Hi all,
Here is the other half of the LDAP authentication capability for Apache
v2.0 - mod_auth_ldap. It is designed to work with the LDAP extensions to
apr-util posted in the APR developers list.
Enable the module with --with-ldap --enable-auth-ldap.
The module works for me, but still needs a whole lot of testing,
tweaking and cleaning up (ignore mod_auth_ldap_handler() - it's still
being sorted out).
I'm keen on any comments people may have.
The files are:
modules/aaa/config.mp4
modules/aaa/mod_auth_ldap.h
modules/aaa/mod_auth_ldap.c
Regards,
Graham
--
-----------------------------------------
[EMAIL PROTECTED] "There's a moon
over Bourbon Street
tonight..."
dnl modules enabled in this directory by default
dnl APACHE_MODULE(name, helptext[, objects[, structname[, default[, config]]]])
APACHE_MODPATH_INIT(aaa)
APACHE_MODULE(access, host-based access control, , , yes)
APACHE_MODULE(auth, user-based access control, , , yes)
APACHE_MODULE(auth_anon, anonymous user access, , , most)
APACHE_MODULE(auth_dbm, DBM-based access databases, , , most)
APACHE_MODULE(auth_db, DB-based access databases, , , , [
AC_CHECK_HEADERS(db.h)
AC_CHECK_LIB(db,main)
])
APACHE_MODULE(auth_ldap, LDAP based authentication, , , $enable_auth_ldap)
APACHE_MODULE(auth_digest, RFC2617 Digest authentication, , , most)
APR_ADDTO(LT_LDFLAGS,-export-dynamic)
APACHE_MODPATH_FINISH
/* ====================================================================
* The Apache Software License, Version 1.1
*
* Copyright (c) 2000-2001 The Apache Software Foundation. All rights
* reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. The end-user documentation included with the redistribution,
* if any, must include the following acknowledgment:
* "This product includes software developed by the
* Apache Software Foundation (http://www.apache.org/)."
* Alternately, this acknowledgment may appear in the software itself,
* if and wherever such third-party acknowledgments normally appear.
*
* 4. The names "Apache" and "Apache Software Foundation" must
* not be used to endorse or promote products derived from this
* software without prior written permission. For written
* permission, please contact [EMAIL PROTECTED]
*
* 5. Products derived from this software may not be called "Apache",
* nor may "Apache" appear in their name, without prior written
* permission of the Apache Software Foundation.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
* USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Software Foundation. For more
* information on the Apache Software Foundation, please see
* <http://www.apache.org/>.
*/
/*
*/
#ifndef MOD_AUTH_LDAP_H
#define MOD_AUTH_LDAP_H
/* for getpid() */
#include <unistd.h>
#include "apr_ldap.h"
#include <apr_strings.h>
#include "ap_config.h"
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_protocol.h"
#include "http_request.h"
/* The actual LDAP auth struct. */
typedef struct {
apr_pool_t *pool; /* Pool that this config is allocated from */
apr_lock_t *lock; /* Lock for this config */
int auth_authoritative; /* Is this auth method the one and only? */
int enabled; /* Is auth_ldap enabled in this directory? */
/* These parameters are all derived from the AuthLDAPURL directive */
char *url; /* String representation of the URL */
char *host; /* Name of the LDAP server (or space separated
list) */
int port; /* Port of the LDAP server */
char *basedn; /* Base DN to do all searches from */
char *attribute; /* Attribute to search for */
int scope; /* Scope of the search */
char *filter; /* Filter to further limit the search */
deref_options deref; /* how to handle alias dereferening */
char *binddn; /* DN to bind to server (can be NULL) */
char *bindpw; /* Password to bind to server (can be NULL) */
int frontpage_hack; /* Hack for frontpage support */
int user_is_dn; /* If true, connection->user is DN instead of
userid */
int compare_dn_on_server; /* If true, will use server to do DN compare */
int have_ldap_url; /* Set if we have found an LDAP url */
apr_array_header_t *groupattr; /* List of Group attributes */
int group_attrib_is_dn; /* If true, the group attribute is the DN,
otherwise,
it's the exact string passed by the HTTP
client */
int netscapessl; /* True if Netscape SSL is enabled */
int starttls; /* True if StartTLS is enabled */
} mod_auth_ldap_config_t;
typedef struct mod_auth_ldap_request_t {
char *dn; /* The saved dn from a successful search */
char *user; /* The username provided by the client */
} mod_auth_ldap_request_t;
/* maximum group elements supported */
#define GROUPATTR_MAX_ELTS 10
struct mod_auth_ldap_groupattr_entry_t {
char *name;
};
#endif /* MOD_AUTH_LDAP_H */
/* ====================================================================
* The Apache Software License, Version 1.1
*
* Copyright (c) 2000-2001 The Apache Software Foundation. All rights
* reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. The end-user documentation included with the redistribution,
* if any, must include the following acknowledgment:
* "This product includes software developed by the
* Apache Software Foundation (http://www.apache.org/)."
