/*XXX All of the #ifdef's need to be removed once apr-util 1.2 is released */
#ifdef APR_LDAP_OPT_VERIFY_CERT
- apr_ldap_set_option(r->pool, ldc->ldap,
- APR_LDAP_OPT_VERIFY_CERT, &(st->verify_svr_cert), &(result));
+ apr_ldap_set_option(r->pool, ldc->ldap, APR_LDAP_OPT_VERIFY_CERT,
+ &(st->verify_svr_cert), &(result));
#else
#if defined(LDAPSSL_VERIFY_SERVER)
if (st->verify_svr_cert) {
/*
* Does an generic ldap_compare operation. It accepts a cache that it will use
* to lookup the compare in the cache. We cache two kinds of compares
- * (require group compares) and (require user compares). Each compare has a different
- * cache node: require group includes the DN; require user does not because the
- * require user cache is owned by the
+ * (require group compares) and (require user compares). Each compare has a
+ * different cache node: require group includes the DN; require user does not
+ * because the require user cache is owned by the
*
*/
static int uldap_cache_compare(request_rec *r, util_ldap_connection_t *ldc,
{
void *junk;
- junk = util_ald_cache_insert(curl->compare_cache, &the_compare_node);
+ junk = util_ald_cache_insert(curl->compare_cache,
+ &the_compare_node);
if(junk == NULL) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] cache_compare: Cache insertion failure.", getpid());
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] cache_compare: Cache"
+ " insertion failure.", getpid());
}
}
else {
}
-static util_compare_subgroup_t* uldap_get_subgroups(request_rec *r, util_ldap_connection_t *ldc,
- const char *url, const char *dn,
- char **subgroupAttrs, apr_array_header_t *subgroupclasses) {
+static util_compare_subgroup_t* uldap_get_subgroups(request_rec *r,
+ util_ldap_connection_t *ldc,
+ const char *url,
+ const char *dn,
+ char **subgroupAttrs,
+ apr_array_header_t *subgroupclasses)
+{
int failures = 0;
int result = LDAP_COMPARE_FALSE;
util_compare_subgroup_t *res = NULL;
LDAPMessage *sga_res, *entry;
- struct mod_auth_ldap_groupattr_entry_t *sgc_ents = (struct mod_auth_ldap_groupattr_entry_t *) subgroupclasses->elts;
+ struct mod_auth_ldap_groupattr_entry_t *sgc_ents;
apr_array_header_t *subgroups = apr_array_make(r->pool, 20, sizeof(char *));
+ sgc_ents = (struct mod_auth_ldap_groupattr_entry_t *) subgroupclasses->elts;
+
if (!subgroupAttrs) {
return res;
}
start_over:
- /* 3.B. The cache didn't have any subgrouplist yet. Go check for subgroups. */
+ /*
+ * 3.B. The cache didn't have any subgrouplist yet. Go check for subgroups.
+ */
if (failures++ > 10) {
/* too many failures */
return res;
(char *)"cn=*", subgroupAttrs, 0,
NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &sga_res);
if (result == LDAP_SERVER_DOWN) {
- ldc->reason = "ldap_search_ext_s() for subgroups failed with server down";
+ ldc->reason = "ldap_search_ext_s() for subgroups failed with server"
+ " down";
uldap_connection_unbind(ldc);
goto start_over;
}
if (values) {
val_index = 0;
/*
- * Now we are going to pare the subgroup members of this group to *just*
- * the subgroups, add them to the compare_nodep, and then proceed to check
- * the new level of subgroups.
+ * Now we are going to pare the subgroup members of this group
+ * to *just* the subgroups, add them to the compare_nodep, and
+ * then proceed to check the new level of subgroups.
*/
while (values[val_index]) {
/* Check if this entry really is a group. */
tmp_sgcIndex = 0;
result = LDAP_COMPARE_FALSE;
- while ((tmp_sgcIndex < subgroupclasses->nelts) && (result != LDAP_COMPARE_TRUE)) {
- result = uldap_cache_compare(r, ldc, url, values[val_index], "objectClass",
- sgc_ents[tmp_sgcIndex].name);
+ while ((tmp_sgcIndex < subgroupclasses->nelts)
+ && (result != LDAP_COMPARE_TRUE)) {
+ result = uldap_cache_compare(r, ldc, url,
+ values[val_index],
+ "objectClass",
+ sgc_ents[tmp_sgcIndex].name
+ );
if (result != LDAP_COMPARE_TRUE) {
tmp_sgcIndex++;
int sgindex;
char **group;
res = apr_pcalloc(r->pool, sizeof(util_compare_subgroup_t));
- res->subgroupDNs = apr_pcalloc(r->pool, sizeof(char *) * (subgroups->nelts));
+ res->subgroupDNs = apr_pcalloc(r->pool,
+ sizeof(char *) * (subgroups->nelts));
for (sgindex = 0; (group = apr_array_pop(subgroups)); sgindex++) {
res->subgroupDNs[sgindex] = apr_pstrdup(r->pool, *group);
}
/*
- * Does a recursive lookup operation to try to find a user within (cached) nested
- * groups. It accepts a cache that it will use to lookup previous compare attempts.
