You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by bn...@apache.org on 2005/12/10 00:04:01 UTC
svn commit: r355629 -
/httpd/httpd/branches/authz-dev/modules/aaa/mod_authnz_ldap.c
Author: bnicholes
Date: Fri Dec 9 15:03:59 2005
New Revision: 355629
URL: http://svn.apache.org/viewcvs?rev=355629&view=rev
Log:
Initial conversion of mod_authnz_ldap to provider based authorization
Modified:
httpd/httpd/branches/authz-dev/modules/aaa/mod_authnz_ldap.c
Modified: httpd/httpd/branches/authz-dev/modules/aaa/mod_authnz_ldap.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/authz-dev/modules/aaa/mod_authnz_ldap.c?rev=355629&r1=355628&r2=355629&view=diff
==============================================================================
--- httpd/httpd/branches/authz-dev/modules/aaa/mod_authnz_ldap.c (original)
+++ httpd/httpd/branches/authz-dev/modules/aaa/mod_authnz_ldap.c Fri Dec 9 15:03:59 2005
@@ -17,6 +17,7 @@
#include "ap_provider.h"
#include "httpd.h"
#include "http_config.h"
+#include "ap_provider.h"
#include "http_core.h"
#include "http_log.h"
#include "http_protocol.h"
@@ -448,6 +449,7 @@
return AUTH_GRANTED;
}
+#if 0
/*
* Authorisation Phase
* -------------------
@@ -820,6 +822,641 @@
return HTTP_UNAUTHORIZED;
}
+#endif
+
+static authz_status ldapuser_check_authorization(request_rec *r,
+ const char *require_args)
+{
+ int result = 0;
+ authn_ldap_request_t *req =
+ (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);
+ authn_ldap_config_t *sec =
+ (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
+
+ util_ldap_connection_t *ldc = NULL;
+
+ const char *t;
+ char *w;
+
+ char filtbuf[FILTER_LENGTH];
+ const char *dn = NULL;
+ const char **vals = NULL;
+
+ if (!sec->have_ldap_url) {
+ return AUTHZ_DENIED;
+ }
+
+ if (sec->host) {
+ ldc = util_ldap_connection_find(r, sec->host, sec->port,
+ sec->binddn, sec->bindpw, sec->deref,
+ sec->secure);
+ apr_pool_cleanup_register(r->pool, ldc,
+ authnz_ldap_cleanup_connection_close,
+ apr_pool_cleanup_null);
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorize: no sec->host - weird...?", getpid());
+ return AUTHZ_DENIED;
+ }
+
+ /*
+ * If we have been authenticated by some other module than mod_authnz_ldap,
+ * the req structure needed for authorization needs to be created
+ * and populated with the userid and DN of the account in LDAP
+ */
+
+ /* Check that we have a userid to start with */
+ if ((!r->user) || (strlen(r->user) == 0)) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+ "ldap authorize: Userid is blank, AuthType=%s",
+ r->ap_auth_type);
+ }
+
+ if(!req) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "ldap authorize: Creating LDAP req structure");
+
+ /* Build the username filter */
+ authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec);
+
+ /* Search for the user DN */
+ result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
+ sec->scope, sec->attributes, filtbuf, &dn, &vals);
+
+ /* Search failed, log error and return failure */
+ if(result != LDAP_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "auth_ldap authorise: User DN not found, %s", ldc->reason);
+ return AUTHZ_DENIED;
+ }
+
+ req = (authn_ldap_request_t *)apr_pcalloc(r->pool,
+ sizeof(authn_ldap_request_t));
+ ap_set_module_config(r->request_config, &authnz_ldap_module, req);
+ req->dn = apr_pstrdup(r->pool, dn);
+ req->user = r->user;
+ }
+
+ if (req->dn == NULL || strlen(req->dn) == 0) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+ "require user: user's DN has not been defined; failing authorization",
+ getpid());
+ return AUTHZ_DENIED;
+ }
+
+ /*
+ * First do a whole-line compare, in case it's something like
+ * require user Babs Jensen
+ */
+ result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, require_args);
+ switch(result) {
+ case LDAP_COMPARE_TRUE: {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+ "require user: authorization successful", getpid());
+ return AUTHZ_GRANTED;
+ }
+ default: {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorize: require user: "
+ "authorization failed [%s][%s]", getpid(),
+ ldc->reason, ldap_err2string(result));
+ }
+ }
+
+ /*
+ * Now break apart the line and compare each word on it
+ */
+ t = require_args;
