| Quellcodebibliothek Statistik Leitseite products/Sources/formale Sprachen/C/Apache/docs/icons/ (Apache Software Stiftung Version 2.4.65©) Datei vom 20.10.2004 mit Größe 243 B |
|
Quelle mod_authnz_ldap.c Sprache: C |
|||||||||
|
/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include "ap_provider.h" #include "httpd.h" #include "http_config.h" #include "ap_provider.h" #include "http_core.h" #include "http_log.h" #include "http_protocol.h" #include "http_request.h" #include "util_ldap.h" #include "mod_auth.h" #include "apr_strings.h" #include "apr_xlate.h" #define APR_WANT_STRFUNC #include "apr_want.h" #include "apr_lib.h" #include <ctype.h> #if !APR_HAS_LDAP #error mod_authnz_ldap requires APR-util to have LDAP support built in. To fix add --with-lda #endif static char *default_attributes[3] = { "member", "uniqueMember", NULL }; typedef struct { apr_pool_t *pool; /* Pool that this config is allocated from */ #if APR_HAS_THREADS apr_thread_mutex_t *lock; /* Lock for this config */ #endif /* These parameters are all derived from the AuthLDAPURL directive */ char *url; /* String representation of the URL */ char *host; /* Name of the LDAP server (or space separated list) */ int port; /* Port of the LDAP server */ char *basedn; /* Base DN to do all searches from */ char *attribute; /* Attribute to search for */ char **attributes; /* Array of all the attributes to return */ int scope; /* Scope of the search */ char *filter; /* Filter to further limit the search */ deref_options deref; /* how to handle alias dereferening */ char *binddn; /* DN to bind to server (can be NULL) */ char *bindpw; /* Password to bind to server (can be NULL) */ int bind_authoritative; /* If true, will return errors when bind fails */ int user_is_dn; /* If true, r->user is replaced by DN during authn */ char *remote_user_attribute; /* If set, r->user is replaced by this attribute during authn */ int compare_dn_on_server; /* If true, will use server to do DN compare */ int have_ldap_url; /* Set if we have found an LDAP url */ apr_array_header_t *groupattr; /* List of Group attributes identifying user members. Defau int group_attrib_is_dn; /* If true, the group attribute is the DN, otherwise, it's the exact string passed by the HTTP client */ char **sgAttributes; /* Array of strings constructed (post-config) from subgroupattrs. Las apr_array_header_t *subgroupclasses; /* List of object classes of sub-groups. Default:"gr int maxNestingDepth; /* Maximum recursive nesting depth permitted during subgroup processi int secure; /* True if SSL connections are requested */ char *authz_prefix; /* Prefix for environment variables added during authz */ int initial_bind_as_user; /* true if we should try to bind (to lookup DN) directly with the basi ap_regex_t *bind_regex; /* basic auth -> bind'able username regex */ const char *bind_subst; /* basic auth -> bind'able username substitution */ int search_as_user; /* true if authz searches should be done with the users credentials (when w int compare_as_user; /* true if authz compares should be done with the users credentials (when } authn_ldap_config_t; typedef struct { const char *dn; /* The saved dn from a successful search */ const char *user; /* The username provided by the client */ const char **vals; /* The additional values pulled during the DN search*/ const char *password; /* if this module successfully authenticates, the basic auth password, } authn_ldap_request_t; enum auth_ldap_phase { LDAP_AUTHN, LDAP_AUTHZ }; enum auth_ldap_optype { LDAP_SEARCH, LDAP_COMPARE, LDAP_COMPARE_AND_SEARCH /* nested groups */ }; /* maximum group elements supported */ #define GROUPATTR_MAX_ELTS 10 module AP_MODULE_DECLARE_DATA authnz_ldap_module; static APR_OPTIONAL_FN_TYPE(uldap_connection_close) *util_ldap_connection_close; static APR_OPTIONAL_FN_TYPE(uldap_connection_find) *util_ldap_connection_find; static APR_OPTIONAL_FN_TYPE(uldap_cache_comparedn) *util_ldap_cache_comparedn; static APR_OPTIONAL_FN_TYPE(uldap_cache_compare) *util_ldap_cache_compare; static APR_OPTIONAL_FN_TYPE(uldap_cache_check_subgroups) *util_ldap_cache_check_su static APR_OPTIONAL_FN_TYPE(uldap_cache_checkuserid) *util_ldap_cache_checkuserid; static APR_OPTIONAL_FN_TYPE(uldap_cache_getuserdn) *util_ldap_cache_getuserdn; static APR_OPTIONAL_FN_TYPE(uldap_ssl_supported) *util_ldap_ssl_supported; static apr_hash_t *charset_conversions = NULL; static char *to_charset = NULL; /* UTF-8 identifier derived from the charset.conv file */ /* Derive a code page ID give a language name or ID */ static char* derive_codepage_from_lang (apr_pool_t *p, char *language) { char *charset; if (!language) /* our default codepage */ return apr_pstrdup(p, "ISO-8859-1"); charset = (char*) apr_hash_get(charset_conversions, language, APR_HASH_KEY_STRING); /* * Test if language values like 'en-US' return a match from the charset * conversion map when shortened to 'en'. */ if (!charset && strlen(language) > 3 && language[2] == '-') { char *language_short = apr_pstrndup(p, language, 2); charset = (char*) apr_hash_get(charset_conversions, language_short, APR_HASH_KEY_STRI } if (charset) { charset = apr_pstrdup(p, charset); } return charset; } static apr_xlate_t* get_conv_set (request_rec *r) { char *lang_line = (char*)apr_table_get(r->headers_in, "accept-language"); char *lang; apr_xlate_t *convset; if (lang_line) { lang_line = apr_pstrdup(r->pool, lang_line); for (lang = lang_line;*lang;lang++) { if ((*lang == ',') || (*lang == ';')) { *lang = '\0'; break; } } lang = derive_codepage_from_lang(r->pool, lang_line); if (lang && (apr_xlate_open(&convset, to_charset, lang, r->pool) == APR_SUCCESS)) { return convset; } } return NULL; } static const char* authn_ldap_xlate_password(request_rec *r, const char* sent_password) { apr_xlate_t *convset = NULL; apr_size_t inbytes; apr_size_t outbytes; char *outbuf; if (charset_conversions && (convset = get_conv_set(r)) ) { inbytes = strlen(sent_password); outbytes = (inbytes+1)*3; outbuf = apr_pcalloc(r->pool, outbytes); /* Convert the password to UTF-8. */ if (apr_xlate_conv_buffer(convset, sent_password, &inbytes, outbuf, &outbytes) == APR_SUCCESS) return outbuf; } return sent_password; } /* * Build the search filter, or at least as much of the search filter that * will fit in the buffer, and return APR_EGENERAL if it won't fit, otherwise * APR_SUCCESS. * * The search filter consists of the filter provided with the URL, * combined with a filter made up of the attribute provided with the URL, * and the actual username passed by the HTTP client. For example, assume * that the LDAP URL is * * ldap://ldap.airius.com/ou=People, o=Airius?uid??