Re: svn commit: r1589993 - in /httpd/httpd/trunk: CHANGES docs/manual/expr.xml docs/manual/mod/mod_authnz_ldap.xml modules/aaa/mod_authnz_ldap.c

2023-11-23 Thread Christophe JAILLET

On 18/11/2023 at 20:52, Yann Ylavic wrote:

On Wed, Apr 30, 2014 at 1:02 AM Yann Ylavic  wrote:


On Tue, Apr 29, 2014 at 10:54 PM, Christophe JAILLET
 wrote:

Hi,

doc does not build because of <SITENAME> below:

CJ

On 25/04/2014 13:14, minf...@apache.org wrote:

+
+LocationMatch ^/dav/(?[^/]+)/


   ^ There



Hmm, won't LocationMatch itself be broken by the inner <>s ?


Wow, fortunately I didn't hold my breath on this one :)
Someone needs to answer to this former/younger/naive me though and
since I'm on this commit again: look Yann, this match is double-quoted
now so we should be fine!



In fact, at that time, another solution was provided in r1591113.

But what you propose above should have worked as well, I guess. :)

CJ


Re: svn commit: r1589993 - in /httpd/httpd/trunk: CHANGES docs/manual/expr.xml docs/manual/mod/mod_authnz_ldap.xml modules/aaa/mod_authnz_ldap.c

2023-11-18 Thread Yann Ylavic
On Wed, Apr 30, 2014 at 1:02 AM Yann Ylavic  wrote:
>
> On Tue, Apr 29, 2014 at 10:54 PM, Christophe JAILLET
>  wrote:
> > Hi,
> >
> > doc does not build because of <SITENAME> below:
> >
> > CJ
> >
> > On 25/04/2014 13:14, minf...@apache.org wrote:
> >> +
> >> +LocationMatch ^/dav/(?[^/]+)/
> >
> >   ^ There
> >
>
> Hmm, won't LocationMatch itself be broken by the inner <>s ?

Wow, fortunately I didn't hold my breath on this one :)
Someone needs to answer to this former/younger/naive me though and
since I'm on this commit again: look Yann, this match is double-quoted
now so we should be fine!


Re: svn commit: r1589993 - in /httpd/httpd/trunk: CHANGES docs/manual/expr.xml docs/manual/mod/mod_authnz_ldap.xml modules/aaa/mod_authnz_ldap.c

2023-11-18 Thread Yann Ylavic
On Fri, Apr 25, 2014 at 1:15 PM  wrote:
>
> Author: minfrin
> Date: Fri Apr 25 11:14:36 2014
> New Revision: 1589993
>
> URL: http://svn.apache.org/r1589993
> Log:
> Add the ldap-search option to mod_authnz_ldap, allowing authorization
> to be based on arbitrary expressions that do not include the username.
[]
>
> --- httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml (original)
> +++ httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml Fri Apr 25 11:14:36 
> 2014
[]
> @@ -508,6 +514,28 @@ AuthLDAPMaxSubGroupDepth 1
>
>  
>
> +Require ldap-search
> +
> +The Require ldap-search directive allows the
> +administrator to grant access based on a generic LDAP search filter 
> using an
> +expression. If there is exactly one match to 
> the search filter,
> +regardless of the distinguished name, access is granted.

I get from this that there should be one match..

>
> --- httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c (original)
> +++ httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c Fri Apr 25 11:14:36 2014
[]
>
> +static authz_status ldapsearch_check_authorization(request_rec *r,
> +   const char *require_args,
> +   const void 
> *parsed_require_args)
> +{
> +int result = 0;
> +authn_ldap_config_t *sec =
> +(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, 
> _ldap_module);
> +
> +util_ldap_connection_t *ldc = NULL;
> +
> +const char *err = NULL;
> +const ap_expr_info_t *expr = parsed_require_args;
> +const char *require;
> +const char *t;
> +const char *dn = NULL;
> +
> +if (!sec->have_ldap_url) {
> +return AUTHZ_DENIED;
> +}
> +
> +if (sec->host) {
> +ldc = get_connection_for_authz(r, LDAP_SEARCH);
> +apr_pool_cleanup_register(r->pool, ldc,
> +  authnz_ldap_cleanup_connection_close,
> +  apr_pool_cleanup_null);
> +}
> +else {
> +ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01738)
> +  "auth_ldap authorize: no sec->host - weird...?");
> +return AUTHZ_DENIED;
> +}
> +
> +require = ap_expr_str_exec(r, expr, );
> +if (err) {
> +ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
> +  "auth_ldap authorize: require ldap-search: Can't "
> +  "evaluate require expression: %s", err);
> +return AUTHZ_DENIED;
> +}
> +
> +t = require;
> +
> +if (t[0]) {
> +const char **vals;
> +
> +ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO()
> +  "auth_ldap authorize: checking filter %s", t);
> +
> +/* Search for the user DN */
> +result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
> + sec->scope, sec->attributes, t, , );
> +
> +/* Make sure that the filtered search returned a single dn */

And it's restated here..

> +if (result == LDAP_SUCCESS && dn) {
> +ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO()
> +  "auth_ldap authorize: require ldap-search: "
> +  "authorization successful");
> +return AUTHZ_GRANTED;

I get that for "ldap-filter" (unlike for "ldap-search" here) we'll do a
util_ldap_cache_comparedn() to (double) check the returned DN somehow
(sorry I don't really know how LDAP works), not here though because we
don't require a particular DN but just a single one.
But what makes sure that it's the case here?

> +}
> +else {
> +ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO()
> +  "auth_ldap authorize: require ldap-search: "
> +  "%s authorization failed [%s][%s]",
> +  t, ldc->reason, ldap_err2string(result));
> +}
> +}
> +
> +ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO()
> +  "auth_ldap authorize filter: authorization denied for "
> +  "to %s", r->uri);
> +
> +return AUTHZ_DENIED;
> +}
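Review bot: nothing in this function enforces the single-match rule the manual text promises: the grant at `if (result == LDAP_SUCCESS && dn)` only checks that util_ldap_cache_getuserdn() handed back some DN for the filter, so whether a filter that matches several entries is rejected depends entirely on that helper, which is not in this hunk. Either have the helper report the entry count and deny unless it is exactly one, or document that the search is expected to be unique. Two smaller points: the last debug message reads "authorization denied for to %s" (drop "for" or "to"), and the APLOGNO() tags on the new messages are empty and need numbers assigned, while APLOGNO(01738) on the sec->host warning should be checked to be unique to this call site.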


Regards;
Yann.
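As an added illustration (my own C, not mod_authnz_ldap's code) of the two points discussed in this thread: the exactly-one-match decision Yann asks about, and the filter-value escaping that the %{ldap:...} function in the manual example provides. The directory contents are constructed, and `search_cn` is an assumed stand-in for the getuserdn-style lookup, not the real helper.

```c
#include <string.h>

/* Constructed sample directory standing in for the LDAP server; two entries share the cn "Beta Website". */
struct entry { const char *dn; const char *cn; };
static const struct entry directory[] = {
    { "cn=Alpha Website,ou=sites,dc=example,dc=com",  "Alpha Website" },
    { "cn=Beta Website,ou=sites,dc=example,dc=com",   "Beta Website"  },
    { "cn=Beta Website,ou=archive,dc=example,dc=com", "Beta Website"  },
};
#define NENTRIES (sizeof(directory) / sizeof(directory[0]))

/* Escape an assertion value for an LDAP search filter in the RFC 4515 style ('*', '(', ')', '\'
 * become \2a \28 \29 \5c); this is the job the %{ldap:...} expression function does. -1 on overflow. */
int ldap_filter_escape(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            if (o + 3 >= outlen) return -1;
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Equality search on cn: returns the number of matching entries and the DN of the first one (assumed helper). */
int search_cn(const char *cn, const char **dn_out)
{
    int n = 0;
    *dn_out = NULL;
    for (size_t i = 0; i < NENTRIES; i++)
        if (strcmp(directory[i].cn, cn) == 0 && n++ == 0)
            *dn_out = directory[i].dn;
    return n;
}

/* The check the review asks for: grant (1) only when exactly one entry matches; zero or several are denied (0). */
int ldapsearch_authorize(const char *cn, const char **dn_out)
{
    return search_cn(cn, dn_out) == 1;
}
```

"Beta Website" matches two entries and is denied, which is the case the real function can only handle if its lookup helper reports more than a single DN.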


Re: svn commit: r1589993 - in /httpd/httpd/trunk: CHANGES docs/manual/expr.xml docs/manual/mod/mod_authnz_ldap.xml modules/aaa/mod_authnz_ldap.c

2014-04-29 Thread Christophe JAILLET

Hi,

doc does not build because of <SITENAME> below:

CJ

On 25/04/2014 13:14, minf...@apache.org wrote:

Author: minfrin
Date: Fri Apr 25 11:14:36 2014
New Revision: 1589993

URL: http://svn.apache.org/r1589993
Log:
Add the ldap-search option to mod_authnz_ldap, allowing authorization
to be based on arbitrary expressions that do not include the username.

Modified:
 httpd/httpd/trunk/CHANGES
 httpd/httpd/trunk/docs/manual/expr.xml
 httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml
 httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c

Modified: httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml
URL: 
http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml?rev=1589993r1=1589992r2=1589993view=diff
==
--- httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml Fri Apr 25 11:14:36 
2014
@@ -508,6 +514,28 @@ AuthLDAPMaxSubGroupDepth 1
  
  /section
  
+section id=reqsearchtitleRequire ldap-search/title

+
+pThe codeRequire ldap-search/code directive allows the
+administrator to grant access based on a generic LDAP search filter using 
an
+a href=../expr.htmlexpression/a. If there is exactly one match to 
the search filter,
+regardless of the distinguished name, access is granted./p
+
+pThe following directive would grant access to URLs that match the given 
objects in the
+LDAP server:/p
+
+highlight language=config
+lt;LocationMatch ^/dav/(?SITENAME[^/]+)/gt;

  ^ There

+Require ldap-search (cn=%{ldap:%{unescape:%{env:MATCH_SITENAME}} Website)
+lt;/LocationMatchgt;
+/highlight
+
+pNote: care must be taken to ensure that any expressions are properly 
escaped to guard
+against LDAP injection. The strongldap/strong function can be used as 
per the example
+above./p
+
+/section
+
  /section
  
  section id=examplestitleExamples/title
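Review bot: the named capture group `(?<SITENAME>[^/]+)` in the highlight block is where the manual build fails (CJ's marker): inside the XML source `<SITENAME>` reads as an element start tag, so it needs the same `&lt;`/`&gt;` escaping as the `&lt;LocationMatch ... &gt;` delimiters on the same line. The prose could also say that `MATCH_SITENAME` is the environment variable LocationMatch fills from that group, since the example otherwise leaves the link between the regex and `%{env:MATCH_SITENAME}` implicit.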




Re: svn commit: r1589993 - in /httpd/httpd/trunk: CHANGES docs/manual/expr.xml docs/manual/mod/mod_authnz_ldap.xml modules/aaa/mod_authnz_ldap.c

2014-04-29 Thread Yann Ylavic
On Tue, Apr 29, 2014 at 10:54 PM, Christophe JAILLET
christophe.jail...@wanadoo.fr wrote:
 Hi,

 doc does not build because of <SITENAME> below:

 CJ

 On 25/04/2014 13:14, minf...@apache.org wrote:
 +highlight language=config
 +lt;LocationMatch ^/dav/(?SITENAME[^/]+)/gt;

   ^ There


Hmm, won't LocationMatch itself be broken by the inner <>s ?