+ while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
+ result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, w);
+ switch(result) {
+ case LDAP_COMPARE_TRUE: {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+ "require user: authorization successful", getpid());
+ return AUTHZ_GRANTED;
+ }
+ default: {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+ "require user: authorization failed [%s][%s]",
+ getpid(), ldc->reason, ldap_err2string(result));
+ }
+ }
+ }
+
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorize: authorization denied", getpid());
+ return AUTHZ_DENIED;
+}
+
+static authz_status ldapgroup_check_authorization(request_rec *r,
+ const char *require_args)
+{
+ int result = 0;
+ authn_ldap_request_t *req =
+ (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);
+ authn_ldap_config_t *sec =
+ (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
+
+ util_ldap_connection_t *ldc = NULL;
+
+ const char *t;
+
+ char filtbuf[FILTER_LENGTH];
+ const char *dn = NULL;
+ const char **vals = NULL;
+ struct mod_auth_ldap_groupattr_entry_t *ent;
+ int i;
+
+ if (!sec->have_ldap_url) {
+ return AUTHZ_DENIED;
+ }
+
+ if (sec->host) {
+ ldc = util_ldap_connection_find(r, sec->host, sec->port,
+ sec->binddn, sec->bindpw, sec->deref,
+ sec->secure);
+ apr_pool_cleanup_register(r->pool, ldc,
+ authnz_ldap_cleanup_connection_close,
+ apr_pool_cleanup_null);
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorize: no sec->host - weird...?", getpid());
+ return AUTHZ_DENIED;
+ }
+
+ /*
+ * If there are no elements in the group attribute array, the default should be
+ * member and uniquemember; populate the array now.
+ */
+ if (sec->groupattr->nelts == 0) {
+ struct mod_auth_ldap_groupattr_entry_t *grp;
+#if APR_HAS_THREADS
+ apr_thread_mutex_lock(sec->lock);
+#endif
+ grp = apr_array_push(sec->groupattr);
+ grp->name = "member";
+ grp = apr_array_push(sec->groupattr);
+ grp->name = "uniquemember";
+#if APR_HAS_THREADS
+ apr_thread_mutex_unlock(sec->lock);
+#endif
+ }
+
+ /*
+ * If we have been authenticated by some other module than mod_auth_ldap,
+ * the req structure needed for authorization needs to be created
+ * and populated with the userid and DN of the account in LDAP
+ */
+
+ /* Check that we have a userid to start with */
+ if ((!r->user) || (strlen(r->user) == 0)) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+ "ldap authorize: Userid is blank, AuthType=%s",
+ r->ap_auth_type);
+ }
+
+ if(!req) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "ldap authorize: Creating LDAP req structure");
+
+ /* Build the username filter */
+ authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec);
+
+ /* Search for the user DN */
+ result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
+ sec->scope, sec->attributes, filtbuf, &dn, &vals);
+
+ /* Search failed, log error and return failure */
+ if(result != LDAP_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "auth_ldap authorise: User DN not found, %s", ldc->reason);
+ return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+ }
+
+ req = (authn_ldap_request_t *)apr_pcalloc(r->pool,
+ sizeof(authn_ldap_request_t));
+ ap_set_module_config(r->request_config, &authnz_ldap_module, req);
+ req->dn = apr_pstrdup(r->pool, dn);
+ req->user = r->user;
+ }
+
+ ent = (struct mod_auth_ldap_groupattr_entry_t *) sec->groupattr->elts;
+
+ if (sec->group_attrib_is_dn) {
+ if (req->dn == NULL || strlen(req->dn) == 0) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorize: require group: "
+ "user's DN has not been defined; failing authorization",
+ getpid());
+ return AUTHZ_DENIED;
+ }
+ }
+ else {
+ if (req->user == NULL || strlen(req->user) == 0) {
+ /* We weren't called in the authentication phase, so we didn't have a
+ * chance to set the user field. Do so now. */
+ req->user = r->user;
+ }
+ }
+
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorize: require group: "
+ "testing for group membership in \"%s\"",
+ getpid(), t);
+
+ t = require_args;
+
+ for (i = 0; i < sec->groupattr->nelts; i++) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorize: require group: "
+ "testing for %s: %s (%s)", getpid(),
+ ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t);
+
+ result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name,
+ sec->group_attrib_is_dn ? req->dn : req->user);
+ switch(result) {
+ case LDAP_COMPARE_TRUE: {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorize: require group: "
+ "authorization successful (attribute %s) [%s][%s]",
+ getpid(), ent[i].name, ldc->reason, ldap_err2string(result));
+ return AUTHZ_GRANTED;
+ }
+ default: {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorize: require group \"%s\": "
+ "authorization failed [%s][%s]",
+ getpid(), t, ldc->reason, ldap_err2string(result));
+ }
+ }
+ }
+
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorize: authorization denied", getpid());
+
+ return AUTHZ_DENIED;
+}
+
+static authz_status ldapdn_check_authorization(request_rec *r,
+ const char *require_args)
+{
+ int result = 0;
+ authn_ldap_request_t *req =
+ (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);
+ authn_ldap_config_t *sec =
+ (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
+
+ util_ldap_connection_t *ldc = NULL;
+
+ const char *t;
+
+ char filtbuf[FILTER_LENGTH];
+ const char *dn = NULL;
+ const char **vals = NULL;
+
+ if (!sec->have_ldap_url) {
+ return AUTHZ_DENIED;
+ }
+
+ if (sec->host) {
+ ldc = util_ldap_connection_find(r, sec->host, sec->port,
+ sec->binddn, sec->bindpw, sec->deref,
+ sec->secure);
+ apr_pool_cleanup_register(r->pool, ldc,
+ authnz_ldap_cleanup_connection_close,
+ apr_pool_cleanup_null);
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorize: no sec->host - weird...?", getpid());
+ return AUTHZ_DENIED;
+ }
+
+ /*
+ * If we have been authenticated by some other module than mod_auth_ldap,
+ * the req structure needed for authorization needs to be created
+ * and populated with the userid and DN of the account in LDAP
+ */
+
+ /* Check that we have a userid to start with */
+ if ((!r->user) || (strlen(r->user) == 0)) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+ "ldap authorize: Userid is blank, AuthType=%s",
+ r->ap_auth_type);
+ }
+
+ if(!req) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "ldap authorize: Creating LDAP req structure");
+
+ /* Build the username filter */
+ authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec);
+
+ /* Search for the user DN */
+ result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
+ sec->scope, sec->attributes, filtbuf, &dn, &vals);
+
+ /* Search failed, log error and return failure */
+ if(result != LDAP_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "auth_ldap authorise: User DN not found, %s", ldc->reason);
+ return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+ }
+
+ req = (authn_ldap_request_t *)apr_pcalloc(r->pool,
+ sizeof(authn_ldap_request_t));
+ ap_set_module_config(r->request_config, &authnz_ldap_module, req);
+ req->dn = apr_pstrdup(r->pool, dn);
+ req->user = r->user;
+ }
+
+ t = require_args;
+
+ if (req->dn == NULL || strlen(req->dn) == 0) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+ "require dn: user's DN has not been defined; failing authorization",
+ getpid());
+ return AUTHZ_DENIED;
+ }
+
+ result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, t, sec->compare_dn_on_server);
+ switch(result) {
+ case LDAP_COMPARE_TRUE: {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+ "require dn: authorization successful", getpid());
+ return AUTHZ_GRANTED;
+ }
+ default: {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+ "require dn \"%s\": LDAP error [%s][%s]",
+ getpid(), t, ldc->reason, ldap_err2string(result));
+ }
+ }
+
+
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorise: authorisation denied", getpid());
+
+ return AUTHZ_DENIED;
+}
+
+static authz_status ldapattribute_check_authorization(request_rec *r,
+ const char *require_args)
+{
+ int result = 0;
+ authn_ldap_request_t *req =
+ (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);
+ authn_ldap_config_t *sec =
+ (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
+
+ util_ldap_connection_t *ldc = NULL;
+
+ const char *t;
+ char *w, *value;
+
+ char filtbuf[FILTER_LENGTH];
+ const char *dn = NULL;
+ const char **vals = NULL;
+
+ if (!sec->have_ldap_url) {
+ return AUTHZ_DENIED;
+ }
+
