Re: svn commit: r1589993 - in /httpd/httpd/trunk: CHANGES docs/manual/expr.xml docs/manual/mod/mod_authnz_ldap.xml modules/aaa/mod_authnz_ldap.c
On 18/11/2023 at 20:52, Yann Ylavic wrote:
> On Wed, Apr 30, 2014 at 1:02 AM Yann Ylavic wrote:
>> On Tue, Apr 29, 2014 at 10:54 PM, Christophe JAILLET wrote:
>>> Hi,
>>>
>>> doc does not build because of below:
>>>
>>> CJ
>>>
>>> On 25/04/2014 13:14, minf...@apache.org wrote:
>>>> +
>>>> +LocationMatch ^/dav/(?[^/]+)/
>>>
>>> ^ There
>>
>> Hmm, won't LocationMatch itself be broken by the inner <>s ?
>
> Wow, fortunately I didn't hold my breath on this one :)
>
> Someone needs to answer to this former/younger/naive me though and since I'm on this commit again: look Yann, this match is double-quoted now so we should be fine!

In fact, at that time, another solution was provided in r1591113.
But what you propose above should have worked as well, I guess. :)

CJ
Re: svn commit: r1589993 - in /httpd/httpd/trunk: CHANGES docs/manual/expr.xml docs/manual/mod/mod_authnz_ldap.xml modules/aaa/mod_authnz_ldap.c
On Wed, Apr 30, 2014 at 1:02 AM Yann Ylavic wrote:
>
> On Tue, Apr 29, 2014 at 10:54 PM, Christophe JAILLET wrote:
> > Hi,
> >
> > doc does not build because of below:
> >
> > CJ
> >
> > On 25/04/2014 13:14, minf...@apache.org wrote:
> >> +
> >> +LocationMatch ^/dav/(?[^/]+)/
> >
> > ^ There
> >
>
> Hmm, won't LocationMatch itself be broken by the inner <>s ?

Wow, fortunately I didn't hold my breath on this one :)

Someone needs to answer to this former/younger/naive me though and since I'm on this commit again: look Yann, this match is double-quoted now so we should be fine!
Re: svn commit: r1589993 - in /httpd/httpd/trunk: CHANGES docs/manual/expr.xml docs/manual/mod/mod_authnz_ldap.xml modules/aaa/mod_authnz_ldap.c
On Fri, Apr 25, 2014 at 1:15 PM wrote:
>
> Author: minfrin
> Date: Fri Apr 25 11:14:36 2014
> New Revision: 1589993
>
> URL: http://svn.apache.org/r1589993
> Log:
> Add the ldap-search option to mod_authnz_ldap, allowing authorization
> to be based on arbitrary expressions that do not include the username.
[]
>
> --- httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml (original)
> +++ httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml Fri Apr 25 11:14:36 2014
[]
> @@ -508,6 +514,28 @@ AuthLDAPMaxSubGroupDepth 1 > > > > +Require ldap-search > + > +The Require ldap-search directive allows the > +administrator to grant access based on a generic LDAP search filter > using an > +expression. If there is exactly one match to > the search filter, > +regardless of the distinguished name, access is granted. I get from this that there should be one match.. > > --- httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c (original) > +++ httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c Fri Apr 25 11:14:36 2014 [] > > +static authz_status ldapsearch_check_authorization(request_rec *r, > + const char *require_args, > + const void > *parsed_require_args) > +{ > +int result = 0; > +authn_ldap_config_t *sec = > +(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, > _ldap_module); > + > +util_ldap_connection_t *ldc = NULL; > + > +const char *err = NULL; > +const ap_expr_info_t *expr = parsed_require_args; > +const char *require; > +const char *t; > +const char *dn = NULL; > + > +if (!sec->have_ldap_url) { > +return AUTHZ_DENIED; > +} > + > +if (sec->host) { > +ldc = get_connection_for_authz(r, LDAP_SEARCH); > +apr_pool_cleanup_register(r->pool, ldc, > + authnz_ldap_cleanup_connection_close, > + apr_pool_cleanup_null); > +} > +else { > +ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01738) > + "auth_ldap authorize: no sec->host - weird...?"); > +return AUTHZ_DENIED; > +} > + > +require = ap_expr_str_exec(r, expr, ); > +if (err) { > +ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO() > + "auth_ldap authorize: require ldap-search: Can't " > + "evaluate require expression: %s", err); > +return AUTHZ_DENIED; > +} > + > +t = require; > + > +if (t[0]) { > +const char **vals; > + > +ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO() > + "auth_ldap authorize: checking filter %s", t); > + > +/* Search for the user DN */ > +result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, > + sec->scope, sec->attributes, t, , ); > + > 
+/* Make sure that the filtered search returned a single dn */ And it's restated here.. > +if (result == LDAP_SUCCESS && dn) { > +ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO() > + "auth_ldap authorize: require ldap-search: " > + "authorization successful"); > +return AUTHZ_GRANTED; I get that for "ldap-filter" (unlike for "ldap-search here) we'll do a util_ldap_cache_comparedn() to (double) check the returned DN somehow (sorry I don't really know how LDAP works), not here though because we don't require a particular DN but just a single one. But what makes sure that it's the case here? > +} > +else { > +ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO() > + "auth_ldap authorize: require ldap-search: " > + "%s authorization failed [%s][%s]", > + t, ldc->reason, ldap_err2string(result)); > +} > +} > + > +ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO() > + "auth_ldap authorize filter: authorization denied for " > + "to %s", r->uri); > + > +return AUTHZ_DENIED; > +} Regards; Yann.
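Review bot: the comment `/* Make sure that the filtered search returned a single dn */` in the C hunk does not match the condition under it: `if (result == LDAP_SUCCESS && dn)` only shows that the search succeeded and yielded some DN, not that exactly one entry matched the filter, which is what the new `Require ldap-search` documentation promises. Either have the lookup report the number of matching entries and return AUTHZ_DENIED when it is not one, or reword the documentation to say that any match grants access. Two smaller points in the same hunk: every `APLOGNO()` is empty and needs an allocated log tag before commit, and the final debug message is built from `"authorization denied for "` followed by `"to %s"`, which loses a word.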
Re: svn commit: r1589993 - in /httpd/httpd/trunk: CHANGES docs/manual/expr.xml docs/manual/mod/mod_authnz_ldap.xml modules/aaa/mod_authnz_ldap.c
Hi,

doc does not build because of SITENAME below:

CJ

On 25/04/2014 13:14, minf...@apache.org wrote:
Author: minfrin
Date: Fri Apr 25 11:14:36 2014
New Revision: 1589993
URL: http://svn.apache.org/r1589993
Log: Add the ldap-search option to mod_authnz_ldap, allowing authorization to be based on arbitrary expressions that do not include the username.
Modified: httpd/httpd/trunk/CHANGES httpd/httpd/trunk/docs/manual/expr.xml httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
Modified: httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml?rev=1589993r1=1589992r2=1589993view=diff == --- httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml (original) +++ httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml Fri Apr 25 11:14:36 2014 @@ -508,6 +514,28 @@ AuthLDAPMaxSubGroupDepth 1 /section +section id=reqsearchtitleRequire ldap-search/title + +pThe codeRequire ldap-search/code directive allows the +administrator to grant access based on a generic LDAP search filter using an +a href=../expr.htmlexpression/a. If there is exactly one match to the search filter, +regardless of the distinguished name, access is granted./p + +pThe following directive would grant access to URLs that match the given objects in the +LDAP server:/p + +highlight language=config +lt;LocationMatch ^/dav/(?SITENAME[^/]+)/gt; ^ There +Require ldap-search (cn=%{ldap:%{unescape:%{env:MATCH_SITENAME}} Website) +lt;/LocationMatchgt; +/highlight + +pNote: care must be taken to ensure that any expressions are properly escaped to guard +against LDAP injection. The strongldap/strong function can be used as per the example +above./p + +/section + /section section id=examplestitleExamples/title
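Review bot: the `highlight` block in the new `reqsearch` section of mod_authnz_ldap.xml puts the raw named-capture group `(?<SITENAME>...)` inside the XML body, which is what stops the manual from building; within the document the angle brackets have to be written as entities, `(?&lt;SITENAME&gt;[^/]+)`, the same way the enclosing `&lt;LocationMatch` and `&lt;/LocationMatch&gt;` already are. The rendered `LocationMatch` argument should also be double-quoted so the capture group's own `<` and `>` are not read as the directive's closing bracket. As the example appears here, the filter `(cn=%{ldap:%{unescape:%{env:MATCH_SITENAME}} Website)` opens three `%{` but closes only two, so please check the brace count before this is used as the reference for the LDAP-injection guidance in the paragraph below it.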
Re: svn commit: r1589993 - in /httpd/httpd/trunk: CHANGES docs/manual/expr.xml docs/manual/mod/mod_authnz_ldap.xml modules/aaa/mod_authnz_ldap.c
On Tue, Apr 29, 2014 at 10:54 PM, Christophe JAILLET christophe.jail...@wanadoo.fr wrote:
> Hi,
>
> doc does not build because of SITENAME below:
>
> CJ
>
> On 25/04/2014 13:14, minf...@apache.org wrote:
>> +highlight language=config
>> +lt;LocationMatch ^/dav/(?SITENAME[^/]+)/gt;
> ^ There

Hmm, won't LocationMatch itself be broken by the inner <>s ?