- * We cache two kinds of compares (require group compares) and (require user
- * compares). Each compare has a different cache node: require group includes the DN;
- * require user does not because the require user cache is owned by the
+ * Does a recursive lookup operation to try to find a user within (cached)
+ * nested groups. It accepts a cache that it will use to lookup previous
+ * compare attempts. We cache two kinds of compares (require group compares)
+ * and (require user compares). Each compare has a different cache node:
+ * require group includes the DN; require user does not because the require
+ * user cache is owned by the
*
* DON'T CALL THIS UNLESS YOU CALLED uldap_cache_compare FIRST!!!!!
+ *
+ *
+ * 1. Call uldap_cache_compare for each subgroupclass value to check the
+ * generic, user-agnostic, cached group entry. This will create a new generic
+ * cache entry if there
+ * wasn't one. If nothing returns LDAP_COMPARE_TRUE skip to step 5 since we
+ * have no groups.
+ * 2. Lock The cache and get the generic cache entry.
+ * 3. Check if there is already a subgrouplist in this generic group's cache
+ * entry.
+ * A. If there is, go to step 4.
+ * B. If there isn't:
+ * i) Use ldap_search to get the full list
+ * of subgroup "members" (which may include non-group "members").
+ * ii) Use uldap_cache_compare to strip the list down to just groups.
+ * iii) Lock and add this stripped down list to the cache of the generic
+ * group.
+ * 4. Loop through the sgl and call uldap_cache_compare (using the user info)
+ * for each
+ * subgroup to see if the subgroup contains the user and to get the subgroups
+ * added to the
+ * cache (with user-afinity, if they aren't already there).
+ * A. If the user is in the subgroup, then we'll be returning
+ * LDAP_COMPARE_TRUE.
+ * B. if the user isn't in the subgroup (LDAP_COMPARE_FALSE via
+ * uldap_cache_compare) then recursively call this function to get the
+ * sub-subgroups added...
+ * 5. Cleanup local allocations.
+ * 6. Return the final result.
*/
- /*
- * 1. Call uldap_cache_compare for each subgroupclass value to check the generic,
- * user-agnostic, cached group entry. This will create a new generic cache entry if there
- * wasn't one. If nothing returns LDAP_COMPARE_TRUE skip to step 5 since we have no groups.
- * 2. Lock The cache and get the generic cache entry.
- * 3. Check if there is already a subgrouplist in this generic group's cache entry.
- * A. If there is, go to step 4.
- * B. If there isn't:
- * i) Use ldap_search to get the full list
- * of subgroup "members" (which may include non-group "members").
- * ii) Use uldap_cache_compare to strip the list down to just groups.
- * iii) Lock and add this stripped down list to the cache of the generic group.
- * 4. Loop through the sgl and call uldap_cache_compare (using the user info) for each
- * subgroup to see if the subgroup contains the user and to get the subgroups added to the
- * cache (with user-afinity, if they aren't already there).
- * A. If the user is in the subgroup, then we'll be returning LDAP_COMPARE_TRUE.
- * B. if the user isn't in the subgroup (LDAP_COMPARE_FALSE via uldap_cache_compare) then
- * recursively call this function to get the sub-subgroups added...
- * 5. Cleanup local allocations.
- * 6. Return the final result.
