You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by mi...@apache.org on 2013/04/28 01:14:11 UTC
svn commit: r1476694 - in /httpd/httpd/branches/2.4.x: CHANGES STATUS
docs/manual/mod/mod_authnz_ldap.xml include/ap_mmn.h include/httpd.h
modules/aaa/mod_authnz_ldap.c server/util.c
Author: minfrin
Date: Sat Apr 27 23:14:11 2013
New Revision: 1476694
URL: http://svn.apache.org/r1476694
Log:
mod_authnz_ldap: Allow using exec: callouts like SSLPassphraseDialog
for AuthLDAPBindPassword.
trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1433478
http://svn.apache.org/viewvc?view=revision&revision=1467523
http://svn.apache.org/viewvc?view=revision&revision=1467792
2.4.x patch: http://people.apache.org/~druggeri/patches/AuthLDAPBindPasswordExec-2.4.patch
(20130119 - updated to include minor mmn bump)
(20130412 - updated to not use static var - thx, wrowe)
Submitted by: druggeri
Reviewed by: jim, minfrin
Modified:
httpd/httpd/branches/2.4.x/CHANGES
httpd/httpd/branches/2.4.x/STATUS
httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authnz_ldap.xml
httpd/httpd/branches/2.4.x/include/ap_mmn.h
httpd/httpd/branches/2.4.x/include/httpd.h
httpd/httpd/branches/2.4.x/modules/aaa/mod_authnz_ldap.c
httpd/httpd/branches/2.4.x/server/util.c
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1476694&r1=1476693&r2=1476694&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Sat Apr 27 23:14:11 2013
@@ -2,6 +2,9 @@
Changes with Apache 2.4.5
+ *) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
+ password. [Daniel Ruggeri]
+
*) Added balancer parameter failontimeout to allow server admin
to configure an IO timeout as an error in the balancer.
[Daniel Ruggeri]
Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1476694&r1=1476693&r2=1476694&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Sat Apr 27 23:14:11 2013
@@ -90,16 +90,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_authnz_ldap: Allow using exec: callouts like SSLPassphraseDialog
- for AuthLDAPBindPassword.
- trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1433478
- http://svn.apache.org/viewvc?view=revision&revision=1467523
- http://svn.apache.org/viewvc?view=revision&revision=1467792
- 2.4.x patch: http://people.apache.org/~druggeri/patches/AuthLDAPBindPasswordExec-2.4.patch
- (20130119 - updated to include minor mmn bump)
- (20130412 - updated to not use static var - thx, wrowe)
- +1: druggeri, jim, minfrin
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authnz_ldap.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authnz_ldap.xml?rev=1476694&r1=1476693&r2=1476694&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authnz_ldap.xml (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authnz_ldap.xml Sat Apr 27 23:14:11 2013
@@ -911,6 +911,21 @@ to perform a DN lookup</description>
module="mod_authnz_ldap">AuthLDAPBindDN</directive> and <directive
module="mod_authnz_ldap">AuthLDAPBindPassword</directive> if you
absolutely need them to search the directory.</p>
+
+ <p>If the value begins with exec: the resulting command will be
+ executed and the first line returned to standard output by the
+ program will be used as the password.</p>
+<example><pre>
+#Password used as-is
+AuthLDAPBindPassword secret
+
+#Run /path/to/program to get my password
+AuthLDAPBindPassword exec:/path/to/program
+
+#Run /path/to/otherProgram and provide arguments
+AuthLDAPBindPassword "exec:/path/to/otherProgram argument1"
+</pre></example>
+
</usage>
</directivesynopsis>
Modified: httpd/httpd/branches/2.4.x/include/ap_mmn.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/include/ap_mmn.h?rev=1476694&r1=1476693&r2=1476694&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/include/ap_mmn.h (original)
+++ httpd/httpd/branches/2.4.x/include/ap_mmn.h Sat Apr 27 23:14:11 2013
@@ -401,7 +401,8 @@
* 20120211.9 (2.4.4-dev) Add fgrab() to ap_slotmem_provider_t.