+ if (sec->host) {
+ ldc = util_ldap_connection_find(r, sec->host, sec->port,
+ sec->binddn, sec->bindpw, sec->deref,
+ sec->secure);
+ apr_pool_cleanup_register(r->pool, ldc,
+ authnz_ldap_cleanup_connection_close,
+ apr_pool_cleanup_null);
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorize: no sec->host - weird...?", getpid());
+ return AUTHZ_DENIED;
+ }
+
+ /*
+ * If we have been authenticated by some other module than mod_auth_ldap,
+ * the req structure needed for authorization needs to be created
+ * and populated with the userid and DN of the account in LDAP
+ */
+
+ /* Check that we have a userid to start with */
+ if ((!r->user) || (strlen(r->user) == 0)) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+ "ldap authorize: Userid is blank, AuthType=%s",
+ r->ap_auth_type);
+ }
+
+ if(!req) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "ldap authorize: Creating LDAP req structure");
+
+ /* Build the username filter */
+ authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec);
+
+ /* Search for the user DN */
+ result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
+ sec->scope, sec->attributes, filtbuf, &dn, &vals);
+
+ /* Search failed, log error and return failure */
+ if(result != LDAP_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "auth_ldap authorise: User DN not found, %s", ldc->reason);
+ return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+ }
+
+ req = (authn_ldap_request_t *)apr_pcalloc(r->pool,
+ sizeof(authn_ldap_request_t));
+ ap_set_module_config(r->request_config, &authnz_ldap_module, req);
+ req->dn = apr_pstrdup(r->pool, dn);
+ req->user = r->user;
+ }
+
+ if (req->dn == NULL || strlen(req->dn) == 0) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+ "require ldap-attribute: user's DN has not been defined; failing authorization",
+ getpid());
+ return AUTHZ_DENIED;
+ }
+
+ t = require_args;
+ while (t[0]) {
+ w = ap_getword(r->pool, &t, '=');
+ value = ap_getword_conf(r->pool, &t);
+
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorize: checking attribute"
+ " %s has value %s", getpid(), w, value);
+ result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, w, value);
+ switch(result) {
+ case LDAP_COMPARE_TRUE: {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG,
+ 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+ "require attribute: authorization successful",
+ getpid());
+ return AUTHZ_GRANTED;
+ }
+ default: {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG,
+ 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+ "require attribute: authorization failed [%s][%s]",
+ getpid(), ldc->reason, ldap_err2string(result));
+ }
+ }
+ }
+
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorise: authorisation denied", getpid());
+
+ return AUTHZ_DENIED;
+}
+
+static authz_status ldapfilter_check_authorization(request_rec *r,
+ const char *require_args)
+{
+ int result = 0;
+ authn_ldap_request_t *req =
+ (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);
+ authn_ldap_config_t *sec =
+ (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
+
+ util_ldap_connection_t *ldc = NULL;
+ const char *t;
+
+ char filtbuf[FILTER_LENGTH];
+ const char *dn = NULL;
+ const char **vals = NULL;
+
+ if (!sec->have_ldap_url) {
+ return AUTHZ_DENIED;
+ }
+
+ if (sec->host) {
+ ldc = util_ldap_connection_find(r, sec->host, sec->port,
+ sec->binddn, sec->bindpw, sec->deref,
+ sec->secure);
+ apr_pool_cleanup_register(r->pool, ldc,
+ authnz_ldap_cleanup_connection_close,
+ apr_pool_cleanup_null);
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorize: no sec->host - weird...?", getpid());
+ return AUTHZ_DENIED;
+ }
+
+ /*
+ * If we have been authenticated by some other module than mod_auth_ldap,
+ * the req structure needed for authorization needs to be created
+ * and populated with the userid and DN of the account in LDAP
+ */
+
+ /* Check that we have a userid to start with */
+ if ((!r->user) || (strlen(r->user) == 0)) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+ "ldap authorize: Userid is blank, AuthType=%s",
+ r->ap_auth_type);
+ }
+
+ if(!req) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "ldap authorize: Creating LDAP req structure");
+