- */
-
-static int uldap_cache_check_subgroups(request_rec *r, util_ldap_connection_t *ldc,
+static int uldap_cache_check_subgroups(request_rec *r,
+ util_ldap_connection_t *ldc,
const char *url, const char *dn,
const char *attrib, const char *value,
- char **subgroupAttrs, apr_array_header_t *subgroupclasses,
- int cur_subgroup_depth, int max_subgroup_depth)
+ char **subgroupAttrs,
+ apr_array_header_t *subgroupclasses,
+ int cur_subgroup_depth,
+ int max_subgroup_depth)
{
int result = LDAP_COMPARE_FALSE;
util_url_node_t *curl;
util_compare_node_t the_compare_node;
util_compare_subgroup_t *tmp_local_sgl = NULL;
int lcl_sgl_processedFlag = 0, sgindex = 0, base_sgcIndex = 0;
- struct mod_auth_ldap_groupattr_entry_t *sgc_ents = (struct mod_auth_ldap_groupattr_entry_t *) subgroupclasses->elts;
+ struct mod_auth_ldap_groupattr_entry_t *sgc_ents;
+
+ sgc_ents = (struct mod_auth_ldap_groupattr_entry_t *) subgroupclasses->elts;
util_ldap_state_t *st = (util_ldap_state_t *)
ap_get_module_config(r->server->module_config,
&ldap_module);
- /* Stop looking at deeper levels of nested groups if we have reached the max.
- * Since we already checked the top-level group in uldap_cache_compare, we don't
- * need to check it again here - so if max_subgroup_depth is set to 0, we won't
- * check it (i.e. that is why we check < rather than <=).
- * We'll be calling uldap_cache_compare from here to check if the user is in the
- * next level before we recurse into that next level looking for more subgroups.
+ /*
+ * Stop looking at deeper levels of nested groups if we have reached the
+ * max. Since we already checked the top-level group in uldap_cache_compare,
+ * we don't need to check it again here - so if max_subgroup_depth is set
+ * to 0, we won't check it (i.e. that is why we check < rather than <=).
+ * We'll be calling uldap_cache_compare from here to check if the user is
+ * in the next level before we recurse into that next level looking for
+ * more subgroups.
*/
if (cur_subgroup_depth >= max_subgroup_depth) {
return LDAP_COMPARE_FALSE;
}
- /* 1. Check the "groupiness" of the specified basedn. Stopping at the first TRUE return. */
- while ((base_sgcIndex < subgroupclasses->nelts) && (result != LDAP_COMPARE_TRUE)) {
- result = uldap_cache_compare(r, ldc, url, dn, "objectClass", sgc_ents[base_sgcIndex].name);
+ /*
+ * 1. Check the "groupiness" of the specified basedn. Stopping at the first
+ * TRUE return.
+ */
+ while ((base_sgcIndex < subgroupclasses->nelts)
+ && (result != LDAP_COMPARE_TRUE)) {
+ result = uldap_cache_compare(r, ldc, url, dn, "objectClass",
+ sgc_ents[base_sgcIndex].name);
if (result != LDAP_COMPARE_TRUE) {
base_sgcIndex++;
}
return result;
}
- /* 2. Find previously created cache entry and check if there is already a subgrouplist. */
+ /*
+ * 2. Find previously created cache entry and check if there is already a
+ * subgrouplist.
+ */
LDAP_CACHE_LOCK();
curnode.url = url;
curl = util_ald_cache_fetch(st->util_ldap_cache, &curnode);
the_compare_node.sgl_processed = 0;
the_compare_node.subgroupList = NULL;
- compare_nodep = util_ald_cache_fetch(curl->compare_cache, &the_compare_node);
+ compare_nodep = util_ald_cache_fetch(curl->compare_cache,
+ &the_compare_node);
if (compare_nodep != NULL) {
- /* Found the generic group entry... but the user isn't in this group or we wouldn't be here. */
+ /*
+ * Found the generic group entry... but the user isn't in this
+ * group or we wouldn't be here.
+ */
lcl_sgl_processedFlag = compare_nodep->sgl_processed;
if(compare_nodep->sgl_processed && compare_nodep->subgroupList) {
/* Make a local copy of the subgroup list */
int i;
- tmp_local_sgl = apr_pcalloc(r->pool, sizeof(util_compare_subgroup_t));
+ tmp_local_sgl = apr_pcalloc(r->pool,
+ sizeof(util_compare_subgroup_t));
tmp_local_sgl->len = compare_nodep->subgroupList->len;
- tmp_local_sgl->subgroupDNs = apr_pcalloc(r->pool, sizeof(char *) * compare_nodep->subgroupList->len);
+ tmp_local_sgl->subgroupDNs =
+ apr_pcalloc(r->pool,
+ sizeof(char *) * compare_nodep->subgroupList->len);
for (i = 0; i < compare_nodep->subgroupList->len; i++) {
- tmp_local_sgl->subgroupDNs[i] = apr_pstrdup(r->pool, compare_nodep->subgroupList->subgroupDNs[i]);
+ tmp_local_sgl->subgroupDNs[i] =
+ apr_pstrdup(r->pool,
+ compare_nodep->subgroupList->subgroupDNs[i]);
}
}
}
LDAP_CACHE_UNLOCK();
}
else {
- /* If we get here, something is wrong. Caches should have been created and
- this group entry should be found in the cache. */
+ /*
+ * If we get here, something is wrong. Caches should have been
+ * created and this group entry should be found in the cache.