* Alternately, this acknowledgment may appear in the software itself,
* if and wherever such third-party acknowledgments normally appear.
*
* 4. The names "Apache" and "Apache Software Foundation" must
* not be used to endorse or promote products derived from this
* software without prior written permission. For written
* permission, please contact [EMAIL PROTECTED]
*
* 5. Products derived from this software may not be called "Apache",
* nor may "Apache" appear in their name, without prior written
* permission of the Apache Software Foundation.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
* USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Software Foundation. For more
* information on the Apache Software Foundation, please see
* <http://www.apache.org/>.
*/
/*
* mod_auth_ldap.c: LDAP authentication module
*
* Original code from auth_ldap module for Apache v1.3:
* Copyright 1998, 1999 Enbridge Pipelines Inc.
* Copyright 1999-2001 Dave Carrigan
*/
const char *auth_ldap_version = "1.6.0";
#include "mod_auth_ldap.h"
module AP_MODULE_DECLARE_DATA auth_ldap_module;
void mod_auth_ldap_build_filter(char *filtbuf,
request_rec *r,
mod_auth_ldap_config_t *sec);
int mod_auth_ldap_handler(request_rec *r);
int mod_auth_ldap_check_user_id(request_rec *r);
int mod_auth_ldap_auth_checker(request_rec *r);
void *mod_auth_ldap_create_dir_config(apr_pool_t *p, char *d);
apr_status_t mod_auth_ldap_module_kill(void *data);
apr_status_t mod_auth_ldap_child_kill(void *data);
void *mod_auth_ldap_create_config(apr_pool_t *p, server_rec *s);
/*
* Build the search filter, or at least as much of the search filter that
* will fit in the buffer. We don't worry about the buffer not being able
* to hold the entire filter. If the buffer wasn't big enough to hold the
* filter, ldap_search_s will complain, but the only situation where this
* is likely to happen is if the client sent a really, really long
* username, most likely as part of an attack.
*
* The search filter consists of the filter provided with the URL,
* combined with a filter made up of the attribute provided with the URL,
* and the actual username passed by the HTTP client. For example, assume
* that the LDAP URL is
*
* ldap://ldap.airius.com/ou=People, o=Airius?uid??(posixid=*)
*
* Further, assume that the userid passed by the client was `userj'. The
* search filter will be (&(posixid=*)(uid=userj)).
*/
#define FILTER_LENGTH MAX_STRING_LEN
void mod_auth_ldap_build_filter(char *filtbuf,
request_rec *r,
mod_auth_ldap_config_t *sec)
{
char *p, *q, *filtbuf_end;
/*
* Create the first part of the filter, which consists of the
* config-supplied portions.
*/
apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", sec->filter, sec->attribute);
/*
* Now add the client-supplied username to the filter, ensuring that any
* LDAP filter metachars are escaped.
*/
filtbuf_end = filtbuf + FILTER_LENGTH - 1;
for (p = r->user, q=filtbuf + strlen(filtbuf);
*p && q < filtbuf_end; *q++ = *p++) {
if (strchr("*()\\", *p) != NULL) {
*q++ = '\\';
if (q >= filtbuf_end) {
break;
}
}
}
*q = '\0';
/*
* Append the closing parens of the filter, unless doing so would
* overrun the buffer.
*/
if (q + 2 <= filtbuf_end)
strcat(filtbuf, "))");
}
/*
* Some definitions to help between various versions of apache.
