|
Packit |
90a5c9 |
/* Licensed to the Apache Software Foundation (ASF) under one or more
|
|
Packit |
90a5c9 |
* contributor license agreements. See the NOTICE file distributed with
|
|
Packit |
90a5c9 |
* this work for additional information regarding copyright ownership.
|
|
Packit |
90a5c9 |
* The ASF licenses this file to You under the Apache License, Version 2.0
|
|
Packit |
90a5c9 |
* (the "License"); you may not use this file except in compliance with
|
|
Packit |
90a5c9 |
* the License. You may obtain a copy of the License at
|
|
Packit |
90a5c9 |
*
|
|
Packit |
90a5c9 |
* http://www.apache.org/licenses/LICENSE-2.0
|
|
Packit |
90a5c9 |
*
|
|
Packit |
90a5c9 |
* Unless required by applicable law or agreed to in writing, software
|
|
Packit |
90a5c9 |
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
Packit |
90a5c9 |
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
Packit |
90a5c9 |
* See the License for the specific language governing permissions and
|
|
Packit |
90a5c9 |
* limitations under the License.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#include "ap_provider.h"
|
|
Packit |
90a5c9 |
#include "httpd.h"
|
|
Packit |
90a5c9 |
#include "http_config.h"
|
|
Packit |
90a5c9 |
#include "ap_provider.h"
|
|
Packit |
90a5c9 |
#include "http_core.h"
|
|
Packit |
90a5c9 |
#include "http_log.h"
|
|
Packit |
90a5c9 |
#include "http_protocol.h"
|
|
Packit |
90a5c9 |
#include "http_request.h"
|
|
Packit |
90a5c9 |
#include "util_ldap.h"
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#include "mod_auth.h"
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#include "apr_strings.h"
|
|
Packit |
90a5c9 |
#include "apr_xlate.h"
|
|
Packit |
90a5c9 |
#define APR_WANT_STRFUNC
|
|
Packit |
90a5c9 |
#include "apr_want.h"
|
|
Packit |
90a5c9 |
#include "apr_lib.h"
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#include <ctype.h>
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#if !APR_HAS_LDAP
|
|
Packit |
90a5c9 |
#error mod_authnz_ldap requires APR-util to have LDAP support built in. To fix add --with-ldap to ./configure.
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static char *default_attributes[3] = { "member", "uniqueMember", NULL };
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
typedef struct {
|
|
Packit |
90a5c9 |
apr_pool_t *pool; /* Pool that this config is allocated from */
|
|
Packit |
90a5c9 |
#if APR_HAS_THREADS
|
|
Packit |
90a5c9 |
apr_thread_mutex_t *lock; /* Lock for this config */
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* These parameters are all derived from the AuthLDAPURL directive */
|
|
Packit |
90a5c9 |
char *url; /* String representation of the URL */
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
char *host; /* Name of the LDAP server (or space separated list) */
|
|
Packit |
90a5c9 |
int port; /* Port of the LDAP server */
|
|
Packit |
90a5c9 |
char *basedn; /* Base DN to do all searches from */
|
|
Packit |
90a5c9 |
char *attribute; /* Attribute to search for */
|
|
Packit |
90a5c9 |
char **attributes; /* Array of all the attributes to return */
|
|
Packit |
90a5c9 |
int scope; /* Scope of the search */
|
|
Packit |
90a5c9 |
char *filter; /* Filter to further limit the search */
|
|
Packit |
90a5c9 |
deref_options deref; /* how to handle alias dereferening */
|
|
Packit |
90a5c9 |
char *binddn; /* DN to bind to server (can be NULL) */
|
|
Packit |
90a5c9 |
char *bindpw; /* Password to bind to server (can be NULL) */
|
|
Packit |
90a5c9 |
int bind_authoritative; /* If true, will return errors when bind fails */
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
int user_is_dn; /* If true, r->user is replaced by DN during authn */
|
|
Packit |
90a5c9 |
char *remote_user_attribute; /* If set, r->user is replaced by this attribute during authn */
|
|
Packit |
90a5c9 |
int compare_dn_on_server; /* If true, will use server to do DN compare */
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
int have_ldap_url; /* Set if we have found an LDAP url */
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
apr_array_header_t *groupattr; /* List of Group attributes identifying user members. Default:"member uniqueMember" */
|
|
Packit |
90a5c9 |
int group_attrib_is_dn; /* If true, the group attribute is the DN, otherwise,
|
|
Packit |
90a5c9 |
it's the exact string passed by the HTTP client */
|
|
Packit |
90a5c9 |
char **sgAttributes; /* Array of strings constructed (post-config) from subgroupattrs. Last entry is NULL. */
|
|
Packit |
90a5c9 |
apr_array_header_t *subgroupclasses; /* List of object classes of sub-groups. Default:"groupOfNames groupOfUniqueNames" */
|
|
Packit |
90a5c9 |
int maxNestingDepth; /* Maximum recursive nesting depth permitted during subgroup processing. Default: 10 */
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
int secure; /* True if SSL connections are requested */
|
|
Packit |
90a5c9 |
char *authz_prefix; /* Prefix for environment variables added during authz */
|
|
Packit |
90a5c9 |
int initial_bind_as_user; /* true if we should try to bind (to lookup DN) directly with the basic auth username */
|
|
Packit |
90a5c9 |
ap_regex_t *bind_regex; /* basic auth -> bind'able username regex */
|
|
Packit |
90a5c9 |
const char *bind_subst; /* basic auth -> bind'able username substitution */
|
|
Packit |
90a5c9 |
int search_as_user; /* true if authz searches should be done with the users credentials (when we did authn) */
|
|
Packit |
90a5c9 |
int compare_as_user; /* true if authz compares should be done with the users credentials (when we did authn) */
|
|
Packit |
90a5c9 |
} authn_ldap_config_t;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
typedef struct {
|
|
Packit |
90a5c9 |
char *dn; /* The saved dn from a successful search */
|
|
Packit |
90a5c9 |
char *user; /* The username provided by the client */
|
|
Packit |
90a5c9 |
const char **vals; /* The additional values pulled during the DN search*/
|
|
Packit |
90a5c9 |
char *password; /* if this module successfully authenticates, the basic auth password, else null */
|
|
Packit |
90a5c9 |
} authn_ldap_request_t;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
enum auth_ldap_phase {
|
|
Packit |
90a5c9 |
LDAP_AUTHN, LDAP_AUTHZ
|
|
Packit |
90a5c9 |
};
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
enum auth_ldap_optype {
|
|
Packit |
90a5c9 |
LDAP_SEARCH, LDAP_COMPARE, LDAP_COMPARE_AND_SEARCH /* nested groups */
|
|
Packit |
90a5c9 |
};
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* maximum group elements supported */
|
|
Packit |
90a5c9 |
#define GROUPATTR_MAX_ELTS 10
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
module AP_MODULE_DECLARE_DATA authnz_ldap_module;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static APR_OPTIONAL_FN_TYPE(uldap_connection_close) *util_ldap_connection_close;
|
|
Packit |
90a5c9 |
static APR_OPTIONAL_FN_TYPE(uldap_connection_find) *util_ldap_connection_find;
|
|
Packit |
90a5c9 |
static APR_OPTIONAL_FN_TYPE(uldap_cache_comparedn) *util_ldap_cache_comparedn;
|
|
Packit |
90a5c9 |
static APR_OPTIONAL_FN_TYPE(uldap_cache_compare) *util_ldap_cache_compare;
|
|
Packit |
90a5c9 |
static APR_OPTIONAL_FN_TYPE(uldap_cache_check_subgroups) *util_ldap_cache_check_subgroups;
|
|
Packit |
90a5c9 |
static APR_OPTIONAL_FN_TYPE(uldap_cache_checkuserid) *util_ldap_cache_checkuserid;
|
|
Packit |
90a5c9 |
static APR_OPTIONAL_FN_TYPE(uldap_cache_getuserdn) *util_ldap_cache_getuserdn;
|
|
Packit |
90a5c9 |
static APR_OPTIONAL_FN_TYPE(uldap_ssl_supported) *util_ldap_ssl_supported;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static apr_hash_t *charset_conversions = NULL;
|
|
Packit |
90a5c9 |
static char *to_charset = NULL; /* UTF-8 identifier derived from the charset.conv file */
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Derive a code page ID give a language name or ID */
|
|
Packit |
90a5c9 |
static char* derive_codepage_from_lang (apr_pool_t *p, char *language)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
char *charset;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!language) /* our default codepage */
|
|
Packit |
90a5c9 |
return apr_pstrdup(p, "ISO-8859-1");
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
charset = (char*) apr_hash_get(charset_conversions, language, APR_HASH_KEY_STRING);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Test if language values like 'en-US' return a match from the charset
|
|
Packit |
90a5c9 |
* conversion map when shortened to 'en'.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
if (!charset && strlen(language) > 3 && language[2] == '-') {
|
|
Packit |
90a5c9 |
char *language_short = apr_pstrndup(p, language, 2);
|
|
Packit |
90a5c9 |
charset = (char*) apr_hash_get(charset_conversions, language_short, APR_HASH_KEY_STRING);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (charset) {
|
|
Packit |
90a5c9 |
charset = apr_pstrdup(p, charset);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return charset;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static apr_xlate_t* get_conv_set (request_rec *r)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
char *lang_line = (char*)apr_table_get(r->headers_in, "accept-language");
|
|
Packit |
90a5c9 |
char *lang;
|
|
Packit |
90a5c9 |
apr_xlate_t *convset;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (lang_line) {
|
|
Packit |
90a5c9 |
lang_line = apr_pstrdup(r->pool, lang_line);
|
|
Packit |
90a5c9 |
for (lang = lang_line;*lang;lang++) {
|
|
Packit |
90a5c9 |
if ((*lang == ',') || (*lang == ';')) {
|
|
Packit |
90a5c9 |
*lang = '\0';
|
|
Packit |
90a5c9 |
break;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
lang = derive_codepage_from_lang(r->pool, lang_line);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (lang && (apr_xlate_open(&convset, to_charset, lang, r->pool) == APR_SUCCESS)) {
|
|
Packit |
90a5c9 |
return convset;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const char* authn_ldap_xlate_password(request_rec *r,
|
|
Packit |
90a5c9 |
const char* sent_password)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
apr_xlate_t *convset = NULL;
|
|
Packit |
90a5c9 |
apr_size_t inbytes;
|
|
Packit |
90a5c9 |
apr_size_t outbytes;
|
|
Packit |
90a5c9 |
char *outbuf;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (charset_conversions && (convset = get_conv_set(r)) ) {
|
|
Packit |
90a5c9 |
inbytes = strlen(sent_password);
|
|
Packit |
90a5c9 |
outbytes = (inbytes+1)*3;
|
|
Packit |
90a5c9 |
outbuf = apr_pcalloc(r->pool, outbytes);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Convert the password to UTF-8. */
|
|
Packit |
90a5c9 |
if (apr_xlate_conv_buffer(convset, sent_password, &inbytes, outbuf,
|
|
Packit |
90a5c9 |
&outbytes) == APR_SUCCESS)
|
|
Packit |
90a5c9 |
return outbuf;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return sent_password;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Build the search filter, or at least as much of the search filter that
|
|
Packit |
90a5c9 |
* will fit in the buffer. We don't worry about the buffer not being able
|
|
Packit |
90a5c9 |
* to hold the entire filter. If the buffer wasn't big enough to hold the
|
|
Packit |
90a5c9 |
* filter, ldap_search_s will complain, but the only situation where this
|
|
Packit |
90a5c9 |
* is likely to happen is if the client sent a really, really long
|
|
Packit |
90a5c9 |
* username, most likely as part of an attack.
|
|
Packit |
90a5c9 |
*
|
|
Packit |
90a5c9 |
* The search filter consists of the filter provided with the URL,
|
|
Packit |
90a5c9 |
* combined with a filter made up of the attribute provided with the URL,
|
|
Packit |
90a5c9 |
* and the actual username passed by the HTTP client. For example, assume
|
|
Packit |
90a5c9 |
* that the LDAP URL is
|
|
Packit |
90a5c9 |
*
|
|
Packit |
90a5c9 |
* ldap://ldap.airius.com/ou=People, o=Airius?uid??(posixid=*)
|
|
Packit |
90a5c9 |
*
|
|
Packit |
90a5c9 |
* Further, assume that the userid passed by the client was `userj'. The
|
|
Packit |
90a5c9 |
* search filter will be (&(posixid=*)(uid=userj)).
