</div>
<div id="quickview"><h3 class="directives">Directives</h3>
<ul id="toc">
+<li><img alt="" src="../images/down.gif" /> <a href="#authldapauthorizeprefix">AuthLDAPAuthorizePrefix</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapbindauthoritative">AuthLDAPBindAuthoritative</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapbinddn">AuthLDAPBindDN</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapbindpassword">AuthLDAPBindPassword</a></li>
<div class="section">
<h2><a name="exposed" id="exposed">Exposing Login Information</a></h2>
- <p>When this module performs authentication, LDAP attributes specified
- in the <code class="directive"><a href="#authldapurl">AuthLDAPUrl</a></code>
+ <p>when this module performs <em>authentication</em>, ldap attributes specified
+ in the <code class="directive"><a href="#authldapurl">authldapurl</a></code>
directive are placed in environment variables with the prefix "AUTHENTICATE_".</p>
+ <p>when this module performs <em>authorization</em>, ldap attributes specified
+ in the <code class="directive"><a href="#authldapurl">authldapurl</a></code>
+ directive are placed in environment variables with the prefix "AUTHORIZE_".</p>
+
<p>If the attribute field contains the username, common name
and telephone number of a user, a CGI program will have access to
this information without the need to make a second independent LDAP
and won't be able to find the FrontPage-managed user file.</li>
</ul>
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="AuthLDAPAuthorizePrefix" id="AuthLDAPAuthorizePrefix">AuthLDAPAuthorizePrefix</a> <a name="authldapauthorizeprefix" id="authldapauthorizeprefix">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Specifies the prefix for environment variables set during
+authorization</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthLDAPAuthorizePrefix <em>prefix</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthLDAPAuthorizePrefix AUTHORIZE_</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
+<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_ldap</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in version 2.3.7 and later</td></tr>
+</table>
+ <p>This directive allows you to override the prefix used for environment
+ variables set during LDAP authorization. If <em>AUTHENTICATE_</em> is
+ specified, consumers of these environment variables see the same information
+ whether LDAP has performed authentication, authorization, or both.</p>
+
+ <div class="note"><h3>Note</h3>
+ No authorization variables are set when a user is authorized on the basis of
+ <code>Require valid-user</code>.
+ </div>
+
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="AuthLDAPBindAuthoritative" id="AuthLDAPBindAuthoritative">AuthLDAPBindAuthoritative</a> <a name="authldapbindauthoritative" id="authldapbindauthoritative">Directive</a></h2>
int maxNestingDepth; /* Maximum recursive nesting depth permitted during subgroup processing. Default: 10 */
int secure; /* True if SSL connections are requested */
+ char *authz_prefix; /* Prefix for environment variables added during authz */
} authn_ldap_config_t;
typedef struct {
char *dn; /* The saved dn from a successful search */
char *user; /* The username provided by the client */
+ const char **vals; /* The additional values pulled during the DN search*/
} authn_ldap_request_t;
+enum auth_ldap_phase{
+ LDAP_AUTHN, LDAP_AUTHZ
+};
+
/* maximum group elements supported */
#define GROUPATTR_MAX_ELTS 10
sec->remote_user_attribute = NULL;
sec->compare_dn_on_server = 0;
+ sec->authz_prefix = AUTHZ_PREFIX;
+
return sec;
}
return APR_SUCCESS;
}
+static int set_request_vars(request_rec *r, enum auth_ldap_phase phase) {
+ char *prefix = NULL;
+ int prefix_len, remote_user_attribute_set;
+ authn_ldap_request_t *req =
+ (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);
+ authn_ldap_config_t *sec =
+ (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
+ const char **vals = req->vals;
+
+ prefix = (phase == LDAP_AUTHN) ? AUTHN_PREFIX : sec->authz_prefix;
+ prefix_len = strlen(prefix);
+
+ if (sec->attributes && vals) {
+ apr_table_t *e = r->subprocess_env;
+ int i = 0;
+ while (sec->attributes[i]) {
+ char *str = apr_pstrcat(r->pool, prefix, sec->attributes[i], NULL);
+ int j = prefix_len;
+ while (str[j]) {
+ str[j] = apr_toupper(str[j]);
+ j++;
+ }
+ apr_table_setn(e, str, vals[i] ? vals[i] : "");
+
+ /* handle remote_user_attribute, if set */
+ if ((phase == LDAP_AUTHN) &&
+ sec->remote_user_attribute &&
+ !strcmp(sec->remote_user_attribute, sec->attributes[i])) {
+ r->user = (char *)apr_pstrdup(r->pool, vals[i]);
+ remote_user_attribute_set = 1;
+ }
+ i++;
+ }
+ }
+ return remote_user_attribute_set;
+}
/*
* Authentication Phase
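Review bot: `remote_user_attribute_set` in the declaration `int prefix_len, remote_user_attribute_set;` has no initializer yet is returned unconditionally at the end of set_request_vars, so whenever `sec->attributes` or `vals` is NULL, or no attribute matches `remote_user_attribute`, the caller at `remote_user_attribute_set = set_request_vars(r, LDAP_AUTHN);` receives an indeterminate value (the removed inline loop relied on the caller's own initialisation, which this refactor no longer reaches). Because the authn sanity check is `if (sec->remote_user_attribute && !remote_user_attribute_set)`, a stray non-zero value skips that check and leaves `r->user` as the client-supplied name instead of the LDAP attribute, so the declaration should read `int prefix_len, remote_user_attribute_set = 0;`. The helper also dereferences `req` fetched from the request config without a NULL check; every caller visible here sets it first, but a comment such as `/* req must already be set via ap_set_module_config by the caller */` would make that precondition explicit. Carried over from the removed code, `apr_pstrdup(r->pool, vals[i])` with a NULL `vals[i]` appears to leave `r->user` NULL while still reporting the attribute as set — worth a follow-up rather than part of this change.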
const char *password)
{
int failures = 0;
- const char **vals = NULL;
char filtbuf[FILTER_LENGTH];
authn_ldap_config_t *sec =
(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
/* do the user search */
result = util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope,
sec->attributes, filtbuf, utfpassword,
- &dn, &vals);
+ &dn, &(req->vals));
util_ldap_connection_close(ldc);
/* sanity check - if server is down, retry it up to 5 times */
}
/* add environment variables */
- if (sec->attributes && vals) {
- apr_table_t *e = r->subprocess_env;
- int i = 0;
- while (sec->attributes[i]) {
- char *str = apr_pstrcat(r->pool, AUTHN_PREFIX, sec->attributes[i], NULL);
- int j = sizeof(AUTHN_PREFIX)-1; /* string length of "AUTHENTICATE_", excluding the trailing NIL */
- while (str[j]) {
- str[j] = apr_toupper(str[j]);
- j++;
- }
- apr_table_setn(e, str, vals[i] ? vals[i] : "");
-
- /* handle remote_user_attribute, if set */
- if (sec->remote_user_attribute &&
- !strcmp(sec->remote_user_attribute, sec->attributes[i])) {
- r->user = (char *)apr_pstrdup(r->pool, vals[i]);
- remote_user_attribute_set = 1;
- }
- i++;
- }
- }
+ remote_user_attribute_set = set_request_vars(r, LDAP_AUTHN);
/* sanity check */
if (sec->remote_user_attribute && !remote_user_attribute_set) {
char filtbuf[FILTER_LENGTH];
const char *dn = NULL;
- const char **vals = NULL;
if (!sec->have_ldap_url) {
return AUTHZ_DENIED;
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"ldap authorize: Creating LDAP req structure");
+ req = (authn_ldap_request_t *)apr_pcalloc(r->pool,
+ sizeof(authn_ldap_request_t));
+
/* Build the username filter */
authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec);
/* Search for the user DN */
result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
- sec->scope, sec->attributes, filtbuf, &dn, &vals);
+ sec->scope, sec->attributes, filtbuf, &dn, &(req->vals));
/* Search failed, log error and return failure */
if(result != LDAP_SUCCESS) {
return AUTHZ_DENIED;
}
- req = (authn_ldap_request_t *)apr_pcalloc(r->pool,
- sizeof(authn_ldap_request_t));
ap_set_module_config(r->request_config, &authnz_ldap_module, req);
req->dn = apr_pstrdup(r->pool, dn);
req->user = r->user;
+
}
if (req->dn == NULL || strlen(req->dn) == 0) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"[%" APR_PID_T_FMT "] auth_ldap authorize: "
"require user: authorization successful", getpid());
+ set_request_vars(r, LDAP_AUTHZ);
return AUTHZ_GRANTED;
}
default: {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"[%" APR_PID_T_FMT "] auth_ldap authorize: "
"require user: authorization successful", getpid());
+ set_request_vars(r, LDAP_AUTHZ);
return AUTHZ_GRANTED;
}
default: {
char filtbuf[FILTER_LENGTH];
const char *dn = NULL;
- const char **vals = NULL;
struct mod_auth_ldap_groupattr_entry_t *ent;
int i;
/* Search for the user DN */
result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
- sec->scope, sec->attributes, filtbuf, &dn, &vals);
+ sec->scope, sec->attributes, filtbuf, &dn, &(req->vals));
/* Search failed, log error and return failure */
if(result != LDAP_SUCCESS) {
"[%" APR_PID_T_FMT "] auth_ldap authorize: require group: "
"authorization successful (attribute %s) [%s][%d - %s]",
getpid(), ent[i].name, ldc->reason, result, ldap_err2string(result));
+ set_request_vars(r, LDAP_AUTHZ);
return AUTHZ_GRANTED;
}
case LDAP_COMPARE_FALSE: {
"[%" APR_PID_T_FMT "] auth_ldap authorise: require group (sub-group): "
"authorisation successful (attribute %s) [%s][%d - %s]",
getpid(), ent[i].name, ldc->reason, result, ldap_err2string(result));
- return AUTHZ_GRANTED;
+ set_request_vars(r, LDAP_AUTHZ);
+ return AUTHZ_GRANTED;
}
else {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
char filtbuf[FILTER_LENGTH];
const char *dn = NULL;
- const char **vals = NULL;
if (!sec->have_ldap_url) {
return AUTHZ_DENIED;
/* Search for the user DN */
result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
- sec->scope, sec->attributes, filtbuf, &dn, &vals);
+ sec->scope, sec->attributes, filtbuf, &dn, &(req->vals));
/* Search failed, log error and return failure */
if(result != LDAP_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"[%" APR_PID_T_FMT "] auth_ldap authorize: "
"require dn: authorization successful", getpid());
+ set_request_vars(r, LDAP_AUTHZ);
return AUTHZ_GRANTED;
}
default: {
char filtbuf[FILTER_LENGTH];
const char *dn = NULL;
- const char **vals = NULL;
if (!sec->have_ldap_url) {
return AUTHZ_DENIED;
/* Search for the user DN */
result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
- sec->scope, sec->attributes, filtbuf, &dn, &vals);
+ sec->scope, sec->attributes, filtbuf, &dn, &(req->vals));
/* Search failed, log error and return failure */
if(result != LDAP_SUCCESS) {
0, r, "[%" APR_PID_T_FMT "] auth_ldap authorize: "
"require attribute: authorization successful",
getpid());
+ set_request_vars(r, LDAP_AUTHZ);
return AUTHZ_GRANTED;
}
default: {
char filtbuf[FILTER_LENGTH];
const char *dn = NULL;
- const char **vals = NULL;
if (!sec->have_ldap_url) {
return AUTHZ_DENIED;
/* Search for the user DN */
result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
- sec->scope, sec->attributes, filtbuf, &dn, &vals);
+ sec->scope, sec->attributes, filtbuf, &dn, &(req->vals));
/* Search failed, log error and return failure */
if(result != LDAP_SUCCESS) {
/* Search for the user DN */
result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
- sec->scope, sec->attributes, filtbuf, &dn, &vals);
+ sec->scope, sec->attributes, filtbuf, &dn, &(req->vals));
/* Make sure that the filtered search returned the correct user dn */
if (result == LDAP_SUCCESS) {
0, r, "[%" APR_PID_T_FMT "] auth_ldap authorize: "
"require ldap-filter: authorization "
"successful", getpid());
+ set_request_vars(r, LDAP_AUTHZ);
return AUTHZ_GRANTED;
}
case LDAP_FILTER_ERROR: {
"Character set conversion configuration file. If omitted, character set"
"conversion is disabled."),
+ AP_INIT_TAKE1("AuthLDAPAuthorizePrefix", ap_set_string_slot,
+ (void *)APR_OFFSETOF(authn_ldap_config_t, authz_prefix), OR_AUTHCFG,
+ "The prefix to add to environment variables set during "
+ "successful authorization, default '" AUTHZ_PREFIX "'"),
{NULL}
};
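Review bot: `AuthLDAPAuthorizePrefix` is stored through `ap_set_string_slot` with no validation, so an empty or arbitrary prefix is accepted from a .htaccess file under AuthConfig; with an empty prefix the uppercased attribute name alone becomes the variable name, and `apr_table_setn` on `r->subprocess_env` will replace any existing CGI variable of that name. The same configuration author controls the attribute list in AuthLDAPUrl, so this is a foot-gun rather than an escalation, but the help string should say so, e.g. append `"; must be a valid environment-variable name prefix, an empty prefix lets attribute names shadow other CGI variables"` to the directive description.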