* 20120211.10 (2.4.4-dev) Add in bal_persist field to proxy_server_conf
* 20120211.11 (2.4.4-dev) Add ap_bin2hex()
- * 20120211.12 (2.4.5-dev) Add ap_remove_input|output_filter_byhandle()
+ * 20120211.12 (2.4.4-dev) Add ap_remove_input|output_filter_byhandle()
+ * 20120211.13 (2.4.4-dev) Add ap_get_exec_line
*/
#define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
@@ -409,7 +410,7 @@
#ifndef MODULE_MAGIC_NUMBER_MAJOR
#define MODULE_MAGIC_NUMBER_MAJOR 20120211
#endif
-#define MODULE_MAGIC_NUMBER_MINOR 12 /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 13 /* 0...n */
/**
* Determine if the server's current MODULE_MAGIC_NUMBER is at least a
Modified: httpd/httpd/branches/2.4.x/include/httpd.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/include/httpd.h?rev=1476694&r1=1476693&r2=1476694&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/include/httpd.h (original)
+++ httpd/httpd/branches/2.4.x/include/httpd.h Sat Apr 27 23:14:11 2013
@@ -2218,6 +2218,18 @@ AP_DECLARE(void) ap_get_loadavg(ap_loada
*/
AP_DECLARE(void) ap_bin2hex(const void *src, apr_size_t srclen, char *dest);
+/**
+ * Short function to execute a command and return the first line of
+ * output minus \r \n. Useful for "obscuring" passwords via exec calls
+ * @param p the pool to allocate from
+ * @param cmd the command to execute
+ * @param argv the arguments to pass to the cmd
+ * @return ptr to characters or NULL on any error
+ */
+AP_DECLARE(char *) ap_get_exec_line(apr_pool_t *p,
+ const char *cmd,
+ const char * const *argv);
+
#define AP_NORESTART APR_OS_START_USEERR + 1
#ifdef __cplusplus
Modified: httpd/httpd/branches/2.4.x/modules/aaa/mod_authnz_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/aaa/mod_authnz_ldap.c?rev=1476694&r1=1476693&r2=1476694&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/aaa/mod_authnz_ldap.c (original)
+++ httpd/httpd/branches/2.4.x/modules/aaa/mod_authnz_ldap.c Sat Apr 27 23:14:11 2013
@@ -1531,6 +1531,43 @@ static const char *set_bind_pattern(cmd_
return NULL;
}
+static const char *set_bind_password(cmd_parms *cmd, void *_cfg, const char *arg)
+{
+ authn_ldap_config_t *sec = _cfg;
+ int arglen = strlen(arg);
+ char **argv;
+ char *result;
+
+ if ((arglen > 5) && strncmp(arg, "exec:", 5) == 0) {
+ if (apr_tokenize_to_argv(arg+5, &argv, cmd->temp_pool) != APR_SUCCESS) {
+ return apr_pstrcat(cmd->pool,
+ "Unable to parse exec arguments from ",
+ arg+5, NULL);
+ }
+ argv[0] = ap_server_root_relative(cmd->temp_pool, argv[0]);
+
+ if (!argv[0]) {
+ return apr_pstrcat(cmd->pool,
+ "Invalid AuthLDAPBindPassword exec location:",
+ arg+5, NULL);
+ }
+ result = ap_get_exec_line(cmd->pool,
+ (const char*)argv[0], (const char * const *)argv);
+
+ if(!result) {
+ return apr_pstrcat(cmd->pool,
+ "Unable to get bind password from exec of ",
+ arg+5, NULL);