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
#define FILTER_LENGTH MAX_STRING_LEN
|
|
Packit |
90a5c9 |
static void authn_ldap_build_filter(char *filtbuf,
|
|
Packit |
90a5c9 |
request_rec *r,
|
|
Packit |
90a5c9 |
const char* sent_user,
|
|
Packit |
90a5c9 |
const char* sent_filter,
|
|
Packit |
90a5c9 |
authn_ldap_config_t *sec)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
char *p, *q, *filtbuf_end;
|
|
Packit |
90a5c9 |
char *user, *filter;
|
|
Packit |
90a5c9 |
apr_xlate_t *convset = NULL;
|
|
Packit |
90a5c9 |
apr_size_t inbytes;
|
|
Packit |
90a5c9 |
apr_size_t outbytes;
|
|
Packit |
90a5c9 |
char *outbuf;
|
|
Packit |
90a5c9 |
int nofilter = 0;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (sent_user != NULL) {
|
|
Packit |
90a5c9 |
user = apr_pstrdup (r->pool, sent_user);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else
|
|
Packit |
90a5c9 |
return;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (sent_filter != NULL) {
|
|
Packit |
90a5c9 |
filter = apr_pstrdup (r->pool, sent_filter);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else
|
|
Packit |
90a5c9 |
filter = sec->filter;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (charset_conversions) {
|
|
Packit |
90a5c9 |
convset = get_conv_set(r);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (convset) {
|
|
Packit |
90a5c9 |
inbytes = strlen(user);
|
|
Packit |
90a5c9 |
outbytes = (inbytes+1)*3;
|
|
Packit |
90a5c9 |
outbuf = apr_pcalloc(r->pool, outbytes);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Convert the user name to UTF-8. This is only valid for LDAP v3 */
|
|
Packit |
90a5c9 |
if (apr_xlate_conv_buffer(convset, user, &inbytes, outbuf, &outbytes) == APR_SUCCESS) {
|
|
Packit |
90a5c9 |
user = apr_pstrdup(r->pool, outbuf);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Create the first part of the filter, which consists of the
|
|
Packit |
90a5c9 |
* config-supplied portions.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if ((nofilter = (filter && !strcasecmp(filter, "none")))) {
|
|
Packit |
90a5c9 |
apr_snprintf(filtbuf, FILTER_LENGTH, "(%s=", sec->attribute);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", filter, sec->attribute);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Now add the client-supplied username to the filter, ensuring that any
|
|
Packit |
90a5c9 |
* LDAP filter metachars are escaped.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
filtbuf_end = filtbuf + FILTER_LENGTH - 1;
|
|
Packit |
90a5c9 |
#if APR_HAS_MICROSOFT_LDAPSDK
|
|
Packit |
90a5c9 |
for (p = user, q=filtbuf + strlen(filtbuf);
|
|
Packit |
90a5c9 |
*p && q < filtbuf_end; ) {
|
|
Packit |
90a5c9 |
if (strchr("*()\\", *p) != NULL) {
|
|
Packit |
90a5c9 |
if ( q + 3 >= filtbuf_end)
|
|
Packit |
90a5c9 |
break; /* Don't write part of escape sequence if we can't write all of it */
|
|
Packit |
90a5c9 |
*q++ = '\\';
|
|
Packit |
90a5c9 |
switch ( *p++ )
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
case '*':
|
|
Packit |
90a5c9 |
*q++ = '2';
|
|
Packit |
90a5c9 |
*q++ = 'a';
|
|
Packit |
90a5c9 |
break;
|
|
Packit |
90a5c9 |
case '(':
|
|
Packit |
90a5c9 |
*q++ = '2';
|
|
Packit |
90a5c9 |
*q++ = '8';
|
|
Packit |
90a5c9 |
break;
|
|
Packit |
90a5c9 |
case ')':
|
|
Packit |
90a5c9 |
*q++ = '2';
|
|
Packit |
90a5c9 |
*q++ = '9';
|
|
Packit |
90a5c9 |
break;
|
|
Packit |
90a5c9 |
case '\\':
|
|
Packit |
90a5c9 |
*q++ = '5';
|
|
Packit |
90a5c9 |
*q++ = 'c';
|
|
Packit |
90a5c9 |
break;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else
|
|
Packit |
90a5c9 |
*q++ = *p++;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
#else
|
|
Packit |
90a5c9 |
for (p = user, q=filtbuf + strlen(filtbuf);
|
|
Packit |
90a5c9 |
*p && q < filtbuf_end; *q++ = *p++) {
|
|
Packit |
90a5c9 |
if (strchr("*()\\", *p) != NULL) {
|
|
Packit |
90a5c9 |
*q++ = '\\';
|
|
Packit |
90a5c9 |
if (q >= filtbuf_end) {
|
|
Packit |
90a5c9 |
break;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
*q = '\0';
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Append the closing parens of the filter, unless doing so would
|
|
Packit |
90a5c9 |
* overrun the buffer.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (nofilter) {
|
|
Packit |
90a5c9 |
if (q + 1 <= filtbuf_end)
|
|
Packit |
90a5c9 |
strcat(filtbuf, ")");
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
if (q + 2 <= filtbuf_end)
|
|
Packit |
90a5c9 |
strcat(filtbuf, "))");
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static void *create_authnz_ldap_dir_config(apr_pool_t *p, char *d)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
authn_ldap_config_t *sec =
|
|
Packit |
90a5c9 |
(authn_ldap_config_t *)apr_pcalloc(p, sizeof(authn_ldap_config_t));
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
sec->pool = p;
|
|
Packit |
90a5c9 |
#if APR_HAS_THREADS
|
|
Packit |
90a5c9 |
apr_thread_mutex_create(&sec->lock, APR_THREAD_MUTEX_DEFAULT, p);
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
sec->authz_enabled = 1;
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
sec->groupattr = apr_array_make(p, GROUPATTR_MAX_ELTS,
|
|
Packit |
90a5c9 |
sizeof(struct mod_auth_ldap_groupattr_entry_t));
|
|
Packit |
90a5c9 |
sec->subgroupclasses = apr_array_make(p, GROUPATTR_MAX_ELTS,
|
|
Packit |
90a5c9 |
sizeof(struct mod_auth_ldap_groupattr_entry_t));
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
sec->have_ldap_url = 0;
|
|
Packit |
90a5c9 |
sec->url = "";
|
|
Packit |
90a5c9 |
sec->host = NULL;
|
|
Packit |
90a5c9 |
sec->binddn = NULL;
|
|
Packit |
90a5c9 |
sec->bindpw = NULL;
|
|
Packit |
90a5c9 |
sec->bind_authoritative = 1;
|
|
Packit |
90a5c9 |
sec->deref = always;
|
|
Packit |
90a5c9 |
sec->group_attrib_is_dn = 1;
|
|
Packit |
90a5c9 |
sec->secure = -1; /*Initialize to unset*/
|
|
Packit |
90a5c9 |
sec->maxNestingDepth = 10;
|
|
Packit |
90a5c9 |
sec->sgAttributes = apr_pcalloc(p, sizeof (char *) * GROUPATTR_MAX_ELTS + 1);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
sec->user_is_dn = 0;
|
|
Packit |
90a5c9 |
sec->remote_user_attribute = NULL;
|
|
Packit |
90a5c9 |
sec->compare_dn_on_server = 0;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
sec->authz_prefix = AUTHZ_PREFIX;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return sec;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static apr_status_t authnz_ldap_cleanup_connection_close(void *param)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
util_ldap_connection_t *ldc = param;
|
|
Packit |
90a5c9 |
util_ldap_connection_close(ldc);
|
|
Packit |
90a5c9 |
return APR_SUCCESS;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static int set_request_vars(request_rec *r, enum auth_ldap_phase phase) {
|
|
Packit |
90a5c9 |
char *prefix = NULL;
|
|
Packit |
90a5c9 |
int prefix_len;
|
|
Packit |
90a5c9 |
int remote_user_attribute_set = 0;
|
|
Packit |
90a5c9 |
authn_ldap_request_t *req =
|
|
Packit |
90a5c9 |
(authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);
|
|
Packit |
90a5c9 |
authn_ldap_config_t *sec =
|
|
Packit |
90a5c9 |
(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
|
|
Packit |
90a5c9 |
const char **vals = req->vals;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
prefix = (phase == LDAP_AUTHN) ? AUTHN_PREFIX : sec->authz_prefix;
|
|
Packit |
90a5c9 |
prefix_len = strlen(prefix);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (sec->attributes && vals) {
|
|
Packit |
90a5c9 |
apr_table_t *e = r->subprocess_env;
|
|
Packit |
90a5c9 |
int i = 0;
|
|
Packit |
90a5c9 |
while (sec->attributes[i]) {
|
|
Packit |
90a5c9 |
char *str = apr_pstrcat(r->pool, prefix, sec->attributes[i], NULL);
|
|
Packit |
90a5c9 |
int j = prefix_len;
|
|
Packit |
90a5c9 |
while (str[j]) {
|
|
Packit |
90a5c9 |
str[j] = apr_toupper(str[j]);
|
|
Packit |
90a5c9 |
j++;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
apr_table_setn(e, str, vals[i] ? vals[i] : "");
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* handle remote_user_attribute, if set */
|
|
Packit |
90a5c9 |
if ((phase == LDAP_AUTHN) &&
|
|
Packit |
90a5c9 |
sec->remote_user_attribute &&
|
|
Packit |
90a5c9 |
!strcmp(sec->remote_user_attribute, sec->attributes[i])) {
|
|
Packit |
90a5c9 |
r->user = (char *)apr_pstrdup(r->pool, vals[i]);
|
|
Packit |
90a5c9 |
remote_user_attribute_set = 1;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
i++;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
return remote_user_attribute_set;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const char *ldap_determine_binddn(request_rec *r, const char *user) {
|
|
Packit |
90a5c9 |
authn_ldap_config_t *sec =
|
|
Packit |
90a5c9 |
(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
|
|
Packit |
90a5c9 |
const char *result = user;
|
|
Packit |
90a5c9 |
ap_regmatch_t regm[AP_MAX_REG_MATCH];
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (NULL == user || NULL == sec || !sec->bind_regex || !sec->bind_subst) {
|
|
Packit |
90a5c9 |
return result;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!ap_regexec(sec->bind_regex, user, AP_MAX_REG_MATCH, regm, 0)) {
|
|
Packit |
90a5c9 |
char *substituted = ap_pregsub(r->pool, sec->bind_subst, user, AP_MAX_REG_MATCH, regm);
|
|
Packit |
90a5c9 |
if (NULL != substituted) {
|
|
Packit |
90a5c9 |
result = substituted;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
apr_table_set(r->subprocess_env, "LDAP_BINDASUSER", result);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return result;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Some LDAP servers restrict who can search or compare, and the hard-coded ID
|
|
Packit |
90a5c9 |
* might be good for the DN lookup but not for later operations.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
static util_ldap_connection_t *get_connection_for_authz(request_rec *r, enum auth_ldap_optype type) {
|
|
Packit |
90a5c9 |
authn_ldap_request_t *req =
|
|
Packit |
90a5c9 |
(authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);
|
|
Packit |
90a5c9 |
authn_ldap_config_t *sec =
|
|
Packit |
90a5c9 |
(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
char *binddn = sec->binddn;
|
|
Packit |
90a5c9 |
char *bindpw = sec->bindpw;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* If the per-request config isn't set, we didn't authenticate this user, and leave the default credentials */
|
|
Packit |
90a5c9 |
if (req && req->password &&
|
|
Packit |
90a5c9 |
((type == LDAP_SEARCH && sec->search_as_user) ||
|
|
Packit |
90a5c9 |
(type == LDAP_COMPARE && sec->compare_as_user) ||
|
|
Packit |
90a5c9 |
(type == LDAP_COMPARE_AND_SEARCH && sec->compare_as_user && sec->search_as_user))){
|
|
Packit |
90a5c9 |
binddn = req->dn;
|
|
Packit |
90a5c9 |
bindpw = req->password;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return util_ldap_connection_find(r, sec->host, sec->port,
|
|
Packit |
90a5c9 |
binddn, bindpw,
|
|
Packit |
90a5c9 |
sec->deref, sec->secure);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Authentication Phase
|
|
Packit |
90a5c9 |
* --------------------
|
|
Packit |
90a5c9 |
*
|
|
Packit |
90a5c9 |
* This phase authenticates the credentials the user has sent with
|
|
Packit |
90a5c9 |
* the request (ie the username and password are checked). This is done
|
|
Packit |
90a5c9 |
* by making an attempt to bind to the LDAP server using this user's
|
|
Packit |
90a5c9 |
* DN and the supplied password.
