Changes with Apache 2.0.25-dev
+ *) Add specified user attributes to the environment when using
+ mod_auth_ldap. This allows you to use mod_include to embed specified
+ user attributes in a page like so:
+ Hello <!--#echo var="AUTHENTICATE_CN"-->, how are you?
+ [Graham Leggett]
+
*) Fix a performance problem with the worker MPM. We now create
transaction pools once, and re-use them for each connection.
[Aaron Bannert <aaron@clove.org>]
* @param url The URL of the LDAP connection - used for deciding which cache to use.
* @param basedn The Base DN to search for the user in.
* @param scope LDAP scope of the search.
+ * @param attrs LDAP attributes to return in search.
* @param filter The user to search for in the form of an LDAP filter. This filter must return
* exactly one user for the check to be successful.
* @param bindpw The user password to bind as.
* @param binddn The DN of the user will be returned in this variable.
+ * @param retvals The values corresponding to the attributes requested in the attrs array.
* @tip The filter supplied will be searched for. If a single entry is returned, an attempt
* is made to bind as that user. If this bind succeeds, the user is not validated.
* @deffunc int util_ldap_cache_checkuserid(request_rec *r, util_ldap_connection_t *ldc,
- * char *url, const char *basedn, int scope,
- * char *filter, char *bindpw, char **binddn)
+ * char *url, const char *basedn, int scope, char **attrs,
+ * char *filter, char *bindpw, char **binddn, char ***retvals)
*/
int util_ldap_cache_checkuserid(request_rec *r, util_ldap_connection_t *ldc,
- const char *url, const char *basedn, int scope,
- const char *filter, const char *bindpw, const char **binddn);
+ const char *url, const char *basedn, int scope, char **attrs,
+ const char *filter, const char *bindpw, const char **binddn, const char ***retvals);
/* from apr_ldap_cache.c */
/* for getpid() */
#include <unistd.h>
#endif
+#include <ctype.h>
+
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
int port; /* Port of the LDAP server */
char *basedn; /* Base DN to do all searches from */
char *attribute; /* Attribute to search for */
+ char **attributes; /* Array of all the attributes to return */
int scope; /* Scope of the search */
char *filter; /* Filter to further limit the search */
deref_options deref; /* how to handle alias dereferening */
*/
int mod_auth_ldap_check_user_id(request_rec *r)
{
+ const char **vals = NULL;
char filtbuf[FILTER_LENGTH];
mod_auth_ldap_config_t *sec =
(mod_auth_ldap_config_t *)ap_get_module_config(r->per_dir_config, &auth_ldap_module);
mod_auth_ldap_build_filter(filtbuf, r, sec);
/* do the user search */
- result = util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope, filtbuf, sent_pw, &dn);
+ result = util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope,
+ sec->attributes, filtbuf, sent_pw, &dn, &vals);
util_ldap_connection_close(ldc);
if (result != LDAP_SUCCESS) {
r->user = req->dn;
}
+ /* add environment variables */
+ if (sec->attributes && vals) {
+ apr_table_t *e = r->subprocess_env;
+ int i = 0;
+ while (sec->attributes[i]) {
+ char *str = apr_pstrcat(r->pool, "AUTHENTICATE_", sec->attributes[i], NULL);
+ int j = 13;
+ while (str[j]) {
+ if (str[j] >= 'a' && str[j] <= 'z') {
+ str[j] = str[j] - ('a' - 'A');
+ }
+ j++;
+ }
+ apr_table_setn(e, str, vals[i]);
+ i++;
+ }
+ }
+
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authenticate: accepting %s", getpid(), r->user);
}
sec->basedn = urld->lud_dn? apr_pstrdup(cmd->pool, urld->lud_dn) : "";
if (urld->lud_attrs && urld->lud_attrs[0]) {
- sec->attribute = apr_pstrdup(cmd->pool, urld->lud_attrs[0]);
+ int i = 1;
+ while (urld->lud_attrs[i]) {
+ i++;
+ }
+ sec->attributes = apr_pcalloc(cmd->pool, sizeof(char *) * (i+1));
+ i = 0;
+ while (urld->lud_attrs[i]) {
+ sec->attributes[i] = apr_pstrdup(cmd->pool, urld->lud_attrs[i]);
+ i++;
+ }
+ sec->attribute = sec->attributes[0];
}
else {
sec->attribute = "uid";
}
int util_ldap_cache_checkuserid(request_rec *r, util_ldap_connection_t *ldc,
- const char *url, const char *basedn, int scope,
- const char *filter, const char *bindpw, const char **binddn)
+ const char *url, const char *basedn, int scope, char **attrs,
+ const char *filter, const char *bindpw, const char **binddn,
+ const char ***retvals)
{
+ const char **vals = NULL;
int result = 0;
LDAPMessage *res, *entry;
char *dn;
(util_ldap_state_t *)ap_get_module_config(r->server->module_config,
&ldap_module);
-
/* read lock this function */
if (!util_ldap_cache_lock) {
apr_lock_create(&util_ldap_cache_lock, APR_READWRITE, APR_INTRAPROCESS, NULL, st->pool);
else {
/* ...and entry is valid */
*binddn = search_nodep->dn;
+ *retvals = search_nodep->vals;
apr_lock_release(util_ldap_cache_lock);
ldc->reason = "Authentication successful (cached)";
return LDAP_SUCCESS;
/* try do the search */
if ((result = ldap_search_ext_s(ldc->ldap,
basedn, scope,
- filter, NULL, 1,
+ filter, attrs, 0,
NULL, NULL, NULL, -1, &res)) == LDAP_SERVER_DOWN) {
ldc->reason = "ldap_search_ext_s() for user failed with server down";
goto start_over;
return result;
}
- ldap_msgfree(res);
+ /*
+ * Get values for the provided attributes.