+ /* Build the username filter */
+ authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec);
+
+ /* Search for the user DN */
+ result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
+ sec->scope, sec->attributes, filtbuf, &dn, &vals);
+
+ /* Search failed, log error and return failure */
+ if(result != LDAP_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "auth_ldap authorise: User DN not found, %s", ldc->reason);
+ return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+ }
+
+ req = (authn_ldap_request_t *)apr_pcalloc(r->pool,
+ sizeof(authn_ldap_request_t));
+ ap_set_module_config(r->request_config, &authnz_ldap_module, req);
+ req->dn = apr_pstrdup(r->pool, dn);
+ req->user = r->user;
+ }
+
+ if (req->dn == NULL || strlen(req->dn) == 0) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+ "require ldap-filter: user's DN has not been defined; failing authorization",
+ getpid());
+ return AUTHZ_DENIED;
+ }
+
+ t = require_args;
+
+ if (t[0]) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorize: checking filter %s",
+ getpid(), t);
+
+ /* Build the username filter */
+ authn_ldap_build_filter(filtbuf, r, req->user, t, sec);
+
+ /* Search for the user DN */
+ result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
+ sec->scope, sec->attributes, filtbuf, &dn, &vals);
+
+ /* Make sure that the filtered search returned the correct user dn */
+ if (result == LDAP_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorize: checking dn match %s",
+ getpid(), dn);
+ result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, dn,
+ sec->compare_dn_on_server);
+ }
+
+ switch(result) {
+ case LDAP_COMPARE_TRUE: {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG,
+ 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+ "require ldap-filter: authorization "
+ "successful", getpid());
+ return AUTHZ_GRANTED;
+ }
+ case LDAP_FILTER_ERROR: {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG,
+ 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+ "require ldap-filter: %s authorization "
+ "failed [%s][%s]", getpid(),
+ filtbuf, ldc->reason, ldap_err2string(result));
+ break;
+ }
+ default: {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG,
+ 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorize: "
+ "require ldap-filter: authorization "
+ "failed [%s][%s]", getpid(),
+ ldc->reason, ldap_err2string(result));
+ }
+ }
+ }
+
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorise: authorization denied", getpid());
+
+ return AUTHZ_DENIED;
+}
/*
@@ -1160,6 +1797,30 @@
&authn_ldap_check_password,
};
+static const authz_provider authz_ldapuser_provider =
+{
+ &ldapuser_check_authorization,
+};
+static const authz_provider authz_ldapgroup_provider =
+{
+ &ldapgroup_check_authorization,
+};
+
+static const authz_provider authz_ldapdn_provider =
+{
+ &ldapdn_check_authorization,
+};
+
+static const authz_provider authz_ldapattribute_provider =
+{
+ &ldapattribute_check_authorization,
+};
+
+static const authz_provider authz_ldapfilter_provider =
+{
+ &ldapfilter_check_authorization,
+};
+
static void ImportULDAPOptFn(void)
{
util_ldap_connection_close = APR_RETRIEVE_OPTIONAL_FN(uldap_connection_close);
@@ -1173,12 +1834,23 @@
static void register_hooks(apr_pool_t *p)
{
- static const char * const aszPost[]={ "mod_authz_user.c", NULL };
-
+ /* Register authn provider */
ap_register_provider(p, AUTHN_PROVIDER_GROUP, "ldap", "0",
&authn_ldap_provider);
+
+ /* Register authz providers */
+ ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-user", "0",
+ &authz_ldapuser_provider);
+ ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-group", "0",
+ &authz_ldapgroup_provider);
+ ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-dn", "0",
+ &authz_ldapdn_provider);
+ ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-attribute", "0",
+ &authz_ldapattribute_provider);
+ ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-filter", "0",
+ &authz_ldapfilter_provider);
+
ap_hook_post_config(authnz_ldap_post_config,NULL,NULL,APR_HOOK_MIDDLE);
- ap_hook_auth_checker(authz_ldap_check_user_access, NULL, aszPost, APR_HOOK_MIDDLE);
ap_hook_optional_fn_retrieve(ImportULDAPOptFn,NULL,NULL,APR_HOOK_MIDDLE);
}