|
|
Packit |
90a5c9 |
*
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
static authn_status authn_ldap_check_password(request_rec *r, const char *user,
|
|
Packit |
90a5c9 |
const char *password)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
char filtbuf[FILTER_LENGTH];
|
|
Packit |
90a5c9 |
authn_ldap_config_t *sec =
|
|
Packit |
90a5c9 |
(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
util_ldap_connection_t *ldc = NULL;
|
|
Packit |
90a5c9 |
int result = 0;
|
|
Packit |
90a5c9 |
int remote_user_attribute_set = 0;
|
|
Packit |
90a5c9 |
const char *dn = NULL;
|
|
Packit |
90a5c9 |
const char *utfpassword;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
authn_ldap_request_t *req =
|
|
Packit |
90a5c9 |
(authn_ldap_request_t *)apr_pcalloc(r->pool, sizeof(authn_ldap_request_t));
|
|
Packit |
90a5c9 |
ap_set_module_config(r->request_config, &authnz_ldap_module, req);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
if (!sec->enabled) {
|
|
Packit |
90a5c9 |
return AUTH_USER_NOT_FOUND;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Basic sanity checks before any LDAP operations even happen.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
if (!sec->have_ldap_url) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02558)
|
|
Packit |
90a5c9 |
"no AuthLDAPURL");
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return AUTH_GENERAL_ERROR;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* There is a good AuthLDAPURL, right? */
|
|
Packit |
90a5c9 |
if (sec->host) {
|
|
Packit |
90a5c9 |
const char *binddn = sec->binddn;
|
|
Packit |
90a5c9 |
const char *bindpw = sec->bindpw;
|
|
Packit |
90a5c9 |
if (sec->initial_bind_as_user) {
|
|
Packit |
90a5c9 |
bindpw = password;
|
|
Packit |
90a5c9 |
binddn = ldap_determine_binddn(r, user);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ldc = util_ldap_connection_find(r, sec->host, sec->port,
|
|
Packit |
90a5c9 |
binddn, bindpw,
|
|
Packit |
90a5c9 |
sec->deref, sec->secure);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01690)
|
|
Packit |
90a5c9 |
"auth_ldap authenticate: no sec->host - weird...?");
|
|
Packit |
90a5c9 |
return AUTH_GENERAL_ERROR;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01691)
|
|
Packit |
90a5c9 |
"auth_ldap authenticate: using URL %s", sec->url);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Get the password that the client sent */
|
|
Packit |
90a5c9 |
if (password == NULL) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01692)
|
|
Packit |
90a5c9 |
"auth_ldap authenticate: no password specified");
|
|
Packit |
90a5c9 |
util_ldap_connection_close(ldc);
|
|
Packit |
90a5c9 |
return AUTH_GENERAL_ERROR;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (user == NULL) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01693)
|
|
Packit |
90a5c9 |
"auth_ldap authenticate: no user specified");
|
|
Packit |
90a5c9 |
util_ldap_connection_close(ldc);
|
|
Packit |
90a5c9 |
return AUTH_GENERAL_ERROR;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* build the username filter */
|
|
Packit |
90a5c9 |
authn_ldap_build_filter(filtbuf, r, user, NULL, sec);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r,
|
|
Packit |
90a5c9 |
"auth_ldap authenticate: final authn filter is %s", filtbuf);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* convert password to utf-8 */
|
|
Packit |
90a5c9 |
utfpassword = authn_ldap_xlate_password(r, password);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* do the user search */
|
|
Packit |
90a5c9 |
result = util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope,
|
|
Packit |
90a5c9 |
sec->attributes, filtbuf, utfpassword,
|
|
Packit |
90a5c9 |
&dn, &(req->vals));
|
|
Packit |
90a5c9 |
util_ldap_connection_close(ldc);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* handle bind failure */
|
|
Packit |
90a5c9 |
if (result != LDAP_SUCCESS) {
|
|
Packit |
90a5c9 |
if (!sec->bind_authoritative) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01694)
|
|
Packit |
90a5c9 |
"auth_ldap authenticate: user %s authentication failed; "
|
|
Packit |
90a5c9 |
"URI %s [%s][%s] (not authoritative)",
|
|
Packit |
90a5c9 |
user, r->uri, ldc->reason, ldap_err2string(result));
|
|
Packit |
90a5c9 |
return AUTH_USER_NOT_FOUND;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(01695)
|
|
Packit |
90a5c9 |
"auth_ldap authenticate: "
|
|
Packit |
90a5c9 |
"user %s authentication failed; URI %s [%s][%s]",
|
|
Packit |
90a5c9 |
user, r->uri, ldc->reason, ldap_err2string(result));
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* talking to a primitive LDAP server (like RACF-over-LDAP) that doesn't return specific errors */
|
|
Packit |
90a5c9 |
if (!strcasecmp(sec->filter, "none") && LDAP_OTHER == result) {
|
|
Packit |
90a5c9 |
return AUTH_USER_NOT_FOUND;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return (LDAP_NO_SUCH_OBJECT == result) ? AUTH_USER_NOT_FOUND
|
|
Packit |
90a5c9 |
#ifdef LDAP_SECURITY_ERROR
|
|
Packit |
90a5c9 |
: (LDAP_SECURITY_ERROR(result)) ? AUTH_DENIED
|
|
Packit |
90a5c9 |
#else
|
|
Packit |
90a5c9 |
: (LDAP_INAPPROPRIATE_AUTH == result) ? AUTH_DENIED
|
|
Packit |
90a5c9 |
: (LDAP_INVALID_CREDENTIALS == result) ? AUTH_DENIED
|
|
Packit |
90a5c9 |
#ifdef LDAP_INSUFFICIENT_ACCESS
|
|
Packit |
90a5c9 |
: (LDAP_INSUFFICIENT_ACCESS == result) ? AUTH_DENIED
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
#ifdef LDAP_INSUFFICIENT_RIGHTS
|
|
Packit |
90a5c9 |
: (LDAP_INSUFFICIENT_RIGHTS == result) ? AUTH_DENIED
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
#ifdef LDAP_CONSTRAINT_VIOLATION
|
|
Packit |
90a5c9 |
/* At least Sun Directory Server sends this if a user is
|
|
Packit |
90a5c9 |
* locked. This is not covered by LDAP_SECURITY_ERROR.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
: (LDAP_CONSTRAINT_VIOLATION == result) ? AUTH_DENIED
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
: AUTH_GENERAL_ERROR;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* mark the user and DN */
|
|
Packit |
90a5c9 |
req->dn = apr_pstrdup(r->pool, dn);
|
|
Packit |
90a5c9 |
req->user = apr_pstrdup(r->pool, user);
|
|
Packit |
90a5c9 |
req->password = apr_pstrdup(r->pool, password);
|
|
Packit |
90a5c9 |
if (sec->user_is_dn) {
|
|
Packit |
90a5c9 |
r->user = req->dn;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* add environment variables */
|
|
Packit |
90a5c9 |
remote_user_attribute_set = set_request_vars(r, LDAP_AUTHN);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* sanity check */
|
|
Packit |
90a5c9 |
if (sec->remote_user_attribute && !remote_user_attribute_set) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01696)
|
|
Packit |
90a5c9 |
"auth_ldap authenticate: "
|
|
Packit |
90a5c9 |
"REMOTE_USER was to be set with attribute '%s', "
|
|
Packit |
90a5c9 |
"but this attribute was not requested for in the "
|
|
Packit |
90a5c9 |
"LDAP query for the user. REMOTE_USER will fall "
|
|
Packit |
90a5c9 |
"back to username or DN as appropriate.",
|
|
Packit |
90a5c9 |
sec->remote_user_attribute);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01697)
|
|
Packit |
90a5c9 |
"auth_ldap authenticate: accepting %s", user);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return AUTH_GRANTED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static authz_status ldapuser_check_authorization(request_rec *r,
|
|
Packit |
90a5c9 |
const char *require_args,
|
|
Packit |
90a5c9 |
const void *parsed_require_args)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
int result = 0;
|
|
Packit |
90a5c9 |
authn_ldap_request_t *req =
|
|
Packit |
90a5c9 |
(authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);
|
|
Packit |
90a5c9 |
authn_ldap_config_t *sec =
|
|
Packit |
90a5c9 |
(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
util_ldap_connection_t *ldc = NULL;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
const char *err = NULL;
|
|
Packit |
90a5c9 |
const ap_expr_info_t *expr = parsed_require_args;
|
|
Packit |
90a5c9 |
const char *require;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
const char *t;
|
|
Packit |
90a5c9 |
char *w;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
char filtbuf[FILTER_LENGTH];
|
|
Packit |
90a5c9 |
const char *dn = NULL;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!r->user) {
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED_NO_USER;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!sec->have_ldap_url) {
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (sec->host) {
|
|
Packit |
90a5c9 |
ldc = get_connection_for_authz(r, LDAP_COMPARE);
|
|
Packit |
90a5c9 |
apr_pool_cleanup_register(r->pool, ldc,
|
|
Packit |
90a5c9 |
authnz_ldap_cleanup_connection_close,
|
|
Packit |
90a5c9 |
apr_pool_cleanup_null);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01698)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: no sec->host - weird...?");
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* If we have been authenticated by some other module than mod_authnz_ldap,
|
|
Packit |
90a5c9 |
* the req structure needed for authorization needs to be created
|
|
Packit |
90a5c9 |
* and populated with the userid and DN of the account in LDAP
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!strlen(r->user)) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01699)
|
|
Packit |
90a5c9 |
"ldap authorize: Userid is blank, AuthType=%s",
|
|
Packit |
90a5c9 |
r->ap_auth_type);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if(!req) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01700)
|
|
Packit |
90a5c9 |
"ldap authorize: Creating LDAP req structure");
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
req = (authn_ldap_request_t *)apr_pcalloc(r->pool,
|
|
Packit |
90a5c9 |
sizeof(authn_ldap_request_t));
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Build the username filter */
|
|
Packit |
90a5c9 |
authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Search for the user DN */
|
|
Packit |
90a5c9 |
result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
|
|
Packit |
90a5c9 |
sec->scope, sec->attributes, filtbuf, &dn, &(req->vals));
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Search failed, log error and return failure */
|
|
Packit |
90a5c9 |
if(result != LDAP_SUCCESS) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01701)
|
|
Packit |
90a5c9 |
"auth_ldap authorise: User DN not found, %s", ldc->reason);
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_set_module_config(r->request_config, &authnz_ldap_module, req);
|
|
Packit |
90a5c9 |
req->dn = apr_pstrdup(r->pool, dn);
|
|
Packit |
90a5c9 |
req->user = r->user;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (req->dn == NULL || strlen(req->dn) == 0) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01702)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: require user: user's DN has not "
|
|
Packit |
90a5c9 |
"been defined; failing authorization");
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
require = ap_expr_str_exec(r, expr, &err;;
|
|
Packit |
90a5c9 |
if (err) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02585)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: require user: Can't evaluate expression: %s",
|
|
Packit |
90a5c9 |
err);
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* First do a whole-line compare, in case it's something like
|
|
Packit |
90a5c9 |
* require user Babs Jensen
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, require);
|
|
Packit |
90a5c9 |
switch(result) {
|
|
Packit |
90a5c9 |
