From: Graham Leggett Date: Sat, 18 Aug 2001 16:55:14 +0000 (+0000) Subject: Landing of mod_auth_ldap - the LDAP based authentication module. X-Git-Tag: 2.0.25~300 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a52f6ea839a3f6bac71e1b048dd56668f4a68082;p=apache Landing of mod_auth_ldap - the LDAP based authentication module. PR: Obtained from: Submitted by: Reviewed by: git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90324 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/modules/aaa/mod_auth_ldap.c b/modules/aaa/mod_auth_ldap.c new file mode 100644 index 0000000000..bdb44122ae --- /dev/null +++ b/modules/aaa/mod_auth_ldap.c @@ -0,0 +1,828 @@ +/* ==================================================================== + * The Apache Software License, Version 1.1 + * + * Copyright (c) 2000-2001 The Apache Software Foundation. All rights + * reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. The end-user documentation included with the redistribution, + * if any, must include the following acknowledgment: + * "This product includes software developed by the + * Apache Software Foundation (http://www.apache.org/)." + * Alternately, this acknowledgment may appear in the software itself, + * if and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Apache" and "Apache Software Foundation" must + * not be used to endorse or promote products derived from this + * software without prior written permission. For written + * permission, please contact apache@apache.org. + * + * 5. Products derived from this software may not be called "Apache", + * nor may "Apache" appear in their name, without prior written + * permission of the Apache Software Foundation. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF + * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * ==================================================================== + * + * This software consists of voluntary contributions made by many + * individuals on behalf of the Apache Software Foundation. For more + * information on the Apache Software Foundation, please see + * . + */ + +/* + * mod_auth_ldap.c: LDAP authentication module + * + * Original code from auth_ldap module for Apache v1.3: + * Copyright 1998, 1999 Enbridge Pipelines Inc. + * Copyright 1999-2001 Dave Carrigan + */ + +/* for getpid() */ +#include + +#include +#include + +#include "ap_config.h" +#include "httpd.h" +#include "http_config.h" +#include "http_core.h" +#include "http_log.h" +#include "http_protocol.h" +#include "http_request.h" +#include "util_ldap.h" + +/* per directory configuration */ +typedef struct { + apr_pool_t *pool; /* Pool that this config is allocated from */ + apr_lock_t *lock; /* Lock for this config */ + int auth_authoritative; /* Is this auth method the one and only? */ + int enabled; /* Is auth_ldap enabled in this directory? */ + + /* These parameters are all derived from the AuthLDAPURL directive */ + char *url; /* String representation of the URL */ + + char *host; /* Name of the LDAP server (or space separated list) */ + int port; /* Port of the LDAP server */ + char *basedn; /* Base DN to do all searches from */ + char *attribute; /* Attribute to search for */ + int scope; /* Scope of the search */ + char *filter; /* Filter to further limit the search */ + deref_options deref; /* how to handle alias dereferening */ + char *binddn; /* DN to bind to server (can be NULL) */ + char *bindpw; /* Password to bind to server (can be NULL) */ + + int frontpage_hack; /* Hack for frontpage support */ + int user_is_dn; /* If true, connection->user is DN instead of userid */ + int compare_dn_on_server; /* If true, will use server to do DN compare */ + + int have_ldap_url; /* Set if we have found an LDAP url */ + + apr_array_header_t *groupattr; /* List of Group attributes */ + int group_attrib_is_dn; /* If true, the group attribute