(posixid=*) * * Further, assume that the userid passed by the client was `userj'. The * search filter will be (&(posixid=*)(uid=userj)). */ #define FILTER_LENGTH MAX_STRING_LEN static apr_status_t authn_ldap_build_filter(char filtbuf[FILTER_LENGTH], request_rec *r, const char *user, const char *filter, authn_ldap_config_t *sec) { char *q; const char *p, *filtbuf_end; apr_xlate_t *convset = NULL; apr_size_t inbytes; apr_size_t outbytes; char *outbuf; int nofilter = 0, len; apr_status_t rv = APR_SUCCESS; if (!filter) { filter = sec->filter; } if (charset_conversions) { convset = get_conv_set(r); } if (convset) { inbytes = strlen(user); outbytes = (inbytes+1)*3; outbuf = apr_pcalloc(r->pool, outbytes); /* Convert the user name to UTF-8. This is only valid for LDAP v3 */ if (apr_xlate_conv_buffer(convset, user, &inbytes, outbuf, &outbytes) == APR_SUCCESS) { user = outbuf; } } /* * Create the first part of the filter, which consists of the * config-supplied portions. */ if ((nofilter = (!filter || !*filter || !strcasecmp(filter, "none")))) { len = apr_snprintf(filtbuf, FILTER_LENGTH, "(%s=", sec->attribute); } else { len = apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", filter, sec->attribute); } /* * Now add the client-supplied username to the filter, ensuring that any * LDAP filter metachars are escaped. */ filtbuf_end = filtbuf + FILTER_LENGTH - 1; for (p = user, q = filtbuf + len; *p; ) { if (strchr("*()\\", *p) != NULL) { #if APR_HAS_MICROSOFT_LDAPSDK if (q + 3 >= filtbuf_end) { /* accounts for final \0 */ rv = APR_EGENERAL; goto out; } *q++ = '\\'; switch ( *p++ ) { case '*': *q++ = '2'; *q++ = 'a'; break; case '(': *q++ = '2'; *q++ = '8'; break; case ')': *q++ = '2'; *q++ = '9'; break; case '\\': *q++ = '5'; *q++ = 'c'; break; } #else if (q + 2 >= filtbuf_end) { /* accounts for final \0 */ rv = APR_EGENERAL; goto out; } *q++ = '\\'; *q++ = *p++; #endif } else { if (q + 1 >= filtbuf_end) { /* accounts for final \0 */ rv = APR_EGENERAL; goto out; } *q++ = *p++; } } /* * Append the closing parens of the filter, unless doing so would * overrun the buffer. */ if (nofilter) { if (q + 1 >= filtbuf_end) { /* accounts for final \0 */ rv = APR_EGENERAL; goto out; } *q++ = ')'; } else { if (q + 2 >= filtbuf_end) { /* accounts for final \0 */ rv = APR_EGENERAL; goto out; } *q++ = ')'; *q++ = ')'; } out: *q = '\0'; return rv; } static void *create_authnz_ldap_dir_config(apr_pool_t *p, char *d) { authn_ldap_config_t *sec = (authn_ldap_config_t *)apr_pcalloc(p, sizeof(authn_ldap_config_t)); sec->pool = p; #if APR_HAS_THREADS apr_thread_mutex_create(&sec->lock, APR_THREAD_MUTEX_DEFAULT, p); #endif /* sec->authz_enabled = 1; */ sec->groupattr = apr_array_make(p, GROUPATTR_MAX_ELTS, sizeof(struct mod_auth_ldap_groupattr_entry_t)); sec->subgroupclasses = apr_array_make(p, GROUPATTR_MAX_ELTS, sizeof(struct mod_auth_ldap_groupattr_entry_t)); sec->have_ldap_url = 0; sec->url = ""; sec->host = NULL; sec->binddn = NULL; sec->bindpw = NULL; sec->bind_authoritative = 1; sec->deref = always; sec->group_attrib_is_dn = 1; sec->secure = -1; /*Initialize to unset*/ sec->maxNestingDepth = 10; sec->sgAttributes = apr_pcalloc(p, sizeof (char *) * (GROUPATTR_MAX_ELTS + 1)); sec->user_is_dn = 0; sec->remote_user_attribute = NULL; sec->compare_dn_on_server = 0; sec->authz_prefix = AUTHZ_PREFIX; return sec; } static apr_status_t authnz_ldap_cleanup_connection_close(void *param) { util_ldap_connection_t *ldc = param; util_ldap_connection_close(ldc); return APR_SUCCESS; } static int set_request_vars(request_rec *r, enum auth_ldap_phase phase, const char **vals char *prefix = NULL; int prefix_len; int remote_user_attribute_set = 0; authn_ldap_config_t *sec = (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module); prefix = (phase == LDAP_AUTHN) ? AUTHN_PREFIX : sec->authz_prefix; prefix_len = strlen(prefix); if (sec->attributes && vals) { apr_table_t *e = r->subprocess_env; int i = 0; while (sec->attributes[i]) { char *str = apr_pstrcat(r->pool, prefix, sec->attributes[i], NULL); int j = prefix_len; while (str[j]) { str[j] = apr_toupper(str[j]); j++; } apr_table_setn(e, str, vals[i] ? vals[i] : ""); /* handle remote_user_attribute, if set */ if ((phase == LDAP_AUTHN) && sec->remote_user_attribute && !strcmp(sec->remote_user_attribute, sec->attributes[i])) { r->user = (char *)apr_pstrdup(r->pool, vals[i]); remote_user_attribute_set = 1; } i++; } } return remote_user_attribute_set; } static const char *ldap_determine_binddn(request_rec *r, const char *user) { authn_ldap_config_t *sec = (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module); const char *result = user; ap_regmatch_t regm[AP_MAX_REG_MATCH]; if (NULL == user || NULL == sec || !sec->bind_regex || !sec->bind_subst) { return result; } if (!ap_regexec(sec->bind_regex, user, AP_MAX_REG_MATCH, regm, 0)) { char *substituted = ap_pregsub(r->pool, sec->bind_subst, user, AP_MAX_REG_MATCH, regm); if (NULL != substituted) { result = substituted; } } apr_table_set(r->subprocess_env, "LDAP_BINDASUSER", result); return result; } /* Some LDAP servers restrict who can search or compare, and the hard-coded ID * might be good for the DN lookup but not for later operations. */ static util_ldap_connection_t *get_connection_for_authz(request_rec *r, enum auth_lda authn_ldap_request_t *req = (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module); authn_ldap_config_t *sec = (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module); const char *binddn = sec->binddn; const char *bindpw = sec->bindpw; /* If the per-request config isn't set, we didn't authenticate