+ }
+ sec->bindpw = result;
+ }
+ else {
+ sec->bindpw = (char *)arg;
+ }
+
+ return NULL;
+}
+
static const command_rec authnz_ldap_cmds[] =
{
AP_INIT_TAKE12("AuthLDAPURL", mod_auth_ldap_parse_url, NULL, OR_AUTHCFG,
@@ -1561,8 +1598,7 @@ static const command_rec authnz_ldap_cmd
(void *)APR_OFFSETOF(authn_ldap_config_t, binddn), OR_AUTHCFG,
"DN to use to bind to LDAP server. If not provided, will do an anonymous bind."),
- AP_INIT_TAKE1("AuthLDAPBindPassword", ap_set_string_slot,
- (void *)APR_OFFSETOF(authn_ldap_config_t, bindpw), OR_AUTHCFG,
+ AP_INIT_TAKE1("AuthLDAPBindPassword", set_bind_password, NULL, OR_AUTHCFG,
"Password to use to bind to LDAP server. If not provided, will do an anonymous bind."),
AP_INIT_FLAG("AuthLDAPBindAuthoritative", ap_set_flag_slot,
Modified: httpd/httpd/branches/2.4.x/server/util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/util.c?rev=1476694&r1=1476693&r2=1476694&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/server/util.c (original)
+++ httpd/httpd/branches/2.4.x/server/util.c Sat Apr 27 23:14:11 2013
@@ -2886,3 +2886,45 @@ AP_DECLARE(void) ap_get_loadavg(ap_loada
}
#endif
}
+
+AP_DECLARE(char *) ap_get_exec_line(apr_pool_t *p,
+ const char *cmd,
+ const char * const * argv)
+{
+ char buf[MAX_STRING_LEN];
+ apr_procattr_t *procattr;
+ apr_proc_t *proc;
+ apr_file_t *fp;
+ apr_size_t nbytes = 1;
+ char c;
+ int k;
+
+ if (apr_procattr_create(&procattr, p) != APR_SUCCESS)
+ return NULL;
+ if (apr_procattr_io_set(procattr, APR_FULL_BLOCK, APR_FULL_BLOCK,
+ APR_FULL_BLOCK) != APR_SUCCESS)
+ return NULL;
+ if (apr_procattr_dir_set(procattr,
+ ap_make_dirstr_parent(p, cmd)) != APR_SUCCESS)
+ return NULL;
+ if (apr_procattr_cmdtype_set(procattr, APR_PROGRAM) != APR_SUCCESS)
+ return NULL;
+ proc = apr_pcalloc(p, sizeof(apr_proc_t));
+ if (apr_proc_create(proc, cmd, argv, NULL, procattr, p) != APR_SUCCESS)
+ return NULL;
+ fp = proc->out;
+
+ if (fp == NULL)
+ return NULL;
+ /* XXX: we are reading 1 byte at a time here */
+ for (k = 0; apr_file_read(fp, &c, &nbytes) == APR_SUCCESS
+ && nbytes == 1 && (k < MAX_STRING_LEN-1) ; ) {
+ if (c == '\n' || c == '\r')
+ break;
+ buf[k++] = c;
+ }
+ buf[k] = '\0';
+ apr_file_close(fp);
+
+ return apr_pstrndup(p, buf, k);
+}
Re: svn commit: r1476694 - in /httpd/httpd/branches/2.4.x: CHANGES
STATUS docs/manual/mod/mod_authnz_ldap.xml include/ap_mmn.h include/httpd.h
modules/aaa/mod_authnz_ldap.c server/util.c
Posted by Rainer Jung <ra...@kippdata.de>.
On 28.04.2013 07:53, Marion & Christophe JAILLET wrote:
>
> Le 28/04/2013 01:14, minfrin@apache.org a écrit :
>> Author: minfrin
>> Date: Sat Apr 27 23:14:11 2013
>> New Revision: 1476694
>>
>> URL: http://svn.apache.org/r1476694
>> Log:
>> mod_authnz_ldap: Allow using exec: callouts like SSLPassphraseDialog
>> for AuthLDAPBindPassword.
