Posted to cvs@httpd.apache.org by bn...@apache.org on 2004/11/03 23:05:25 UTC
cvs commit: httpd-2.0/modules/aaa mod_authnz_ldap.c
bnicholes 2004/11/03 14:05:25
Modified: . CHANGES
docs/manual/mod mod_authnz_ldap.xml
modules/aaa mod_authnz_ldap.c
Log:
Added the directive "Requires ldap-attribute" that allows the module to only authorize a user if the attribute value specified matches the value of the user object. PR 31913
Submitted by: Ryan Morgan <rmorgan pobox.com>
Reviewed by: Brad Nicholes
Revision Changes Path
1.1624 +5 -0 httpd-2.0/CHANGES
Index: CHANGES
===================================================================
RCS file: /home/cvs/httpd-2.0/CHANGES,v
retrieving revision 1.1623
retrieving revision 1.1624
diff -u -r1.1623 -r1.1624
--- CHANGES 2 Nov 2004 00:11:20 -0000 1.1623
+++ CHANGES 3 Nov 2004 22:05:24 -0000 1.1624
@@ -2,6 +2,11 @@
[Remove entries to the current 2.0 section below, when backported]
+ *) mod_authnz_ldap: Added the directive "Requires ldap-attribute" that
+ allows the module to only authorize a user if the attribute value
+ specified matches the value of the user object. PR 31913
+ [Ryan Morgan <rmorgan pobox.com>]
+
*) Allow mod_authnz_ldap authorization functionality to be used
without requiring the user to also be authenticated through
mod_authnz_ldap. This allows other authentication modules to
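Review bot: the CHANGES entry names the new directive "Requires ldap-attribute", but the documentation and the string matched in the code both use `require ldap-attribute` (Apache's `Require` directive); suggest correcting the entry to `Require ldap-attribute` so that administrators searching CHANGES for the directive find it.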
1.3 +39 -4 httpd-2.0/docs/manual/mod/mod_authnz_ldap.xml
Index: mod_authnz_ldap.xml
===================================================================
RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_authnz_ldap.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- mod_authnz_ldap.xml 7 Oct 2004 21:51:27 -0000 1.2
+++ mod_authnz_ldap.xml 3 Nov 2004 22:05:25 -0000 1.3
@@ -87,6 +87,7 @@
<li><a href="#requser">require ldap-user</a></li>
<li><a href="#reqgroup">require ldap-group</a></li>
<li><a href="#reqdn">require ldap-dn</a></li>
+ <li><a href="#reqattribute">require ldap-attribute</a></li>
</ul>
</li>
@@ -210,6 +211,11 @@
the DN fetched from the LDAP directory (or the username
passed by the client) occurs in the LDAP group.</li>
+ <li>Grant access if there is a <a href="#reqattribute">
+ <code>require ldap-attribute</code></a>
+ directive, and the attribute fetched from the LDAP directory
+ matches the given value.</li>
+
<li>otherwise, deny or decline access</li>
</ul>
@@ -278,9 +284,10 @@
<p>Apache's <directive module="core">Require</directive>
directives are used during the authorization phase to ensure that
a user is allowed to access a resource. mod_authnz_ldap extends the
- authorization types with <code>ldap-user</code>, <code>ldap-dn</code>
- and <code>ldap-group</code>. Other authorization types may also be
- used but may require that additional authorization modules be loaded.</p>
+ authorization types with <code>ldap-user</code>, <code>ldap-dn</code>,
+ <code>ldap-group</code> and <code>ldap-attribute</code>. Other
+ authorization types may also be used but may require that additional
+ authorization modules be loaded.</p>
<section id="reqvaliduser"><title>require valid-user</title>
@@ -371,6 +378,34 @@
module="mod_authnz_ldap">AuthLDAPCompareDNOnServer</directive>
directive.</p>
</section>
+
+<section id="reqattribute"><title>require ldap-attribute</title>
+
+ <p>The <code>require ldap-attribute</code> directive allows the
+ administrator to grant access based on attributes of the authenticated
+ user in the LDAP directory. If the attribute in the directory
+ matches the value given in the configuration, access is granted.</p>
+
+ <p>The following directive would grant access to anyone with
+ the attribute employeeType = active</p>
+
+ <example>require ldap-attribute employeeType=active</example>
+
+ <p>Multiple attribute/value pairs can be specified on the same line
+ separated by spaces or they can be specified in multiple
+ <code>require ldap-attribute</code> directives. The effect of listing
+ multiple attribute/values pairs is an OR operation. Access will be
+ granted if any of the listed attribute values match the value of the
+ corresponding attribute in the user object. If the value of the
+ attribute contains a space, only the value must be within double quotes.</p>
+
+ <p>The following directive would grant access to anyone with
+ the city attribute equal to "San Jose" or status equal to "Active"</p>
+
+ <example>require ldap-attribute city="San Jose" status=active</example>
+
+</section>
+
</section>
<section id="examples"><title>Examples</title>
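Review bot: the new `reqattribute` section describes the check as "the attribute in the directory matches the value given in the configuration", but the implementation performs an LDAP compare operation against the user's DN with the configured attribute/value pair, so match semantics (case sensitivity, whitespace handling) are those of the attribute's equality matching rule on the directory server, not a string comparison in httpd; the section should say so, and should note that, like `require ldap-group` with `AuthLDAPCompareDNOnServer`, it requires that the user's DN is known. The sentence "only the value must be within double quotes" also reads ambiguously; suggest "quote only the value, not the whole pair, e.g. `city="San Jose"`".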
1.7 +29 -1 httpd-2.0/modules/aaa/mod_authnz_ldap.c
Index: mod_authnz_ldap.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/aaa/mod_authnz_ldap.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- mod_authnz_ldap.c 2 Nov 2004 00:08:21 -0000 1.6
+++ mod_authnz_ldap.c 3 Nov 2004 22:05:25 -0000 1.7
@@ -466,7 +466,7 @@
register int x;
const char *t;
- char *w;
+ char *w, *value;
int method_restricted = 0;
char filtbuf[FILTER_LENGTH];
@@ -690,6 +690,34 @@
"[%d] auth_ldap authorise: require group \"%s\": "
"authorisation failed [%s][%s]",
getpid(), t, ldc->reason, ldap_err2string(result));
+ }
+ }
+ }
+ }
+ else if (strcmp(w, "ldap-attribute") == 0) {
+ while (t[0]) {
+ w = ap_getword(r->pool, &t, '=');
+ value = ap_getword_conf(r->pool, &t);
+
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
+ "[%d] auth_ldap authorise: checking attribute"
+ " %s has value %s", getpid(), w, value);
+ result = util_ldap_cache_compare(r, ldc, sec->url, req->dn,
+ w, value);
+ switch(result) {
+ case LDAP_COMPARE_TRUE: {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO,
+ 0, r, "[%d] auth_ldap authorise: "
+ "require attribute: authorisation "
+ "successful", getpid());
+ return OK;
+ }
+ default: {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO,
+ 0, r, "[%d] auth_ldap authorise: "
+ "require attribute: authorisation "
+ "failed [%s][%s]", getpid(),
+ ldc->reason, ldap_err2string(result));
}
}
}
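Review bot: the parsing loop in the `ldap-attribute` branch never checks that each token actually contains `=`: for a malformed entry such as `require ldap-attribute employeeType`, `ap_getword(r->pool, &t, '=')` consumes the whole remainder as the attribute name and `ap_getword_conf` returns an empty `value`, which is then handed to `util_ldap_cache_compare` as a compare against an empty string. Suggest rejecting an empty `w` or `value` with an APLOG_WARNING and `continue`, so a configuration mistake shows up in the log rather than as a compare that can never be meaningful. Also, the `default:` arm logs `LDAP_COMPARE_FALSE` and transport or server errors identically at DEBUG; logging real errors (anything other than `LDAP_COMPARE_FALSE`) at APLOG_WARNING would let operators distinguish a user who simply lacks the attribute from a directory failure.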