*/
#ifndef DOCTYPE_HTML_2_0
#define DOCTYPE_HTML_2_0 "<!DOCTYPE HTML PUBLIC \"-//IETF//" \
"DTD HTML 2.0//EN\">\n"
#endif
#ifndef DOCTYPE_HTML_3_2
#define DOCTYPE_HTML_3_2 "<!DOCTYPE HTML PUBLIC \"-//W3C//" \
"DTD HTML 3.2 Final//EN\">\n"
#endif
#ifndef DOCTYPE_HTML_4_0S
#define DOCTYPE_HTML_4_0S "<!DOCTYPE HTML PUBLIC \"-//W3C//" \
"DTD HTML 4.0//EN\"\n" \
"\"http://www.w3.org/TR/REC-html40/strict.dtd\";>\n"
#endif
#ifndef DOCTYPE_HTML_4_0T
#define DOCTYPE_HTML_4_0T "<!DOCTYPE HTML PUBLIC \"-//W3C//" \
"DTD HTML 4.0 Transitional//EN\"\n" \
"\"http://www.w3.org/TR/REC-html40/loose.dtd\";>\n"
#endif
#ifndef DOCTYPE_HTML_4_0F
#define DOCTYPE_HTML_4_0F "<!DOCTYPE HTML PUBLIC \"-//W3C//" \
"DTD HTML 4.0 Frameset//EN\"\n" \
"\"http://www.w3.org/TR/REC-html40/frameset.dtd\";>\n"
#endif
/* XXXXXXXXXXXXXXXXXXXXXXXXXX */
/* FIXME: rearchitect this routine to display info using filters */
int mod_auth_ldap_handler(request_rec *r)
{
#if 0
int i;
char buf[MAX_STRING_LEN];
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"mod_auth_ldap_check_user_id: [%d] Entering
mod_auth_ldap_display_info", (int)getpid());
r->allowed |= (1 << M_GET);
if (r->method_number != M_GET)
return DECLINED;
r->content_type = "text/html";
ap_send_http_header(r);
if (r->header_only)
return 0;
ap_hard_timeout("send auth_ldap info", r);
ap_rputs(DOCTYPE_HTML_3_2
"<html><head><title>Auth_LDAP Information</title></head>\n", r);
ap_rputs("<body bgcolor='#ffffff'><h1 align=center>Auth_LDAP Information</h1>\n",
r);
if (auth_ldap_cache == NULL) {
ap_rputs("<i>URL cache is NULL</i>", r);
ap_kill_timeout(r);
return 0;
}
ap_rputs("<p>\n"
"<table border='0'>\n"
"<tr bgcolor='#000000'>\n"
"<td><font size='-1' face='Arial,Helvetica' color='#ffffff'><b>Cache
Name</b></font></td>"
"<td><font size='-1' face='Arial,Helvetica'
color='#ffffff'><b>Entries</b></font></td>"
"<td><font size='-1' face='Arial,Helvetica' color='#ffffff'><b>Avg. Chain
Len.</b></font></td>"
"<td colspan='2'><font size='-1' face='Arial,Helvetica'
color='#ffffff'><b>Hits</b></font></td>"
"<td><font size='-1' face='Arial,Helvetica'
color='#ffffff'><b>Ins/Rem</b></font></td>"
"<td colspan='2'><font size='-1' face='Arial,Helvetica'
color='#ffffff'><b>Purges</b></font></td>"
"<td><font size='-1' face='Arial,Helvetica' color='#ffffff'><b>Avg Purge
Time</b></font></td>"
"</tr>\n", r
);
apr_ald_cache_display_stats(apr_ldap_cache, r, "LDAP URL Cache");
for (i=0; i < auth_ldap_cache->size; ++i) {
cache_node *p;
for (p = auth_ldap_cache->nodes[i]; p != NULL; p = p->next) {
url_node *n;
n = (url_node *)p->payload;
ap_snprintf(buf, sizeof(buf), "%s (Searches)", n->url);
ald_cache_display_stats(n->search_cache, r, buf);
ap_snprintf(buf, sizeof(buf), "%s (Compares)", n->url);
ald_cache_display_stats(n->compare_cache, r, buf);
ap_snprintf(buf, sizeof(buf), "%s (DNCompares)", n->url);
ald_cache_display_stats(n->dn_compare_cache, r, buf);
}
}
ap_rputs("</table>\n</p>\n", r);
ap_kill_timeout(r);
#endif
return DECLINED;
}
/* authenticate user -
* is this user who they say they are? */
int mod_auth_ldap_check_user_id(request_rec *r)
{
char filtbuf[FILTER_LENGTH];
mod_auth_ldap_config_t *sec =
(mod_auth_ldap_config_t *)ap_get_module_config(r->per_dir_config,
&auth_ldap_module);
apr_ldap_state_t *st =
(apr_ldap_state_t *)ap_get_module_config(r->server->module_config,
&auth_ldap_module);
apr_ldap_connection_t *ldc = NULL;
const char *sent_pw;
int result = 0;
const char *dn = NULL;
mod_auth_ldap_request_t *req =
(mod_auth_ldap_request_t *)apr_pcalloc(r->pool,
sizeof(mod_auth_ldap_request_t));
ap_set_module_config(r->request_config, &auth_ldap_module, req);
if (!sec->enabled) {
return DECLINED;
}
/*
* Basic sanity checks before any LDAP operations even happen.