this user, and leave the default if (req && req->password && ((type == LDAP_SEARCH && sec->search_as_user) || (type == LDAP_COMPARE && sec->compare_as_user) || (type == LDAP_COMPARE_AND_SEARCH && sec->compare_as_user && sec->search_as_user))){ binddn = req->dn; bindpw = req->password; } return util_ldap_connection_find(r, sec->host, sec->port, binddn, bindpw, sec->deref, sec->secure); } /* * Authentication Phase * -------------------- * * This phase authenticates the credentials the user has sent with * the request (ie the username and password are checked). This is done * by making an attempt to bind to the LDAP server using this user's * DN and the supplied password. * */ static authn_status authn_ldap_check_password(request_rec *r, const char *user, const char *password) { char filtbuf[FILTER_LENGTH]; authn_ldap_config_t *sec = (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module); util_ldap_connection_t *ldc = NULL; int result = 0; int remote_user_attribute_set = 0; const char *dn = NULL; const char *utfpassword; authn_ldap_request_t *req = (authn_ldap_request_t *)apr_pcalloc(r->pool, sizeof(authn_ldap_request_t)); ap_set_module_config(r->request_config, &authnz_ldap_module, req); /* if (!sec->enabled) { return AUTH_USER_NOT_FOUND; } */ /* * Basic sanity checks before any LDAP operations even happen. */ if (!sec->have_ldap_url) { ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02558) "no AuthLDAPURL"); return AUTH_GENERAL_ERROR; } /* Get the password that the client sent */ if (password == NULL) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01692) "auth_ldap authenticate: no password specified"); return AUTH_GENERAL_ERROR; } if (user == NULL) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01693) "auth_ldap authenticate: no user specified"); return AUTH_GENERAL_ERROR; } /* * A bind to the server with an empty password always succeeds, so * we check to ensure that the password is not empty. This implies * that users who actually do have empty passwords will never be * able to authenticate with this module. I don't see this as a big * problem. */ if (!(*password)) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(10263) "auth_ldap authenticate: empty password specified"); return AUTH_DENIED; } /* There is a good AuthLDAPURL, right? */ if (sec->host) { const char *binddn = sec->binddn; const char *bindpw = sec->bindpw; if (sec->initial_bind_as_user) { bindpw = password; binddn = ldap_determine_binddn(r, user); } ldc = util_ldap_connection_find(r, sec->host, sec->port, binddn, bindpw, sec->deref, sec->secure); } else { ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01690) "auth_ldap authenticate: no sec->host - weird...?"); return AUTH_GENERAL_ERROR; } ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01691) "auth_ldap authenticate: using URL %s", sec->url); /* build the username filter */ if (APR_SUCCESS != authn_ldap_build_filter(filtbuf, r, user, NULL, sec)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02622) "auth_ldap authenticate: ldap filter too long (>%d): %s", FILTER_LENGTH, filtbuf); util_ldap_connection_close(ldc); return AUTH_GENERAL_ERROR; } ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "auth_ldap authenticate: final authn filter is %s", filtbuf); /* convert password to utf-8 */ utfpassword = authn_ldap_xlate_password(r, password); /* do the user search */ result = util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope, sec->attributes, filtbuf, utfpassword, &dn, &(req->vals)); util_ldap_connection_close(ldc); /* handle bind failure */ if (result != LDAP_SUCCESS) { if (!sec->bind_authoritative) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01694) "auth_ldap authenticate: user %s authentication failed; " "URI %s [%s][%s] (not authoritative)", user, r->uri, ldc->reason, ldap_err2string(result)); return AUTH_USER_NOT_FOUND; } ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(01695) "auth_ldap authenticate: " "user %s authentication failed; URI %s [%s][%s]", user, r->uri, ldc->reason, ldap_err2string(result)); /* talking to a primitive LDAP server (like RACF-over-LDAP) that doesn't return specific erro if (!strcasecmp(sec->filter, "none") && LDAP_OTHER == result) { return AUTH_USER_NOT_FOUND; } return (LDAP_NO_SUCH_OBJECT == result) ? AUTH_USER_NOT_FOUND #ifdef LDAP_SECURITY_ERROR : (LDAP_SECURITY_ERROR(result)) ? AUTH_DENIED #else : (LDAP_INAPPROPRIATE_AUTH == result) ? AUTH_DENIED : (LDAP_INVALID_CREDENTIALS == result) ? AUTH_DENIED #ifdef LDAP_INSUFFICIENT_ACCESS : (LDAP_INSUFFICIENT_ACCESS == result) ? AUTH_DENIED #endif #ifdef LDAP_INSUFFICIENT_RIGHTS : (LDAP_INSUFFICIENT_RIGHTS == result) ? AUTH_DENIED #endif #endif #ifdef LDAP_CONSTRAINT_VIOLATION /* At least Sun Directory Server sends this if a user is * locked. This is not covered by LDAP_SECURITY_ERROR. */ : (LDAP_CONSTRAINT_VIOLATION == result) ? AUTH_DENIED #endif : AUTH_GENERAL_ERROR; } /* mark the user and DN */ req->dn = dn; req->user = user; req->password = password; if (sec->user_is_dn) { r->user = (char *)req->dn; } /* add environment variables */ remote_user_attribute_set = set_request_vars(r, LDAP_AUTHN, req->vals); /* sanity check */ if (sec->remote_user_attribute && !remote_user_attribute_set) { ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01696) "auth_ldap authenticate: " "REMOTE_USER was to be set with attribute '%s', " "but this attribute was not requested for in the " "LDAP query for the user. REMOTE_USER will fall " "back to username or DN as appropriate.", sec->remote_user_attribute); } ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01697) "auth_ldap authenticate: accepting %s", user); return AUTH_GRANTED; } static authz_status ldapuser_check_authorization(request_rec *r, const char *require_args, const void *parsed_require_args) { int result = 0; authn_ldap_request_t *req = (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module); authn_ldap_config_t *sec = (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module); util_ldap_connection_t *ldc = NULL; const char *err = NULL; const ap_expr_info_t *expr = parsed_require_args; const char *require; const char *t; char *w; char filtbuf[FILTER_LENGTH]; const char *dn = NULL; if (!r->user) { return AUTHZ_DENIED_NO_USER; } if (!sec->have_ldap_url) { return AUTHZ_DENIED; } if (sec->host) { ldc = get_connection_for_authz(r, LDAP_COMPARE); apr_pool_cleanup_register(r->pool, ldc, authnz_ldap_cleanup_connection_close, apr_pool_cleanup_null); } else { ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01698) "auth_ldap authorize: no sec->host - weird...?"); return AUTHZ_DENIED; } /* * If we have been authenticated by some other module than mod_authnz_ldap, * the req structure needed for authorization needs to be created * and populated with the userid and DN of the account in LDAP */ if (!strlen(r->user)) { ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01699) "ldap authorize: Userid is blank, AuthType=%s", r->ap_auth_type); } if(!req) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01700) "ldap authorize: Creating LDAP req structure"); req = (authn_ldap_request_t *)apr_pcalloc(r->pool, sizeof(authn_ldap_request_t)); /* Build the username filter */ if (APR_SUCCESS != authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02623) "auth_ldap authorize: ldap filter too long (>%d): %s", FILTER_LENGTH, filtbuf); return AUTHZ_DENIED; } /* Search for the user DN */ result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, sec->scope, sec->attributes, filtbuf, &dn, &(req->vals)); /* Search failed, log error and return failure */ if(result != LDAP_SUCCESS) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01701) "auth_ldap authorise: User DN not found, %s", ldc->reason); return AUTHZ_DENIED; } ap_set_module_config(r->request_config, &authnz_ldap_module, req); req->dn = dn; req->user = r->user; } if (req->dn == NULL || strlen(req->dn) == 0) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01702) "auth_ldap authorize: require user: user's DN has not " "been defined; failing authorization"); return AUTHZ_DENIED; } require = ap_expr_str_exec(r, expr, &err); if (err) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02585) "auth_ldap authorize: require user: Can't evaluate expression: %s", err); return AUTHZ_DENIED; } /* * First do a whole-line compare, in case it's something like * require user Babs Jensen */ result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, require); switch(result) { case LDAP_COMPARE_TRUE: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01703) "auth_ldap authorize: require user: authorization " "successful"); set_request_vars(r, LDAP_AUTHZ, req->vals); return AUTHZ_GRANTED; } default: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01704) "auth_ldap authorize: require user: " "authorization failed [%s][%s]", ldc->reason, ldap_err2string(result)); } } /* * Now break apart the line and compare each word on it */ t = require; while ((w = ap_getword_conf(r->pool, &t)) && w[0]) { result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, w); switch(result) { case LDAP_COMPARE_TRUE: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01705) "auth_ldap authorize: " "require user: authorization successful"); set_request_vars(r, LDAP_AUTHZ, req->vals); return AUTHZ_GRANTED; } default: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01706) "auth_ldap authorize: " "require user: authorization failed [%s][%s]", ldc->reason, ldap_err2string(result)); } } } ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01707) "auth_ldap authorize user: authorization denied for " "user %s to %s", r->user, r->uri); return AUTHZ_DENIED; } static authz_status ldapgroup_check_authorization(request_rec *r, const char *require_args, const void *parsed_require_args) { int result = 0; authn_ldap_request_t *req = (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module); authn_ldap_config_t *sec = (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module); util_ldap_connection_t *ldc = NULL; const char *err = NULL; const ap_expr_info_t *expr = parsed_require_args; const char *require; const char *t; char filtbuf[FILTER_LENGTH]; const char *dn = NULL; struct mod_auth_ldap_groupattr_entry_t *ent; int i; if (!r->user) { return AUTHZ_DENIED_NO_USER; } if (!sec->have_ldap_url) { return AUTHZ_DENIED; } if (sec->host) { ldc = get_connection_for_authz(r, LDAP_COMPARE); /* for the top-level group only */ apr_pool_cleanup_register(r->pool, ldc, authnz_ldap_cleanup_connection_close, apr_pool_cleanup_null); } else { ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01708) "auth_ldap authorize: no sec->host - weird...?"); return AUTHZ_DENIED; } /* * If there are no elements in the group attribute array, the default should be * member and uniquemember; populate the array now. */ if (sec->groupattr->nelts == 0) { struct mod_auth_ldap_groupattr_entry_t *grp; #if APR_HAS_THREADS apr_thread_mutex_lock(sec->lock); #endif grp = apr_array_push(sec->groupattr); grp->name = "member"; grp = apr_array_push(sec->groupattr); grp->name = "uniqueMember"; #if APR_HAS_THREADS apr_thread_mutex_unlock(sec->lock); #endif } /* * If there are no elements in the sub group classes array, the default * should be groupOfNames and groupOfUniqueNames; populate the array now. */ if (sec->subgroupclasses->nelts == 0) { struct mod_auth_ldap_groupattr_entry_t *grp; #if APR_HAS_THREADS apr_thread_mutex_lock(sec->lock); #endif grp = apr_array_push(sec->subgroupclasses); grp->name = "groupOfNames"; grp = apr_array_push(sec->subgroupclasses); grp->name = "groupOfUniqueNames"; #if APR_HAS_THREADS apr_thread_mutex_unlock(sec->lock); #endif } /* * If we have been authenticated by some other module than mod_auth_ldap, * the req structure needed for authorization needs to be created * and populated with the userid and DN of the account in LDAP */ if (!strlen(r->user)) { ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01709) "ldap authorize: Userid is blank, AuthType=%s", r->ap_auth_type); } if(!req) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01710) "ldap authorize: Creating LDAP req structure"); req = (authn_ldap_request_t *)apr_pcalloc(r->pool, sizeof(authn_ldap_request_t)); /* Build the username filter */ if (APR_SUCCESS != authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02624) "auth_ldap authorize: ldap filter too long (>%d): %s", FILTER_LENGTH, filtbuf); return AUTHZ_DENIED; } /* Search for the user DN */ result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, sec->scope, sec->attributes, filtbuf, &dn, &(req->vals)); /* Search failed, log error and return failure */ if(result != LDAP_SUCCESS) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01711) "auth_ldap authorise: User DN not found, %s", ldc->reason); return AUTHZ_DENIED; } ap_set_module_config(r->request_config, &authnz_ldap_module, req); req->dn = dn; req->user = r->user; } ent = (struct mod_auth_ldap_groupattr_entry_t *) sec->groupattr->elts; if (sec->group_attrib_is_dn) { if (req->dn == NULL || strlen(req->dn) == 0) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01712) "auth_ldap authorize: require group: user's DN has " "not been defined; failing authorization for user %s", r->user); return AUTHZ_DENIED; } } else { if (req->user == NULL || strlen(req->user) == 0) { /* We weren't called in the authentication phase, so we didn't have a * chance to set the user field. Do so now. */ req->user = r->user; } } require = ap_expr_str_exec(r, expr, &err); if (err) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02586) "auth_ldap authorize: require group: Can't evaluate expression: %s", err); return AUTHZ_DENIED; } t = require; ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01713) "auth_ldap authorize: require group: testing for group " "membership in \"%s\"", t); /* PR52464 exhaust attrs in base group before checking subgroups */ for (i = 0; i < sec->groupattr->nelts; i++) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01714) "auth_ldap authorize: require group: testing for %s: " "%s (%s)", ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t); result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user); if (result == LDAP_COMPARE_TRUE) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01715) "auth_ldap authorize: require group: " "authorization successful (attribute %s) " "[%s][%d - %s]", ent[i].name, ldc->reason, result, ldap_err2string(result)); set_request_vars(r, LDAP_AUTHZ, req->vals); return AUTHZ_GRANTED; } else { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01719) "auth_ldap authorize: require group \"%s\": " "didn't match with attr %s [%s][%d - %s]", t, ent[i].name, ldc->reason, result, ldap_err2string(result)); } } for (i = 0; i < sec->groupattr->nelts; i++) { /* nested groups need searches and compares, so grab a new handle */ authnz_ldap_cleanup_connection_close(ldc); apr_pool_cleanup_kill(r->pool, ldc,authnz_ldap_cleanup_connection_close); ldc = get_connection_for_authz(r, LDAP_COMPARE_AND_SEARCH); apr_pool_cleanup_register(r->pool, ldc, authnz_ldap_cleanup_connection_close, apr_pool_cleanup_null); ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01716) "auth_ldap authorise: require group \"%s\": " "failed [%s][%d - %s], checking sub-groups", t, ldc->reason, result, ldap_err2string(result)); result = util_ldap_cache_check_subgroups(r, ldc, sec->url, t, ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, sec->sgAttributes[0] ? sec->sgAttributes : default_attributes, sec->subgroupclasses, 0, sec->maxNestingDepth); if (result == LDAP_COMPARE_TRUE) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01717) "auth_ldap authorise: require group " "(sub-group): authorisation successful " "(attribute %s) [%s][%d - %s]", ent[i].name, ldc->reason, result, ldap_err2string(result)); set_request_vars(r, LDAP_AUTHZ, req->vals); return AUTHZ_GRANTED; } else { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01718) "auth_ldap authorise: require group " "(sub-group) \"%s\": didn't match with attr %s " "[%s][%d - %s]", t, ldc->reason, ent[i].name, result, ldap_err2string(result)); } } ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01720) "auth_ldap authorize group: authorization denied for " "user %s to %s", r->user, r->uri); return AUTHZ_DENIED; } static authz_status ldapdn_check_authorization(request_rec *r, const char *require_args, const void *parsed_require_args) { int result = 0; authn_ldap_request_t *req = (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module); authn_ldap_config_t *sec = (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module); util_ldap_connection_t *ldc = NULL; const char *err = NULL; const ap_expr_info_t *expr = parsed_require_args; const char *require; const char *t; char filtbuf[FILTER_LENGTH]; const char *dn = NULL; if (!r->user) { return AUTHZ_DENIED_NO_USER; } if (!sec->have_ldap_url) { return AUTHZ_DENIED; } if (sec->host) { ldc = get_connection_for_authz(r, LDAP_SEARCH); /* _comparedn is a searche */ apr_pool_cleanup_register(r->pool, ldc, authnz_ldap_cleanup_connection_close, apr_pool_cleanup_null); } else { ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01721) "auth_ldap authorize: no sec->host - weird...?"); return AUTHZ_DENIED; } /* * If we have been authenticated by some other module than mod_auth_ldap, * the req structure needed for authorization needs to be created * and populated with the userid and DN of the account in LDAP */ if (!strlen(r->user)) { ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01722) "ldap authorize: Userid is blank, AuthType=%s", r->ap_auth_type); } if(!req) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01723) "ldap authorize: Creating LDAP req structure"); req = (authn_ldap_request_t *)apr_pcalloc(r->pool, sizeof(authn_ldap_request_t)); /* Build the username filter */ if (APR_SUCCESS != authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02625) "auth_ldap authorize: ldap filter too long (>%d): %s", FILTER_LENGTH, filtbuf); return AUTHZ_DENIED; } /* Search for the user DN */ result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, sec->scope, sec->attributes, filtbuf, &dn, &(req->vals)); /* Search failed, log error and return failure */ if(result != LDAP_SUCCESS) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01724) "auth_ldap authorise: User DN not found with filter %s: %s", filtbuf, ldc->reason); return AUTHZ_DENIED; } ap_set_module_config(r->request_config, &authnz_ldap_module, req); req->dn = dn; req->user = r->user; } require = ap_expr_str_exec(r, expr, &err); if (err) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02587) "auth_ldap authorize: require dn: Can't evaluate expression: %s", err); return AUTHZ_DENIED; } t = require; if (req->dn == NULL || strlen(req->dn) == 0) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01725) "auth_ldap authorize: require dn: user's DN has not " "been defined; failing authorization"); return AUTHZ_DENIED; } result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, t, sec->compare_dn_on_server switch(result) { case LDAP_COMPARE_TRUE: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01726) "auth_ldap authorize: " "require dn: authorization successful"); set_request_vars(r, LDAP_AUTHZ, req->vals); return AUTHZ_GRANTED; } default: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01727) "auth_ldap authorize: " "require dn \"%s\": LDAP error [%s][%s]", t, ldc->reason, ldap_err2string(result)); } } ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01728) "auth_ldap authorize dn: authorization denied for " "user %s to %s", r->user, r->uri); return AUTHZ_DENIED; } static authz_status ldapattribute_check_authorization(request_rec *r, const char *require_args, const void *parsed_require_args) { int result = 0; authn_ldap_request_t *req = (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module); authn_ldap_config_t *sec = (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module); util_ldap_connection_t *ldc = NULL; const char *err = NULL; const ap_expr_info_t *expr = parsed_require_args; const char *require; const char *t; char *w, *value; char filtbuf[FILTER_LENGTH]; const char *dn = NULL; if (!r->user) { return AUTHZ_DENIED_NO_USER; } if (!sec->have_ldap_url) { return AUTHZ_DENIED; } if (sec->host) { ldc = get_connection_for_authz(r, LDAP_COMPARE); apr_pool_cleanup_register(r->pool, ldc, authnz_ldap_cleanup_connection_close, apr_pool_cleanup_null); } else { ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01729) "auth_ldap authorize: no sec->host - weird...?"); return AUTHZ_DENIED; } /* * If we have been authenticated by some other module than mod_auth_ldap, * the req structure needed for authorization needs to be created * and populated with the userid and DN of the account in LDAP */ if (!strlen(r->user)) { ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01730) "ldap authorize: Userid is blank, AuthType=%s", r->ap_auth_type); } if(!req) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01731) "ldap authorize: Creating LDAP req structure"); req = (authn_ldap_request_t *)apr_pcalloc(r->pool, sizeof(authn_ldap_request_t)); /* Build the username filter */ if (APR_SUCCESS != authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02626) "auth_ldap authorize: ldap filter too long (>%d): %s", FILTER_LENGTH, filtbuf); return AUTHZ_DENIED; } /* Search for the user DN */ result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, sec->scope, sec->attributes, filtbuf, &dn, &(req->vals)); /* Search failed, log error and return failure */ if(result != LDAP_SUCCESS) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01732) "auth_ldap authorise: User DN not found with filter %s: %s", filtbuf, ldc->reason); return AUTHZ_DENIED; } ap_set_module_config(r->request_config, &authnz_ldap_module, req); req->dn = dn; req->user = r->user; } if (req->dn == NULL || strlen(req->dn) == 0) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01733) "auth_ldap authorize: require ldap-attribute: user's DN " "has not been defined; failing authorization"); return AUTHZ_DENIED; } require = ap_expr_str_exec(r, expr, &err); if (err) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02588) "auth_ldap authorize: require ldap-attribute: Can't " "evaluate expression: %s", err); return AUTHZ_DENIED; } t = require; while (t[0]) { w = ap_getword(r->pool, &t, '='); value = ap_getword_conf(r->pool, &t); ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01734) "auth_ldap authorize: checking attribute %s has value %s", w, value); result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, w, value); switch(result) { case LDAP_COMPARE_TRUE: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01735) "auth_ldap authorize: " "require attribute: authorization successful"); set_request_vars(r, LDAP_AUTHZ, req->vals); return AUTHZ_GRANTED; } default: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01736) "auth_ldap authorize: require attribute: " "authorization failed [%s][%s]", ldc->reason, ldap_err2string(result)); } } } ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01737) "auth_ldap authorize attribute: authorization denied for " "user %s to %s", r->user, r->uri); return AUTHZ_DENIED; } static authz_status ldapfilter_check_authorization(request_rec *r, const char *require_args, const void *parsed_require_args) { int result = 0; authn_ldap_request_t *req = (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module); authn_ldap_config_t *sec = (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module); util_ldap_connection_t *ldc = NULL; const char *err = NULL; const ap_expr_info_t *expr = parsed_require_args; const char *require; const char *t; char filtbuf[FILTER_LENGTH]; const char *dn = NULL; if (!r->user) { return AUTHZ_DENIED_NO_USER; } if (!sec->have_ldap_url) { return AUTHZ_DENIED; } if (sec->host) { ldc = get_connection_for_authz(r, LDAP_SEARCH); apr_pool_cleanup_register(r->pool, ldc, authnz_ldap_cleanup_connection_close, apr_pool_cleanup_null); } else { ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01738) "auth_ldap authorize: no sec->host - weird...?"); return AUTHZ_DENIED; } /* * If we have been authenticated by some other module than mod_auth_ldap, * the req structure needed for authorization needs to be created * and populated with the userid and DN of the account in LDAP */ if (!strlen(r->user)) { ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01739) "ldap authorize: Userid is