[PATCH] useful ldap feature

Tue, 17 Nov 2009 19:34:32 -0800 

This patch applies against the 2.2 branch
and adds the AuthLDAPBindAuthoritative directive,
which allows infra to failover login requests
to file based authentication.  Normally what
happens is that LDAP is authoritative when
it can locate the dn for the user.  This patch
allows *both* passwords, LDAP and file, to be checked
if the user is in both LDAP and the file.

Thanks for looking it over.



      
Index: mod_authnz_ldap.c
===================================================================
--- mod_authnz_ldap.c   (revision 832264)
+++ mod_authnz_ldap.c   (working copy)
@@ -63,6 +63,7 @@
     deref_options deref;            /* how to handle alias dereferening */
     char *binddn;                   /* DN to bind to server (can be NULL) */
     char *bindpw;                   /* Password to bind to server (can be NULL) */
+    int bind_authoritative;         /* If true, will return errors when bind fails */
 
     int user_is_dn;                 /* If true, connection->user is DN instead of userid */
     char *remote_user_attribute;    /* If set, connection->user is this attribute instead of userid */
@@ -296,6 +297,7 @@
     sec->host = NULL;
     sec->binddn = NULL;
     sec->bindpw = NULL;
+    sec->bind_authoritative = 1;
     sec->deref = always;
     sec->group_attrib_is_dn = 1;
     sec->secure = -1;   /*Initialize to unset*/
@@ -407,6 +409,14 @@
 
     /* handle bind failure */
     if (result != LDAP_SUCCESS) {
+        if (!sec->bind_authoritative) {
+           ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                      "[%" APR_PID_T_FMT "] auth_ldap authenticate: "
+                      "user %s authentication failed; URI %s [%s][%s] (not authoritative)",
+                      getpid(), user, r->uri, ldc->reason, ldap_err2string(result));
+           return AUTH_USER_NOT_FOUND;
+        }
+
         ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
                       "[%" APR_PID_T_FMT "] auth_ldap authenticate: "
                       "user %s authentication failed; URI %s [%s][%s]",
@@ -1425,6 +1435,10 @@
                   (void *)APR_OFFSETOF(authn_ldap_config_t, bindpw), OR_AUTHCFG,
                   "Password to use to bind to LDAP server. If not provided, will do an anonymous bind."),
 
+    AP_INIT_FLAG("AuthLDAPBindAuthoritative", ap_set_flag_slot,
+                  (void *)APR_OFFSETOF(authn_ldap_config_t, bind_authoritative), OR_AUTHCFG,
+                  "Set to 'on' to return failures when user-specific bind fails - defaults to on."),
+
     AP_INIT_FLAG("AuthLDAPRemoteUserIsDN", ap_set_flag_slot,
                  (void *)APR_OFFSETOF(authn_ldap_config_t, user_is_dn), OR_AUTHCFG,
                  "Set to 'on' to set the REMOTE_USER environment variable to be the full "

Reply via email to