*/
if (!sec->have_ldap_url) {
return DECLINED;
}
/* There is a good AuthLDAPURL, right? */
if (sec->host) {
ldc = apr_ldap_connection_find(st, sec->host, sec->port,
sec->binddn, sec->bindpw, sec->deref,
sec->netscapessl, sec->starttls);
}
else {
ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authenticate: no sec->host - weird...?",
getpid());
return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
}
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authenticate: using URL %s", getpid(), sec->url);
/* Get the password that the client sent */
if ((result = ap_get_basic_auth_pw(r, &sent_pw))) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authenticate: "
"ap_get_basic_auth_pw() returns %d", getpid(), result);
apr_ldap_connection_close(ldc);
return result;
}
/* build the username filter */
mod_auth_ldap_build_filter(filtbuf, r, sec);
/* do the user search */
result = apr_ldap_cache_checkuserid(st, ldc, sec->url, sec->basedn, sec->scope,
filtbuf, sent_pw, &dn);
apr_ldap_connection_close(ldc);
if (result != LDAP_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authenticate: "
"user %s authentication failed; URI %s [%s][%s]",
getpid(), r->user, r->uri, ldc->reason, ldap_err2string(result));
if (LDAP_INVALID_CREDENTIALS == result) {
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
else {
return sec->auth_authoritative? HTTP_UNAUTHORIZED: DECLINED;
}
}
/* mark the user and DN */
req->dn = apr_pstrdup(r->pool, dn);
req->user = r->user;
if (sec->user_is_dn) {
r->user = req->dn;
}
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authenticate: accepting %s", getpid(), r->user);
return OK;
}
/* authorise user
*
* is this user allowed to see what they want to see?
*/
int mod_auth_ldap_auth_checker(request_rec *r)
{
int result = 0;
mod_auth_ldap_request_t *req =
(mod_auth_ldap_request_t *)ap_get_module_config(r->request_config,
&auth_ldap_module);
mod_auth_ldap_config_t *sec =
(mod_auth_ldap_config_t *)ap_get_module_config(r->per_dir_config,
&auth_ldap_module);
apr_ldap_state_t *st =
(apr_ldap_state_t *)ap_get_module_config(r->server->module_config,
&auth_ldap_module);
apr_ldap_connection_t *ldc = NULL;
int m = r->method_number;
const apr_array_header_t *reqs_arr = ap_requires(r);
require_line *reqs = reqs_arr ? (require_line *)reqs_arr->elts : NULL;
register int x;
const char *t;
char *w;
int method_restricted = 0;
if (!sec->enabled) {
return DECLINED;
}
if (!sec->have_ldap_url) {
return DECLINED;
}
if (sec->host) {
ldc = apr_ldap_connection_find(st, sec->host, sec->port,
sec->binddn, sec->bindpw, sec->deref,
sec->netscapessl, sec->starttls);
}
else {
ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: no sec->host - weird...?", getpid());
return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
}
/*
* If there are no elements in the group attribute array, the default should be
* member and uniquemember; populate the array now.
*/
if (sec->groupattr->nelts == 0) {
struct mod_auth_ldap_groupattr_entry_t *grp;
apr_lock_acquire(sec->lock);
grp = apr_array_push(sec->groupattr);
grp->name = "member";
grp = apr_array_push(sec->groupattr);
grp->name = "uniquemember";
apr_lock_release(sec->lock);
}
if (!reqs_arr) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: no requirements array", getpid());
return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
}
/* Loop through the requirements array until there's no elements
* left, or something causes a return from inside the loop */
for(x=0; x < reqs_arr->nelts; x++) {
if (! (reqs[x].method_mask & (1 << m))) {
continue;
}
method_restricted = 1;
t = reqs[x].requirement;
w = ap_getword(r->pool, &t, ' ');
if (strcmp(w, "valid-user") == 0) {
/*
* Valid user will always be true if we authenticated with ldap,
* but when using front page, valid user should only be true if
* he exists in the frontpage password file. This hack will get
* auth_ldap to look up the user in the the pw file to really be
* sure that he's valid. Naturally, it requires mod_auth to be
* compiled in, but if mod_auth wasn't in there, then the need
* for this hack wouldn't exist anyway.