case LDAP_COMPARE_TRUE: {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01703)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: require user: authorization "
|
|
Packit |
90a5c9 |
"successful");
|
|
Packit |
90a5c9 |
set_request_vars(r, LDAP_AUTHZ);
|
|
Packit |
90a5c9 |
return AUTHZ_GRANTED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
default: {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01704)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: require user: "
|
|
Packit |
90a5c9 |
"authorization failed [%s][%s]",
|
|
Packit |
90a5c9 |
ldc->reason, ldap_err2string(result));
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Now break apart the line and compare each word on it
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
t = require;
|
|
Packit |
90a5c9 |
while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
|
|
Packit |
90a5c9 |
result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, w);
|
|
Packit |
90a5c9 |
switch(result) {
|
|
Packit |
90a5c9 |
case LDAP_COMPARE_TRUE: {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01705)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: "
|
|
Packit |
90a5c9 |
"require user: authorization successful");
|
|
Packit |
90a5c9 |
set_request_vars(r, LDAP_AUTHZ);
|
|
Packit |
90a5c9 |
return AUTHZ_GRANTED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
default: {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01706)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: "
|
|
Packit |
90a5c9 |
"require user: authorization failed [%s][%s]",
|
|
Packit |
90a5c9 |
ldc->reason, ldap_err2string(result));
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01707)
|
|
Packit |
90a5c9 |
"auth_ldap authorize user: authorization denied for "
|
|
Packit |
90a5c9 |
"user %s to %s",
|
|
Packit |
90a5c9 |
r->user, r->uri);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static authz_status ldapgroup_check_authorization(request_rec *r,
|
|
Packit |
90a5c9 |
const char *require_args,
|
|
Packit |
90a5c9 |
const void *parsed_require_args)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
int result = 0;
|
|
Packit |
90a5c9 |
authn_ldap_request_t *req =
|
|
Packit |
90a5c9 |
(authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);
|
|
Packit |
90a5c9 |
authn_ldap_config_t *sec =
|
|
Packit |
90a5c9 |
(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
util_ldap_connection_t *ldc = NULL;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
const char *err = NULL;
|
|
Packit |
90a5c9 |
const ap_expr_info_t *expr = parsed_require_args;
|
|
Packit |
90a5c9 |
const char *require;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
const char *t;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
char filtbuf[FILTER_LENGTH];
|
|
Packit |
90a5c9 |
const char *dn = NULL;
|
|
Packit |
90a5c9 |
struct mod_auth_ldap_groupattr_entry_t *ent;
|
|
Packit |
90a5c9 |
int i;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!r->user) {
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED_NO_USER;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!sec->have_ldap_url) {
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (sec->host) {
|
|
Packit |
90a5c9 |
ldc = get_connection_for_authz(r, LDAP_COMPARE); /* for the top-level group only */
|
|
Packit |
90a5c9 |
apr_pool_cleanup_register(r->pool, ldc,
|
|
Packit |
90a5c9 |
authnz_ldap_cleanup_connection_close,
|
|
Packit |
90a5c9 |
apr_pool_cleanup_null);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01708)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: no sec->host - weird...?");
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* If there are no elements in the group attribute array, the default should be
|
|
Packit |
90a5c9 |
* member and uniquemember; populate the array now.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
if (sec->groupattr->nelts == 0) {
|
|
Packit |
90a5c9 |
struct mod_auth_ldap_groupattr_entry_t *grp;
|
|
Packit |
90a5c9 |
#if APR_HAS_THREADS
|
|
Packit |
90a5c9 |
apr_thread_mutex_lock(sec->lock);
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
grp = apr_array_push(sec->groupattr);
|
|
Packit |
90a5c9 |
grp->name = "member";
|
|
Packit |
90a5c9 |
grp = apr_array_push(sec->groupattr);
|
|
Packit |
90a5c9 |
grp->name = "uniqueMember";
|
|
Packit |
90a5c9 |
#if APR_HAS_THREADS
|
|
Packit |
90a5c9 |
apr_thread_mutex_unlock(sec->lock);
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* If there are no elements in the sub group classes array, the default
|
|
Packit |
90a5c9 |
* should be groupOfNames and groupOfUniqueNames; populate the array now.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
if (sec->subgroupclasses->nelts == 0) {
|
|
Packit |
90a5c9 |
struct mod_auth_ldap_groupattr_entry_t *grp;
|
|
Packit |
90a5c9 |
#if APR_HAS_THREADS
|
|
Packit |
90a5c9 |
apr_thread_mutex_lock(sec->lock);
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
grp = apr_array_push(sec->subgroupclasses);
|
|
Packit |
90a5c9 |
grp->name = "groupOfNames";
|
|
Packit |
90a5c9 |
grp = apr_array_push(sec->subgroupclasses);
|
|
Packit |
90a5c9 |
grp->name = "groupOfUniqueNames";
|
|
Packit |
90a5c9 |
#if APR_HAS_THREADS
|
|
Packit |
90a5c9 |
apr_thread_mutex_unlock(sec->lock);
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* If we have been authenticated by some other module than mod_auth_ldap,
|
|
Packit |
90a5c9 |
* the req structure needed for authorization needs to be created
|
|
Packit |
90a5c9 |
* and populated with the userid and DN of the account in LDAP
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!strlen(r->user)) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01709)
|
|
Packit |
90a5c9 |
"ldap authorize: Userid is blank, AuthType=%s",
|
|
Packit |
90a5c9 |
r->ap_auth_type);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if(!req) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01710)
|
|
Packit |
90a5c9 |
"ldap authorize: Creating LDAP req structure");
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
req = (authn_ldap_request_t *)apr_pcalloc(r->pool,
|
|
Packit |
90a5c9 |
sizeof(authn_ldap_request_t));
|
|
Packit |
90a5c9 |
/* Build the username filter */
|
|
Packit |
90a5c9 |
authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Search for the user DN */
|
|
Packit |
90a5c9 |
result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
|
|
Packit |
90a5c9 |
sec->scope, sec->attributes, filtbuf, &dn, &(req->vals));
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Search failed, log error and return failure */
|
|
Packit |
90a5c9 |
if(result != LDAP_SUCCESS) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01711)
|
|
Packit |
90a5c9 |
"auth_ldap authorise: User DN not found, %s", ldc->reason);
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_set_module_config(r->request_config, &authnz_ldap_module, req);
|
|
Packit |
90a5c9 |
req->dn = apr_pstrdup(r->pool, dn);
|
|
Packit |
90a5c9 |
req->user = r->user;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ent = (struct mod_auth_ldap_groupattr_entry_t *) sec->groupattr->elts;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (sec->group_attrib_is_dn) {
|
|
Packit |
90a5c9 |
if (req->dn == NULL || strlen(req->dn) == 0) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01712)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: require group: user's DN has "
|
|
Packit |
90a5c9 |
"not been defined; failing authorization for user %s",
|
|
Packit |
90a5c9 |
r->user);
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
if (req->user == NULL || strlen(req->user) == 0) {
|
|
Packit |
90a5c9 |
/* We weren't called in the authentication phase, so we didn't have a
|
|
Packit |
90a5c9 |
* chance to set the user field. Do so now. */
|
|
Packit |
90a5c9 |
req->user = r->user;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
require = ap_expr_str_exec(r, expr, &err;;
|
|
Packit |
90a5c9 |
if (err) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02586)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: require group: Can't evaluate expression: %s",
|
|
Packit |
90a5c9 |
err);
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
t = require;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01713)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: require group: testing for group "
|
|
Packit |
90a5c9 |
"membership in \"%s\"",
|
|
Packit |
90a5c9 |
t);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* PR52464 exhaust attrs in base group before checking subgroups */
|
|
Packit |
90a5c9 |
for (i = 0; i < sec->groupattr->nelts; i++) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01714)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: require group: testing for %s: "
|
|
Packit |
90a5c9 |
"%s (%s)",
|
|
Packit |
90a5c9 |
ent[i].name,
|
|
Packit |
90a5c9 |
sec->group_attrib_is_dn ? req->dn : req->user, t);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name,
|
|
Packit |
90a5c9 |
sec->group_attrib_is_dn ? req->dn : req->user);
|
|
Packit |
90a5c9 |
if (result == LDAP_COMPARE_TRUE) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01715)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: require group: "
|
|
Packit |
90a5c9 |
"authorization successful (attribute %s) "
|
|
Packit |
90a5c9 |
"[%s][%d - %s]",
|
|
Packit |
90a5c9 |
ent[i].name, ldc->reason, result,
|
|
Packit |
90a5c9 |
ldap_err2string(result));
|
|
Packit |
90a5c9 |
set_request_vars(r, LDAP_AUTHZ);
|
|
Packit |
90a5c9 |
return AUTHZ_GRANTED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01719)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: require group \"%s\": "
|
|
Packit |
90a5c9 |
"didn't match with attr %s [%s][%d - %s]",
|
|
Packit |
90a5c9 |
t, ent[i].name, ldc->reason, result,
|
|
Packit |
90a5c9 |
ldap_err2string(result));
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
for (i = 0; i < sec->groupattr->nelts; i++) {
|
|
Packit |
90a5c9 |
/* nested groups need searches and compares, so grab a new handle */
|
|
Packit |
90a5c9 |
authnz_ldap_cleanup_connection_close(ldc);
|
|
Packit |
90a5c9 |
apr_pool_cleanup_kill(r->pool, ldc,authnz_ldap_cleanup_connection_close);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ldc = get_connection_for_authz(r, LDAP_COMPARE_AND_SEARCH);
|
|
Packit |
90a5c9 |
apr_pool_cleanup_register(r->pool, ldc,
|
|
Packit |
90a5c9 |
authnz_ldap_cleanup_connection_close,
|
|
Packit |
90a5c9 |
apr_pool_cleanup_null);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01716)
|
|
Packit |
90a5c9 |
"auth_ldap authorise: require group \"%s\": "
|
|
Packit |
90a5c9 |
"failed [%s][%d - %s], checking sub-groups",
|
|
Packit |
90a5c9 |
t, ldc->reason, result, ldap_err2string(result));
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
result = util_ldap_cache_check_subgroups(r, ldc, sec->url, t, ent[i].name,
|
|
Packit |
90a5c9 |
sec->group_attrib_is_dn ? req->dn : req->user,
|
|
Packit |
90a5c9 |
sec->sgAttributes[0] ? sec->sgAttributes : default_attributes,
|
|
Packit |
90a5c9 |
sec->subgroupclasses,
|
|
Packit |
90a5c9 |
0, sec->maxNestingDepth);
|
|
Packit |
90a5c9 |
if (result == LDAP_COMPARE_TRUE) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01717)
|
|
Packit |
90a5c9 |
"auth_ldap authorise: require group "
|
|
Packit |
90a5c9 |
"(sub-group): authorisation successful "
|
|
Packit |
90a5c9 |
"(attribute %s) [%s][%d - %s]",
|
|
Packit |
90a5c9 |
ent[i].name, ldc->reason, result,
|
|
Packit |
90a5c9 |
ldap_err2string(result));
|
|
Packit |
90a5c9 |
set_request_vars(r, LDAP_AUTHZ);
|
|
Packit |
90a5c9 |
return AUTHZ_GRANTED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01718)
