Posted to bugs@httpd.apache.org by bu...@apache.org on 2004/09/22 01:59:42 UTC
DO NOT REPLY [Bug 31352] New: -
RFE, Bind to LDAP server with browser supplier user/pass
http://issues.apache.org/bugzilla/show_bug.cgi?id=31352
RFE, Bind to LDAP server with browser supplier user/pass
Summary: RFE, Bind to LDAP server with browser supplier user/pass
Product: Apache httpd-2.0
Version: 2.0.51
Platform: Sun
OS/Version: Solaris
Status: NEW
Severity: Enhancement
Priority: Other
Component: mod_auth_ldap
AssignedTo: bugs@httpd.apache.org
ReportedBy: simon_klyne@yahoo.com
In environments where access control on the LDAP DIT forbids anonymous binds and
bound users are only able to read their own entries, the possible binding options
for mod_auth_ldap will either fail to authenticate a user, or there are security
implications if the <Directory/> sections contain a suitably powerful
binddn/bindpw.
The browser supplies a username and password for the auth check.
This patch extends the AuthLDAPBindDN and AuthLDAPBindPasswd directives to
accept $USER and $PASSWORD respectively and substitute for user/pass
eg:
AuthLDAPBindDN uid=$USER,ou=people,ou=common,l=lon,c=gb,o=dis
AuthLDAPBindPassword $PASSWORD
for user/pass of 'klyne'/'password' becomes:
AuthLDAPBindDN uid=klyne,ou=people,ou=common,l=lon,c=gb,o=dis
AuthLDAPBindPassword password
The rest of mod_auth_ldap continues as before.
--- httpd-2.0.51/modules/experimental/mod_auth_ldap.c-dist 2004-05-22 01:39:
41.000000000 +0200
+++ httpd-2.0.51/modules/experimental/mod_auth_ldap.c 2004-09-21 23:40:53.
728681000 +0200
@@ -161,6 +161,83 @@
/*
+ *
+ * Read per directory module config, and substitute for variables in binddn and
bindpw
+ * This is just a wrapper around the call to
+ * ap_get_module_config(r->per_dir_config, &auth_ldap_module);
+ *
+ * If the binddn and bindpw set by the AuthLDAPBindDN and AuthLDAPBindPassword
directives
+ * contain $USER and $PASSWORD then substitute these with the browser supplied
user/pass,
+ * otherwise just return the mod_auth_ldap_config_t.
+ *
+ */
+#define BIND_USER "$USER"
+#define BIND_PASSWD "$PASSWORD"
+static mod_auth_ldap_config_t *auth_ldap_get_per_dir_module_config(request_rec
*r)
+{
+ const char *sent_pw;
+ int bad_sent_pw = 0;
+
+ char *bind_user; /* set to start of BIND_USER if binddn requires
username subst */
+
+ int doSubst = 0; /* set to true if we have values to substitute */
+
+ mod_auth_ldap_config_t *s =
+ (mod_auth_ldap_config_t *)ap_get_module_config(r->per_dir_config,
&auth_ldap_module);
+
+ /* check client sent a username and a password */
+ if ( ! r->user ) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
+ "[%d] auth_ldap authenticate:
auth_ldap_get_per_dir_module_config()"
+ " : Client sent no username",
+ getpid());
+ /* Substitute for client supplied USER in binddn if directory
configured for BIND_USER
+ * eg. if "AuthLDAPBindDN uid=$USER,ou=people,l=lon,c=gb,o=dis"
+ * send binddn to "uid=<user>,ou=people,l=lon,c=gb,o=dis"
+ */
+ } else {
+ if ((s->binddn) && ((bind_user = strstr(s->binddn, BIND_USER)) !=NULL))
{
+ char *attr;
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
+ "[%d] auth_ldap authenticate:
auth_ldap_get_per_dir_module_config()"
+ ": binddn %s",
+ getpid(), s->binddn);
+ attr = apr_pstrndup(r->pool, s->binddn, bind_user - s->binddn);
+ s->binddn = apr_pstrcat(r->pool, attr, r->user, bind_user +
strlen(BIND_USER), NULL );
+ doSubst++;
+ }
+ }
+
+ if ((bad_sent_pw = ap_get_basic_auth_pw(r, &sent_pw))) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
+ "[%d] auth_ldap_get_per_dir_module_config() auth_ldap authenticate:
"
+ "ap_get_basic_auth_pw() returns %d", getpid(), bad_sent_pw);
+
+ /* set bindpw to client suppled password if directory configured for
bindpw
+ to BIND_PASSWD */
+ } else {
+ if ( s->bindpw && strcmp(s->bindpw, BIND_PASSWD) ==0) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
+ "[%d] auth_ldap authenticate:
auth_ldap_get_per_dir_module_config()"
+ ": bindpw USER SUPPLIED",
+ getpid());
+ s->bindpw = (char *)sent_pw;
+ doSubst++;
+ }
+ }
+
+ if (doSubst) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
+ "[%d] auth_ldap_get_per_dir_module_config() : SUBST",
+ getpid());
+
+ ap_set_module_config(r->per_dir_config, &auth_ldap_module, s);
+ }
+
+ return s;
+}
+
+/*
* Build the search filter, or at least as much of the search filter that
* will fit in the buffer. We don't worry about the buffer not being able
* to hold the entire filter. If the buffer wasn't big enough to hold the
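Review bot: The substitution writes into the shared per-directory config in place (`s->binddn = apr_pstrcat(...)` and `s->bindpw = (char *)sent_pw;`), but `s` is the config vector Apache builds at startup and hands to every request for this location, so after the first request the `$USER` marker is gone and later requests bind with the first client's DN, and `bindpw` keeps pointing at `sent_pw`, which as far as I recall `ap_get_basic_auth_pw()` decodes into `r->pool` and is therefore freed when that request ends; on a threaded MPM concurrent requests also race on the same struct. The function should substitute into a request-pool copy of the struct and return it, dropping the `ap_set_module_config(r->per_dir_config, ...)` call entirely, since the callers in the two later hunks already use the returned pointer. Separately, `r->user` is spliced into the DN without RFC 4514 escaping, so a username containing DN special characters (`,` `+` `=` `"` `\` `;` `<` `>` `#`) changes which entry the bind targets; reject such names or escape them before the `apr_pstrcat()` call. Note also that `strstr()` replaces only the first `$USER` occurrence, which should be documented in the header comment if intended.
```c
static mod_auth_ldap_config_t *auth_ldap_get_per_dir_module_config(request_rec *r)
{
    /* … unchanged: sent_pw, bad_sent_pw, bind_user, doSubst declarations … */
    mod_auth_ldap_config_t *shared =
        (mod_auth_ldap_config_t *)ap_get_module_config(r->per_dir_config,
                                                       &auth_ldap_module);
    /* The per-dir config is shared by every request to this location (and by
     * every thread on a threaded MPM); substitute into a request-lifetime
     * copy so one client's DN/password never leaks into another's bind and
     * bindpw never outlives the request pool it points into. */
    mod_auth_ldap_config_t *s = apr_pmemdup(r->pool, shared, sizeof(*s));

    /* … unchanged: $USER substitution into s->binddn, $PASSWORD into s->bindpw … */

    /* No ap_set_module_config(): the copy must stay request-private;
     * callers use the returned pointer. */
    return s;
}
```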
@@ -269,7 +346,7 @@
const char **vals = NULL;
char filtbuf[FILTER_LENGTH];
mod_auth_ldap_config_t *sec =
- (mod_auth_ldap_config_t *)ap_get_module_config(r->per_dir_config,
&auth_ldap_module);
+ (mod_auth_ldap_config_t *)auth_ldap_get_per_dir_module_config(r);
util_ldap_connection_t *ldc = NULL;
const char *sent_pw;
@@ -409,8 +486,7 @@
(mod_auth_ldap_request_t *)ap_get_module_config(r->request_config,
&auth_ldap_module);
mod_auth_ldap_config_t *sec =
- (mod_auth_ldap_config_t *)ap_get_module_config(r->per_dir_config,
- &auth_ldap_module);
+ (mod_auth_ldap_config_t *)auth_ldap_get_per_dir_module_config(r);
util_ldap_connection_t *ldc = NULL;
int m = r->method_number;