From: Eric Covener <covener@apache.org>
Date: Sat, 29 May 2010 20:19:10 +0000 (+0000)
Subject: mod_authnz_ldap: Allow the initial DN lookup to bind with a
X-Git-Tag: 2.3.6~84
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d15983f1d14b675226bbd8bca61c5db24314ebf0;p=apache

mod_authnz_ldap: Allow the initial DN lookup to bind with a
transformation of the basic auth username.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@949436 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index ca7bc90031..a468fa732e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -28,6 +28,11 @@ Changes with Apache 2.3.7
      processing is completed, avoiding orphaned callback pointers.
      [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]
 
+  *) mod_authnz_ldap: Allow the initial DN search during authentication
+     to use the HTTP username/pass instead of an anonymous or hard-coded
+     LDAP id (AuthLDAPInitialBindAsUser, AuthLDAPInitialBindPattern).  
+     [Eric Covener]
+
   *) mod_authnz_ldap: Publish requested LDAP data with an AUTHORIZE_ prefix
      when this module is used for authorization. See AuthLDAPAuthorizePrefix.
      PR 45584 [Eric Covener]
diff --git a/docs/manual/mod/mod_authnz_ldap.html.en b/docs/manual/mod/mod_authnz_ldap.html.en
index 0a0f4df0a4..e4d8fe88bc 100644
--- a/docs/manual/mod/mod_authnz_ldap.html.en
+++ b/docs/manual/mod/mod_authnz_ldap.html.en
@@ -68,6 +68,8 @@ for HTTP Basic authentication.</td></tr>
 <li><img alt="" src="../images/down.gif" /> <a href="#authldapdereferencealiases">AuthLDAPDereferenceAliases</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#authldapgroupattribute">AuthLDAPGroupAttribute</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#authldapgroupattributeisdn">AuthLDAPGroupAttributeIsDN</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#authldapinitialbindasuser">AuthLDAPInitialBindAsUser</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#authldapinitialbindpattern">AuthLDAPInitialBindPattern</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#authldapmaxsubgroupdepth">AuthLDAPMaxSubGroupDepth</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#authldapremoteuserattribute">AuthLDAPRemoteUserAttribute</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#authldapremoteuserisdn">AuthLDAPRemoteUserIsDN</a></li>
@@ -950,6 +952,79 @@ group membership</td></tr>
     directive is not set, then <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> will
     check if the group has <code>bjenson</code> as a member.</p>
 
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="AuthLDAPInitialBindAsUser" id="AuthLDAPInitialBindAsUser">AuthLDAPInitialBindAsUser</a> <a name="authldapinitialbindasuser" id="authldapinitialbindasuser">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Determines if the server does the initial DN lookup using the basic authentication users'
+own username, instead of anonymously or with hard-coded credentials for the server</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthLDAPInitialBindAsUser <em>off|on</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthLDAPInitialBindAsUser off</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
+<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_ldap</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in version 2.3.7 and later</td></tr>
+</table>
+    <p>By default, the server either anonymously, or with a dedicated user and
+     password, converts the basic authentication username into an LDAP
+     distinguished name (DN).  This directive forces the server to use the verbatim username
+     and password provided by the incoming user to perform the initial DN
+     search.</p>
+ 
+     <p> If the verbatim username can't directly bind, but needs some
+     cosmetic transformation, see <code class="directive"><a href="#&#10;     authldapinitialbindpattern">
+     AuthLDAPInitialBindPattern</a></code>.</p>
+
+     <div class="note"><h3>Not available with authorization-only</h3>
+         This directive can only be used if this module authenticates the user, and
+         has no effect when this module is used exclusively for authorization.
+     </div>
+
+<h3>See also</h3>
+<ul>
+<li><code class="directive"><a href="../mod/mod_authnnz_ldap.html#authldapinitialbindpattern">AuthLDAPInitialBindPattern</a></code></li>
+<li><code class="directive"><a href="../mod/mod_authnnz_ldap.html#authldapbinddn">AuthLDAPBindDN</a></code></li>
+</ul>
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="AuthLDAPInitialBindPattern" id="AuthLDAPInitialBindPattern">AuthLDAPInitialBindPattern</a> <a name="authldapinitialbindpattern" id="authldapinitialbindpattern">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Specifies the transformation of the basic authentication username to be used when binding to the LDAP server
+to perform a DN lookup</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthLDAPInitialBindPattern<em><var>regex</var> <var>substitution</var></em></code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthLDAPInitialBindPattern (.*) $1 (remote username used verbatim)</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
+<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_ldap</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in version 2.3.7 and later</td></tr>
+</table>
+    <p>If <code class="directive"><a href="#authldapinitialbindasuser">AuthLDAPInitialBindAsUser</a></code> is set to
+       <em>ON</em>, the basic authentication username will be transformed according to the
+       regular expression and substituion arguments.</p>
+
+    <p> The regular expression argument is compared against the current basic authentication username.
+        The substitution argument may contain backreferences, but has no other variable interpolation.</p>
+     
+    <div class="example"><p><code> AuthLDAPInitialBindPattern (.+) $1@example.com </code></p></div>
+    <div class="example"><p><code> AuthLDAPInitialBindPattern (.+) cn=$1,dc=example,dc=com</code></p></div>
+
+    <div class="note"><h3>Not available with authorization-only</h3>
+        This directive can only be used if this module authenticates the user, and
+        has no effect when this module is used exclusively for authorization.
+    </div>
+    <div class="note"><h3>debugging</h3>
+        The substituted DN is recorded in the environment variable 
+        <em>LDAP_BINDASUSER</em>.  If the regular expression does not match the input, 
+        the verbatim username is used.
+    </div>
+
+<h3>See also</h3>
+<ul>
+<li><code class="directive"><a href="../mod/mod_authnnz_ldap.html#authldapinitialbindasuser">AuthLDAPInitialBindAsUser</a></code></li>
+<li><code class="directive"><a href="../mod/mod_authnnz_ldap.html#authldapbinddn">AuthLDAPBindDN</a></code></li>
+</ul>
 </div>
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 <div class="directive-section"><h2><a name="AuthLDAPMaxSubGroupDepth" id="AuthLDAPMaxSubGroupDepth">AuthLDAPMaxSubGroupDepth</a> <a name="authldapmaxsubgroupdepth" id="authldapmaxsubgroupdepth">Directive</a></h2>
diff --git a/docs/manual/mod/mod_authnz_ldap.xml b/docs/manual/mod/mod_authnz_ldap.xml
index 7b931bced7..430cbb2367 100644
--- a/docs/manual/mod/mod_authnz_ldap.xml
+++ b/docs/manual/mod/mod_authnz_ldap.xml
@@ -804,6 +804,71 @@ authorization</description>
 <seealso><directive module="mod_auth_basic">AuthBasicProvider</directive></seealso>
 </directivesynopsis>
 
