http://issues.apache.org/bugzilla/show_bug.cgi?id=31352 RFE, Bind to LDAP server with browser supplier user/pass Summary: RFE, Bind to LDAP server with browser supplier user/pass Product: Apache httpd-2.0 Version: 2.0.51 Platform: Sun OS/Version: Solaris Status: NEW Severity: Enhancement Priority: Other Component: mod_auth_ldap AssignedTo: [email protected] ReportedBy: [EMAIL PROTECTED] In environments where the Access Control to the LDAP DIT is protected from anonymous binds and bound users are only able to read their user entries possible binding options for mod_auth_ldap will either fail to authenticate a user, or there are security implications if the <Directory/> sections contain a suitably powerful binddn/bindpw. The browser supplies a username and password for the auth check. This patch extends the AuthLDAPBindDN and AuthLDAPBindPasswd directives to accept $USER and $PASSWORD respectively and substitute for user/pass eg: AuthLDAPBindDN uid=$USER,ou=people,ou=common,l=lon,c=gb,o=dis AuthLDAPBindPassword $PASSWORD for user/pass of 'klyne'/'password' becomes: AuthLDAPBindDN uid=klyne,ou=people,ou=common,l=lon,c=gb,o=dis AuthLDAPBindPassword password The rest of mod_auth_ldap continues as before.
--- httpd-2.0.51/modules/experimental/mod_auth_ldap.c-dist 2004-05-22 01:39: 41.000000000 +0200
+++ httpd-2.0.51/modules/experimental/mod_auth_ldap.c 2004-09-21 23:40:53. 728681000 +0200
@@ -161,6 +161,83 @@
 /*
+ *
+ * Read per directory module config, and substitute for variables in binddn and bindpw
+ * This is just a wrapper around the call to
+ * ap_get_module_config(r->per_dir_config, &auth_ldap_module);
+ *
+ * If the binddn and bindpw set by the AuthLDAPBindDN and AuthLDAPBindPassword directives
+ * contain $USER and $PASSWORD then substitute these with the browser supplied user/pass,
+ * otherwise just return the mod_auth_ldap_config_t.
+ *
+ */
+#define BIND_USER "$USER"
+#define BIND_PASSWD "$PASSWORD"
+static mod_auth_ldap_config_t *auth_ldap_get_per_dir_module_config(request_rec *r)
+{
+    const char *sent_pw;
+    int bad_sent_pw = 0;
+
+    char *bind_user; /* set to start of BIND_USER if binddn requires username subst */
+
+    int doSubst = 0; /* set to true if we have values to substitute */
+
+    mod_auth_ldap_config_t *s =
+        (mod_auth_ldap_config_t *)ap_get_module_config(r->per_dir_config, &auth_ldap_module);
+
+    /* check client sent a username and a password */
+    if ( ! r->user ) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
+                      "[%d] auth_ldap authenticate: auth_ldap_get_per_dir_module_config()"
+                      " : Client sent no username",
+                      getpid());
+    /* Substitute for client supplied USER in binddn if directory configured for BIND_USER
+     * eg. if "AuthLDAPBindDN uid=$USER,ou=people,l=lon,c=gb,o=dis"
+     * send binddn to "uid=<user>,ou=people,l=lon,c=gb,o=dis"
+     */
+    } else {
+        if ((s->binddn) && ((bind_user = strstr(s->binddn, BIND_USER)) !=NULL)) {
+            char *attr;
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
+                          "[%d] auth_ldap authenticate: auth_ldap_get_per_dir_module_config()"
+                          ": binddn %s",
+                          getpid(), s->binddn);
+            attr = apr_pstrndup(r->pool, s->binddn, bind_user - s->binddn);
+            s->binddn = apr_pstrcat(r->pool, attr, r->user, bind_user + strlen(BIND_USER), NULL );
+            doSubst++;
+        }
+    }
+
+    if ((bad_sent_pw = ap_get_basic_auth_pw(r, &sent_pw))) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
+                      "[%d] auth_ldap_get_per_dir_module_config() auth_ldap authenticate: "
+                      "ap_get_basic_auth_pw() returns %d", getpid(), bad_sent_pw);
+
+    /* set bindpw to client suppled password if directory configured for bindpw
+       to BIND_PASSWD */
+    } else {
+        if ( s->bindpw && strcmp(s->bindpw, BIND_PASSWD) ==0) {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
+                          "[%d] auth_ldap authenticate: auth_ldap_get_per_dir_module_config()"
+                          ": bindpw USER SUPPLIED",
+                          getpid());
+            s->bindpw = (char *)sent_pw;
+            doSubst++;
+        }
+    }
+
+    if (doSubst) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
+                      "[%d] auth_ldap_get_per_dir_module_config() : SUBST",
+                      getpid());
+
+        ap_set_module_config(r->per_dir_config, &auth_ldap_module, s);
+    }
+
+    return s;
+}
+
+/*
  * Build the search filter, or at least as much of the search filter that
  * will fit in the buffer. We don't worry about the buffer not being able
  * to hold the entire filter. If the buffer wasn't big enough to hold the
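Review bot: The assignments `s->binddn = apr_pstrcat(r->pool, ...)` and `s->bindpw = (char *)sent_pw` write into the struct returned by `ap_get_module_config(r->per_dir_config, &auth_ldap_module)`, which is the module's per-directory configuration rather than per-request state, so once the request pool is destroyed `binddn` and `bindpw` point at freed memory, until then the current client's DN and password are what any other request resolving to the same section will bind with, and the `$USER`/`$PASSWORD` templates are destroyed so later requests are never substituted at all. Work on a request-scoped copy instead — `mod_auth_ldap_config_t *tmpl = ap_get_module_config(r->per_dir_config, &auth_ldap_module);` followed by `mod_auth_ldap_config_t *s = apr_pmemdup(r->pool, tmpl, sizeof *s);` — and drop the `ap_set_module_config(...)` call, which stores back the pointer it just read and therefore changes nothing; both callers (the hunks at -269 and -409) then receive their own copy. Whether the struct is genuinely shared across requests depends on how this module's per-directory configs are merged, which is outside the hunk, but the dangling pool pointer and the lost template stand regardless. Separately, `r->user` is concatenated into the bind DN without escaping the DN special characters of RFC 2253 (`,` `+` `"` `\` `<` `>` `;` `=`), so a username containing one of them changes the structure of the DN the server binds as; escape or reject such names before the substitution, e.g. `if (strpbrk(r->user, ",+\"\\<>;=")) { /* refuse to substitute */ }`.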
@@ -269,7 +346,7 @@
     const char **vals = NULL;
     char filtbuf[FILTER_LENGTH];
     mod_auth_ldap_config_t *sec =
-        (mod_auth_ldap_config_t *)ap_get_module_config(r->per_dir_config, &auth_ldap_module);
+        (mod_auth_ldap_config_t *)auth_ldap_get_per_dir_module_config(r);
     util_ldap_connection_t *ldc = NULL;
     const char *sent_pw;
@@ -409,8 +486,7 @@
         (mod_auth_ldap_request_t *)ap_get_module_config(r->request_config, &auth_ldap_module);
     mod_auth_ldap_config_t *sec =
-        (mod_auth_ldap_config_t *)ap_get_module_config(r->per_dir_config,
-                                                  &auth_ldap_module);
+        (mod_auth_ldap_config_t *)auth_ldap_get_per_dir_module_config(r);
     util_ldap_connection_t *ldc = NULL;
     int m = r->method_number;
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
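Review bot: Both replaced lines cast the result of `auth_ldap_get_per_dir_module_config(r)` to `mod_auth_ldap_config_t *`, which is already the helper's declared return type, so the cast is a leftover from the `void *`-returning `ap_get_module_config` call it replaces; `mod_auth_ldap_config_t *sec = auth_ldap_get_per_dir_module_config(r);` reads cleaner and lets the compiler flag a future type change. Both enclosing functions start and end outside these hunks.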