|
|
Packit |
90a5c9 |
"auth_ldap authorise: require group "
|
|
Packit |
90a5c9 |
"(sub-group) \"%s\": didn't match with attr %s "
|
|
Packit |
90a5c9 |
"[%s][%d - %s]",
|
|
Packit |
90a5c9 |
t, ldc->reason, ent[i].name, result,
|
|
Packit |
90a5c9 |
ldap_err2string(result));
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01720)
|
|
Packit |
90a5c9 |
"auth_ldap authorize group: authorization denied for "
|
|
Packit |
90a5c9 |
"user %s to %s",
|
|
Packit |
90a5c9 |
r->user, r->uri);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static authz_status ldapdn_check_authorization(request_rec *r,
|
|
Packit |
90a5c9 |
const char *require_args,
|
|
Packit |
90a5c9 |
const void *parsed_require_args)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
int result = 0;
|
|
Packit |
90a5c9 |
authn_ldap_request_t *req =
|
|
Packit |
90a5c9 |
(authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);
|
|
Packit |
90a5c9 |
authn_ldap_config_t *sec =
|
|
Packit |
90a5c9 |
(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
util_ldap_connection_t *ldc = NULL;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
const char *err = NULL;
|
|
Packit |
90a5c9 |
const ap_expr_info_t *expr = parsed_require_args;
|
|
Packit |
90a5c9 |
const char *require;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
const char *t;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
char filtbuf[FILTER_LENGTH];
|
|
Packit |
90a5c9 |
const char *dn = NULL;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!r->user) {
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED_NO_USER;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!sec->have_ldap_url) {
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (sec->host) {
|
|
Packit |
90a5c9 |
ldc = get_connection_for_authz(r, LDAP_SEARCH); /* _comparedn is a searche */
|
|
Packit |
90a5c9 |
apr_pool_cleanup_register(r->pool, ldc,
|
|
Packit |
90a5c9 |
authnz_ldap_cleanup_connection_close,
|
|
Packit |
90a5c9 |
apr_pool_cleanup_null);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01721)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: no sec->host - weird...?");
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* If we have been authenticated by some other module than mod_auth_ldap,
|
|
Packit |
90a5c9 |
* the req structure needed for authorization needs to be created
|
|
Packit |
90a5c9 |
* and populated with the userid and DN of the account in LDAP
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!strlen(r->user)) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01722)
|
|
Packit |
90a5c9 |
"ldap authorize: Userid is blank, AuthType=%s",
|
|
Packit |
90a5c9 |
r->ap_auth_type);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if(!req) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01723)
|
|
Packit |
90a5c9 |
"ldap authorize: Creating LDAP req structure");
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
req = (authn_ldap_request_t *)apr_pcalloc(r->pool,
|
|
Packit |
90a5c9 |
sizeof(authn_ldap_request_t));
|
|
Packit |
90a5c9 |
/* Build the username filter */
|
|
Packit |
90a5c9 |
authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Search for the user DN */
|
|
Packit |
90a5c9 |
result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
|
|
Packit |
90a5c9 |
sec->scope, sec->attributes, filtbuf, &dn, &(req->vals));
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Search failed, log error and return failure */
|
|
Packit |
90a5c9 |
if(result != LDAP_SUCCESS) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01724)
|
|
Packit |
90a5c9 |
"auth_ldap authorise: User DN not found with filter %s: %s", filtbuf, ldc->reason);
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_set_module_config(r->request_config, &authnz_ldap_module, req);
|
|
Packit |
90a5c9 |
req->dn = apr_pstrdup(r->pool, dn);
|
|
Packit |
90a5c9 |
req->user = r->user;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
require = ap_expr_str_exec(r, expr, &err;;
|
|
Packit |
90a5c9 |
if (err) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02587)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: require dn: Can't evaluate expression: %s",
|
|
Packit |
90a5c9 |
err);
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
t = require;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (req->dn == NULL || strlen(req->dn) == 0) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01725)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: require dn: user's DN has not "
|
|
Packit |
90a5c9 |
"been defined; failing authorization");
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, t, sec->compare_dn_on_server);
|
|
Packit |
90a5c9 |
switch(result) {
|
|
Packit |
90a5c9 |
case LDAP_COMPARE_TRUE: {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01726)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: "
|
|
Packit |
90a5c9 |
"require dn: authorization successful");
|
|
Packit |
90a5c9 |
set_request_vars(r, LDAP_AUTHZ);
|
|
Packit |
90a5c9 |
return AUTHZ_GRANTED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
default: {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01727)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: "
|
|
Packit |
90a5c9 |
"require dn \"%s\": LDAP error [%s][%s]",
|
|
Packit |
90a5c9 |
t, ldc->reason, ldap_err2string(result));
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01728)
|
|
Packit |
90a5c9 |
"auth_ldap authorize dn: authorization denied for "
|
|
Packit |
90a5c9 |
"user %s to %s",
|
|
Packit |
90a5c9 |
r->user, r->uri);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static authz_status ldapattribute_check_authorization(request_rec *r,
|
|
Packit |
90a5c9 |
const char *require_args,
|
|
Packit |
90a5c9 |
const void *parsed_require_args)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
int result = 0;
|
|
Packit |
90a5c9 |
authn_ldap_request_t *req =
|
|
Packit |
90a5c9 |
(authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);
|
|
Packit |
90a5c9 |
authn_ldap_config_t *sec =
|
|
Packit |
90a5c9 |
(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
util_ldap_connection_t *ldc = NULL;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
const char *err = NULL;
|
|
Packit |
90a5c9 |
const ap_expr_info_t *expr = parsed_require_args;
|
|
Packit |
90a5c9 |
const char *require;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
const char *t;
|
|
Packit |
90a5c9 |
char *w, *value;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
char filtbuf[FILTER_LENGTH];
|
|
Packit |
90a5c9 |
const char *dn = NULL;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!r->user) {
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED_NO_USER;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!sec->have_ldap_url) {
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (sec->host) {
|
|
Packit |
90a5c9 |
ldc = get_connection_for_authz(r, LDAP_COMPARE);
|
|
Packit |
90a5c9 |
apr_pool_cleanup_register(r->pool, ldc,
|
|
Packit |
90a5c9 |
authnz_ldap_cleanup_connection_close,
|
|
Packit |
90a5c9 |
apr_pool_cleanup_null);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01729)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: no sec->host - weird...?");
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* If we have been authenticated by some other module than mod_auth_ldap,
|
|
Packit |
90a5c9 |
* the req structure needed for authorization needs to be created
|
|
Packit |
90a5c9 |
* and populated with the userid and DN of the account in LDAP
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!strlen(r->user)) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01730)
|
|
Packit |
90a5c9 |
"ldap authorize: Userid is blank, AuthType=%s",
|
|
Packit |
90a5c9 |
r->ap_auth_type);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if(!req) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01731)
|
|
Packit |
90a5c9 |
"ldap authorize: Creating LDAP req structure");
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
req = (authn_ldap_request_t *)apr_pcalloc(r->pool,
|
|
Packit |
90a5c9 |
sizeof(authn_ldap_request_t));
|
|
Packit |
90a5c9 |
/* Build the username filter */
|
|
Packit |
90a5c9 |
authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Search for the user DN */
|
|
Packit |
90a5c9 |
result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
|
|
Packit |
90a5c9 |
sec->scope, sec->attributes, filtbuf, &dn, &(req->vals));
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Search failed, log error and return failure */
|
|
Packit |
90a5c9 |
if(result != LDAP_SUCCESS) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01732)
|
|
Packit |
90a5c9 |
"auth_ldap authorise: User DN not found with filter %s: %s", filtbuf, ldc->reason);
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_set_module_config(r->request_config, &authnz_ldap_module, req);
|
|
Packit |
90a5c9 |
req->dn = apr_pstrdup(r->pool, dn);
|
|
Packit |
90a5c9 |
req->user = r->user;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (req->dn == NULL || strlen(req->dn) == 0) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01733)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: require ldap-attribute: user's DN "
|
|
Packit |
90a5c9 |
"has not been defined; failing authorization");
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
require = ap_expr_str_exec(r, expr, &err;;
|
|
Packit |
90a5c9 |
if (err) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02588)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: require ldap-attribute: Can't "
|
|
Packit |
90a5c9 |
"evaluate expression: %s", err);
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
t = require;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
while (t[0]) {
|
|
Packit |
90a5c9 |
w = ap_getword(r->pool, &t, '=');
|
|
Packit |
90a5c9 |
value = ap_getword_conf(r->pool, &t);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01734)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: checking attribute %s has value %s",
|
|
Packit |
90a5c9 |
w, value);
|
|
Packit |
90a5c9 |
result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, w, value);
|
|
Packit |
90a5c9 |
switch(result) {
|
|
Packit |
90a5c9 |
case LDAP_COMPARE_TRUE: {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01735)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: "
|
|
Packit |
90a5c9 |
"require attribute: authorization successful");
|
|
Packit |
90a5c9 |
set_request_vars(r, LDAP_AUTHZ);
|
|
Packit |
90a5c9 |
return AUTHZ_GRANTED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
default: {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01736)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: require attribute: "
|
|
Packit |
90a5c9 |
"authorization failed [%s][%s]",
|
|
Packit |
90a5c9 |
ldc->reason, ldap_err2string(result));
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01737)
|
|
Packit |
90a5c9 |
"auth_ldap authorize attribute: authorization denied for "
|
|
Packit |
90a5c9 |
"user %s to %s",
|
|
Packit |
90a5c9 |
r->user, r->uri);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static authz_status ldapfilter_check_authorization(request_rec *r,
|
|
Packit |
90a5c9 |
const char *require_args,
|
|
Packit |
90a5c9 |
const void *parsed_require_args)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
int result = 0;
|
|
Packit |
90a5c9 |
authn_ldap_request_t *req =
|
|
Packit |
90a5c9 |
(authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);
|
|
Packit |
90a5c9 |
authn_ldap_config_t *sec =
|
|
Packit |
90a5c9 |
(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
