From: Graham Leggett Date: Sat, 18 Aug 2001 16:52:02 +0000 (+0000) Subject: Oops - left off the apr_ldap.h file in the commit. X-Git-Tag: 2.0.25~301 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=def0eda4a299142f0c4a8f0134f2fd6121ca3d52;p=apache Oops - left off the apr_ldap.h file in the commit. PR: Obtained from: Submitted by: Reviewed by: git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90323 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/include/util_ldap.h b/include/util_ldap.h new file mode 100644 index 0000000000..10dc2eabe5 --- /dev/null +++ b/include/util_ldap.h @@ -0,0 +1,275 @@ +/* ==================================================================== + * The Apache Software License, Version 1.1 + * + * Copyright (c) 2000-2001 The Apache Software Foundation. All rights + * reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. The end-user documentation included with the redistribution, + * if any, must include the following acknowledgment: + * "This product includes software developed by the + * Apache Software Foundation (http://www.apache.org/)." + * Alternately, this acknowledgment may appear in the software itself, + * if and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Apache" and "Apache Software Foundation" must + * not be used to endorse or promote products derived from this + * software without prior written permission. For written + * permission, please contact apache@apache.org. + * + * 5. Products derived from this software may not be called "Apache", + * nor may "Apache" appear in their name, without prior written + * permission of the Apache Software Foundation. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF + * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * ==================================================================== + * + * This software consists of voluntary contributions made by many + * individuals on behalf of the Apache Software Foundation. For more + * information on the Apache Software Foundation, please see + * . + */ + +#ifndef UTIL_LDAP_H +#define UTIL_LDAP_H + +#include + +/* this whole thing disappears if LDAP is not enabled */ +#ifdef APU_HAS_LDAP + +/* APR header files */ +#include +#include +#include + +/* Apache header files */ +#include "ap_config.h" +#include "httpd.h" +#include "http_config.h" +#include "http_core.h" +#include "http_log.h" +#include "http_protocol.h" +#include "http_request.h" + + +/* + * LDAP Connections + */ + +/* Values that the deref member can have */ +typedef enum { + never=LDAP_DEREF_NEVER, + searching=LDAP_DEREF_SEARCHING, + finding=LDAP_DEREF_FINDING, + always=LDAP_DEREF_ALWAYS +} deref_options; + +/* Structure representing an LDAP connection */ +typedef struct util_ldap_connection_t { + LDAP *ldap; + apr_lock_t *lock; /* Lock to indicate this connection is in use */ + int bound; /* Flag to indicate whether this connection is bound yet */ + + const char *host; /* Name of the LDAP server (or space separated list) */ + int port; /* Port of the LDAP server */ + deref_options deref; /* how to handle alias dereferening */ + + const char *binddn; /* DN to bind to server (can be NULL) */ + const char *bindpw; /* Password to bind to server (can be NULL) */ + + int netscapessl; /* True if use Netscape SSL connection */ + const char *certtdb; /* Path to Netscape CA database */ + + int starttls; /* True if StartTLS is enabled */ + int withtls; /* True if StartTLS on this connection */ + + const char *reason; /* Reason for an error failure */ + + struct util_ldap_connection_t *next; +} util_ldap_connection_t; + +/* LDAP cache state information */ +typedef struct util_ldap_state_t { + apr_pool_t *pool; /* pool from which this state is allocated */ + apr_lock_t *mutex; /* mutex lock for the connection list */ + + apr_size_t cache_bytes; /* Size (in bytes) of shared memory cache */ + long search_cache_ttl; /* TTL for search cache */ + long search_cache_size; /* Size (in entries) of search cache */ + long compare_cache_ttl; /* TTL for compare cache */ + long compare_cache_size; /* Size (in entries) of compare cache */ + + struct util_ldap_connection_t *connections; +#ifdef APU_HAS_LDAP_NETSCAPE_SSL + int have_certdb; +#endif +} util_ldap_state_t; + + +/** + * Open a connection to an LDAP server + * @param ldc A structure containing the expanded details of the server + * to connect to. The handle to the LDAP connection is returned + * as ldc->ldap. + * @tip This function connects to the LDAP server and binds. It does not + * connect if already connected (ldc->ldap != NULL). Does not bind + * if already bound. + * @return If successful LDAP_SUCCESS is returned. + * @deffunc int util_ldap_connection_open(util_ldap_connection_t *ldc) + */ +int util_ldap_connection_open(util_ldap_connection_t *ldc); + +/** + * Close a connection to an LDAP server + * @param ldc A structure containing the expanded details of the server + that was connected. + * @tip This function unbinds from the LDAP server, and clears ldc->ldap. + * It is possible to rebind to this server again using the same ldc + * structure, using apr_ldap_open_connection(). + * @deffunc util_ldap_close_connection(util_ldap_connection_t *ldc) + */ +void util_ldap_connection_close(util_ldap_connection_t *ldc); + +/** + * Find a connection in a list of connections + * @param r The request record + * @param host The hostname to connect to (multiple hosts space separated) + * @param port The port to connect to + * @param binddn The DN to bind with + * @param bindpw The password to bind with + * @param deref The dereferencing behavior + * @param netscapessl Start SSL on the connection using ldapssl_client_init() [0|1] + * @param