*/
if (sec->frontpage_hack) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: "
"deferring authorisation to mod_auth (FP Hack)",
getpid());
return OK;
}
else {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: "
"successful authorisation because user "
"is valid-user", getpid());
return OK;
}
}
else if (strcmp(w, "user") == 0) {
if (req->dn == NULL || strlen(req->dn) == 0) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: "
"require user: user's DN has not been defined; failing
authorisation",
getpid());
return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
}
/*
* First do a whole-line compare, in case it's something like
* require user Babs Jensen
*/
result = apr_ldap_cache_compare(st, ldc, sec->url, req->dn,
sec->attribute, t);
switch(result) {
case LDAP_COMPARE_TRUE: {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: "
"require user: authorisation successful", getpid());
return OK;
}
default: {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: require user: "
"authorisation failed [%s][%s]", getpid(),
ldc->reason, ldap_err2string(result));
}
}
/*
* Now break apart the line and compare each word on it
*/
while (t[0]) {
w = ap_getword_conf(r->pool, &t);
result = apr_ldap_cache_compare(st, ldc, sec->url, req->dn,
sec->attribute, w);
switch(result) {
case LDAP_COMPARE_TRUE: {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: "
"require user: authorisation successful",
getpid());
return OK;
}
default: {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: "
"require user: authorisation failed [%s][%s]",
getpid(), ldc->reason, ldap_err2string(result));
}
}
}
}
else if (strcmp(w, "dn") == 0) {
if (req->dn == NULL || strlen(req->dn) == 0) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: "
"require dn: user's DN has not been defined; failing
authorisation",
getpid());
return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
}
result = apr_ldap_cache_comparedn(st, ldc, sec->url, req->dn, t,
sec->compare_dn_on_server);
switch(result) {
case LDAP_COMPARE_TRUE: {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: "
"require dn: authorisation successful", getpid());
return OK;
}
default: {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: "
"require dn: LDAP error [%s][%s]",
getpid(), ldc->reason, ldap_err2string(result));
}
}
}
else if (strcmp(w, "group") == 0) {
struct mod_auth_ldap_groupattr_entry_t *ent = (struct
mod_auth_ldap_groupattr_entry_t *) sec->groupattr->elts;
int i;
if (sec->group_attrib_is_dn) {
if (req->dn == NULL || strlen(req->dn) == 0) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: require group: user's DN
has not been defined; failing authorisation",
getpid());
return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
}
}
else {
if (req->user == NULL || strlen(req->user) == 0) {
/* We weren't called in the authentication phase, so we didn't
have a
* chance to set the user field. Do so now. */
req->user = r->user;
}
}
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: require group: testing for group
membership in `%s'",
getpid(), t);
for (i = 0; i < sec->groupattr->nelts; i++) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: require group: testing for
%s: %s (%s)", getpid(),
ent[i].name, sec->group_attrib_is_dn ? req->dn :
req->user, t);
result = apr_ldap_cache_compare(st, ldc, sec->url, t, ent[i].name,
sec->group_attrib_is_dn ? req->dn : req->user);
switch(result) {
case LDAP_COMPARE_TRUE: {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: require group: "
"authorisation successful (attribute %s)",
getpid(), ent[i].name);
return OK;
}
default: {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: require group: "
"authorisation failed [%s][%s]",
getpid(), ldc->reason, ldap_err2string(result));
}
}
}
}
}
if (!method_restricted) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: agreeing because non-restricted",
getpid());
return OK;
}
if (!sec->auth_authoritative) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: declining to authorise", getpid());
return DECLINED;
}
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: authorisation denied", getpid());
ap_note_basic_auth_failure (r);
return HTTP_UNAUTHORIZED;
}
/* ---------------------------------------- */
/* config directives */
void *mod_auth_ldap_create_dir_config(apr_pool_t *p, char *d)
{
mod_auth_ldap_config_t *sec =
(mod_auth_ldap_config_t *)apr_pcalloc(p, sizeof(mod_auth_ldap_config_t));
sec->pool = p;
apr_lock_create(&sec->lock, APR_MUTEX, APR_INTRAPROCESS, NULL, p);
sec->auth_authoritative = 1;
sec->enabled = 1;
sec->groupattr = apr_array_make(p, GROUPATTR_MAX_ELTS,
sizeof(struct mod_auth_ldap_groupattr_entry_t));
sec->have_ldap_url = 0;
sec->url = "";
sec->host = NULL;
sec->binddn = NULL;
sec->bindpw = NULL;
sec->deref = always;
sec->group_attrib_is_dn = 1;
sec->frontpage_hack = 0;
sec->netscapessl = 0;
sec->starttls = 0;
sec->user_is_dn = 0;
sec->compare_dn_on_server = 0;
return sec;
}
/*
* Use the ldap url parsing routines to break up the ldap url into
* host and port.
*/
static const char *mod_auth_ldap_parse_url(cmd_parms *cmd,
void *config,
const char *url)
{
int result;
LDAPURLDesc *urld;
mod_auth_ldap_config_t *sec = config;
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
cmd->server, "Trying to parse an url `%s'",
url);
result = ldap_url_parse(url, &(urld));
if (result != LDAP_SUCCESS) {
switch (result) {
case LDAP_URL_ERR_NOTLDAP:
return "LDAP URL does not begin with ldap://";;
case LDAP_URL_ERR_NODN:
return "LDAP URL does not have a DN";
case LDAP_URL_ERR_BADSCOPE:
return "LDAP URL has an invalid scope";
case LDAP_URL_ERR_MEM:
return "Out of memory parsing LDAP URL";
default:
return "Could not parse LDAP URL";
}
}
sec->url = apr_pstrdup(cmd->pool, url);
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
cmd->server, "Url parse: Host: %s", urld->lud_host);
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
cmd->server, "Url parse: Port: %d", urld->lud_port);
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
cmd->server, "Url parse: DN: %s", urld->lud_dn);
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
cmd->server, "Url parse: Attrib: %s", urld->lud_attrs?
