<?xml version="1.0"?>
<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
-<!-- $Revision: 1.3 $ -->
+<!-- $Revision: 1.4 $ -->
<!--
Copyright 2002-2004 The Apache Software Foundation
<li><a href="#reqgroup">require ldap-group</a></li>
<li><a href="#reqdn">require ldap-dn</a></li>
<li><a href="#reqattribute">require ldap-attribute</a></li>
+ <li><a href="#reqfilter">require ldap-filter</a></li>
</ul>
</li>
directive, and the attribute fetched from the LDAP directory
matches the given value.</li>
+ <li>Grant access if there is a <a href="#reqfilter">
+ <code>require ldap-filter</code></a>
+ directive, and the search filter successfully finds a single user
+ object that matches the dn of the authenticated user.</li>
+
<li>otherwise, deny or decline access</li>
</ul>
directives are used during the authorization phase to ensure that
a user is allowed to access a resource. mod_authnz_ldap extends the
authorization types with <code>ldap-user</code>, <code>ldap-dn</code>,
- <code>ldap-group</code> and <code>ldap-attribute</code>. Other
- authorization types may also be used but may require that additional
- authorization modules be loaded.</p>
+ <code>ldap-group</code>, <code>ldap-attribute</code> and
+ <code>ldap-filter</code>. Other authorization types may also be
+ used but may require that additional authorization modules be loaded.</p>
<section id="reqvaliduser"><title>require valid-user</title>
</section>
+<section id="reqfilter"><title>require ldap-filter</title>
+
+ <p>The <code>require ldap-filter</code> directive allows the
+ administrator to grant access based on a complex LDAP search filter.
+ If the dn returned by the filter search matches the authenticated user
+ dn, access is granted.</p>
+
+ <p>The following directive would grant access to anyone having a cell phone
+ and is in the marketing department</p>
+
+ <example>require ldap-filter &(cell=*)(department=marketing)</example>
+
+ <p>The difference between the <code>require ldap-filter</code> directive and the
+ <code>require ldap-attribute</code> directive is that <code>ldap-filter</code>
+ performs a search operation on the LDAP directory using the specified search
+ filter rather than a simple attribute comparison. If a simple attribute
+ comparison is all that is required, the comparison operation performed by
+ <code>ldap-attribute</code> will be faster than the search operation
+ used by <code>ldap-filter</code> especially within a large directory.</p>
+
+</section>
+
</section>
<section id="examples"><title>Examples</title>
static void authn_ldap_build_filter(char *filtbuf,
request_rec *r,
const char* sent_user,
+ const char* sent_filter,
authn_ldap_config_t *sec)
{
char *p, *q, *filtbuf_end;
- char *user;
+ char *user, *filter;
apr_xlate_t *convset = NULL;
apr_size_t inbytes;
apr_size_t outbytes;
else
return;
+ if (sent_filter != NULL) {
+ filter = apr_pstrdup (r->pool, sent_filter);
+ }
+ else
+ filter = sec->filter;
+
if (charset_conversions) {
convset = get_conv_set(r);
}
* Create the first part of the filter, which consists of the
* config-supplied portions.
*/
- apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", sec->filter, sec->attribute);
+ apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", filter, sec->attribute);
/*
* Now add the client-supplied username to the filter, ensuring that any
}
/* build the username filter */
- authn_ldap_build_filter(filtbuf, r, user, sec);
+ authn_ldap_build_filter(filtbuf, r, user, NULL, sec);
/* do the user search */
result = util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope,
"ldap authorize: Creating LDAP req structure");
/* Build the username filter */
- authn_ldap_build_filter(filtbuf, r, r->user, sec);
+ authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec);
/* Search for the user DN */
result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
}
}
}
+ else if (strcmp(w, "ldap-filter") == 0) {
+ if (t[0]) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
+ "[%d] auth_ldap authorise: checking filter %s",
+ getpid(), t);
+
+ /* Build the username filter */
+ authn_ldap_build_filter(filtbuf, r, req->user, t, sec);
+
+ /* Search for the user DN */
+ result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
+ sec->scope, sec->attributes, filtbuf, &dn, &vals);
+
+ /* Make sure that the filtered search returned the correct user dn */
+ if (result == LDAP_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
+ "[%d] auth_ldap authorise: checking dn match %s",
+ getpid(), dn);
+ result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, dn,
+ sec->compare_dn_on_server);
+ }
+
+ switch(result) {
+ case LDAP_COMPARE_TRUE: {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO,
+ 0, r, "[%d] auth_ldap authorise: "
+ "require ldap-filter: authorisation "
+ "successful", getpid());
+ return OK;
+ }
+ case LDAP_FILTER_ERROR: {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO,
+ 0, r, "[%d] auth_ldap authorise: "
+ "require ldap-filter: %s authorisation "
+ "failed [%s][%s]", getpid(),
+ filtbuf, ldc->reason, ldap_err2string(result));
+ break;
+ }
+ default: {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO,
+ 0, r, "[%d] auth_ldap authorise: "
+ "require ldap-filter: authorisation "
+ "failed [%s][%s]", getpid(),
+ ldc->reason, ldap_err2string(result));
+ }
+ }
+ }
+ }
}
if (!method_restricted) {
projects / apache / commitdiff