+<directivesynopsis>
+<name>AuthLDAPInitialBindAsUser</name>
+<description>Determines if the server does the initial DN lookup using the basic authentication users'
+own username, instead of anonymously or with hard-coded credentials for the server</description>
+<syntax>AuthLDAPInitialBindAsUser <em>off|on</em></syntax>
+<default>AuthLDAPInitialBindAsUser off</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<compatibility>Available in version 2.3.7 and later</compatibility>
+<override>AuthConfig</override>
+<usage>
+    <p>By default, the server either anonymously, or with a dedicated user and
+     password, converts the basic authentication username into an LDAP
+     distinguished name (DN).  This directive forces the server to use the verbatim username
+     and password provided by the incoming user to perform the initial DN
+     search.</p>
+ 
+     <p> If the verbatim username can't directly bind, but needs some
+     cosmetic transformation, see <directive module="mod_authnz_ldap">
+     AuthLDAPInitialBindPattern</directive>.</p>
+
+     <note><title>Not available with authorization-only</title>
+         This directive can only be used if this module authenticates the user, and
+         has no effect when this module is used exclusively for authorization.
+     </note>
+</usage>
+<seealso><directive module="mod_authnnz_ldap">AuthLDAPInitialBindPattern</directive></seealso>
+<seealso><directive module="mod_authnnz_ldap">AuthLDAPBindDN</directive></seealso>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>AuthLDAPInitialBindPattern</name>
+<description>Specifies the transformation of the basic authentication username to be used when binding to the LDAP server
+to perform a DN lookup</description>
+<syntax>AuthLDAPInitialBindPattern<em><var>regex</var> <var>substitution</var></em></syntax>
+<default>AuthLDAPInitialBindPattern (.*) $1 (remote username used verbatim)</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<compatibility>Available in version 2.3.7 and later</compatibility>
+<override>AuthConfig</override>
+<usage>
+    <p>If <directive module="mod_authnz_ldap">AuthLDAPInitialBindAsUser</directive> is set to
+       <em>ON</em>, the basic authentication username will be transformed according to the
+       regular expression and substituion arguments.</p>
+
+    <p> The regular expression argument is compared against the current basic authentication username.
+        The substitution argument may contain backreferences, but has no other variable interpolation.</p>
+     
+    <example> AuthLDAPInitialBindPattern (.+) $1@example.com </example>
+    <example> AuthLDAPInitialBindPattern (.+) cn=$1,dc=example,dc=com</example>
+
+    <note><title>Not available with authorization-only</title>
+        This directive can only be used if this module authenticates the user, and
+        has no effect when this module is used exclusively for authorization.
+    </note>
+    <note><title>debugging</title>
+        The substituted DN is recorded in the environment variable 
+        <em>LDAP_BINDASUSER</em>.  If the regular expression does not match the input, 
+        the verbatim username is used.
+    </note>
+</usage>
+<seealso><directive module="mod_authnnz_ldap">AuthLDAPInitialBindAsUser</directive></seealso>
+<seealso><directive module="mod_authnnz_ldap">AuthLDAPBindDN</directive></seealso>
+</directivesynopsis>
+
 <directivesynopsis>
 <name>AuthLDAPBindDN</name>
 <description>Optional DN to use in binding to the LDAP server</description>
diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index 2678850a31..5409f81bea 100644
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -80,6 +80,9 @@ typedef struct {
 