is the DN, otherwise, + it's the exact string passed by the HTTP client */ + + int netscapessl; /* True if Netscape SSL is enabled */ + int starttls; /* True if StartTLS is enabled */ +} mod_auth_ldap_config_t; + +typedef struct mod_auth_ldap_request_t { + char *dn; /* The saved dn from a successful search */ + char *user; /* The username provided by the client */ +} mod_auth_ldap_request_t; + +/* maximum group elements supported */ +#define GROUPATTR_MAX_ELTS 10 + +struct mod_auth_ldap_groupattr_entry_t { + char *name; +}; + +module AP_MODULE_DECLARE_DATA auth_ldap_module; + +/* function prototypes */ +void mod_auth_ldap_build_filter(char *filtbuf, + request_rec *r, + mod_auth_ldap_config_t *sec); +int mod_auth_ldap_check_user_id(request_rec *r); +int mod_auth_ldap_auth_checker(request_rec *r); +void *mod_auth_ldap_create_dir_config(apr_pool_t *p, char *d); + +/* ---------------------------------------- */ + + +/* + * Build the search filter, or at least as much of the search filter that + * will fit in the buffer. We don't worry about the buffer not being able + * to hold the entire filter. If the buffer wasn't big enough to hold the + * filter, ldap_search_s will complain, but the only situation where this + * is likely to happen is if the client sent a really, really long + * username, most likely as part of an attack. + * + * The search filter consists of the filter provided with the URL, + * combined with a filter made up of the attribute provided with the URL, + * and the actual username passed by the HTTP client. For example, assume + * that the LDAP URL is + * + * ldap://ldap.airius.com/ou=People, o=Airius?uid??(posixid=*) + * + * Further, assume that the userid passed by the client was `userj'. The + * search filter will be (&(posixid=*)(uid=userj)). + */ +#define FILTER_LENGTH MAX_STRING_LEN +void mod_auth_ldap_build_filter(char *filtbuf, + request_rec *r, + mod_auth_ldap_config_t *sec) +{ + char *p, *q, *filtbuf_end; + /* + * Create the first part of the filter, which consists of the + * config-supplied portions. + */ + apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", sec->filter, sec->attribute); + + /* + * Now add the client-supplied username to the filter, ensuring that any + * LDAP filter metachars are escaped. + */ + filtbuf_end = filtbuf + FILTER_LENGTH - 1; + for (p = r->user, q=filtbuf + strlen(filtbuf); + *p && q < filtbuf_end; *q++ = *p++) { + if (strchr("*()\\", *p) != NULL) { + *q++ = '\\'; + if (q >= filtbuf_end) { + break; + } + } + } + *q = '\0'; + + /* + * Append the closing parens of the filter, unless doing so would + * overrun the buffer. + */ + if (q + 2 <= filtbuf_end) + strcat(filtbuf, "))"); +} + + +/* + * Authentication Phase + * -------------------- + * + * This phase authenticates the credentials the user has sent with + * the request (ie the username and password are checked). This is done + * by making an attempt to bind to the LDAP server using this user's + * DN and the supplied password. + * + */ +int mod_auth_ldap_check_user_id(request_rec *r) +{ + char filtbuf[FILTER_LENGTH]; + mod_auth_ldap_config_t *sec = + (mod_auth_ldap_config_t *)ap_get_module_config(r->per_dir_config, &auth_ldap_module); + + util_ldap_connection_t *ldc = NULL; + const char *sent_pw; + int result = 0; + const char *dn = NULL; + + mod_auth_ldap_request_t *req = + (mod_auth_ldap_request_t *)apr_pcalloc(r->pool, sizeof(mod_auth_ldap_request_t)); + ap_set_module_config(r->request_config, &auth_ldap_module, req); + + if (!sec->enabled) { + return DECLINED; + } + + /* + * Basic sanity checks before any LDAP operations even happen. + */ + if (!sec->have_ldap_url) { + return DECLINED; + } + + /* There is a good AuthLDAPURL, right? */ + if (sec->host) { + ldc = util_ldap_connection_find(r, sec->host, sec->port, + sec->binddn, sec->bindpw, sec->deref, + sec->netscapessl, sec->starttls); + } + else { + ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authenticate: no sec->host - weird...?", getpid()); + return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; + } + + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authenticate: using URL %s", getpid(), sec->url); + + /* Get the password that the client sent */ + if ((result = ap_get_basic_auth_pw(r, &sent_pw))) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authenticate: " + "ap_get_basic_auth_pw() returns %d", getpid(), result); + util_ldap_connection_close(ldc); + return result; + } + + /* build the username filter */ + mod_auth_ldap_build_filter(filtbuf, r, sec); + + /* do the user search */ + result = util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope, filtbuf, sent_pw, &dn); + util_ldap_connection_close(ldc); + + if (result != LDAP_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authenticate: " + "user %s authentication failed; URI %s [%s][%s]", + getpid(), r->user, r->uri, ldc->reason, ldap_err2string(result)); + if (LDAP_INVALID_CREDENTIALS == result) { + ap_note_basic_auth_failure(r); + return HTTP_UNAUTHORIZED; + } + else { + return sec->auth_authoritative? HTTP_UNAUTHORIZED: DECLINED; + } + } + + /* mark the user and DN */ + req->dn = apr_pstrdup(r->pool, dn); + req->user = r->user; + if (sec->user_is_dn) { + r->user = req->dn; + } + + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authenticate: accepting %s", getpid(), r->user); + + return OK; +} + + +/* + * Authorisation Phase + * ------------------- + * + * After checking whether the username and password are correct, we need + * to check whether that user is authorised to view this resource. The + * require directive is used to do this: + * + * require valid-user Any authenticated is allowed in. + * require user This particular user is allowed in. + * require group The user must be a member of this group + * in order to be allowed in. + * require dn The user must have the following DN in the + * LDAP tree to be let in. + * + */ +int mod_auth_ldap_auth_checker(request_rec *r) +{ + int result = 0; + mod_auth_ldap_request_t *req = + (mod_auth_ldap_request_t *)ap_get_module_config(r->request_config, + &auth_ldap_module); + mod_auth_ldap_config_t *sec = + (mod_auth_ldap_config_t *)ap_get_module_config(r->per_dir_config, + &auth_ldap_module); + + util_ldap_connection_t *ldc = NULL; + int m = r->method_number; + + const apr_array_header_t *reqs_arr = ap_requires(r); + require_line *reqs = reqs_arr ? (require_line *)reqs_arr->elts : NULL; + + register int x; + const char *t; + char *w; + int method_restricted = 0; + + if (!sec->enabled) { + return DECLINED; + } + + if (!sec->have_ldap_url) { + return DECLINED; + } + + if (sec->host) { + ldc = util_ldap_connection_find(r, sec->host, sec->port, + sec->binddn, sec->bindpw, sec->deref, + sec->netscapessl, sec->starttls); + } + else { + ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authorise: no sec->host - weird...?", getpid()); + return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; + } + + /* + * If there are no elements in the group attribute array, the default should be + * member and uniquemember; populate the array now. + */ + if (sec->groupattr->nelts == 0) { + struct mod_auth_ldap_groupattr_entry_t *grp; + apr_lock_acquire(sec->lock); + grp = apr_array_push(sec->groupattr); + grp->name = "member"; + grp = apr_array_push(sec->groupattr); + grp->name = "uniquemember"; + apr_lock_release(sec->lock); + } + + if (!reqs_arr) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authorise: no requirements array", getpid()); + return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; + } + + /* Loop through the requirements array until there's no elements + * left, or something causes a return from inside the loop */ + for(x=0; x < reqs_arr->nelts; x++) { + if (! (reqs[x].method_mask & (1 << m))) { + continue; + } + method_restricted = 1; + + t = reqs[x].requirement; + w = ap_getword(r->pool, &t, ' '); + + if (strcmp(w, "valid-user") == 0) { + /* + * Valid user will always be true if we authenticated with ldap, + * but when using front page, valid user should only be true if + * he exists in the frontpage password file. This hack will get + * auth_ldap to look up the user in the the pw file to really be + * sure that he's valid. Naturally, it requires mod_auth to be + * compiled in, but if mod_auth wasn't in there, then the need + * for this hack wouldn't exist anyway. + */ + if (sec->frontpage_hack) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authorise: " + "deferring authorisation to mod_auth (FP Hack)", + getpid()); + return OK; + } + else { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authorise: " + "successful authorisation because user " + "is valid-user", getpid()); + return OK; + } + } + else if (strcmp(w, "user") == 0) { + if (req->dn == NULL || strlen(req->dn) == 0) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authorise: " + "require user: user's DN has not been defined; failing authorisation", + getpid()); + return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; + } + /* + * First do a whole-line compare, in case it's something like + * require user Babs Jensen + */ + result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, t); + switch(result) { + case LDAP_COMPARE_TRUE: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authorise: " + "require user: authorisation successful", getpid()); + return OK; + } + default: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authorise: require user: " + "authorisation failed [%s][%s]", getpid(), + ldc->reason, ldap_err2string(result)); + } + } + /* + * Now break apart the line and compare each word on it + */ + while (t[0]) { + w = ap_getword_conf(r->pool, &t); + result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, w); + switch(result) { + case LDAP_COMPARE_TRUE: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authorise: " + "require user: authorisation successful", getpid()); + return OK; + } + default: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authorise: " + "require user: authorisation failed [%s][%s]", + getpid(), ldc->reason, ldap_err2string(result)); + } + } + } + } + else if (strcmp(w, "dn") == 0) { + if (req->dn == NULL || strlen(req->dn) == 0) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authorise: " + "require dn: user's DN has not been defined; failing authorisation", + getpid()); + return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; + } + + result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, t, sec->compare_dn_on_server); + switch(result) { + case LDAP_COMPARE_TRUE: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authorise: " + "require dn: authorisation successful", getpid()); + return OK; + } + default: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authorise: " + "require dn: LDAP error [%s][%s]", + getpid(), ldc->reason, ldap_err2string(result)); + } + } + } + else if (strcmp(w, "group") == 0) { + struct mod_auth_ldap_groupattr_entry_t *ent = (struct mod_auth_ldap_groupattr_entry_t *) sec->groupattr->elts; + int i; + + if (sec->group_attrib_is_dn) { + if (req->dn == NULL || strlen(req->dn) == 0) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authorise: require group: user's DN has not been defined; failing authorisation", + getpid()); + return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; + } + } + else { + if (req->user == NULL || strlen(req->user) == 0) { + /* We weren't called in the authentication phase, so we didn't have a + * chance to set the user field. Do so now. */ + req->user = r->user; + } + } + + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authorise: