Posted to cvs@httpd.apache.org by bn...@apache.org on 2004/11/10 19:05:47 UTC

cvs commit: httpd-2.0/modules/experimental mod_auth_ldap.c

bnicholes    2004/11/10 10:05:47

  Modified:    .        Tag: APACHE_2_0_BRANCH CHANGES STATUS
               docs/manual/mod Tag: APACHE_2_0_BRANCH mod_auth_ldap.xml
               modules/experimental Tag: APACHE_2_0_BRANCH mod_auth_ldap.c
  Log:
  Added the directive "Requires ldap-attribute" that allows the module to only authorize a user if the attribute value specified matches the value of the user object. PR 31913
  
  Submitted by: Ryan Morgan <rmorgan pobox.com>
  Reviewed by: bnicholes, wrowe, jim
  
  Revision  Changes    Path
  No                   revision
  No                   revision
  1.988.2.380 +5 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.988.2.379
  retrieving revision 1.988.2.380
  diff -u -r1.988.2.379 -r1.988.2.380
  --- CHANGES	10 Nov 2004 16:35:20 -0000	1.988.2.379
  +++ CHANGES	10 Nov 2004 18:05:46 -0000	1.988.2.380
  @@ -5,6 +5,11 @@
        user cache without having to require ldap authentication as well.  
        [PR 31898] [Jari Ahonen jah progress.com, Brad Nicholes]
   
  +  *) mod_auth_ldap: Added the directive "Requires ldap-attribute" that
  +     allows the module to only authorize a user if the attribute value
  +     specified matches the value of the user object. PR 31913
  +     [Ryan Morgan <rmorgan pobox.com>]
  +
     *) SECURITY: CAN-2004-0942 (cve.mitre.org)
        Fix for memory consumption DoS in handling of MIME folded request
        headers.  [Joe Orton]
  
  
  
  1.751.2.1147 +1 -8      httpd-2.0/STATUS
  
  Index: STATUS
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/STATUS,v
  retrieving revision 1.751.2.1146
  retrieving revision 1.751.2.1147
  diff -u -r1.751.2.1146 -r1.751.2.1147
  --- STATUS	10 Nov 2004 16:35:21 -0000	1.751.2.1146
  +++ STATUS	10 Nov 2004 18:05:46 -0000	1.751.2.1147
  @@ -75,13 +75,6 @@
     [ please place file names and revisions from HEAD here, so it is easy to
       identify exactly what the proposed changes are! ]
   
  -    *) mod_authnz_ldap: Added the directive "Requires ldap-attribute" that
  -       allows the module to only authorize a user if the attribute value
  -       specified matches the value of the user object. PR 31913
  -         modules/aaa/mod_authnz_ldap.c: r1.7
  -	 docs/manual/mod/mod_authnz_ldap.xml: r1.3
  -       +1: bnicholes, wrowe, jim
  -
       *) mod_ssl: Fix an possible NULL pointer dereference in some configs.
          http://nagoya.apache.org/bugzilla/showattachment.cgi?attach_id=13182
          PR: 31848
  
  
  
  No                   revision
  No                   revision
  1.6.2.13  +34 -1     httpd-2.0/docs/manual/mod/Attic/mod_auth_ldap.xml
  
  Index: mod_auth_ldap.xml
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/docs/manual/mod/Attic/mod_auth_ldap.xml,v
  retrieving revision 1.6.2.12
  retrieving revision 1.6.2.13
  diff -u -r1.6.2.12 -r1.6.2.13
  --- mod_auth_ldap.xml	21 May 2004 18:44:28 -0000	1.6.2.12
  +++ mod_auth_ldap.xml	10 Nov 2004 18:05:47 -0000	1.6.2.13
  @@ -80,6 +80,7 @@
             <li><a href="#requser">require user</a></li>
             <li><a href="#reqgroup">require group</a></li>
             <li><a href="#reqdn">require dn</a></li>
  +          <li><a href="#reqattribute">require ldap-attribute</a></li>
           </ul>
         </li>
   
  @@ -198,6 +199,11 @@
         the DN fetched from the LDAP directory (or the username
         passed by the client) occurs in the LDAP group.</li>
   
  +      <li>Grant access if there is a <a href="#reqattribute">
  +      <code>require ldap-attribute</code></a> 
  +      directive, and the attribute fetched from the LDAP directory
  +      matches the given value.</li> 
  +
         <li>otherwise, deny or decline access</li>
       </ul>
   
  @@ -336,6 +342,33 @@
       module="mod_auth_ldap">AuthLDAPCompareDNOnServer</directive>
       directive.</p>
   </section>
  +
  +<section id="reqattribute"><title>require ldap-attribute</title>
  +
  +    <p>The <code>require ldap-attribute</code> directive allows the
  +    administrator to grant access based on attributes of the authenticated
  +    user in the LDAP directory.  If the attribute in the directory
  +    matches the value given in the configuration, access is granted.</p>
  +    
  +    <p>The following directive would grant access to anyone with
  +    the attribute employeeType = active</p>
  +
  +    <example>require ldap-attribute employeeType=active</example>
  +
  +    <p>Multiple attribute/value pairs can be specified on the same line
  +    separated by spaces or they can be specified in multiple 
  +    <code>require ldap-attribute</code> directives. The effect of listing 
  +    multiple attribute/values pairs is an OR operation. Access will be 
  +    granted if any of the listed attribute values match the value of a 
  +    corresponding attribute in the user object. If the value of the 
  +    attribute contains a space, only the value must be within double quotes.</p>
  +
  +    <p>The following directive would grant access to anyone with
  +    the city attribute equal to "San Jose" or status equal to "Active"</p>
  +
  +    <example>require ldap-attribute city="San Jose" status=active</example>
  +</section>
  +
   </section>
   
   <section id="examples"><title>Examples</title>
  
  
  
  No                   revision
  No                   revision
  1.8.2.16  +29 -1     httpd-2.0/modules/experimental/Attic/mod_auth_ldap.c
  
  Index: mod_auth_ldap.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/experimental/Attic/mod_auth_ldap.c,v
  retrieving revision 1.8.2.15
  retrieving revision 1.8.2.16
  diff -u -r1.8.2.15 -r1.8.2.16
  --- mod_auth_ldap.c	21 May 2004 23:39:41 -0000	1.8.2.15
  +++ mod_auth_ldap.c	10 Nov 2004 18:05:47 -0000	1.8.2.16
  @@ -420,7 +420,7 @@
   
       register int x;
       const char *t;
  -    char *w;
  +    char *w, *value;
       int method_restricted = 0;
   
       if (!sec->enabled) {
  @@ -623,6 +623,34 @@
                                         "[%d] auth_ldap authorise: require group \"%s\": "
                                         "authorisation failed [%s][%s]",
                                         getpid(), t, ldc->reason, ldap_err2string(result));
  +                    }
  +                }
  +            }
  +        }
  +        else if (strcmp(w, "ldap-attribute") == 0) {
  +            while (t[0]) {
  +                w = ap_getword(r->pool, &t, '=');
  +                value = ap_getword_conf(r->pool, &t);
  +
  +                ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
  +                              "[%d] auth_ldap authorise: checking attribute"
  +                              " %s has value %s", getpid(), w, value);
  +                result = util_ldap_cache_compare(r, ldc, sec->url, req->dn,
  +                                                 w, value);
  +                switch(result) {
  +                    case LDAP_COMPARE_TRUE: {
  +                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 
  +                                      0, r, "[%d] auth_ldap authorise: "
  +                                      "require attribute: authorisation "
  +                                      "successful", getpid());
  +                        return OK;
  +                    }
  +                    default: {
  +                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 
  +                                      0, r, "[%d] auth_ldap authorise: "
  +                                      "require attribute: authorisation "
  +                                      "failed [%s][%s]", getpid(), 
  +                                      ldc->reason, ldap_err2string(result));
                       }
                   }
               }
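Review bot: The new `ldap-attribute` branch passes `req->dn` straight to `util_ldap_cache_compare` (the call after the first debug log) without checking that a DN was ever established; a user authenticated by another module, or one whose lookup produced no DN, would then be compared against a NULL entry. Unless the enclosing function, which starts and ends outside this hunk, already guarantees a non-NULL `req->dn`, guard the branch before the `while` loop with `if (req->dn == NULL || *req->dn == '\0') { /* log "require ldap-attribute: user's DN has not been defined; failing authorisation" */ ... }` and return the same not-authorised result the other `require` branches use. A second, parsing point: `ap_getword(r->pool, &t, '=')` scans to the next `=` regardless of whitespace, so a pair written without `=` (e.g. `require ldap-attribute employeeType status=active`) yields the attribute name `employeeType status` and the value `active`; the compare then fails closed, but the debug line misreports what was checked. A check such as `if (strchr(w, ' ') != NULL || !*value) { /* log "malformed attribute=value pair" */ break; }` after the two `ap_getword` calls would make the misconfiguration visible in the log instead of silently denying access.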