+ */
+ if (attrs) {
+ int k = 0;
+ int i = 0;
+ while (attrs[k++]);
+ vals = apr_pcalloc(r->pool, sizeof(char *) * (k+1));
+ while (attrs[i]) {
+ char **values;
+ int j = 0;
+ char *str = NULL;
+ /* get values */
+ values = ldap_get_values(ldc->ldap, entry, attrs[i]);
+ while (values && values[j]) {
+ str = str ? apr_pstrcat(r->pool, str, "; ", values[j], NULL) : apr_pstrdup(r->pool, values[j]);
+ j++;
+ }
+ vals[i] = str;
+ i++;
+ }
+ *retvals = vals;
+ }
/*
* Add the new username to the search cache.
the_search_node.dn = *binddn;
the_search_node.bindpw = bindpw;
the_search_node.lastbind = apr_time_now();
+ the_search_node.vals = vals;
util_ald_cache_insert(curl->search_cache, &the_search_node);
+ ldap_msgfree(res);
apr_lock_release(util_ldap_cache_lock);
ldc->reason = "Authentication successful";
{
util_search_node_t *node = (util_search_node_t *)c;
util_search_node_t *newnode = util_ald_alloc(sizeof(util_search_node_t));
- newnode->username = util_ald_strdup(node->username);
- newnode->dn = util_ald_strdup(node->dn);
- newnode->bindpw = util_ald_strdup(node->bindpw);
- newnode->lastbind = node->lastbind;
+
+ /* safety check */
+ if (newnode) {
+
+ /* copy vals */
+ if (node->vals) {
+ int k = 0;
+ int i = 0;
+ while (node->vals[k++]);
+ if (!(newnode->vals = util_ald_alloc(sizeof(char *) * (k+1)))) {
+ util_ldap_search_node_free(newnode);
+ return NULL;
+ }
+ while (node->vals[i]) {
+ if (!(newnode->vals[i] = util_ald_strdup(node->vals[i]))) {
+ util_ldap_search_node_free(newnode);
+ return NULL;
+ }
+ i++;
+ }
+ }
+ else {
+ newnode->vals = NULL;
+ }
+ if (!(newnode->username = util_ald_strdup(node->username)) ||
+ !(newnode->dn = util_ald_strdup(node->dn)) ||
+ !(newnode->bindpw = util_ald_strdup(node->bindpw)) ) {
+ util_ldap_search_node_free(newnode);
+ return NULL;
+ }
+ newnode->lastbind = node->lastbind;
+
+ }
return (void *)newnode;
}
void util_ldap_search_node_free(void *n)
{
+ int i = 0;
util_search_node_t *node = (util_search_node_t *)n;
+ if (node->vals) {
+ while (node->vals[i]) {
+ util_ald_free(node->vals[i++]);
+ }
+ util_ald_free(node->vals);
+ }
util_ald_free(node->username);
util_ald_free(node->dn);
util_ald_free(node->bindpw);
typedef struct util_search_node_t {
const char *username; /* Cache key */
const char *dn; /* DN returned from search */
- const char *bindpw; /* The most recently used bind password;
- NULL if the bind failed */
- apr_time_t lastbind; /* Time of last successful bind */
+ const char *bindpw; /* The most recently used bind password;
+ NULL if the bind failed */
+ apr_time_t lastbind; /* Time of last successful bind */
+ const char **vals; /* Values of queried attributes */
} util_search_node_t;
/*
{
#if APR_HAS_SHARED_MEMORY
if (util_ldap_shm) {
- apr_shm_free(util_ldap_shm, (void *)ptr);
+ if (ptr)
+ apr_shm_free(util_ldap_shm, (void *)ptr);
} else {
- free((void *)ptr);
+ if (ptr)
+ free((void *)ptr);
}
#else
- free((void *)ptr);
+ if (ptr)
+ free((void *)ptr);
#endif
}
{
#if APR_HAS_SHARED_MEMORY
if (util_ldap_shm) {
- return (void *)apr_shm_malloc(util_ldap_shm, size);
+ return (void *)apr_shm_calloc(util_ldap_shm, size);
} else {
- return (void *)malloc(size);
+ return (void *)calloc(sizeof(char), size);
}
#else
- return (void *)malloc(size);
+ return (void *)calloc(size);
#endif
}
projects / apache / commitdiff