Posted to cvs@httpd.apache.org by bn...@apache.org on 2004/11/02 01:08:21 UTC
cvs commit: httpd-2.0/modules/aaa NWGNUauthnzldap mod_authnz_ldap.c
bnicholes 2004/11/01 16:08:21
Modified: modules/aaa NWGNUauthnzldap mod_authnz_ldap.c
Log:
Allow mod_authnz_ldap authorization functionality to be used without requiring the user to also be authenticated through mod_authnz_ldap. This allows other authentication modules to take advantage of LDAP authorization only [PR 28253]
Submitted by: Jari Ahonen [jah progress.com]
Reviewed by: Brad Nicholes
Revision Changes Path
1.2 +1 -0 httpd-2.0/modules/aaa/NWGNUauthnzldap
Index: NWGNUauthnzldap
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/aaa/NWGNUauthnzldap,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- NWGNUauthnzldap 17 Aug 2004 23:33:07 -0000 1.1
+++ NWGNUauthnzldap 2 Nov 2004 00:08:21 -0000 1.2
@@ -206,6 +206,7 @@
util_ldap_connection_find \
util_ldap_connection_close \
util_ldap_cache_checkuserid \
+ util_ldap_cache_getuserdn \
util_ldap_cache_compare \
util_ldap_cache_comparedn \
@$(APR)/aprlib.imp \
1.6 +44 -0 httpd-2.0/modules/aaa/mod_authnz_ldap.c
Index: mod_authnz_ldap.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/aaa/mod_authnz_ldap.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- mod_authnz_ldap.c 12 Oct 2004 12:27:18 -0000 1.5
+++ mod_authnz_ldap.c 2 Nov 2004 00:08:21 -0000 1.6
@@ -469,6 +469,12 @@
char *w;
int method_restricted = 0;
+ char filtbuf[FILTER_LENGTH];
+ const char *dn = NULL;
+ const char **vals = NULL;
+ const char *type = ap_auth_type(r);
+ char *tmpuser;
+
/*
if (!sec->enabled) {
return DECLINED;
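Review bot: `type` and `tmpuser`, declared in this hunk, are not referenced in either visible hunk of this file, so they look like leftover declarations that will draw unused-variable warnings; if the remainder of the enclosing function (whose signature and body continue outside the hunk) does not use them, drop `const char *type = ap_auth_type(r);` and `char *tmpuser;`. `vals` is passed to util_ldap_cache_getuserdn in the next hunk but its contents are never read there, so it may be unnecessary as well, depending on whether that helper requires a non-NULL out-parameter.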
@@ -515,6 +521,44 @@
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: no requirements array", getpid());
return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+ }
+
+ /*
+ * If we have been authenticated by some other module than mod_auth_ldap,
+ * the req structure needed for authorization needs to be created
+ * and populated with the userid and DN of the account in LDAP
+ */
+
+ /* Check that we have a userid to start with */
+ if ((!r->user) || (strlen(r->user) == 0)) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r,
+ "ldap authorize: Userid is blank, AuthType=%s",
+ r->ap_auth_type);
+ }
+
+ if(!req) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
+ "ldap authorize: Creating LDAP req structure");
+
+ /* Build the username filter */
+ authn_ldap_build_filter(filtbuf, r, r->user, sec);
+
+ /* Search for the user DN */
+ result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
+ sec->scope, sec->attributes, filtbuf, &dn, &vals);
+
+ /* Search failed, log error and return failure */
+ if(result != LDAP_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
+ "auth_ldap authorise: User DN not found, %s", ldc->reason);
+ return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+ }
+
+ req = (authn_ldap_request_t *)apr_pcalloc(r->pool,
+ sizeof(authn_ldap_request_t));
+ ap_set_module_config(r->request_config, &authnz_ldap_module, req);
+ req->dn = apr_pstrdup(r->pool, dn);
+ req->user = r->user;
}
/* Loop through the requirements array until there's no elements
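Review bot: The blank-userid guard only logs; when r->user is NULL or empty, control falls through to `authn_ldap_build_filter(filtbuf, r, r->user, sec)` and the util_ldap_cache_getuserdn search, so the filter is built from a missing username. Add `return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;` after that ap_log_rerror, matching the other failure paths in this block. Because r->user now originates from whichever module authenticated the request rather than from this module's own LDAP bind, authn_ldap_build_filter's escaping is the only sanitization applied before the LDAP search; that function is outside this hunk and its handling of filter metacharacters is worth confirming. Minor style: `if(!req)` and `if(result != LDAP_SUCCESS)` would read `if (!req)` and `if (result != LDAP_SUCCESS)` to match the surrounding code. The enclosing function starts before the hunk and the requirements loop continues after it.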