require group: testing for group membership in `%s'", + getpid(), t); + + for (i = 0; i < sec->groupattr->nelts; i++) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authorise: require group: testing for %s: %s (%s)", getpid(), + ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t); + + result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name, + sec->group_attrib_is_dn ? req->dn : req->user); + switch(result) { + case LDAP_COMPARE_TRUE: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authorise: require group: " + "authorisation successful (attribute %s)", + getpid(), ent[i].name); + return OK; + } + default: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authorise: require group: " + "authorisation failed [%s][%s]", + getpid(), ldc->reason, ldap_err2string(result)); + } + } + } + } + } + + if (!method_restricted) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authorise: agreeing because non-restricted", + getpid()); + return OK; + } + + if (!sec->auth_authoritative) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authorise: declining to authorise", getpid()); + return DECLINED; + } + + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authorise: authorisation denied", getpid()); + ap_note_basic_auth_failure (r); + + return HTTP_UNAUTHORIZED; +} + + +/* ---------------------------------------- */ +/* config directives */ + + +void *mod_auth_ldap_create_dir_config(apr_pool_t *p, char *d) +{ + mod_auth_ldap_config_t *sec = + (mod_auth_ldap_config_t *)apr_pcalloc(p, sizeof(mod_auth_ldap_config_t)); + + sec->pool = p; + apr_lock_create(&sec->lock, APR_MUTEX, APR_INTRAPROCESS, NULL, p); + sec->auth_authoritative = 1; + sec->enabled = 1; + sec->groupattr = apr_array_make(p, GROUPATTR_MAX_ELTS, + sizeof(struct mod_auth_ldap_groupattr_entry_t)); + + sec->have_ldap_url = 0; + sec->url = ""; + sec->host = NULL; + sec->binddn = NULL; + sec->bindpw = NULL; + sec->deref = always; + sec->group_attrib_is_dn = 1; + + sec->frontpage_hack = 0; + sec->netscapessl = 0; + sec->starttls = 0; + + sec->user_is_dn = 0; + sec->compare_dn_on_server = 0; + + return sec; +} + +/* + * Use the ldap url parsing routines to break up the ldap url into + * host and port. + */ +static const char *mod_auth_ldap_parse_url(cmd_parms *cmd, + void *config, + const char *url) +{ + int result; + LDAPURLDesc *urld; + + mod_auth_ldap_config_t *sec = config; + + ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, + cmd->server, "Trying to parse an url `%s'", + url); + + result = ldap_url_parse(url, &(urld)); + if (result != LDAP_SUCCESS) { + switch (result) { + case LDAP_URL_ERR_NOTLDAP: + return "LDAP URL does not begin with ldap://"; + case LDAP_URL_ERR_NODN: + return "LDAP URL does not have a DN"; + case LDAP_URL_ERR_BADSCOPE: + return "LDAP URL has an invalid scope"; + case LDAP_URL_ERR_MEM: + return "Out of memory parsing LDAP URL"; + default: + return "Could not parse LDAP URL"; + } + } + sec->url = apr_pstrdup(cmd->pool, url); + + ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, + cmd->server, "Url parse: Host: %s", urld->lud_host); + ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, + cmd->server, "Url parse: Port: %d", urld->lud_port); + ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, + cmd->server, "Url parse: DN: %s", urld->lud_dn); + ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, + cmd->server, "Url parse: Attrib: %s", urld->lud_attrs? urld->lud_attrs[0] : "(null)"); + ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, + cmd->server, "Url parse: Scope: %s", + (urld->lud_scope == LDAP_SCOPE_SUBTREE? "subtree" : + urld->lud_scope == LDAP_SCOPE_BASE? "base" : + urld->lud_scope == LDAP_SCOPE_ONELEVEL? "onelevel" : "unknown")); + ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, + cmd->server, "Url parse: Filter: %s", urld->lud_filter); + + /* Set