+ */
ldc->reason = "check_subgroups failed to find any caches.";
return LDAP_COMPARE_FALSE;
}
if ((lcl_sgl_processedFlag == 0) && (!tmp_local_sgl)) {
/* No Cached SGL, retrieve from LDAP */
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] util_ldap: no cached SGL for %s, retrieving from LDAP" , getpid(), dn);
- tmp_local_sgl = uldap_get_subgroups(r, ldc, url, dn, subgroupAttrs, subgroupclasses);
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] util_ldap: no cached SGL for %s,"
+ " retrieving from LDAP" , getpid(), dn);
+ tmp_local_sgl = uldap_get_subgroups(r, ldc, url, dn, subgroupAttrs,
+ subgroupclasses);
if (!tmp_local_sgl) {
/* No SGL aailable via LDAP either */
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] util_ldap: no subgroups for %s" , getpid(), dn);
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "]"
+ " util_ldap: no subgroups for %s" , getpid(), dn);
}
lcl_sgl_processedFlag = 1;
- /* Find the generic group cache entry and add the sgl we just retrieved. */
+ /*
+ * Find the generic group cache entry and add the sgl we just retrieved.
+ */
LDAP_CACHE_LOCK();
the_compare_node.dn = (char *)dn;
the_compare_node.sgl_processed = 0;
the_compare_node.subgroupList = NULL;
- compare_nodep = util_ald_cache_fetch(curl->compare_cache, &the_compare_node);
+ compare_nodep = util_ald_cache_fetch(curl->compare_cache,
+ &the_compare_node);
if (compare_nodep == NULL) {
- /* Didn't find it. This shouldn't happen since we just called uldap_cache_compare. */
+ /*
+ * Didn't find it. This shouldn't happen since we just called
+ * uldap_cache_compare.
+ */
LDAP_CACHE_UNLOCK();
- ldc->reason = "check_subgroups failed to find the cache entry to add sub-group list to.";
+ ldc->reason = "check_subgroups failed to find the cache entry to"
+ " add sub-group list to.";
return LDAP_COMPARE_FALSE;
}
/*
*/
compare_nodep->sgl_processed = 1;
if (tmp_local_sgl) {
- compare_nodep->subgroupList = util_ald_sgl_dup(curl->compare_cache, tmp_local_sgl);
+ compare_nodep->subgroupList = util_ald_sgl_dup(curl->compare_cache,
+ tmp_local_sgl);
}
else {
- /* We didn't find a single subgroup, next time save us from looking */
+ /*
+ * We didn't find a single subgroup, next time save us from looking
+ */
compare_nodep->subgroupList = NULL;
}
LDAP_CACHE_UNLOCK();
}
- /* tmp_local_sgl has either been created, or copied out of the cache */
- /* If tmp_local_sgl is NULL, there are no subgroups to process and we'll return false */
+ /*
+ * tmp_local_sgl has either been created, or copied out of the cache
+ * If tmp_local_sgl is NULL, there are no subgroups to process and we'll
+ * return false
+ */
result = LDAP_COMPARE_FALSE;
if (!tmp_local_sgl) {
return result;
while ((result != LDAP_COMPARE_TRUE) && (sgindex < tmp_local_sgl->len)) {
const char *group = NULL;
group = tmp_local_sgl->subgroupDNs[sgindex];
- /* 4. Now loop through the subgroupList and call uldap_cache_compare to check for the user. */
+ /*
+ * 4. Now loop through the subgroupList and call uldap_cache_compare
+ * to check for the user.