     int secure;                     /* True if SSL connections are requested */
     char *authz_prefix;             /* Prefix for environment variables added during authz */
+    int initial_bind_as_user;               /* true if we should try to bind (to lookup DN) directly with the basic auth username */
+    ap_regex_t *bind_regex;         /* basic auth -> bind'able username regex */
+    const char *bind_subst;         /* basic auth -> bind'able username substitution */
 } authn_ldap_config_t;
 
 typedef struct {
@@ -386,6 +389,28 @@ static int set_request_vars(request_rec *r, enum auth_ldap_phase phase) {
     return remote_user_attribute_set;
 }
 
+static const char *ldap_determine_binddn(request_rec *r, const char *user) {
+    authn_ldap_config_t *sec =
+        (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
+    const char *result = user;
+    ap_regmatch_t regm[AP_MAX_REG_MATCH];
+
+    if (NULL == user || NULL == sec || !sec->bind_regex || !sec->bind_subst) {
+        return result;
+    }
+
+    if (!ap_regexec(sec->bind_regex, user, AP_MAX_REG_MATCH, regm, 0)) {
+        char *substituted = ap_pregsub(r->pool, sec->bind_subst, user, AP_MAX_REG_MATCH, regm);
+        if (NULL != substituted) {
+            result = substituted;
+        }
+    }
+
+    apr_table_set(r->subprocess_env, "LDAP_BINDASUSER", result);
+
+    return result;
+}
+
 /*
  * Authentication Phase
  * --------------------
@@ -431,9 +456,16 @@ start_over:
 
     /* There is a good AuthLDAPURL, right? */
     if (sec->host) {
+        const char *binddn = sec->binddn;
+        const char *bindpw = sec->bindpw;
+        if (sec->initial_bind_as_user) {
+            bindpw = password;
+            binddn = ldap_determine_binddn(r, user);
+        }
+
         ldc = util_ldap_connection_find(r, sec->host, sec->port,
-                                       sec->binddn, sec->bindpw, sec->deref,
-                                       sec->secure);
+                                       binddn, bindpw,
+                                       sec->deref, sec->secure);
     }
     else {
         ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
@@ -1456,6 +1488,24 @@ static const char *set_charset_config(cmd_parms *cmd, void *config, const char *
     return NULL;
 }
 
+static const char *set_bind_pattern(cmd_parms *cmd, void *_cfg, const char *exp, const char *subst)
+{
+    authn_ldap_config_t *sec = _cfg;
+    ap_regex_t *regexp;
+
+    regexp = ap_pregcomp(cmd->pool, exp, AP_REG_EXTENDED);
+
+    if (!regexp) {
+        return apr_pstrcat(cmd->pool, "AuthLDAPInitialBindPattern: cannot compile regular "
+                                      "expression '", exp, "'", NULL);
+    }
+
+    sec->bind_regex = regexp;
+    sec->bind_subst = apr_pstrdup(cmd->pool, subst);
+
+    return NULL;
+}
+
 static const command_rec authnz_ldap_cmds[] =
 {
     AP_INIT_TAKE12("AuthLDAPURL", mod_auth_ldap_parse_url, NULL, OR_AUTHCFG,
@@ -1547,6 +1597,15 @@ static const command_rec authnz_ldap_cmds[] =
                   (void *)APR_OFFSETOF(authn_ldap_config_t, authz_prefix), OR_AUTHCFG,
                   "The prefix to add to environment variables set during "
                   "successful authorization, default '" AUTHZ_PREFIX "'"),
+
+    AP_INIT_FLAG("AuthLDAPInitialBindAsUser", ap_set_flag_slot,
+                 (void *)APR_OFFSETOF(authn_ldap_config_t, initial_bind_as_user), OR_AUTHCFG,
+                 "Set to 'on' to perform the initial DN lookup with the basic auth credentials "
+                 "instead of anonymous or hard-coded credentials"),
+
+     AP_INIT_TAKE2("AuthLDAPInitialBindPattern", set_bind_pattern, NULL, OR_AUTHCFG,
+                   "The regex and substitution to determine a username that can bind based on an HTTP basic auth username"),
+
     {NULL}
 };