util_ldap_connection_t *ldc = NULL;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
const char *err = NULL;
|
|
Packit |
90a5c9 |
const ap_expr_info_t *expr = parsed_require_args;
|
|
Packit |
90a5c9 |
const char *require;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
const char *t;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
char filtbuf[FILTER_LENGTH];
|
|
Packit |
90a5c9 |
const char *dn = NULL;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!r->user) {
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED_NO_USER;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!sec->have_ldap_url) {
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (sec->host) {
|
|
Packit |
90a5c9 |
ldc = get_connection_for_authz(r, LDAP_SEARCH);
|
|
Packit |
90a5c9 |
apr_pool_cleanup_register(r->pool, ldc,
|
|
Packit |
90a5c9 |
authnz_ldap_cleanup_connection_close,
|
|
Packit |
90a5c9 |
apr_pool_cleanup_null);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01738)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: no sec->host - weird...?");
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* If we have been authenticated by some other module than mod_auth_ldap,
|
|
Packit |
90a5c9 |
* the req structure needed for authorization needs to be created
|
|
Packit |
90a5c9 |
* and populated with the userid and DN of the account in LDAP
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!strlen(r->user)) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01739)
|
|
Packit |
90a5c9 |
"ldap authorize: Userid is blank, AuthType=%s",
|
|
Packit |
90a5c9 |
r->ap_auth_type);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if(!req) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01740)
|
|
Packit |
90a5c9 |
"ldap authorize: Creating LDAP req structure");
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
req = (authn_ldap_request_t *)apr_pcalloc(r->pool,
|
|
Packit |
90a5c9 |
sizeof(authn_ldap_request_t));
|
|
Packit |
90a5c9 |
/* Build the username filter */
|
|
Packit |
90a5c9 |
authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Search for the user DN */
|
|
Packit |
90a5c9 |
result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
|
|
Packit |
90a5c9 |
sec->scope, sec->attributes, filtbuf, &dn, &(req->vals));
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Search failed, log error and return failure */
|
|
Packit |
90a5c9 |
if(result != LDAP_SUCCESS) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01741)
|
|
Packit |
90a5c9 |
"auth_ldap authorise: User DN not found with filter %s: %s", filtbuf, ldc->reason);
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_set_module_config(r->request_config, &authnz_ldap_module, req);
|
|
Packit |
90a5c9 |
req->dn = apr_pstrdup(r->pool, dn);
|
|
Packit |
90a5c9 |
req->user = r->user;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (req->dn == NULL || strlen(req->dn) == 0) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01742)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: require ldap-filter: user's DN "
|
|
Packit |
90a5c9 |
"has not been defined; failing authorization");
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
require = ap_expr_str_exec(r, expr, &err;;
|
|
Packit |
90a5c9 |
if (err) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02589)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: require ldap-filter: Can't "
|
|
Packit |
90a5c9 |
"evaluate require expression: %s", err);
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
t = require;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (t[0]) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01743)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: checking filter %s", t);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Build the username filter */
|
|
Packit |
90a5c9 |
authn_ldap_build_filter(filtbuf, r, req->user, t, sec);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Search for the user DN */
|
|
Packit |
90a5c9 |
result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
|
|
Packit |
90a5c9 |
sec->scope, sec->attributes, filtbuf, &dn, &(req->vals));
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Make sure that the filtered search returned the correct user dn */
|
|
Packit |
90a5c9 |
if (result == LDAP_SUCCESS) {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01744)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: checking dn match %s", dn);
|
|
Packit |
90a5c9 |
if (sec->compare_as_user) {
|
|
Packit |
90a5c9 |
/* ldap-filter is the only authz that requires a search and a compare */
|
|
Packit |
90a5c9 |
apr_pool_cleanup_kill(r->pool, ldc, authnz_ldap_cleanup_connection_close);
|
|
Packit |
90a5c9 |
authnz_ldap_cleanup_connection_close(ldc);
|
|
Packit |
90a5c9 |
ldc = get_connection_for_authz(r, LDAP_COMPARE);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, dn,
|
|
Packit |
90a5c9 |
sec->compare_dn_on_server);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
switch(result) {
|
|
Packit |
90a5c9 |
case LDAP_COMPARE_TRUE: {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01745)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: require ldap-filter: "
|
|
Packit |
90a5c9 |
"authorization successful");
|
|
Packit |
90a5c9 |
set_request_vars(r, LDAP_AUTHZ);
|
|
Packit |
90a5c9 |
return AUTHZ_GRANTED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
case LDAP_FILTER_ERROR: {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01746)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: require ldap-filter: "
|
|
Packit |
90a5c9 |
"%s authorization failed [%s][%s]",
|
|
Packit |
90a5c9 |
filtbuf, ldc->reason, ldap_err2string(result));
|
|
Packit |
90a5c9 |
break;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
default: {
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01747)
|
|
Packit |
90a5c9 |
"auth_ldap authorize: require ldap-filter: "
|
|
Packit |
90a5c9 |
"authorization failed [%s][%s]",
|
|
Packit |
90a5c9 |
ldc->reason, ldap_err2string(result));
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01748)
|
|
Packit |
90a5c9 |
"auth_ldap authorize filter: authorization denied for "
|
|
Packit |
90a5c9 |
"user %s to %s",
|
|
Packit |
90a5c9 |
r->user, r->uri);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const char *ldap_parse_config(cmd_parms *cmd, const char *require_line,
|
|
Packit |
90a5c9 |
const void **parsed_require_line)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
const char *expr_err = NULL;
|
|
Packit |
90a5c9 |
ap_expr_info_t *expr;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
expr = ap_expr_parse_cmd(cmd, require_line, AP_EXPR_FLAG_STRING_RESULT,
|
|
Packit |
90a5c9 |
&expr_err, NULL);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (expr_err)
|
|
Packit |
90a5c9 |
return apr_pstrcat(cmd->temp_pool,
|
|
Packit |
90a5c9 |
"Cannot parse expression in require line: ",
|
|
Packit |
90a5c9 |
expr_err, NULL);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
*parsed_require_line = expr;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Use the ldap url parsing routines to break up the ldap url into
|
|
Packit |
90a5c9 |
* host and port.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
static const char *mod_auth_ldap_parse_url(cmd_parms *cmd,
|
|
Packit |
90a5c9 |
void *config,
|
|
Packit |
90a5c9 |
const char *url,
|
|
Packit |
90a5c9 |
const char *mode)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
int rc;
|
|
Packit |
90a5c9 |
apr_ldap_url_desc_t *urld;
|
|
Packit |
90a5c9 |
apr_ldap_err_t *result;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
authn_ldap_config_t *sec = config;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
rc = apr_ldap_url_parse(cmd->pool, url, &(urld), &(result));
|
|
Packit |
90a5c9 |
if (rc != APR_SUCCESS) {
|
|
Packit |
90a5c9 |
return result->reason;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
sec->url = apr_pstrdup(cmd->pool, url);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Set all the values, or at least some sane defaults */
|
|
Packit |
90a5c9 |
if (sec->host) {
|
|
Packit |
90a5c9 |
sec->host = apr_pstrcat(cmd->pool, urld->lud_host, " ", sec->host, NULL);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
sec->host = urld->lud_host? apr_pstrdup(cmd->pool, urld->lud_host) : "localhost";
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
sec->basedn = urld->lud_dn? apr_pstrdup(cmd->pool, urld->lud_dn) : "";
|
|
Packit |
90a5c9 |
if (urld->lud_attrs && urld->lud_attrs[0]) {
|
|
Packit |
90a5c9 |
int i = 1;
|
|
Packit |
90a5c9 |
while (urld->lud_attrs[i]) {
|
|
Packit |
90a5c9 |
i++;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
sec->attributes = apr_pcalloc(cmd->pool, sizeof(char *) * (i+1));
|
|
Packit |
90a5c9 |
i = 0;
|
|
Packit |
90a5c9 |
while (urld->lud_attrs[i]) {
|
|
Packit |
90a5c9 |
sec->attributes[i] = apr_pstrdup(cmd->pool, urld->lud_attrs[i]);
|
|
Packit |
90a5c9 |
i++;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
sec->attribute = sec->attributes[0];
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
sec->attribute = "uid";
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
sec->scope = urld->lud_scope == LDAP_SCOPE_ONELEVEL ?
|
|
Packit |
90a5c9 |
LDAP_SCOPE_ONELEVEL : LDAP_SCOPE_SUBTREE;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (urld->lud_filter) {
|
|
Packit |
90a5c9 |
if (urld->lud_filter[0] == '(') {
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Get rid of the surrounding parens; later on when generating the
|
|
Packit |
90a5c9 |
* filter, they'll be put back.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
sec->filter = apr_pstrmemdup(cmd->pool, urld->lud_filter+1,
|
|
Packit |
90a5c9 |
strlen(urld->lud_filter)-2);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
sec->filter = apr_pstrdup(cmd->pool, urld->lud_filter);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
sec->filter = "objectclass=*";
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (mode) {
|
|
Packit |
90a5c9 |
if (0 == strcasecmp("NONE", mode)) {
|
|
Packit |
90a5c9 |
sec->secure = APR_LDAP_NONE;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else if (0 == strcasecmp("SSL", mode)) {
|
|
Packit |
90a5c9 |
sec->secure = APR_LDAP_SSL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else if (0 == strcasecmp("TLS", mode) || 0 == strcasecmp("STARTTLS", mode)) {
|
|
Packit |
90a5c9 |
sec->secure = APR_LDAP_STARTTLS;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
return "Invalid LDAP connection mode setting: must be one of NONE, "
|
|
Packit |
90a5c9 |
"SSL, or TLS/STARTTLS";
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* "ldaps" indicates secure ldap connections desired
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
if (strncasecmp(url, "ldaps", 5) == 0)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
sec->secure = APR_LDAP_SSL;
|
|
Packit |
90a5c9 |
sec->port = urld->lud_port? urld->lud_port : LDAPS_PORT;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
sec->port = urld->lud_port? urld->lud_port : LDAP_PORT;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
sec->have_ldap_url = 1;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, cmd->server,
|
|
Packit |
90a5c9 |
"auth_ldap url parse: `%s', Host: %s, Port: %d, DN: %s, "
|
|
Packit |
90a5c9 |
"attrib: %s, scope: %s, filter: %s, connection mode: %s",
|
|
Packit |
90a5c9 |
url,
|
|
Packit |
90a5c9 |
urld->lud_host,
|
|
Packit |
90a5c9 |
urld->lud_port,
|
|
Packit |
90a5c9 |
urld->lud_dn,
|
|
Packit |
90a5c9 |
urld->lud_attrs? urld->lud_attrs[0] : "(null)",
