Posted to dev@httpd.apache.org by Ryan Morgan <rm...@pobox.com> on 2004/10/31 22:03:53 UTC

[PATCH]: LDAP Authz (was: Ldap Authorization)

I've opened an enhancement in bugzilla:

http://issues.apache.org/bugzilla/show_bug.cgi?id=31913

I have attached the patch here for review.  I'd also like to get this
committed to the 2.0 tree so people can start taking advantage of the
feature without waiting for 2.2.

Thoughts?

Index: modules/aaa/mod_authnz_ldap.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/aaa/mod_authnz_ldap.c,v
retrieving revision 1.5
diff -u -r1.5 mod_authnz_ldap.c
--- modules/aaa/mod_authnz_ldap.c	12 Oct 2004 12:27:18 -0000	1.5
+++ modules/aaa/mod_authnz_ldap.c	26 Oct 2004 23:52:04 -0000
@@ -466,7 +466,7 @@

      register int x;
      const char *t;
-    char *w;
+    char *w, *value;
      int method_restricted = 0;

  /*
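Review bot: `value` is added at function scope next to `w`, but it is only used inside the new `ldap-attribute` branch, which opens its own block; declaring it there would keep its scope tight and make the later hunk self-contained. No functional problem with the declaration itself.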
@@ -646,6 +646,34 @@
                                        "[%d] auth_ldap authorise:  
require group \"%s\": "
                                        "authorisation failed [%s][%s]",
                                        getpid(), t, ldc->reason,  
ldap_err2string(result));
+                    }
+                }
+            }
+        }
+        else if (strcmp(w, "ldap-attribute") == 0) {
+            while (t[0]) {
+                w = ap_getword(r->pool, &t, '=');
+                value = ap_getword_conf(r->pool, &t);
+
+                ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO,  
0, r,
+                              "[%d] auth_ldap authorise: checking  
attribute"
+                              " %s has value %s", getpid(), w, value);
+                result = util_ldap_cache_compare(r, ldc, sec->url,  
req->dn,
+                                                 w, value);
+                switch(result) {
+                    case LDAP_COMPARE_TRUE: {
+                        ap_log_rerror(APLOG_MARK,  
APLOG_DEBUG|APLOG_NOERRNO,
+                                      0, r, "[%d] auth_ldap authorise:  
"
+                                      "require attribute:  
authorisation "
+                                      "successful", getpid());
+                        return OK;
+                    }
+                    default: {
+                        ap_log_rerror(APLOG_MARK,  
APLOG_DEBUG|APLOG_NOERRNO,
+                                      0, r, "[%d] auth_ldap authorise:  
"
+                                      "require attribute:  
authorisation "
+                                      "failed [%s][%s]", getpid(),
+                                      ldc->reason,  
ldap_err2string(result));
                      }
                  }
              }
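Review bot: In the new `else if (strcmp(w, "ldap-attribute") == 0)` branch, `req->dn` is handed to `util_ldap_cache_compare` without any check in this hunk that the DN was actually populated by the authentication phase; if the earlier `require dn`/`require group` branches guard against an empty DN (those lines are outside the hunk), mirror that guard here, otherwise add one and log through `ldc->reason` before failing. Two smaller points on the parsing loop: `w = ap_getword(r->pool, &t, '=')` followed by `value = ap_getword_conf(r->pool, &t)` yields an empty `value` when a `Require ldap-attribute` token has no `=`, so a configuration typo silently turns into a compare against "", which would be much easier to diagnose with an explicit "missing '='" warning; and since `return OK` fires on the first `LDAP_COMPARE_TRUE`, the semantics are OR across the listed attributes, which should be stated in the docs. Speaking of which, the patch introduces a new `Require` keyword with no matching change to the module documentation (mod_authnz_ldap.xml is not in the diff). Finally, the debug messages read "require attribute" while the keyword is `ldap-attribute`; using the keyword in the log text makes correlating logs with config simpler.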


On Oct 27, 2004, at 5:15 AM, Jim Jagielski wrote:

> Graham Leggett wrote:
>>
>> AFAIR the default attributes for "require group" can be overridden from
>> "member" and "uniqueMember" to anything you like. You are restricted to
>> comparing against the distinguished name of the user though.
>>
>> If you have a patch, open an enhancement report inside Bugzilla and
>> upload it there so that it doesn't fall through the cracks. Extending
>> the support for filters in the authorisation phase is a definite win.
>>
>
> +1
> --
> ===========================================================================
>    Jim Jagielski   [|]   jim@jaguNET.com   [|]   http://www.jaguNET.com/
>     "There 10 types of people: those who read binary and everyone else."
>
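As an added illustration (not part of the patch or the thread), here is the kind of configuration the new branch would accept, inferred from how the hunk parses the `Require` line: each token is split at `=` with `ap_getword`, the value is read with `ap_getword_conf` so it may be quoted to contain spaces, and the first attribute whose compare returns `LDAP_COMPARE_TRUE` grants access. The directory path, LDAP URL and attribute names are assumptions; `AuthLDAPURL` and `AuthLDAPGroupAttribute` are existing mod_auth_ldap directives, and `ldap-attribute` is the keyword introduced by the patch.

```apache
# Assumed example config; paths, URL and attribute names are made up.
<Location /intranet/ops>
    AuthType Basic
    AuthName "Operations"
    AuthLDAPURL ldap://ldap.example.test/ou=People,dc=example,dc=test?uid
    AuthLDAPAuthoritative on

    # Existing behaviour: "require group" compares the user's DN against a
    # group attribute (overridable, as discussed above).
    AuthLDAPGroupAttribute uniqueMember

    # New behaviour from the patch: compare attributes on the user's own
    # entry. Tokens are OR'ed; a quoted value may contain spaces.
    Require ldap-attribute department="Site Operations" title=Engineer
</Location>
```

Because authorisation succeeds on the first matching attribute, an entry with either `department: Site Operations` or `title: Engineer` would be let in; a token such as `department` with no `=` would be compared against the empty string and fail, which is why a warning for that case is worth adding.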