starttls Start TLS using STARTTLS parameter [0|1] + * @tip Once a connection is found and returned, a lock will be acquired to + * lock that particular connection, so that another thread does not try and + * use this connection while it is busy. Once you are finished with a connection, + * apr_ldap_connection_close() must be called to release this connection. + * @deffunc util_ldap_connection_t *util_ldap_connection_find(request_rec *r, const char *host, int port, + * const char *binddn, const char *bindpw, deref_options deref, + * int netscapessl, int starttls) + */ +util_ldap_connection_t *util_ldap_connection_find(request_rec *r, const char *host, int port, + const char *binddn, const char *bindpw, deref_options deref, + int netscapessl, int starttls); + + +/** + * Compare two DNs for sameness + * @param r The request record + * @param ldc The LDAP connection being used. + * @param url The URL of the LDAP connection - used for deciding which cache to use. + * @param dn The first DN to compare. + * @param reqdn The DN to compare the first DN to. + * @param compare_dn_on_server Flag to determine whether the DNs should be checked using + * LDAP calls or with a direct string comparision. A direct + * string comparison is faster, but not as accurate - false + * negative comparisons are possible. + * @tip Two DNs can be equal and still fail a string comparison. Eg "dc=example,dc=com" + * and "dc=example, dc=com". Use the compare_dn_on_server unless there are serious + * performance issues. + * @deffunc int util_ldap_cache_comparedn(request_rec *r, util_ldap_connection_t *ldc, + * const char *url, const char *dn, const char *reqdn, + * int compare_dn_on_server) + */ +int util_ldap_cache_comparedn(request_rec *r, util_ldap_connection_t *ldc, + const char *url, const char *dn, const char *reqdn, + int compare_dn_on_server); + +/** + * A generic LDAP compare function + * @param r The request record + * @param ldc The LDAP connection being used. + * @param url The URL of the LDAP connection - used for deciding which cache to use. + * @param dn The DN of the object in which we do the compare. + * @param attrib The attribute within the object we are comparing for. + * @param value The value of the attribute we are trying to compare for. + * @tip Use this function to determine whether an attribute/value pair exists within an + * object. Typically this would be used to determine LDAP group membership. + * @deffunc int util_ldap_cache_compare(request_rec *r, util_ldap_connection_t *ldc, + * const char *url, const char *dn, const char *attrib, const char *value) + */ +int util_ldap_cache_compare(request_rec *r, util_ldap_connection_t *ldc, + const char *url, const char *dn, const char *attrib, const char *value); + +/** + * Checks a username/password combination by binding to the LDAP server + * @param r The request record + * @param ldc The LDAP connection being used. + * @param url The URL of the LDAP connection - used for deciding which cache to use. + * @param basedn The Base DN to search for the user in. + * @param scope LDAP scope of the search. + * @param filter The user to search for in the form of an LDAP filter. This filter must return + * exactly one user for the check to be successful. + * @param bindpw The user password to bind as. + * @param binddn The DN of the user will be returned in this variable. + * @tip The filter supplied will be searched for. If a single entry is returned, an attempt + * is made to bind as that user. If this bind succeeds, the user is not validated. + * @deffunc int util_ldap_cache_checkuserid(request_rec *r, util_ldap_connection_t *ldc, + * char *url, const char *basedn, int scope, + * char *filter, char *bindpw, char **binddn) + */ +int util_ldap_cache_checkuserid(request_rec *r, util_ldap_connection_t *ldc, + const char *url, const char *basedn, int scope, + const char *filter, const char *bindpw, const char **binddn); + +/* from apr_ldap_cache.c */ + +/** + * Init the LDAP cache + * @param pool The pool to use to initialise the cache + * @param reqsize The size of the shared memory segement to request. A size + * of zero requests the max size possible from + * apr_shmem_init() + * @deffunc void util_ldap_cache_init(apr_pool_t *p) + * @return The status code returned is the status code of the + * apr_smmem_init() call. Regardless of the status, the cache + * will be set up at least for in-process or in-thread operation. + */ +apr_status_t util_ldap_cache_init(apr_pool_t *pool, apr_size_t reqsize); + +/** + * Display formatted stats for cache + * @param The pool to allocate the returned string from + * @tip This function returns a string allocated from the provided pool that describes + * various stats about the cache. + * @deffunc char *util_ald_cache_display(apr_pool_t *pool) + */ +char *util_ald_cache_display(apr_pool_t *pool); + + +/* from apr_ldap_cache_mgr.c */ + +/** + * Display formatted stats for cache + * @param The pool to allocate the returned string from + * @tip This function returns a string allocated from the provided pool that describes + * various stats about the cache. + * @deffunc char *util_ald_cache_display(apr_pool_t *pool) + */ +char *util_ald_cache_display(apr_pool_t *pool); + +#endif /* APU_HAS_LDAP */ +#endif /* UTIL_LDAP_H */ diff --git a/modules/aaa/config.m4 b/modules/aaa/config.m4 index a207aa6033..2126f4110e 100644 --- a/modules/aaa/config.m4 +++ b/modules/aaa/config.m4 @@ -20,6 +20,8 @@ APACHE_MODULE(auth_digest, RFC2617 Digest authentication, , , most, [ enable_auth_digest=no) ]) +APACHE_MODULE(auth_ldap, LDAP based authentication, , , no) + APR_ADDTO(LT_LDFLAGS,-export-dynamic) APACHE_MODPATH_FINISH