|
|
Packit |
90a5c9 |
(urld->lud_scope == LDAP_SCOPE_SUBTREE? "subtree" :
|
|
Packit |
90a5c9 |
urld->lud_scope == LDAP_SCOPE_BASE? "base" :
|
|
Packit |
90a5c9 |
urld->lud_scope == LDAP_SCOPE_ONELEVEL? "onelevel" : "unknown"),
|
|
Packit |
90a5c9 |
urld->lud_filter,
|
|
Packit |
90a5c9 |
sec->secure == APR_LDAP_SSL ? "using SSL": "not using SSL"
|
|
Packit |
90a5c9 |
);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const char *mod_auth_ldap_set_deref(cmd_parms *cmd, void *config, const char *arg)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
authn_ldap_config_t *sec = config;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (strcmp(arg, "never") == 0 || strcasecmp(arg, "off") == 0) {
|
|
Packit |
90a5c9 |
sec->deref = never;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else if (strcmp(arg, "searching") == 0) {
|
|
Packit |
90a5c9 |
sec->deref = searching;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else if (strcmp(arg, "finding") == 0) {
|
|
Packit |
90a5c9 |
sec->deref = finding;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else if (strcmp(arg, "always") == 0 || strcasecmp(arg, "on") == 0) {
|
|
Packit |
90a5c9 |
sec->deref = always;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
return "Unrecognized value for AuthLDAPDereferenceAliases directive";
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const char *mod_auth_ldap_add_subgroup_attribute(cmd_parms *cmd, void *config, const char *arg)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
int i = 0;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
authn_ldap_config_t *sec = config;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
for (i = 0; sec->sgAttributes[i]; i++) {
|
|
Packit |
90a5c9 |
;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
if (i == GROUPATTR_MAX_ELTS)
|
|
Packit |
90a5c9 |
return "Too many AuthLDAPSubGroupAttribute values";
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
sec->sgAttributes[i] = apr_pstrdup(cmd->pool, arg);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const char *mod_auth_ldap_add_subgroup_class(cmd_parms *cmd, void *config, const char *arg)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
struct mod_auth_ldap_groupattr_entry_t *new;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
authn_ldap_config_t *sec = config;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (sec->subgroupclasses->nelts > GROUPATTR_MAX_ELTS)
|
|
Packit |
90a5c9 |
return "Too many AuthLDAPSubGroupClass values";
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
new = apr_array_push(sec->subgroupclasses);
|
|
Packit |
90a5c9 |
new->name = apr_pstrdup(cmd->pool, arg);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const char *mod_auth_ldap_set_subgroup_maxdepth(cmd_parms *cmd,
|
|
Packit |
90a5c9 |
void *config,
|
|
Packit |
90a5c9 |
const char *max_depth)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
authn_ldap_config_t *sec = config;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
sec->maxNestingDepth = atol(max_depth);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const char *mod_auth_ldap_add_group_attribute(cmd_parms *cmd, void *config, const char *arg)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
struct mod_auth_ldap_groupattr_entry_t *new;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
authn_ldap_config_t *sec = config;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (sec->groupattr->nelts > GROUPATTR_MAX_ELTS)
|
|
Packit |
90a5c9 |
return "Too many AuthLDAPGroupAttribute directives";
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
new = apr_array_push(sec->groupattr);
|
|
Packit |
90a5c9 |
new->name = apr_pstrdup(cmd->pool, arg);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const char *set_charset_config(cmd_parms *cmd, void *config, const char *arg)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
ap_set_module_config(cmd->server->module_config, &authnz_ldap_module,
|
|
Packit |
90a5c9 |
(void *)arg);
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const char *set_bind_pattern(cmd_parms *cmd, void *_cfg, const char *exp, const char *subst)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
authn_ldap_config_t *sec = _cfg;
|
|
Packit |
90a5c9 |
ap_regex_t *regexp;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
regexp = ap_pregcomp(cmd->pool, exp, AP_REG_EXTENDED);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!regexp) {
|
|
Packit |
90a5c9 |
return apr_pstrcat(cmd->pool, "AuthLDAPInitialBindPattern: cannot compile regular "
|
|
Packit |
90a5c9 |
"expression '", exp, "'", NULL);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
sec->bind_regex = regexp;
|
|
Packit |
90a5c9 |
sec->bind_subst = subst;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const char *set_bind_password(cmd_parms *cmd, void *_cfg, const char *arg)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
authn_ldap_config_t *sec = _cfg;
|
|
Packit |
90a5c9 |
int arglen = strlen(arg);
|
|
Packit |
90a5c9 |
char **argv;
|
|
Packit |
90a5c9 |
char *result;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if ((arglen > 5) && strncmp(arg, "exec:", 5) == 0) {
|
|
Packit |
90a5c9 |
if (apr_tokenize_to_argv(arg+5, &argv, cmd->temp_pool) != APR_SUCCESS) {
|
|
Packit |
90a5c9 |
return apr_pstrcat(cmd->pool,
|
|
Packit |
90a5c9 |
"Unable to parse exec arguments from ",
|
|
Packit |
90a5c9 |
arg+5, NULL);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
argv[0] = ap_server_root_relative(cmd->temp_pool, argv[0]);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!argv[0]) {
|
|
Packit |
90a5c9 |
return apr_pstrcat(cmd->pool,
|
|
Packit |
90a5c9 |
"Invalid AuthLDAPBindPassword exec location:",
|
|
Packit |
90a5c9 |
arg+5, NULL);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
result = ap_get_exec_line(cmd->pool,
|
|
Packit |
90a5c9 |
(const char*)argv[0], (const char * const *)argv);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!result) {
|
|
Packit |
90a5c9 |
return apr_pstrcat(cmd->pool,
|
|
Packit |
90a5c9 |
"Unable to get bind password from exec of ",
|
|
Packit |
90a5c9 |
arg+5, NULL);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
sec->bindpw = result;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
sec->bindpw = (char *)arg;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const command_rec authnz_ldap_cmds[] =
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
AP_INIT_TAKE12("AuthLDAPURL", mod_auth_ldap_parse_url, NULL, OR_AUTHCFG,
|
|
Packit |
90a5c9 |
"URL to define LDAP connection. This should be an RFC 2255 compliant\n"
|
|
Packit |
90a5c9 |
"URL of the form ldap://host[:port]/basedn[?attrib[?scope[?filter]]].\n"
|
|
Packit |
90a5c9 |
"
|
|
Packit |
90a5c9 |
"Host is the name of the LDAP server. Use a space separated list of hosts \n"
|
|
Packit |
90a5c9 |
"to specify redundant servers.\n"
|
|
Packit |
90a5c9 |
"Port is optional, and specifies the port to connect to.\n"
|
|
Packit |
90a5c9 |
"basedn specifies the base DN to start searches from\n"
|
|
Packit |
90a5c9 |
"Attrib specifies what attribute to search for in the directory. If not "
|
|
Packit |
90a5c9 |
"provided, it defaults to uid.\n"
|
|
Packit |
90a5c9 |
"Scope is the scope of the search, and can be either sub or "
|
|
Packit |
90a5c9 |
"one. If not provided, the default is sub.\n"
|
|
Packit |
90a5c9 |
"Filter is a filter to use in the search. If not provided, "
|
|
Packit |
90a5c9 |
"defaults to (objectClass=*).\n"
|
|
Packit |
90a5c9 |
"\n"
|
|
Packit |
90a5c9 |
"Searches are performed using the attribute and the filter combined. "
|
|
Packit |
90a5c9 |
"For example, assume that the\n"
|
|
Packit |
90a5c9 |
"LDAP URL is ldap://ldap.airius.com/ou=People, o=Airius?uid?sub?(posixid=*). "
|
|
Packit |
90a5c9 |
"Searches will\n"
|
|
Packit |
90a5c9 |
"be done using the filter (&((posixid=*))(uid=username)), "
|
|
Packit |
90a5c9 |
"where username\n"
|
|
Packit |
90a5c9 |
"is the user name passed by the HTTP client. The search will be a subtree "
|
|
Packit |
90a5c9 |
"search on the branch ou=People, o=Airius."),
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
AP_INIT_TAKE1("AuthLDAPBindDN", ap_set_string_slot,
|
|
Packit |
90a5c9 |
(void *)APR_OFFSETOF(authn_ldap_config_t, binddn), OR_AUTHCFG,
|
|
Packit |
90a5c9 |
"DN to use to bind to LDAP server. If not provided, will do an anonymous bind."),
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
AP_INIT_TAKE1("AuthLDAPBindPassword", set_bind_password, NULL, OR_AUTHCFG,
|
|
Packit |
90a5c9 |
"Password to use to bind to LDAP server. If not provided, will do an anonymous bind."),
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
AP_INIT_FLAG("AuthLDAPBindAuthoritative", ap_set_flag_slot,
|
|
Packit |
90a5c9 |
(void *)APR_OFFSETOF(authn_ldap_config_t, bind_authoritative), OR_AUTHCFG,
|
|
Packit |
90a5c9 |
"Set to 'on' to return failures when user-specific bind fails - defaults to on."),
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
AP_INIT_FLAG("AuthLDAPRemoteUserIsDN", ap_set_flag_slot,
|
|
Packit |
90a5c9 |
(void *)APR_OFFSETOF(authn_ldap_config_t, user_is_dn), OR_AUTHCFG,
|
|
Packit |
90a5c9 |
"Set to 'on' to set the REMOTE_USER environment variable to be the full "
|
|
Packit |
90a5c9 |
"DN of the remote user. By default, this is set to off, meaning that "
|
|
Packit |
90a5c9 |
"the REMOTE_USER variable will contain whatever value the remote user sent."),
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
AP_INIT_TAKE1("AuthLDAPRemoteUserAttribute", ap_set_string_slot,
|
|
Packit |
90a5c9 |
(void *)APR_OFFSETOF(authn_ldap_config_t, remote_user_attribute), OR_AUTHCFG,
|
|
Packit |
90a5c9 |
"Override the user supplied username and place the "
|
|
Packit |
90a5c9 |
"contents of this attribute in the REMOTE_USER "
|
|
Packit |
90a5c9 |
"environment variable."),
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
AP_INIT_FLAG("AuthLDAPCompareDNOnServer", ap_set_flag_slot,
|
|
Packit |
90a5c9 |
(void *)APR_OFFSETOF(authn_ldap_config_t, compare_dn_on_server), OR_AUTHCFG,
|
|
Packit |
90a5c9 |
"Set to 'on' to force auth_ldap to do DN compares (for the \"require dn\" "
|
|
Packit |
90a5c9 |
"directive) using the server, and set it 'off' to do the compares locally "
|
|
Packit |
90a5c9 |
"(at the expense of possible false matches). See the documentation for "
|
|
Packit |
90a5c9 |
"a complete description of this option."),
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
AP_INIT_ITERATE("AuthLDAPSubGroupAttribute", mod_auth_ldap_add_subgroup_attribute, NULL, OR_AUTHCFG,
|
|
Packit |
90a5c9 |
"Attribute labels used to define sub-group (or nested group) membership in groups - "
|
|
Packit |
90a5c9 |
"defaults to member and uniqueMember"),
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
AP_INIT_ITERATE("AuthLDAPSubGroupClass", mod_auth_ldap_add_subgroup_class, NULL, OR_AUTHCFG,
|
|
Packit |
90a5c9 |
"LDAP objectClass values used to identify sub-group instances - "
|
|
Packit |
90a5c9 |
"defaults to groupOfNames and groupOfUniqueNames"),
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
AP_INIT_TAKE1("AuthLDAPMaxSubGroupDepth", mod_auth_ldap_set_subgroup_maxdepth, NULL, OR_AUTHCFG,
|
|
Packit |
90a5c9 |
"Maximum subgroup nesting depth to be evaluated - defaults to 10 (top-level group = 0)"),
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
AP_INIT_ITERATE("AuthLDAPGroupAttribute", mod_auth_ldap_add_group_attribute, NULL, OR_AUTHCFG,
|
|
Packit |
90a5c9 |
"A list of attribute labels used to identify the user members of groups - defaults to "
|
|
Packit |
90a5c9 |