>>
>> trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1433478
>> http://svn.apache.org/viewvc?view=revision&revision=1467523
>> http://svn.apache.org/viewvc?view=revision&revision=1467792
>> 2.4.x patch:
>> http://people.apache.org/~druggeri/patches/AuthLDAPBindPasswordExec-2.4.patch
>>
>> (20130119 - updated to include minor mmn bump)
>> (20130412 - updated to not use static var - thx, wrowe)
>
>> Modified: httpd/httpd/branches/2.4.x/include/ap_mmn.h
>> URL:
>> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/include/ap_mmn.h?rev=1476694&r1=1476693&r2=1476694&view=diff
>>
>> ==============================================================================
>>
>> --- httpd/httpd/branches/2.4.x/include/ap_mmn.h (original)
>> +++ httpd/httpd/branches/2.4.x/include/ap_mmn.h Sat Apr 27 23:14:11 2013
>> @@ -401,7 +401,8 @@
>> * 20120211.9 (2.4.4-dev) Add fgrab() to ap_slotmem_provider_t.
>> * 20120211.10 (2.4.4-dev) Add in bal_persist field to
>> proxy_server_conf
>> * 20120211.11 (2.4.4-dev) Add ap_bin2hex()
>> - * 20120211.12 (2.4.5-dev) Add ap_remove_input|output_filter_byhandle()
>> + * 20120211.12 (2.4.4-dev) Add ap_remove_input|output_filter_byhandle()
>> + * 20120211.13 (2.4.4-dev) Add ap_get_exec_line
>> */
>
> Shouldn't we keep 2.4.5-dev here ?
Corrected in r1476737.
Regards,
Rainer
Re: svn commit: r1476694 - in /httpd/httpd/branches/2.4.x: CHANGES
STATUS docs/manual/mod/mod_authnz_ldap.xml include/ap_mmn.h include/httpd.h
modules/aaa/mod_authnz_ldap.c server/util.c
Posted by Marion & Christophe JAILLET <ch...@wanadoo.fr>.
Le 28/04/2013 01:14, minfrin@apache.org a écrit :
> Author: minfrin
> Date: Sat Apr 27 23:14:11 2013
> New Revision: 1476694
>
> URL: http://svn.apache.org/r1476694
> Log:
> mod_authnz_ldap: Allow using exec: callouts like SSLPassphraseDialog
> for AuthLDAPBindPassword.
>
> trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1433478
> http://svn.apache.org/viewvc?view=revision&revision=1467523
> http://svn.apache.org/viewvc?view=revision&revision=1467792
> 2.4.x patch: http://people.apache.org/~druggeri/patches/AuthLDAPBindPasswordExec-2.4.patch
> (20130119 - updated to include minor mmn bump)
> (20130412 - updated to not use static var - thx, wrowe)
> Modified: httpd/httpd/branches/2.4.x/include/ap_mmn.h
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/include/ap_mmn.h?rev=1476694&r1=1476693&r2=1476694&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.4.x/include/ap_mmn.h (original)
> +++ httpd/httpd/branches/2.4.x/include/ap_mmn.h Sat Apr 27 23:14:11 2013
> @@ -401,7 +401,8 @@
> * 20120211.9 (2.4.4-dev) Add fgrab() to ap_slotmem_provider_t.
> * 20120211.10 (2.4.4-dev) Add in bal_persist field to proxy_server_conf
> * 20120211.11 (2.4.4-dev) Add ap_bin2hex()
> - * 20120211.12 (2.4.5-dev) Add ap_remove_input|output_filter_byhandle()
> + * 20120211.12 (2.4.4-dev) Add ap_remove_input|output_filter_byhandle()
> + * 20120211.13 (2.4.4-dev) Add ap_get_exec_line
> */
Shouldn't we keep 2.4.5-dev here ?
CJ