all the values, or at least some sane defaults */ + if (sec->host) { + char *p = apr_palloc(cmd->pool, strlen(sec->host) + strlen(urld->lud_host) + 2); + strcpy(p, urld->lud_host); + strcat(p, " "); + strcat(p, sec->host); + sec->host = p; + } + else { + sec->host = urld->lud_host? apr_pstrdup(cmd->pool, urld->lud_host) : "localhost"; + } + sec->basedn = urld->lud_dn? apr_pstrdup(cmd->pool, urld->lud_dn) : ""; + if (urld->lud_attrs && urld->lud_attrs[0]) { + sec->attribute = apr_pstrdup(cmd->pool, urld->lud_attrs[0]); + } + else { + sec->attribute = "uid"; + } + + sec->scope = urld->lud_scope == LDAP_SCOPE_ONELEVEL ? + LDAP_SCOPE_ONELEVEL : LDAP_SCOPE_SUBTREE; + + if (urld->lud_filter) { + if (urld->lud_filter[0] == '(') { + /* + * Get rid of the surrounding parens; later on when generating the + * filter, they'll be put back. + */ + sec->filter = apr_pstrdup(cmd->pool, urld->lud_filter+1); + sec->filter[strlen(sec->filter)-1] = '\0'; + } + else { + sec->filter = apr_pstrdup(cmd->pool, urld->lud_filter); + } + } + else { + sec->filter = "objectclass=*"; + } + if (strncmp(url, "ldaps", 5) == 0) { + ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, + cmd->server, "[%d] auth_ldap parse url: requesting secure LDAP", getpid()); +#ifdef APU_HAS_LDAP_STARTTLS + sec->port = urld->lud_port? urld->lud_port : LDAPS_PORT; + sec->starttls = 1; +#else +#ifdef APU_HAS_LDAP_NETSCAPE_SSL + sec->port = urld->lud_port? urld->lud_port : LDAPS_PORT; + sec->netscapessl = 1; +#else + return "Secure LDAP (ldaps://) not supported. Rebuild APR-Util"; +#endif +#endif + } + else { + ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, + cmd->server, "[%d] auth_ldap parse url: not requesting secure LDAP", getpid()); + sec->netscapessl = 0; + sec->starttls = 0; + sec->port = urld->lud_port? urld->lud_port : LDAP_PORT; + } + + sec->have_ldap_url = 1; + ldap_free_urldesc(urld); + return NULL; +} + +static const char *mod_auth_ldap_set_deref(cmd_parms *cmd, void *config, const char *arg) +{ + mod_auth_ldap_config_t *sec = config; + + if (strcmp(arg, "never") == 0 || strcasecmp(arg, "off") == 0) { + sec->deref = never; + } + else if (strcmp(arg, "searching") == 0) { + sec->deref = searching; + } + else if (strcmp(arg, "finding") == 0) { + sec->deref = finding; + } + else if (strcmp(arg, "always") == 0 || strcasecmp(arg, "on") == 0) { + sec->deref = always; + } + else { + return "Unrecognized value for AuthLDAPAliasDereference directive"; + } + return NULL; +} + +static const char *mod_auth_ldap_add_group_attribute(cmd_parms *cmd, void *config, const char *arg) +{ + struct mod_auth_ldap_groupattr_entry_t *new; + + mod_auth_ldap_config_t *sec = config; + + if (sec->groupattr->nelts > GROUPATTR_MAX_ELTS) + return "Too many AuthLDAPGroupAttribute directives"; + + new = apr_array_push(sec->groupattr); + new->name = apr_pstrdup(cmd->pool, arg); + + return NULL; +} + +command_rec mod_auth_ldap_cmds[] = { + AP_INIT_TAKE1("AuthLDAPURL", mod_auth_ldap_parse_url, NULL, OR_AUTHCFG, + "URL to define LDAP connection. This should be an RFC 2255 complaint\n" + "URL of the form ldap://host[:port]/basedn[?attrib[?scope[?filter]]].\n" + "
    \n" + "
  • Host is the name of the LDAP server. Use a space separated list of hosts \n" + "to specify redundant servers.\n" + "
  • Port is optional, and specifies the port to connect to.\n" + "
  • basedn specifies the base DN to start searches from\n" + "
  • Attrib specifies what attribute to search for in the directory. If not " + "provided, it defaults to uid.\n" + "
  • Scope is the scope of the search, and can be either sub or " + "one. If not provided, the default is sub.\n" + "
  • Filter is a filter to use in the search. If not provided, " + "defaults to (objectClass=*).\n" + "