"member and uniquemember"),
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
AP_INIT_FLAG("AuthLDAPGroupAttributeIsDN", ap_set_flag_slot,
|
|
Packit |
90a5c9 |
(void *)APR_OFFSETOF(authn_ldap_config_t, group_attrib_is_dn), OR_AUTHCFG,
|
|
Packit |
90a5c9 |
"If set to 'on', auth_ldap uses the DN that is retrieved from the server for "
|
|
Packit |
90a5c9 |
"subsequent group comparisons. If set to 'off', auth_ldap uses the string "
|
|
Packit |
90a5c9 |
"provided by the client directly. Defaults to 'on'."),
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
AP_INIT_TAKE1("AuthLDAPDereferenceAliases", mod_auth_ldap_set_deref, NULL, OR_AUTHCFG,
|
|
Packit |
90a5c9 |
"Determines how aliases are handled during a search. Can be one of the "
|
|
Packit |
90a5c9 |
"values \"never\", \"searching\", \"finding\", or \"always\". "
|
|
Packit |
90a5c9 |
"Defaults to always."),
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
AP_INIT_TAKE1("AuthLDAPCharsetConfig", set_charset_config, NULL, RSRC_CONF,
|
|
Packit |
90a5c9 |
"Character set conversion configuration file. If omitted, character set "
|
|
Packit |
90a5c9 |
"conversion is disabled."),
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
AP_INIT_TAKE1("AuthLDAPAuthorizePrefix", ap_set_string_slot,
|
|
Packit |
90a5c9 |
(void *)APR_OFFSETOF(authn_ldap_config_t, authz_prefix), OR_AUTHCFG,
|
|
Packit |
90a5c9 |
"The prefix to add to environment variables set during "
|
|
Packit |
90a5c9 |
"successful authorization, default '" AUTHZ_PREFIX "'"),
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
AP_INIT_FLAG("AuthLDAPInitialBindAsUser", ap_set_flag_slot,
|
|
Packit |
90a5c9 |
(void *)APR_OFFSETOF(authn_ldap_config_t, initial_bind_as_user), OR_AUTHCFG,
|
|
Packit |
90a5c9 |
"Set to 'on' to perform the initial DN lookup with the basic auth credentials "
|
|
Packit |
90a5c9 |
"instead of anonymous or hard-coded credentials"),
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
AP_INIT_TAKE2("AuthLDAPInitialBindPattern", set_bind_pattern, NULL, OR_AUTHCFG,
|
|
Packit |
90a5c9 |
"The regex and substitution to determine a username that can bind based on an HTTP basic auth username"),
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
AP_INIT_FLAG("AuthLDAPSearchAsUser", ap_set_flag_slot,
|
|
Packit |
90a5c9 |
(void *)APR_OFFSETOF(authn_ldap_config_t, search_as_user), OR_AUTHCFG,
|
|
Packit |
90a5c9 |
"Set to 'on' to perform authorization-based searches with the users credentials, when this module "
|
|
Packit |
90a5c9 |
"has also performed authentication. Does not affect nested groups lookup."),
|
|
Packit |
90a5c9 |
AP_INIT_FLAG("AuthLDAPCompareAsUser", ap_set_flag_slot,
|
|
Packit |
90a5c9 |
(void *)APR_OFFSETOF(authn_ldap_config_t, compare_as_user), OR_AUTHCFG,
|
|
Packit |
90a5c9 |
"Set to 'on' to perform authorization-based compares with the users credentials, when this module "
|
|
Packit |
90a5c9 |
"has also performed authentication. Does not affect nested groups lookups."),
|
|
Packit |
90a5c9 |
{NULL}
|
|
Packit |
90a5c9 |
};
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static int authnz_ldap_post_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
ap_configfile_t *f;
|
|
Packit |
90a5c9 |
char l[MAX_STRING_LEN];
|
|
Packit |
90a5c9 |
const char *charset_confname = ap_get_module_config(s->module_config,
|
|
Packit |
90a5c9 |
&authnz_ldap_module);
|
|
Packit |
90a5c9 |
apr_status_t status;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
authn_ldap_config_t *sec = (authn_ldap_config_t *)
|
|
Packit |
90a5c9 |
ap_get_module_config(s->module_config,
|
|
Packit |
90a5c9 |
&authnz_ldap_module);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (sec->secure)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
if (!util_ldap_ssl_supported(s))
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s, APLOGNO(03159)
|
|
Packit |
90a5c9 |
"LDAP: SSL connections (ldaps://) not supported by utilLDAP");
|
|
Packit |
90a5c9 |
return(!OK);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* make sure that mod_ldap (util_ldap) is loaded */
|
|
Packit |
90a5c9 |
if (ap_find_linked_module("util_ldap.c") == NULL) {
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01749)
|
|
Packit |
90a5c9 |
"Module mod_ldap missing. Mod_ldap (aka. util_ldap) "
|
|
Packit |
90a5c9 |
"must be loaded in order for mod_authnz_ldap to function properly");
|
|
Packit |
90a5c9 |
return HTTP_INTERNAL_SERVER_ERROR;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!charset_confname) {
|
|
Packit |
90a5c9 |
return OK;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
charset_confname = ap_server_root_relative(p, charset_confname);
|
|
Packit |
90a5c9 |
if (!charset_confname) {
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_ERR, APR_EBADPATH, s, APLOGNO(01750)
|
|
Packit |
90a5c9 |
"Invalid charset conversion config path %s",
|
|
Packit |
90a5c9 |
(const char *)ap_get_module_config(s->module_config,
|
|
Packit |
90a5c9 |
&authnz_ldap_module));
|
|
Packit |
90a5c9 |
return HTTP_INTERNAL_SERVER_ERROR;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
if ((status = ap_pcfg_openfile(&f, ptemp, charset_confname))
|
|
Packit |
90a5c9 |
!= APR_SUCCESS) {
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_ERR, status, s, APLOGNO(01751)
|
|
Packit |
90a5c9 |
"could not open charset conversion config file %s.",
|
|
Packit |
90a5c9 |
charset_confname);
|
|
Packit |
90a5c9 |
return HTTP_INTERNAL_SERVER_ERROR;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
charset_conversions = apr_hash_make(p);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {
|
|
Packit |
90a5c9 |
const char *ll = l;
|
|
Packit |
90a5c9 |
char *lang;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (l[0] == '#') {
|
|
Packit |
90a5c9 |
continue;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
lang = ap_getword_conf(p, &ll);
|
|
Packit |
90a5c9 |
ap_str_tolower(lang);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (ll[0]) {
|
|
Packit |
90a5c9 |
char *charset = ap_getword_conf(p, &ll);
|
|
Packit |
90a5c9 |
apr_hash_set(charset_conversions, lang, APR_HASH_KEY_STRING, charset);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
ap_cfg_closefile(f);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
to_charset = derive_codepage_from_lang (p, "utf-8");
|
|
Packit |
90a5c9 |
if (to_charset == NULL) {
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_ERR, status, s, APLOGNO(01752)
|
|
Packit |
90a5c9 |
"could not find the UTF-8 charset in the file %s.",
|
|
Packit |
90a5c9 |
charset_confname);
|
|
Packit |
90a5c9 |
return HTTP_INTERNAL_SERVER_ERROR;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return OK;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const authn_provider authn_ldap_provider =
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
&authn_ldap_check_password,
|
|
Packit |
90a5c9 |
NULL,
|
|
Packit |
90a5c9 |
};
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const authz_provider authz_ldapuser_provider =
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
&ldapuser_check_authorization,
|
|
Packit |
90a5c9 |
&ldap_parse_config,
|
|
Packit |
90a5c9 |
};
|
|
Packit |
90a5c9 |
static const authz_provider authz_ldapgroup_provider =
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
&ldapgroup_check_authorization,
|
|
Packit |
90a5c9 |
&ldap_parse_config,
|
|
Packit |
90a5c9 |
};
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const authz_provider authz_ldapdn_provider =
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
&ldapdn_check_authorization,
|
|
Packit |
90a5c9 |
&ldap_parse_config,
|
|
Packit |
90a5c9 |
};
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const authz_provider authz_ldapattribute_provider =
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
&ldapattribute_check_authorization,
|
|
Packit |
90a5c9 |
&ldap_parse_config,
|
|
Packit |
90a5c9 |
};
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const authz_provider authz_ldapfilter_provider =
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
&ldapfilter_check_authorization,
|
|
Packit |
90a5c9 |
&ldap_parse_config,
|
|
Packit |
90a5c9 |
};
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static void ImportULDAPOptFn(void)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
util_ldap_connection_close = APR_RETRIEVE_OPTIONAL_FN(uldap_connection_close);
|
|
Packit |
90a5c9 |
util_ldap_connection_find = APR_RETRIEVE_OPTIONAL_FN(uldap_connection_find);
|
|
Packit |
90a5c9 |
util_ldap_cache_comparedn = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_comparedn);
|
|
Packit |
90a5c9 |
util_ldap_cache_compare = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_compare);
|
|
Packit |
90a5c9 |
util_ldap_cache_checkuserid = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_checkuserid);
|
|
Packit |
90a5c9 |
util_ldap_cache_getuserdn = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_getuserdn);
|
|
Packit |
90a5c9 |
util_ldap_ssl_supported = APR_RETRIEVE_OPTIONAL_FN(uldap_ssl_supported);
|
|
Packit |
90a5c9 |
util_ldap_cache_check_subgroups = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_check_subgroups);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static void register_hooks(apr_pool_t *p)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
/* Register authn provider */
|
|
Packit |
90a5c9 |
ap_register_auth_provider(p, AUTHN_PROVIDER_GROUP, "ldap",
|
|
Packit |
90a5c9 |
AUTHN_PROVIDER_VERSION,
|
|
Packit |
90a5c9 |
&authn_ldap_provider, AP_AUTH_INTERNAL_PER_CONF);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Register authz providers */
|
|
Packit |
90a5c9 |
ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-user",
|
|
Packit |
90a5c9 |
AUTHZ_PROVIDER_VERSION,
|
|
Packit |
90a5c9 |
&authz_ldapuser_provider,
|
|
Packit |
90a5c9 |
AP_AUTH_INTERNAL_PER_CONF);
|
|
Packit |
90a5c9 |
ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-group",
|
|
Packit |
90a5c9 |
AUTHZ_PROVIDER_VERSION,
|
|
Packit |
90a5c9 |
&authz_ldapgroup_provider,
|
|
Packit |
90a5c9 |
AP_AUTH_INTERNAL_PER_CONF);
|
|
Packit |
90a5c9 |
ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-dn",
|
|
Packit |
90a5c9 |
AUTHZ_PROVIDER_VERSION,
|
|
Packit |
90a5c9 |
&authz_ldapdn_provider,
|
|
Packit |
90a5c9 |
AP_AUTH_INTERNAL_PER_CONF);
|
|
Packit |
90a5c9 |
ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-attribute",
|
|
Packit |
90a5c9 |
AUTHZ_PROVIDER_VERSION,
|
|
Packit |
90a5c9 |
&authz_ldapattribute_provider,
|
|
Packit |
90a5c9 |
AP_AUTH_INTERNAL_PER_CONF);
|
|
Packit |
90a5c9 |
ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-filter",
|
|
Packit |
90a5c9 |
AUTHZ_PROVIDER_VERSION,
|
|
Packit |
90a5c9 |
&authz_ldapfilter_provider,
|
|
Packit |
90a5c9 |
AP_AUTH_INTERNAL_PER_CONF);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_hook_post_config(authnz_ldap_post_config,NULL,NULL,APR_HOOK_MIDDLE);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_hook_optional_fn_retrieve(ImportULDAPOptFn,NULL,NULL,APR_HOOK_MIDDLE);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
AP_DECLARE_MODULE(authnz_ldap) =
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
STANDARD20_MODULE_STUFF,
|
|
Packit |
90a5c9 |
create_authnz_ldap_dir_config, /* dir config creater */
|
|
Packit |
90a5c9 |
NULL, /* dir merger --- default is to override */
|
|
Packit |
90a5c9 |
NULL, /* server config */
|
|
Packit |
90a5c9 |
NULL, /* merge server config */
|
|
Packit |
90a5c9 |
authnz_ldap_cmds, /* command apr_table_t */
|
|
Packit |
90a5c9 |
register_hooks /* register hooks */
|
|
Packit |
90a5c9 |
};
|