-filter",`
Packit	90a5c9	`AUTHZ_PROVIDER_VERSION,`
Packit	90a5c9	`&authz_ldapfilter_provider,`
Packit	90a5c9	`AP_AUTH_INTERNAL_PER_CONF);`
Packit	90a5c9
Packit	90a5c9	`ap_hook_post_config(authnz_ldap_post_config,NULL,NULL,APR_HOOK_MIDDLE);`
Packit	90a5c9
Packit	90a5c9	`ap_hook_optional_fn_retrieve(ImportULDAPOptFn,NULL,NULL,APR_HOOK_MIDDLE);`
Packit	90a5c9	`}`
Packit	90a5c9
Packit	90a5c9	`AP_DECLARE_MODULE(authnz_ldap) =`
Packit	90a5c9	`{`
Packit	90a5c9	`STANDARD20_MODULE_STUFF,`
Packit	90a5c9	`create_authnz_ldap_dir_config, /* dir config creater */`
Packit	90a5c9	`NULL, /* dir merger --- default is to override */`
Packit	90a5c9	`NULL, /* server config */`
Packit	90a5c9	`NULL, /* merge server config */`
Packit	90a5c9	`authnz_ldap_cmds, /* command apr_table_t */`
Packit	90a5c9	`register_hooks /* register hooks */`
Packit	90a5c9	`};`

source-git / httpd

Source Code

Blame modules/aaa/mod_authnz_ldap.c