urld->lud_attrs[0] : "(null)");
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
cmd->server, "Url parse: Scope: %s",
(urld->lud_scope == LDAP_SCOPE_SUBTREE? "subtree" :
urld->lud_scope == LDAP_SCOPE_BASE? "base" :
urld->lud_scope == LDAP_SCOPE_ONELEVEL? "onelevel" : "unknown"));
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
cmd->server, "Url parse: Filter: %s", urld->lud_filter);
/* Set all the values, or at least some sane defaults */
if (sec->host) {
char *p = apr_palloc(cmd->pool, strlen(sec->host) + strlen(urld->lud_host) +
2);
strcpy(p, urld->lud_host);
strcat(p, " ");
strcat(p, sec->host);
sec->host = p;
}
else {
sec->host = urld->lud_host? apr_pstrdup(cmd->pool, urld->lud_host) :
"localhost";
}
sec->basedn = urld->lud_dn? apr_pstrdup(cmd->pool, urld->lud_dn) : "";
if (urld->lud_attrs && urld->lud_attrs[0]) {
sec->attribute = apr_pstrdup(cmd->pool, urld->lud_attrs[0]);
}
else {
sec->attribute = "uid";
}
sec->scope = urld->lud_scope == LDAP_SCOPE_ONELEVEL ?
LDAP_SCOPE_ONELEVEL : LDAP_SCOPE_SUBTREE;
if (urld->lud_filter) {
if (urld->lud_filter[0] == '(') {
/*
* Get rid of the surrounding parens; later on when generating the
* filter, they'll be put back.
*/
sec->filter = apr_pstrdup(cmd->pool, urld->lud_filter+1);
sec->filter[strlen(sec->filter)-1] = '\0';
}
else {
sec->filter = apr_pstrdup(cmd->pool, urld->lud_filter);
}
}
else {
sec->filter = "objectclass=*";
}
if (strncmp(url, "ldaps", 5) == 0) {
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
cmd->server, "[%d] auth_ldap parse url: requesting secure LDAP",
getpid());
#ifdef APU_HAS_LDAP_STARTTLS
sec->port = urld->lud_port? urld->lud_port : LDAPS_PORT;
sec->starttls = 1;
#else
#ifdef APU_HAS_LDAP_NETSCAPE_SSL
sec->port = urld->lud_port? urld->lud_port : LDAPS_PORT;
sec->netscapessl = 1;
#else
return "Secure LDAP (ldaps://) not supported. Rebuild APR-Util";
#endif
#endif
}
else {
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
cmd->server, "[%d] auth_ldap parse url: not requesting secure
LDAP", getpid());
sec->netscapessl = 0;
sec->starttls = 0;
sec->port = urld->lud_port? urld->lud_port : LDAP_PORT;
}
sec->have_ldap_url = 1;
ldap_free_urldesc(urld);
return NULL;
}
static const char *mod_auth_ldap_set_deref(cmd_parms *cmd, void *config, const char
*arg)
{
mod_auth_ldap_config_t *sec = config;
if (strcmp(arg, "never") == 0 || strcasecmp(arg, "off") == 0) {
sec->deref = never;
}
else if (strcmp(arg, "searching") == 0) {
sec->deref = searching;
}
else if (strcmp(arg, "finding") == 0) {
sec->deref = finding;
}
else if (strcmp(arg, "always") == 0 || strcasecmp(arg, "on") == 0) {
sec->deref = always;
}
else {
return "Unrecognized value for AuthLDAPAliasDereference directive";
}
return NULL;
}
static const char *mod_auth_ldap_add_group_attribute(cmd_parms *cmd, void *config,
const char *arg)
{
struct mod_auth_ldap_groupattr_entry_t *new;
mod_auth_ldap_config_t *sec = config;
if (sec->groupattr->nelts > GROUPATTR_MAX_ELTS)
return "Too many AuthLDAPGroupAttribute directives";
new = apr_array_push(sec->groupattr);
new->name = apr_pstrdup(cmd->pool, arg);
return NULL;
}
static const char *mod_auth_ldap_set_cache_ttl(cmd_parms *cmd, void *dummy, const char
*ttl)
{
apr_ldap_state_t *st =
(apr_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
&auth_ldap_module);
st->search_cache_ttl = atol(ttl) * 1000;
return NULL;
}
static const char *mod_auth_ldap_set_cache_size(cmd_parms *cmd, void *dummy, const
char *size)
{
apr_ldap_state_t *st =
(apr_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
&auth_ldap_module);
st->search_cache_size = atol(size);
if (st->search_cache_size < 0) {
st->search_cache_size = 0;
}
return NULL;
}
static const char *mod_auth_ldap_set_opcache_ttl(cmd_parms *cmd, void *dummy, const
char *ttl)
{
apr_ldap_state_t *st =