+ */
result = uldap_cache_compare(r, ldc, url, group, attrib, value);
if (result == LDAP_COMPARE_TRUE) {
- /* 4.A. We found the user in the subgroup. Return LDAP_COMPARE_TRUE. */
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] util_ldap:"
- " Found user %s in a subgroup (%s) at level %d of %d.",
- getpid(), r->user, group, cur_subgroup_depth+1, max_subgroup_depth);
+ /*
+ * 4.A. We found the user in the subgroup. Return
+ * LDAP_COMPARE_TRUE.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "]"
+ " util_ldap: Found user %s in a subgroup (%s) at"
+ " level %d of %d.", getpid(), r->user, group,
+ cur_subgroup_depth+1, max_subgroup_depth);
}
else {
- /* 4.B. We didn't find the user in this subgroup, so recurse into it and keep looking. */
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] util_ldap:"
- " user %s not found in subgroup (%s) at level %d of %d.",
- getpid(), r->user, group, cur_subgroup_depth+1, max_subgroup_depth);
+ /*
+ * 4.B. We didn't find the user in this subgroup, so recurse into
+ * it and keep looking.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "]"
+ " util_ldap: user %s not found in subgroup (%s) at"
+ " level %d of %d.", getpid(), r->user, group,
+ cur_subgroup_depth+1, max_subgroup_depth);
result = uldap_cache_check_subgroups(r, ldc, url, group, attrib,
- value, subgroupAttrs, subgroupclasses,
- cur_subgroup_depth+1, max_subgroup_depth);
+ value, subgroupAttrs,
+ subgroupclasses,
+ cur_subgroup_depth+1,
+ max_subgroup_depth);
}
sgindex++;
}
while (attrs[k++]);
*retvals = apr_pcalloc(r->pool, sizeof(char *) * k);
while (search_nodep->vals[i]) {
- (*retvals)[i] = apr_pstrdup(r->pool, search_nodep->vals[i]);
+ (*retvals)[i] = apr_pstrdup(r->pool,
+ search_nodep->vals[i]);
i++;
}
}
while (attrs[k++]);
*retvals = apr_pcalloc(r->pool, sizeof(char *) * k);
while (search_nodep->vals[i]) {
- (*retvals)[i] = apr_pstrdup(r->pool, search_nodep->vals[i]);
+ (*retvals)[i] = apr_pstrdup(r->pool,
+ search_nodep->vals[i]);
i++;
}
}
st->search_cache_ttl = atol(ttl) * 1000000;
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
- "[%" APR_PID_T_FMT "] ldap cache: Setting cache TTL to %ld microseconds.",
- getpid(), st->search_cache_ttl);
+ "[%" APR_PID_T_FMT "] ldap cache: Setting cache TTL to %ld"
+ " microseconds.", getpid(), st->search_cache_ttl);
return NULL;
}
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
- "[%" APR_PID_T_FMT "] ldap cache: Setting search cache size to %ld entries.",
- getpid(), st->search_cache_size);
+ "[%" APR_PID_T_FMT "] ldap cache: Setting search cache size"
+ " to %ld entries.", getpid(), st->search_cache_size);
return NULL;
}
st->compare_cache_ttl = atol(ttl) * 1000000;
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
- "[%" APR_PID_T_FMT "] ldap cache: Setting operation cache TTL to %ld microseconds.",
- getpid(), st->compare_cache_ttl);
+ "[%" APR_PID_T_FMT "] ldap cache: Setting operation cache TTL"
+ " to %ld microseconds.", getpid(), st->compare_cache_ttl);
return NULL;
}
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
- "[%" APR_PID_T_FMT "] ldap cache: Setting operation cache size to %ld "
- "entries.", getpid(), st->compare_cache_size);
+ "[%" APR_PID_T_FMT "] ldap cache: Setting operation cache size"
+ " to %ld entries.", getpid(), st->compare_cache_size);
return NULL;
}
st->connectionTimeout = atol(ttl);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
- "[%" APR_PID_T_FMT "] ldap connection: Setting connection timeout to "
- "%ld seconds.", getpid(), st->connectionTimeout);
+ "[%" APR_PID_T_FMT "] ldap connection: Setting connection"
+ " timeout to %ld seconds.", getpid(), st->connectionTimeout);
#else
ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, cmd->server,
"LDAP: Connection timout option not supported by the "
AP_INIT_FLAG("LDAPVerifyServerCert", util_ldap_set_verify_srv_cert,
NULL, RSRC_CONF,
- "Set to 'ON' requires that the server certificate be verified "
- "before a secure LDAP connection can be establish. Default 'ON'"),
+ "Set to 'ON' requires that the server certificate be verified"
+ " before a secure LDAP connection can be establish. Default"
+ " 'ON'"),
AP_INIT_TAKE1("LDAPConnectionTimeout", util_ldap_set_connection_timeout,
NULL, RSRC_CONF,
projects / apache / commitdiff