From: Graham Leggett <minfrin@apache.org>
Date: Thu, 12 Oct 2006 20:52:37 +0000 (+0000)
Subject: mod_authnz_ldap: Add an AuthLDAPRemoteUserAttribute directive. If
X-Git-Tag: 2.3.0~2073
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=488411491b227231576f3b28b01d266eebcb13fd;p=apache

mod_authnz_ldap: Add an AuthLDAPRemoteUserAttribute directive. If
set, REMOTE_USER will be set to this attribute, rather than the
username supplied by the user. Useful for example when you want users
to log in using an email address, but need to supply a userid instead
to the backend.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@463427 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index 5f25aa6f9d..ad27850e3d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,12 @@
 Changes with Apache 2.3.0
   [Remove entries to the current 2.0 and 2.2 section below, when backported]
 
+  *) mod_authnz_ldap: Add an AuthLDAPRemoteUserAttribute directive. If
+     set, REMOTE_USER will be set to this attribute, rather than the
+     username supplied by the user. Useful for example when you want users
+     to log in using an email address, but need to supply a userid instead
+     to the backend. [Graham Leggett]
+
   *) Allow mod_dumpio to log at other than DEBUG levels via
      the new DumpIOLogLevel directive. [Jim Jagielski]
 
diff --git a/docs/manual/mod/mod_authnz_ldap.xml b/docs/manual/mod/mod_authnz_ldap.xml
index d77a832a38..d58da98031 100644
--- a/docs/manual/mod/mod_authnz_ldap.xml
+++ b/docs/manual/mod/mod_authnz_ldap.xml
@@ -774,6 +774,29 @@ group membership</description>
 </usage>
 </directivesynopsis>
 
+<directivesynopsis>
+<name>AuthLDAPRemoteUserAttribute</name>
+<description>Use the value of the attribute returned during the user
+query to set the REMOTE_USER environment variable</description>
+<syntax>AuthLDAPRemoteUserAttribute uid</syntax>
+<default>none</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override> 
+      
+<usage>
+    <p>If this directive is set, the value of the 
+    <code>REMOTE_USER</code> environment variable will be set to the
+    value of the attribute specified. Make sure that this attribute is
+    included in the list of attributes in the AuthLDAPUrl definition,
+    otherwise this directive will have no effect. This directive, if
+    present, takes precedence over AuthLDAPRemoteUserIsDN. This
+    directive is useful should you want people to log into a website
+    using an email address, but a backend application expects the
+    username as a userid.</p>
+</usage>
+</directivesynopsis>
+
 <directivesynopsis>
 <name>AuthLDAPRemoteUserIsDN</name>
 <description>Use the DN of the client username to set the REMOTE_USER
diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index 9c149b0e08..eb3a1e511c 100644
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -62,6 +62,7 @@ typedef struct {
     char *bindpw;                   /* Password to bind to server (can be NULL) */
 
     int user_is_dn;                 /* If true, connection->user is DN instead of userid */
+    char *remote_user_attribute;    /* If set, connection->user is this attribute instead of userid */
     int compare_dn_on_server;       /* If true, will use server to do DN compare */
 
     int have_ldap_url;              /* Set if we have found an LDAP url */
@@ -295,6 +296,7 @@ static void *create_authnz_ldap_dir_config(apr_pool_t *p, char *d)
     sec->secure = -1;   /*Initialize to unset*/
 
     sec->user_is_dn = 0;
+    sec->remote_user_attribute = NULL;
     sec->compare_dn_on_server = 0;
 
     return sec;
@@ -329,6 +331,7 @@ static authn_status authn_ldap_check_password(request_rec *r, const char *user,
 
     util_ldap_connection_t *ldc = NULL;
     int result = 0;
+    int remote_user_attribute_set = 0;
     const char *dn = NULL;
 
     authn_ldap_request_t *req =
@@ -439,10 +442,28 @@ start_over:
                 j++;
             }
             apr_table_setn(e, str, vals[i]);
+
+            /* handle remote_user_attribute, if set */
+            if (sec->remote_user_attribute && 
+                !strcmp(sec->remote_user_attribute, sec->attributes[i])) {
+                r->user = (char *)apr_pstrdup(r->pool, vals[i]);
+                remote_user_attribute_set = 1;
+            }
             i++;
         }
     }
 
+    /* sanity check */
+    if (sec->remote_user_attribute && !remote_user_attribute_set) {
+        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+                  "[%" APR_PID_T_FMT "] auth_ldap authenticate: "
+                  "REMOTE_USER was to be set with attribute '%s', "
+                  "but this attribute was not requested for in the "
+                  "LDAP query for the user. REMOTE_USER will fall "
+                  "back to username or DN as appropriate.", getpid(),
+                  sec->remote_user_attribute);
+    }
+
     ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                   "[%" APR_PID_T_FMT "] auth_ldap authenticate: accepting %s", getpid(), user);
 
@@ -1290,6 +1311,13 @@ static const command_rec authnz_ldap_cmds[] =
                  "DN of the remote user. By default, this is set to off, meaning that "
                  "the REMOTE_USER variable will contain whatever value the remote user sent."),
 
+    AP_INIT_TAKE1("AuthLDAPRemoteUserAttribute", ap_set_string_slot,
+                 (void *)APR_OFFSETOF(authn_ldap_config_t, 
+                                      remote_user_attribute), OR_AUTHCFG,
+                 "Override the user supplied username and place the "
+                 "contents of this attribute in the REMOTE_USER "
+                 "environment variable."),
+
     AP_INIT_FLAG("AuthLDAPCompareDNOnServer", ap_set_flag_slot,
                  (void *)APR_OFFSETOF(authn_ldap_config_t, compare_dn_on_server), OR_AUTHCFG,
                  "Set to 'on' to force auth_ldap to do DN compares (for the \"require dn\" "