From 502d1cc8ec24beae08e6970692128d6617b5b9e4 Mon Sep 17 00:00:00 2001
From: Bradley Nicholes <bnicholes@apache.org>
Date: Wed, 3 Nov 2004 22:05:25 +0000
Subject: [PATCH] Added the directive "Requires ldap-attribute" that allows the
 module to only authorize a user if the attribute value specified matches the
 value of the user object. PR 31913

Submitted by: Ryan Morgan <rmorgan pobox.com>
Reviewd by: Brad Nicholes


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@105675 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES                             |  5 ++++
 docs/manual/mod/mod_authnz_ldap.xml | 43 ++++++++++++++++++++++++++---
 modules/aaa/mod_authnz_ldap.c       | 30 +++++++++++++++++++-
 3 files changed, 73 insertions(+), 5 deletions(-)

diff --git a/CHANGES b/CHANGES
index 70ea3736e8..7833c01a60 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,11 @@ Changes with Apache 2.1.0-dev
 
   [Remove entries to the current 2.0 section below, when backported]
 
+  *) mod_authnz_ldap: Added the directive "Requires ldap-attribute" that
+     allows the module to only authorize a user if the attribute value
+     specified matches the value of the user object. PR 31913
+     [Ryan Morgan <rmorgan pobox.com>]
+     
   *) Allow mod_authnz_ldap authorization functionality to be used 
      without requiring the user to also be authenticated through 
      mod_authnz_ldap. This allows other authentication modules to 
diff --git a/docs/manual/mod/mod_authnz_ldap.xml b/docs/manual/mod/mod_authnz_ldap.xml
index 880e4e12c1..474552ee1a 100644
--- a/docs/manual/mod/mod_authnz_ldap.xml
+++ b/docs/manual/mod/mod_authnz_ldap.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0"?>
 <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
 <?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
-<!-- $Revision: 1.2 $ -->
+<!-- $Revision: 1.3 $ -->
 
 <!--
  Copyright 2002-2004 The Apache Software Foundation
@@ -87,6 +87,7 @@ for HTTP Basic authentication.</description>
           <li><a href="#requser">require ldap-user</a></li>
           <li><a href="#reqgroup">require ldap-group</a></li>
           <li><a href="#reqdn">require ldap-dn</a></li>
+          <li><a href="#reqattribute">require ldap-attribute</a></li>
         </ul>
       </li>
 
@@ -210,6 +211,11 @@ for HTTP Basic authentication.</description>
       the DN fetched from the LDAP directory (or the username
       passed by the client) occurs in the LDAP group.</li>
 
+      <li>Grant access if there is a <a href="#reqattribute">
+      <code>require ldap-attribute</code></a> 
+      directive, and the attribute fetched from the LDAP directory
+      matches the given value.</li> 
+
       <li>otherwise, deny or decline access</li>
     </ul>
 
@@ -278,9 +284,10 @@ for HTTP Basic authentication.</description>
     <p>Apache's <directive module="core">Require</directive>
     directives are used during the authorization phase to ensure that
     a user is allowed to access a resource.  mod_authnz_ldap extends the 
-    authorization types with <code>ldap-user</code>, <code>ldap-dn</code> 
-    and <code>ldap-group</code>.  Other authorization types may also be 
-    used but may require that additional authorization modules be loaded.</p>
+    authorization types with <code>ldap-user</code>, <code>ldap-dn</code>, 
+    <code>ldap-group</code> and <code>ldap-attribute</code>.  Other 
+    authorization types may also be used but may require that additional 
+    authorization modules be loaded.</p>
 
 <section id="reqvaliduser"><title>require valid-user</title>
 
@@ -371,6 +378,34 @@ uniqueMember: cn=Fred User, o=Airius<br />
     module="mod_authnz_ldap">AuthLDAPCompareDNOnServer</directive>
     directive.</p>
 </section>
+
+<section id="reqattribute"><title>require ldap-attribute</title>
+
+    <p>The <code>require ldap-attribute</code> directive allows the
+    administrator to grant access based on attributes of the authenticated
+    user in the LDAP directory.  If the attribute in the directory
+    matches the value given in the configuration, access is granted.</p>
+    
+    <p>The following directive would grant access to anyone with
+    the attribute employeeType = active</p>
+
+    <example>require ldap-attribute employeeType=active</example>
+
+    <p>Multiple attribute/value pairs can be specified on the same line
+    separated by spaces or they can be specified in multiple 
+    <code>require ldap-attribute</code> directives. The effect of listing 
+    multiple attribute/values pairs is an OR operation. Access will be 
+    granted if any of the listed attribute values match the value of the 
+    corresponding attribute in the user object. If the value of the 
+    attribute contains a space, only the value must be within double quotes.</p>
+
+    <p>The following directive would grant access to anyone with
+    the city attribute equal to "San Jose" or status equal to "Active"</p>
+
+    <example>require ldap-attribute city="San Jose" status=active</example>
+
+</section>
+
 </section>
 
 <section id="examples"><title>Examples</title>
diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index df80a724b8..88d95f3857 100644
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -466,7 +466,7 @@ static int authz_ldap_check_user_access(request_rec *r)
 
     register int x;
     const char *t;
-    char *w;
+    char *w, *value;
     int method_restricted = 0;
 
     char filtbuf[FILTER_LENGTH];
@@ -694,6 +694,34 @@ static int authz_ldap_check_user_access(request_rec *r)
                 }
             }
         }
+        else if (strcmp(w, "ldap-attribute") == 0) {
+            while (t[0]) {
+                w = ap_getword(r->pool, &t, '=');
+                value = ap_getword_conf(r->pool, &t);
+
+                ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
+                              "[%d] auth_ldap authorise: checking attribute"
+                              " %s has value %s", getpid(), w, value);
+                result = util_ldap_cache_compare(r, ldc, sec->url, req->dn,
+                                                 w, value);
+                switch(result) {
+                    case LDAP_COMPARE_TRUE: {
+                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 
+                                      0, r, "[%d] auth_ldap authorise: "
+                                      "require attribute: authorisation "
+                                      "successful", getpid());
+                        return OK;
+                    }
+                    default: {
+                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 
+                                      0, r, "[%d] auth_ldap authorise: "
+                                      "require attribute: authorisation "
+                                      "failed [%s][%s]", getpid(), 
+                                      ldc->reason, ldap_err2string(result));
+                    }
+                }
+            }
+        }
     }
 
     if (!method_restricted) {
-- 
2.40.0