On 07/27/2007 10:34 PM, wrote: > Author: rederpj > Date: Fri Jul 27 13:34:41 2007 > New Revision: 560373 > > URL: http://svn.apache.org/viewvc?view=rev&rev=560373 > Log: > mod_ldap, mod_authnzldap: Add support for nested groups (i.e. the ability > to authorize an authenticated user via a "require ldap-group X" directive > where the user is not in group X, but is in a subgroup contained in X. > PR 42891 [Paul J. Reder] > > > Modified: > httpd/httpd/trunk/CHANGES > httpd/httpd/trunk/include/util_ldap.h > httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c > httpd/httpd/trunk/modules/ldap/util_ldap.c > httpd/httpd/trunk/modules/ldap/util_ldap_cache.c > httpd/httpd/trunk/modules/ldap/util_ldap_cache.h > httpd/httpd/trunk/modules/ldap/util_ldap_cache_mgr.c >
> Modified: httpd/httpd/trunk/include/util_ldap.h
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/include/util_ldap.h?view=diff&rev=560373&r1=560372&r2=560373
> ==============================================================================
> --- httpd/httpd/trunk/include/util_ldap.h (original)
> +++ httpd/httpd/trunk/include/util_ldap.h Fri Jul 27 13:34:41 2007
> @@ -144,6 +144,10 @@
>
> } util_ldap_state_t;
>
> +/* Used to store arrays of attribute labels/values. */
> +struct mod_auth_ldap_groupattr_entry_t {
> + char *name;
> +};
>
> /**
> * Open a connection to an LDAP server
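Review bot: The comment on the new struct says it is 'Used to store arrays of attribute labels/values', but the type holds a single `char *name` and no value member, so the wording describes the containing array rather than this entry and suggests a field that does not exist; `/* One attribute name; the module keeps arrays of these entries. */` would describe what is actually declared. The `mod_auth_ldap_` prefix is also out of step with this header, where the neighbouring type `util_ldap_state_t` follows the `util_ldap_` convention, and the `_t` suffix on a plain struct tag with no typedef means every user must spell out `struct mod_auth_ldap_groupattr_entry_t`; a `util_ldap_`-prefixed typedef, or a short comment explaining why a module-specific name lives in the shared header, would make the intent clear.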
> @@ -244,12 +248,43 @@
> * @param attrib The attribute within the object we are comparing for.
> * @param value The value of the attribute we are trying to compare for.
> * @tip Use this function to determine whether an attribute/value pair
> exists within an
> - * object. Typically this would be used to determine LDAP group
> membership.
> + * object. Typically this would be used to determine LDAP top-level
> group
> + * membership.
> * @fn int util_ldap_cache_compare(request_rec *r, util_ldap_connection_t
> *ldc,
> * const char *url, const char *dn,
> const char *attrib, const char *value)
> */
> APR_DECLARE_OPTIONAL_FN(int,uldap_cache_compare,(request_rec *r,
> util_ldap_connection_t *ldc,
> const char *url, const char *dn, const char
> *attrib, const char *value));
> +
> +/**
> + * An LDAP function that checks if the specified user is a member of a
> subgroup.
> + * @param r The request record
> + * @param ldc The LDAP connection being used.
> + * @param url The URL of the LDAP connection - used for deciding which cache
> to use.
> + * @param dn The DN of the object in which we find subgroups to search
> within.
> + * @param attrib The attribute within group objects that identify users.
> + * @param value The user attribute value we are trying to compare for.
> + * @param subgroupAttrs The attributes within group objects that identify
> subgroups.
> + * Array of strings.
> + * @param subgroupclasses The objectClass values used to identify groups (and
> + * subgroups). apr_array_header_t *.
> + * @param cur_subgroup_depth Current recursive depth during subgroup
> processing.
> + * @param max_subgroup_depth Maximum depth of recursion allowed during
> subgroup
> + * processing.
> + * @tip Use this function to determine whether an attribute/value pair
> exists within a
> + * starting group object or one of its nested subgroups. Typically this
> would be
> + * used to determine LDAP nested group membership.
> + * @deffunc int util_ldap_cache_check_subgroups(request_rec *r,
> util_ldap_connection_t
> + * *ldc, const char *url, const char
> *dn,
> + * const char *attrib, const char value,
> + * char **subgroupAttrs,
> apr_array_header_t
> + * *subgroupclasses, int
> cur_subgroup_depth, int
> + * max_subgroup_depth )
> + */
> +APR_DECLARE_OPTIONAL_FN(int,uldap_cache_check_subgroups,(request_rec *r,
> util_ldap_connection_t *ldc,
> + const char *url, const char *dn,
> const char *attrib, const char *value,
> + char **subgroupAttrs,
> apr_array_header_t *subgroupclasses,
> + int cur_subgroup_depth, int
> max_subgroup_depth));
>
> /**
> * Checks a username/password combination by binding to the LDAP server

As this adds a struct and an optional function to a public API, I guess this requires a minor bump.

> Modified: httpd/httpd/trunk/modules/ldap/util_ldap.c
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ldap/util_ldap.c?view=diff&rev=560373&r1=560372&r2=560373
> ==============================================================================
> --- httpd/httpd/trunk/modules/ldap/util_ldap.c (original)
> +++ httpd/httpd/trunk/modules/ldap/util_ldap.c Fri Jul 27 13:34:41 2007
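Review bot: The `@deffunc` text documents the value parameter as `const char value`, while the `APR_DECLARE_OPTIONAL_FN` line directly below declares `const char *value`; the doc should read `const char *value`, and for consistency with the `uldap_cache_compare` comment a few lines up it should use `@fn` rather than `@deffunc`. The `subgroupAttrs` description ('Array of strings') does not say how the end of the `char **` array is found, and with no count parameter a caller that gets the convention wrong hands the callee an unbounded read, so state it explicitly — if it is NULL-terminated, `@param subgroupAttrs NULL-terminated array of attribute names that identify subgroups within group objects.` (confirm against the implementation). The depth comments should likewise say what the function returns once `cur_subgroup_depth` reaches `max_subgroup_depth`, because that bound is what stops the recursion on cyclic or deeply nested group data and an administrator tuning it needs to know whether hitting it means the user is treated as not a member.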
> @@ -849,6 +859,293 @@
> return result;
> }
>
> +/*
> + * Does a recursive lookup operation to try to find a user within (cached)
> nested
> + * groups. It accepts a cache that it will use to lookup previous compare
> attempts.
> + * We cache two kinds of compares (require group compares) and (require user
> + * compares). Each compare has a different cache node: require group
> includes the DN;
> + * require user does not because the require user cache is owned by the

I think the remaining part of the sentence is missing.

> Modified: httpd/httpd/trunk/modules/ldap/util_ldap_cache_mgr.c
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ldap/util_ldap_cache_mgr.c?view=diff&rev=560373&r1=560372&r2=560373
> ==============================================================================
> --- httpd/httpd/trunk/modules/ldap/util_ldap_cache_mgr.c (original)
> +++ httpd/httpd/trunk/modules/ldap/util_ldap_cache_mgr.c Fri Jul 27 13:34:41
> 2007
> @@ -135,6 +136,44 @@
> #endif
> }
>
> +/*
> + * Duplicate a subgroupList from one compare entry to another.
> + * Returns: ptr to a new copy of the subgroupList or NULL if allocation
> failed.
> + */
> +util_compare_subgroup_t *util_ald_sgl_dup(util_ald_cache_t *cache,
> util_compare_subgroup_t *sgl_in)
> +{
> + int i = 0;
> + util_compare_subgroup_t *sgl_out = NULL;
> +
> + if (!sgl_in) return NULL;
> +
> + sgl_out = (util_compare_subgroup_t *) util_ald_alloc(cache,
> sizeof(util_compare_subgroup_t));
> + sgl_out->subgroupDNs = util_ald_alloc(cache, sizeof(char *) *
> sgl_in->len);
> + sgl_out->len = sgl_in->len;
> +
> + for (i = 0; i < sgl_in->len; i++) {
> + fprintf(stderr, "sgl_dup: Adding %s to sgl\n",
> sgl_in->subgroupDNs[i]); fflush(stderr);

How about using ap_log_error here?

Regards RĂ¼diger
