Re: svn commit: r1589993 - in /httpd/httpd/trunk: CHANGES docs/manual/expr.xml docs/manual/mod/mod_authnz_ldap.xml modules/aaa/mod_authnz_ldap.c
On 18/11/2023 at 20:52, Yann Ylavic wrote:
> On Wed, Apr 30, 2014 at 1:02 AM Yann Ylavic wrote:
> > On Tue, Apr 29, 2014 at 10:54 PM, Christophe JAILLET wrote:
> > > Hi,
> > >
> > > doc does not build because of below:
> > >
> > > CJ
> > >
> > > On 25/04/2014 13:14, [email protected] wrote:
> > > > +
> > > > +
> > >
> > >             ^ There
> > >
> >
> > Hmm, won't LocationMatch itself be broken by the inner <>s ?
>
> Wow, fortunately I didn't hold my breath on this one :)
>
> Someone needs to answer to this former/younger/naive me though and since
> I'm on this commit again: look Yann, this match is double-quoted now so we
> should be fine!

In fact, at that time, another solution was provided in r1591113.
But what you propose above, should have worked as well, I guess. :).

CJ
Re: svn commit: r1589993 - in /httpd/httpd/trunk: CHANGES docs/manual/expr.xml docs/manual/mod/mod_authnz_ldap.xml modules/aaa/mod_authnz_ldap.c
On Wed, Apr 30, 2014 at 1:02 AM Yann Ylavic wrote:
>
> On Tue, Apr 29, 2014 at 10:54 PM, Christophe JAILLET wrote:
> > Hi,
> >
> > doc does not build because of below:
> >
> > CJ
> >
> > On 25/04/2014 13:14, [email protected] wrote:
> >> +
> >> +
> >
> >             ^ There
> >
>
> Hmm, won't LocationMatch itself be broken by the inner <>s ?

Wow, fortunately I didn't hold my breath on this one :)

Someone needs to answer to this former/younger/naive me though and since I'm on this commit again: look Yann, this match is double-quoted now so we should be fine!
Re: svn commit: r1589993 - in /httpd/httpd/trunk: CHANGES docs/manual/expr.xml docs/manual/mod/mod_authnz_ldap.xml modules/aaa/mod_authnz_ldap.c
On Fri, Apr 25, 2014 at 1:15 PM wrote:
>
> Author: minfrin
> Date: Fri Apr 25 11:14:36 2014
> New Revision: 1589993
>
> URL: http://svn.apache.org/r1589993
> Log:
> Add the ldap-search option to mod_authnz_ldap, allowing authorization
> to be based on arbitrary expressions that do not include the username.
[]
>
> --- httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml (original)
> +++ httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml Fri Apr 25 11:14:36
> 2014
[]
> @@ -508,6 +514,28 @@ AuthLDAPMaxSubGroupDepth 1
>
>
>
> +Require ldap-search
> +
> +The Require ldap-search directive allows the
> +administrator to grant access based on a generic LDAP search filter
> using an
> +expression. If there is exactly one match to
> the search filter,
> +regardless of the distinguished name, access is granted.
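Review bot: the sentence "If there is exactly one match to the search filter, regardless of the distinguished name, access is granted" leaves the other outcomes unspecified; the documentation should say explicitly what happens when the filter matches zero entries or several entries (denied, or granted on the first hit), because for an authorization directive that difference is the whole security contract an administrator relies on when writing a broad filter.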
I get from this that there should be one match..
>
> --- httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c (original)
> +++ httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c Fri Apr 25 11:14:36 2014
[]
>
> +static authz_status ldapsearch_check_authorization(request_rec *r,
> + const char *require_args,
> + const void
> *parsed_require_args)
> +{
> +int result = 0;
> +authn_ldap_config_t *sec =
> +(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config,
> &authnz_ldap_module);
> +
> +util_ldap_connection_t *ldc = NULL;
> +
> +const char *err = NULL;
> +const ap_expr_info_t *expr = parsed_require_args;
> +const char *require;
> +const char *t;
> +const char *dn = NULL;
> +
> +if (!sec->have_ldap_url) {
> +return AUTHZ_DENIED;
> +}
> +
> +if (sec->host) {
> +ldc = get_connection_for_authz(r, LDAP_SEARCH);
> +apr_pool_cleanup_register(r->pool, ldc,
> + authnz_ldap_cleanup_connection_close,
> + apr_pool_cleanup_null);
> +}
> +else {
> +ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01738)
> + "auth_ldap authorize: no sec->host - weird...?");
> +return AUTHZ_DENIED;
> +}
> +
> +require = ap_expr_str_exec(r, expr, &err);
> +if (err) {
> +ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
> + "auth_ldap authorize: require ldap-search: Can't "
> + "evaluate require expression: %s", err);
> +return AUTHZ_DENIED;
> +}
> +
> +t = require;
> +
> +if (t[0]) {
> +const char **vals;
> +
> +ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO()
> + "auth_ldap authorize: checking filter %s", t);
> +
> +/* Search for the user DN */
> +result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
> + sec->scope, sec->attributes, t, &dn, &vals);
> +
> +/* Make sure that the filtered search returned a single dn */
And it's restated here..
> +if (result == LDAP_SUCCESS && dn) {
> +ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO()
> + "auth_ldap authorize: require ldap-search: "
> + "authorization successful");
> +return AUTHZ_GRANTED;
I get that for "ldap-filter" (unlike for "ldap-search here) we'll do a
util_ldap_cache_comparedn() to (double) check the returned DN somehow
(sorry I don't really know how LDAP works), not here though because we
don't require a particular DN but just a single one.
But what makes sure that it's the case here?
> +}
> +else {
> +ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO()
> + "auth_ldap authorize: require ldap-search: "
> + "%s authorization failed [%s][%s]",
> + t, ldc->reason, ldap_err2string(result));
> +}
> +}
> +
> +ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO()
> + "auth_ldap authorize filter: authorization denied for "
> + "to %s", r->uri);
> +
> +return AUTHZ_DENIED;
> +}
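Review bot: the comment "Make sure that the filtered search returned a single dn" is not backed by any check in this function; the condition that follows is only `if (result == LDAP_SUCCESS && dn)`, so uniqueness is delegated entirely to util_ldap_cache_getuserdn, and given that the documentation promises "exactly one match" the comment should state that dependence (or the function should verify the count itself). Separately, every new `APLOGNO()` in this hunk is empty and needs a log tag assigned (the existing `APLOGNO(01738)` shows the convention), and the final debug message reads "authorization denied for to %s" and is still prefixed "auth_ldap authorize filter:" although this is the ldap-search path.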
Regards;
Yann.
Re: svn commit: r1589993 - in /httpd/httpd/trunk: CHANGES docs/manual/expr.xml docs/manual/mod/mod_authnz_ldap.xml modules/aaa/mod_authnz_ldap.c
On Tue, Apr 29, 2014 at 10:54 PM, Christophe JAILLET wrote:
> Hi,
>
> doc does not build because of below:
>
> CJ
>
> On 25/04/2014 13:14, [email protected] wrote:
>> +
>> +
>
>             ^ There
>

Hmm, won't LocationMatch itself be broken by the inner <>s ?
Re: svn commit: r1589993 - in /httpd/httpd/trunk: CHANGES docs/manual/expr.xml docs/manual/mod/mod_authnz_ldap.xml modules/aaa/mod_authnz_ldap.c
Hi,

doc does not build because of below:

CJ

On 25/04/2014 13:14, [email protected] wrote:
> Author: minfrin
> Date: Fri Apr 25 11:14:36 2014
> New Revision: 1589993
>
> URL: http://svn.apache.org/r1589993
> Log:
> Add the ldap-search option to mod_authnz_ldap, allowing authorization
> to be based on arbitrary expressions that do not include the username.
>
> Modified:
>     httpd/httpd/trunk/CHANGES
>     httpd/httpd/trunk/docs/manual/expr.xml
>     httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml
>     httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
>
> Modified: httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml?rev=1589993&r1=1589992&r2=1589993&view=diff
> ==
> --- httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml (original)
> +++ httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml Fri Apr 25 11:14:36 2014
> @@ -508,6 +514,28 @@ AuthLDAPMaxSubGroupDepth 1
> +Require ldap-search
> +
> +The Require ldap-search directive allows the
> +administrator to grant access based on a generic LDAP search filter using an
> +expression. If there is exactly one match to the search filter,
> +regardless of the distinguished name, access is granted.
> +
> +The following directive would grant access to URLs that match the given objects in the
> +LDAP server:
> +
> +
> +
              ^ There
> +Require ldap-search (cn=%{ldap:%{unescape:%{env:MATCH_SITENAME}} Website)
> +
> +
> +
> +Note: care must be taken to ensure that any expressions are properly escaped to guard
> +against LDAP injection. The ldap function can be used as per the example
> +above.
> +
> +
>  Examples
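Review bot: the example line marked "^ There" (the LocationMatch block referred to in the thread) contains literal `<` and `>` inside the XML source of mod_authnz_ldap.xml, which is what stops the manual from building; in the documentation source those characters must be written as `&lt;` and `&gt;` or the example placed in a CDATA section rather than pasted as raw configuration. While fixing that, the example would also benefit from a sentence explaining why the `%{ldap:...}` wrapper around `%{unescape:%{env:MATCH_SITENAME}}` is required, since the "care must be taken ... LDAP injection" note below depends on readers copying that escaping rather than the bare variable.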