blank, AuthType=%s", r->ap_auth_type); } if(!req) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01740) "ldap authorize: Creating LDAP req structure"); req = (authn_ldap_request_t *)apr_pcalloc(r->pool, sizeof(authn_ldap_request_t)); /* Build the username filter */ if (APR_SUCCESS != authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02627) "auth_ldap authorize: ldap filter too long (>%d): %s", FILTER_LENGTH, filtbuf); return AUTHZ_DENIED; } /* Search for the user DN */ result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, sec->scope, sec->attributes, filtbuf, &dn, &(req->vals)); /* Search failed, log error and return failure */ if(result != LDAP_SUCCESS) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01741) "auth_ldap authorise: User DN not found with filter %s: %s", filtbuf, ldc->reason); return AUTHZ_DENIED; } ap_set_module_config(r->request_config, &authnz_ldap_module, req); req->dn = dn; req->user = r->user; } if (req->dn == NULL || strlen(req->dn) == 0) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01742) "auth_ldap authorize: require ldap-filter: user's DN " "has not been defined; failing authorization"); return AUTHZ_DENIED; } require = ap_expr_str_exec(r, expr, &err); if (err) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02589) "auth_ldap authorize: require ldap-filter: Can't " "evaluate require expression: %s", err); return AUTHZ_DENIED; } t = require; if (t[0]) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01743) "auth_ldap authorize: checking filter %s", t); /* Build the username filter */ if (APR_SUCCESS != authn_ldap_build_filter(filtbuf, r, req->user, t, sec)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02628) "auth_ldap authorize: ldap filter too long (>%d): %s", FILTER_LENGTH, filtbuf); return AUTHZ_DENIED; } /* Search for the user DN */ result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, sec->scope, sec->attributes, filtbuf, &dn, &(req->vals)); /* Make sure that the filtered search returned the correct user dn */ if (result == LDAP_SUCCESS) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01744) "auth_ldap authorize: checking dn match %s", dn); if (sec->compare_as_user) { /* ldap-filter is the only authz that requires a search and a compare */ apr_pool_cleanup_kill(r->pool, ldc, authnz_ldap_cleanup_connection_close); authnz_ldap_cleanup_connection_close(ldc); ldc = get_connection_for_authz(r, LDAP_COMPARE); } result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, dn, sec->compare_dn_on_server); } switch(result) { case LDAP_COMPARE_TRUE: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01745) "auth_ldap authorize: require ldap-filter: " "authorization successful"); set_request_vars(r, LDAP_AUTHZ, req->vals); return AUTHZ_GRANTED; } case LDAP_FILTER_ERROR: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01746) "auth_ldap authorize: require ldap-filter: " "%s authorization failed [%s][%s]", filtbuf, ldc->reason, ldap_err2string(result)); break; } default: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01747) "auth_ldap authorize: require ldap-filter: " "authorization failed [%s][%s]", ldc->reason, ldap_err2string(result)); } } } ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01748) "auth_ldap authorize filter: authorization denied for " "user %s to %s", r->user, r->uri); return AUTHZ_DENIED; } static authz_status ldapsearch_check_authorization(request_rec *r, const char *require_args, const void *parsed_require_args) { int result = 0; authn_ldap_request_t *req = (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module); authn_ldap_config_t *sec = (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module); util_ldap_connection_t *ldc = NULL; const char *err = NULL; const ap_expr_info_t *expr = parsed_require_args; const char *require; const char *t; const char *dn = NULL; if (!sec->have_ldap_url) { return AUTHZ_DENIED; } if (sec->host) { ldc = get_connection_for_authz(r, LDAP_SEARCH); apr_pool_cleanup_register(r->pool, ldc, authnz_ldap_cleanup_connection_close, apr_pool_cleanup_null); } else { ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02636) "auth_ldap authorize: no sec->host - weird...?"); return AUTHZ_DENIED; } require = ap_expr_str_exec(r, expr, &err); if (err) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02629) "auth_ldap authorize: require ldap-search: Can't " "evaluate require expression: %s", err); return AUTHZ_DENIED; } t = require; if (t[0]) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02630) "auth_ldap authorize: checking filter %s", t); /* Search for the user DN */ result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, sec->scope, sec->attributes, t, &dn, &(req->vals)); /* Make sure that the filtered search returned a single dn */ if (result == LDAP_SUCCESS && dn) { req->dn = dn; ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02631) "auth_ldap authorize: require ldap-search: " "authorization successful"); set_request_vars(r, LDAP_AUTHZ, req->vals); return AUTHZ_GRANTED; } else { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02632) "auth_ldap authorize: require ldap-search: " "%s authorization failed [%s][%s]", t, ldc->reason, ldap_err2string(result)); } } ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02633) "auth_ldap authorize search: authorization denied for " "to %s", r->uri); return AUTHZ_DENIED; } static const char *ldap_parse_config(cmd_parms *cmd, const char *require_line, const void **parsed_require_line) { const char *expr_err = NULL; ap_expr_info_t *expr; expr = ap_expr_parse_cmd(cmd, require_line, AP_EXPR_FLAG_STRING_RESULT, &expr_err, NULL); if (expr_err) return apr_pstrcat(cmd->temp_pool, "Cannot parse expression in require line: ", expr_err, NULL); *parsed_require_line = expr; return NULL; } /* * Use the ldap url parsing routines to break up the ldap url into * host and port. */ static const char *mod_auth_ldap_parse_url(cmd_parms *cmd, void *config, const char *url, const char *mode) { int rc; apr_ldap_url_desc_t *urld; apr_ldap_err_t *result; authn_ldap_config_t *sec = config; rc = apr_ldap_url_parse(cmd->pool, url, &(urld), &(result)); if (rc != APR_SUCCESS) { return