\n" + "Searches are performed using the attribute and the filter combined. " + "For example, assume that the\n" + "LDAP URL is ldap://ldap.airius.com/ou=People, o=Airius?uid?sub?(posixid=*). " + "Searches will\n" + "be done using the filter (&((posixid=*))(uid=username)), " + "where username\n" + "is the user name passed by the HTTP client. The search will be a subtree " + "search on the branch ou=People, o=Airius."), + + AP_INIT_TAKE1("AuthLDAPBindDN", ap_set_string_slot, + (void *)XtOffsetOf(mod_auth_ldap_config_t, binddn), OR_AUTHCFG, + "DN to use to bind to LDAP server. If not provided, will do an anonymous bind."), + + AP_INIT_TAKE1("AuthLDAPBindPassword", ap_set_string_slot, + (void *)XtOffsetOf(mod_auth_ldap_config_t, bindpw), OR_AUTHCFG, + "Password to use to bind to LDAP server. If not provided, will do an anonymous bind."), + + AP_INIT_FLAG("AuthLDAPRemoteUserIsDN", ap_set_flag_slot, + (void *)XtOffsetOf(mod_auth_ldap_config_t, user_is_dn), OR_AUTHCFG, + "Set to 'on' to set the REMOTE_USER environment variable to be the full " + "DN of the remote user. By default, this is set to off, meaning that " + "the REMOTE_USER variable will contain whatever value the remote user sent."), + + AP_INIT_FLAG("AuthLDAPAuthoritative", ap_set_flag_slot, + (void *)XtOffsetOf(mod_auth_ldap_config_t, auth_authoritative), OR_AUTHCFG, + "Set to 'off' to allow access control to be passed along to lower modules if " + "the UserID and/or group is not known to this module"), + + AP_INIT_FLAG("AuthLDAPCompareDNOnServer", ap_set_flag_slot, + (void *)XtOffsetOf(mod_auth_ldap_config_t, compare_dn_on_server), OR_AUTHCFG, + "Set to 'on' to force auth_ldap to do DN compares (for the \"require dn\" " + "directive) using the server, and set it 'off' to do the compares locally " + "(at the expense of possible false matches). See the documentation for " + "a complete description of this option."), + + AP_INIT_ITERATE("AuthLDAPGroupAttribute", mod_auth_ldap_add_group_attribute, NULL, OR_AUTHCFG, + "A list of attributes used to define group membership - defaults to " + "member and uniquemember"), + + AP_INIT_FLAG("AuthLDAPGroupAttributeIsDN", ap_set_flag_slot, + (void *)XtOffsetOf(mod_auth_ldap_config_t, group_attrib_is_dn), OR_AUTHCFG, + "If set to 'on', auth_ldap uses the DN that is retrieved from the server for" + "subsequent group comparisons. If set to 'off', auth_ldap uses the string" + "provided by the client directly. Defaults to 'on'."), + + AP_INIT_TAKE1("AuthLDAPDereferenceAliases", mod_auth_ldap_set_deref, NULL, OR_AUTHCFG, + "Determines how aliases are handled during a search. Can bo one of the" + "values \"never\", \"searching\", \"finding\", or \"always\". " + "Defaults to always."), + + AP_INIT_FLAG("AuthLDAPEnabled", ap_set_flag_slot, + (void *)XtOffsetOf(mod_auth_ldap_config_t, enabled), OR_AUTHCFG, + "Set to off to disable auth_ldap, even if it's been enabled in a higher tree"), + + AP_INIT_FLAG("AuthLDAPFrontPageHack", ap_set_flag_slot, + (void *)XtOffsetOf(mod_auth_ldap_config_t, frontpage_hack), OR_AUTHCFG, + "Set to 'on' to support Microsoft FrontPage"), + +#ifdef APU_HAS_LDAP_STARTTLS + AP_INIT_FLAG("AuthLDAPStartTLS", ap_set_flag_slot, + (void *)XtOffsetOf(mod_auth_ldap_config_t, starttls), OR_AUTHCFG, + "Set to 'on' to start TLS after connecting to the LDAP server."), +#endif /* APU_HAS_LDAP_STARTTLS */ + + {NULL} +}; + +static void mod_auth_ldap_register_hooks(apr_pool_t *p) +{ + ap_hook_check_user_id(mod_auth_ldap_check_user_id, NULL, NULL, APR_HOOK_MIDDLE); + ap_hook_auth_checker(mod_auth_ldap_auth_checker, NULL, NULL, APR_HOOK_MIDDLE); +} + +module auth_ldap_module = { + STANDARD20_MODULE_STUFF, + mod_auth_ldap_create_dir_config, /* dir config creater */ + NULL, /* dir merger --- default is to override */ + NULL, /* server config */ + NULL, /* merge server config */ + mod_auth_ldap_cmds, /* command table */ + mod_auth_ldap_register_hooks, /* set up request processing hooks */ +};