(apr_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
&auth_ldap_module);
st->compare_cache_ttl = atol(ttl) * 1000;
return NULL;
}
static const char *mod_auth_ldap_set_opcache_size(cmd_parms *cmd, void *dummy, const
char *size)
{
apr_ldap_state_t *st =
(apr_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
&auth_ldap_module);
st->compare_cache_size = atol(size);
if (st->compare_cache_size < 0) {
st->compare_cache_size = 0;
}
return NULL;
}
#ifdef APU_HAS_LDAPSSL_CLIENT_INIT
static const char *mod_auth_ldap_set_certdbpath(cmd_parms *cmd, void *dummy, const
char *path)
{
apr_ldap_state_t *st =
(apr_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
&auth_ldap_module);
st->have_certdb = 1;
if (ldapssl_client_init(path, NULL) != 0)
return "Could not initialize SSL client";
else
return NULL;
}
#endif
void *mod_auth_ldap_create_config(apr_pool_t *p, server_rec *s)
{
apr_ldap_state_t *st =
(apr_ldap_state_t *)apr_pcalloc(p, sizeof(apr_ldap_state_t));
st->pool = p;
st->search_cache_ttl = 600000;
st->search_cache_size = 1024;
st->compare_cache_ttl = 600000;
st->compare_cache_size = 1024;
st->connections = NULL;
#ifdef APU_HAS_LDAP_STARTSSL
st->have_certdb = 0;
#endif
return st;
}
static void mod_auth_ldap_init_module(apr_pool_t *p, server_rec *s)
{
apr_ldap_cache_init(p);
}
command_rec mod_auth_ldap_cmds[] = {
AP_INIT_TAKE1("AuthLDAPURL", mod_auth_ldap_parse_url, NULL, OR_AUTHCFG,
"URL to define LDAP connection. This should be an RFC 2255
complaint\n"
"URL of the form
ldap://host[:port]/basedn[?attrib[?scope[?filter]]].\n";
"<ul>\n"
"<li>Host is the name of the LDAP server. Use a space separated list
of hosts \n"
"to specify redundant servers.\n"
"<li>Port is optional, and specifies the port to connect to.\n"
"<li>basedn specifies the base DN to start searches from\n"
"<li>Attrib specifies what attribute to search for in the directory.
If not "
"provided, it defaults to <b>uid</b>.\n"
"<li>Scope is the scope of the search, and can be either <b>sub</b>
or "
"<b>one</b>. If not provided, the default is <b>sub</b>.\n"
"<li>Filter is a filter to use in the search. If not provided, "
"defaults to <b>(objectClass=*)</b>.\n"
"</ul>\n"
"Searches are performed using the attribute and the filter combined.
"
"For example, assume that the\n"
"LDAP URL is <b>ldap://ldap.airius.com/ou=People,
o=Airius?uid?sub?(posixid=*)</b>. "
"Searches will\n"
"be done using the filter
<b>(&((posixid=*))(uid=<i>username</i>))</b>, "
"where <i>username</i>\n"
"is the user name passed by the HTTP client. The search will be a
subtree "
"search on the branch <b>ou=People, o=Airius</b>."),
AP_INIT_TAKE1("AuthLDAPBindDN", ap_set_string_slot,
(void *)XtOffsetOf(mod_auth_ldap_config_t, binddn), OR_AUTHCFG,
"DN to use to bind to LDAP server. If not provided, will do an
anonymous bind."),
AP_INIT_TAKE1("AuthLDAPBindPassword", ap_set_string_slot,
(void *)XtOffsetOf(mod_auth_ldap_config_t, bindpw), OR_AUTHCFG,
"Password to use to bind to LDAP server. If not provided, will do an
anonymous bind."),
AP_INIT_FLAG("AuthLDAPRemoteUserIsDN", ap_set_flag_slot,
(void *)XtOffsetOf(mod_auth_ldap_config_t, user_is_dn), OR_AUTHCFG,
"Set to 'on' to set the REMOTE_USER environment variable to be the
full "
"DN of the remote user. By default, this is set to off, meaning that "
"the REMOTE_USER variable will contain whatever value the remote user
sent."),
AP_INIT_FLAG("AuthLDAPAuthoritative", ap_set_flag_slot,
(void *)XtOffsetOf(mod_auth_ldap_config_t, auth_authoritative),
OR_AUTHCFG,
"Set to 'off' to allow access control to be passed along to lower
modules if "
"the UserID and/or group is not known to this module"),
AP_INIT_FLAG("AuthLDAPCompareDNOnServer", ap_set_flag_slot,
(void *)XtOffsetOf(mod_auth_ldap_config_t, compare_dn_on_server),
OR_AUTHCFG,
