Changes with Apache 2.3.0
[Remove entries to the current 2.0 and 2.2 section below, when backported]
+ *) mod_authnz_ldap: Add an AuthLDAPRemoteUserAttribute directive. If
+ set, REMOTE_USER will be set to this attribute, rather than the
+ username supplied by the user. Useful for example when you want users
+ to log in using an email address, but need to supply a userid instead
+ to the backend. [Graham Leggett]
+
*) Allow mod_dumpio to log at other than DEBUG levels via
the new DumpIOLogLevel directive. [Jim Jagielski]
</usage>
</directivesynopsis>
+<directivesynopsis>
+<name>AuthLDAPRemoteUserAttribute</name>
+<description>Use the value of the attribute returned during the user
+query to set the REMOTE_USER environment variable</description>
+<syntax>AuthLDAPRemoteUserAttribute uid</syntax>
+<default>none</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+
+<usage>
+ <p>If this directive is set, the value of the
+ <code>REMOTE_USER</code> environment variable will be set to the
+ value of the attribute specified. Make sure that this attribute is
+ included in the list of attributes in the AuthLDAPUrl definition,
+ otherwise this directive will have no effect. This directive, if
+ present, takes precedence over AuthLDAPRemoteUserIsDN. This
+ directive is useful should you want people to log into a website
+ using an email address, but a backend application expects the
+ username as a userid.</p>
+</usage>
+</directivesynopsis>
+
<directivesynopsis>
<name>AuthLDAPRemoteUserIsDN</name>
<description>Use the DN of the client username to set the REMOTE_USER
char *bindpw; /* Password to bind to server (can be NULL) */
int user_is_dn; /* If true, connection->user is DN instead of userid */
+ char *remote_user_attribute; /* If set, connection->user is this attribute instead of userid */
int compare_dn_on_server; /* If true, will use server to do DN compare */
int have_ldap_url; /* Set if we have found an LDAP url */
sec->secure = -1; /*Initialize to unset*/
sec->user_is_dn = 0;
+ sec->remote_user_attribute = NULL;
sec->compare_dn_on_server = 0;
return sec;
util_ldap_connection_t *ldc = NULL;
int result = 0;
+ int remote_user_attribute_set = 0;
const char *dn = NULL;
authn_ldap_request_t *req =
j++;
}
apr_table_setn(e, str, vals[i]);
+
+ /* handle remote_user_attribute, if set */
+ if (sec->remote_user_attribute &&
+ !strcmp(sec->remote_user_attribute, sec->attributes[i])) {
+ r->user = (char *)apr_pstrdup(r->pool, vals[i]);
+ remote_user_attribute_set = 1;
+ }
i++;
}
}
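Review bot: The match at `!strcmp(sec->remote_user_attribute, sec->attributes[i])` copies `vals[i]` into r->user without checking it, so when the attribute was requested but is absent from the user's entry and the lookup leaves vals[i] NULL (presumably what the calloc'd value array does — confirm against util_ldap), REMOTE_USER becomes NULL while remote_user_attribute_set is 1, the later sanity warning is suppressed, and authorization and logging see an authenticated request with no user. Guard the assignment, `if (sec->remote_user_attribute && vals[i] && !strcmp(sec->remote_user_attribute, sec->attributes[i])) {`, so the flag stays unset and the existing warning fires. LDAP attribute names are case-insensitive, so a case-sensitive strcmp means `AuthLDAPRemoteUserAttribute mail` silently fails to match an AuthLDAPUrl listing `Mail`; `strcasecmp(sec->remote_user_attribute, sec->attributes[i])` is the better comparison. The `(char *)` cast on apr_pstrdup is redundant, as it already returns char *. The enclosing authenticate function starts and ends outside this hunk.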
+ /* sanity check */
+ if (sec->remote_user_attribute && !remote_user_attribute_set) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authenticate: "
+ "REMOTE_USER was to be set with attribute '%s', "
+ "but this attribute was not requested for in the "
+ "LDAP query for the user. REMOTE_USER will fall "
+ "back to username or DN as appropriate.", getpid(),
+ sec->remote_user_attribute);
+ }
+
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"[%" APR_PID_T_FMT "] auth_ldap authenticate: accepting %s", getpid(), user);
"DN of the remote user. By default, this is set to off, meaning that "
"the REMOTE_USER variable will contain whatever value the remote user sent."),
+ AP_INIT_TAKE1("AuthLDAPRemoteUserAttribute", ap_set_string_slot,
+ (void *)APR_OFFSETOF(authn_ldap_config_t,
+ remote_user_attribute), OR_AUTHCFG,
+ "Override the user supplied username and place the "
+ "contents of this attribute in the REMOTE_USER "
+ "environment variable."),
+
AP_INIT_FLAG("AuthLDAPCompareDNOnServer", ap_set_flag_slot,
(void *)APR_OFFSETOF(authn_ldap_config_t, compare_dn_on_server), OR_AUTHCFG,
"Set to 'on' to force auth_ldap to do DN compares (for the \"require dn\" "