result->reason; } sec->url = apr_pstrdup(cmd->pool, url); /* Set all the values, or at least some sane defaults */ if (sec->host) { sec->host = apr_pstrcat(cmd->pool, urld->lud_host, " ", sec->host, NULL); } else { sec->host = urld->lud_host? apr_pstrdup(cmd->pool, urld->lud_host) : "localhost"; } sec->basedn = urld->lud_dn? apr_pstrdup(cmd->pool, urld->lud_dn) : ""; if (urld->lud_attrs && urld->lud_attrs[0]) { int i = 1; while (urld->lud_attrs[i]) { i++; } sec->attributes = apr_pcalloc(cmd->pool, sizeof(char *) * (i+1)); i = 0; while (urld->lud_attrs[i]) { sec->attributes[i] = apr_pstrdup(cmd->pool, urld->lud_attrs[i]); i++; } sec->attribute = sec->attributes[0]; } else { sec->attribute = "uid"; } sec->scope = urld->lud_scope == LDAP_SCOPE_ONELEVEL ? LDAP_SCOPE_ONELEVEL : LDAP_SCOPE_SUBTREE; if (urld->lud_filter) { if (urld->lud_filter[0] == '(') { /* * Get rid of the surrounding parens; later on when generating the * filter, they'll be put back. */ sec->filter = apr_pstrmemdup(cmd->pool, urld->lud_filter+1, strlen(urld->lud_filter)-2); } else { sec->filter = apr_pstrdup(cmd->pool, urld->lud_filter); } } else { sec->filter = "objectclass=*"; } if (mode) { if (0 == strcasecmp("NONE", mode)) { sec->secure = APR_LDAP_NONE; } else if (0 == strcasecmp("SSL", mode)) { sec->secure = APR_LDAP_SSL; } else if (0 == strcasecmp("TLS", mode) || 0 == strcasecmp("STARTTLS", mode)) { sec->secure = APR_LDAP_STARTTLS; } else { return "Invalid LDAP connection mode setting: must be one of NONE, " "SSL, or TLS/STARTTLS"; } } /* "ldaps" indicates secure ldap connections desired */ if (strncasecmp(url, "ldaps", 5) == 0) { sec->secure = APR_LDAP_SSL; sec->port = urld->lud_port? urld->lud_port : LDAPS_PORT; } else { sec->port = urld->lud_port? urld->lud_port : LDAP_PORT; } sec->have_ldap_url = 1; ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, cmd->server, "auth_ldap url parse: `%s', Host: %s, Port: %d, DN: %s, " "attrib: %s, scope: %s, filter: %s, connection mode: %s", url, urld->lud_host, urld->lud_port, urld->lud_dn, urld->lud_attrs? urld->lud_attrs[0] : "(null)", (urld->lud_scope == LDAP_SCOPE_SUBTREE? "subtree" : urld->lud_scope == LDAP_SCOPE_BASE? "base" : urld->lud_scope == LDAP_SCOPE_ONELEVEL? "onelevel" : "unknown"), urld->lud_filter, sec->secure == APR_LDAP_SSL ? "using SSL": "not using SSL" ); return NULL; } static const char *mod_auth_ldap_set_deref(cmd_parms *cmd, void *config, const char *arg) { authn_ldap_config_t *sec = config; if (strcmp(arg, "never") == 0 || strcasecmp(arg, "off") == 0) { sec->deref = never; } else if (strcmp(arg, "searching") == 0) { sec->deref = searching; } else if (strcmp(arg, "finding") == 0) { sec->deref = finding; } else if (strcmp(arg, "always") == 0 || strcasecmp(arg, "on") == 0) { sec->deref = always; } else { return "Unrecognized value for AuthLDAPDereferenceAliases directive"; } return NULL; } static const char *mod_auth_ldap_add_subgroup_attribute(cmd_parms *cmd, void *config, c { int i = 0; authn_ldap_config_t *sec = config; for (i = 0; sec->sgAttributes[i]; i++) { ; } if (i == GROUPATTR_MAX_ELTS) return "Too many AuthLDAPSubGroupAttribute values"; sec->sgAttributes[i] = apr_pstrdup(cmd->pool, arg); return NULL; } static const char *mod_auth_ldap_add_subgroup_class(cmd_parms *cmd, void *config, const { struct mod_auth_ldap_groupattr_entry_t *new; authn_ldap_config_t *sec = config; if (sec->subgroupclasses->nelts > GROUPATTR_MAX_ELTS) return "Too many AuthLDAPSubGroupClass values"; new = apr_array_push(sec->subgroupclasses); new->name = apr_pstrdup(cmd->pool, arg); return NULL; } static const char *mod_auth_ldap_set_subgroup_maxdepth(cmd_parms *cmd, void *config, const char *max_depth) { authn_ldap_config_t *sec = config; sec->maxNestingDepth = atol(max_depth); return NULL; } static const char *mod_auth_ldap_add_group_attribute(cmd_parms *cmd, void *config, cons { struct mod_auth_ldap_groupattr_entry_t *new; authn_ldap_config_t *sec = config; if (sec->groupattr->nelts > GROUPATTR_MAX_ELTS) return "Too many AuthLDAPGroupAttribute directives"; new = apr_array_push(sec->groupattr); new->name = apr_pstrdup(cmd->pool, arg); return NULL; } static const char *set_charset_config(cmd_parms *cmd, void *config, const char *arg) { ap_set_module_config(cmd->server->module_config, &authnz_ldap_module, (void *)arg); return NULL; } static const char *set_bind_pattern(cmd_parms *cmd, void *_cfg, const char *exp, const char { authn_ldap_config_t *sec = _cfg; ap_regex_t *regexp; regexp = ap_pregcomp(cmd->pool, exp, AP_REG_EXTENDED); if (!regexp) { return apr_pstrcat(cmd->pool, "AuthLDAPInitialBindPattern: cannot compile regular " "expression '", exp, "'", NULL); } sec->bind_regex = regexp; sec->bind_subst = subst; return NULL; } static const char *set_bind_password(cmd_parms *cmd, void *_cfg, const char *arg) { authn_ldap_config_t *sec = _cfg; int arglen = strlen(arg); char **argv; char *result; if ((arglen > 5) && strncmp(arg, "exec:", 5) == 0) { if (apr_tokenize_to_argv(arg+5, &argv, cmd->temp_pool) != APR_SUCCESS) { return apr_pstrcat(cmd->pool, "Unable to parse exec arguments from ", arg+5, NULL); } argv[0] = ap_server_root_relative(cmd->temp_pool, argv[0]); if (!argv[0]) { return apr_pstrcat(cmd->pool, "Invalid AuthLDAPBindPassword exec location:", arg+5, NULL); } result = ap_get_exec_line(cmd->pool, (const char*)argv[0], (const char * const *)argv); if (!result) { return apr_pstrcat(cmd->pool, "Unable to get bind password from exec of ", arg+5, NULL); } sec->bindpw = result; } else { sec->bindpw = (char *)arg; } if (!(*sec->bindpw)) { return "Empty passwords are invalid for AuthLDAPBindPassword"; } return NULL; } static const command_rec authnz_ldap_cmds[] = { AP_INIT_TAKE12("AuthLDAPURL", mod_auth_ldap_parse_url, NULL, OR_AUTHCFG, "URL to define LDAP connection. This should be an RFC 2255 compliant\n" "URL of the form ldap://host[:port]/basedn[?attrib[?scope[?filter]]].\n" "
" "to specify redundant servers.\n" --> -------------------- --> maximum size reached --> -------------------- ¤ Dauer der Verarbeitung: 0.16 Sekunden (vorverarbeitet) ¤*© Formatika GbR, Deutschland |
|
2026-03-28