"Set to 'on' to force auth_ldap to do DN compares (for the \"require
dn\" "
"directive) using the server, and set it 'off' to do the compares
locally "
"(at the expense of possible false matches). See the documentation
for "
"a complete description of this option."),
AP_INIT_ITERATE("AuthLDAPGroupAttribute", mod_auth_ldap_add_group_attribute, NULL,
OR_AUTHCFG,
"A list of attributes used to define group membership - defaults
to "
"member and uniquemember"),
AP_INIT_FLAG("AuthLDAPGroupAttributeIsDN", ap_set_flag_slot,
(void *)XtOffsetOf(mod_auth_ldap_config_t, group_attrib_is_dn),
OR_AUTHCFG,
"If set to 'on', auth_ldap uses the DN that is retrieved from the
server for"
"subsequent group comparisons. If set to 'off', auth_ldap uses the
string"
"provided by the client directly. Defaults to 'on'."),
#ifdef APU_HAS_LDAPSSL_CLIENT_INIT
AP_INIT_TAKE1("AuthLDAPCertDBPath", mod_auth_ldap_set_certdbpath, NULL, RSRC_CONF,
"Specifies the file containing Certificate Authority certificates "
"for validating secure LDAP server certificates. This file must be
the "
"cert7.db database used by Netscape Communicator"),
#endif
AP_INIT_TAKE1("AuthLDAPCacheSize", mod_auth_ldap_set_cache_size, NULL, RSRC_CONF,
"Sets the maximum amount of memory in bytes that the LDAP search
cache will use. "
"Zero means no limit; -1 disables the cache. Defaults to 10KB."),
AP_INIT_TAKE1("AuthLDAPCacheTTL", mod_auth_ldap_set_cache_ttl, NULL, RSRC_CONF,
"Sets the maximum time (in seconds) that an item can be cached in
the LDAP "
"search cache. Zero means no limit. Defaults to 600 seconds (10
minutes)."),
AP_INIT_TAKE1("AuthLDAPOpCacheSize", mod_auth_ldap_set_opcache_size, NULL,
RSRC_CONF,
"Sets the initial size of the LDAP operation cache (for bind and
compare "
"operations). Set to 0 to disable the cache. The default is 1024,
which is "
"sufficient to efficiently cache approximately 3000 distinct DNs."),
AP_INIT_TAKE1("AuthLDAPOpCacheTTL", mod_auth_ldap_set_opcache_ttl, NULL, RSRC_CONF,
"Sets the maximum time (in seconds) that an item is cached in the
LDAP "
"operation cache. Zero means no limit. Defaults to 600 seconds (10
minutes)."),
AP_INIT_TAKE1("AuthLDAPDereferenceAliases", mod_auth_ldap_set_deref, NULL,
OR_AUTHCFG,
"Determines how aliases are handled during a search. Can bo one of
the"
"values \"never\", \"searching\", \"finding\", or \"always\". "
"Defaults to always."),
AP_INIT_FLAG("AuthLDAPEnabled", ap_set_flag_slot,
(void *)XtOffsetOf(mod_auth_ldap_config_t, enabled), OR_AUTHCFG,
"Set to off to disable auth_ldap, even if it's been enabled in a
higher tree"),
AP_INIT_FLAG("AuthLDAPFrontPageHack", ap_set_flag_slot,
(void *)XtOffsetOf(mod_auth_ldap_config_t, frontpage_hack),
OR_AUTHCFG,
"Set to 'on' to support Microsoft FrontPage"),
#ifdef APU_HAS_LDAP_STARTTLS
AP_INIT_FLAG("AuthLDAPStartTLS", ap_set_flag_slot,
(void *)XtOffsetOf(mod_auth_ldap_config_t, starttls), OR_AUTHCFG,
"Set to 'on' to start TLS after connecting to the LDAP server."),
#endif /* APU_HAS_LDAP_STARTTLS */
{NULL}
};
static void mod_auth_ldap_register_hooks(apr_pool_t *p)
{
ap_hook_child_init(mod_auth_ldap_init_module, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_handler(mod_auth_ldap_handler, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_check_user_id(mod_auth_ldap_check_user_id, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_auth_checker(mod_auth_ldap_auth_checker, NULL, NULL, APR_HOOK_MIDDLE);
}
module auth_ldap_module = {
STANDARD20_MODULE_STUFF,
mod_auth_ldap_create_dir_config, /* dir config creater */
NULL, /* dir merger --- default is to override */
mod_auth_ldap_create_config, /* server config */
NULL, /* merge server config */
mod_auth_ldap_cmds, /* command table */
mod_auth_ldap_register_hooks, /* set up request processing hooks */
};
S/MIME Cryptographic Signature
