From b29716025411d91c0554fa24bf55e5434aac32c9 Mon Sep 17 00:00:00 2001
From: Jim Jagielski
Date: Sun, 5 Jan 2014 16:09:07 +0000
Subject: [PATCH] Merge r1554161 from trunk:
mod_authnz_ldap: Support the expression parser within the require
directives.
Submitted by: minfrin
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1555539 13f79535-47bb-0310-9956-ffa450edef68
---
CHANGES | 3 +
STATUS | 5 --
docs/manual/expr.xml | 5 ++
docs/manual/mod/mod_authnz_ldap.xml | 13 ++++
modules/aaa/mod_authnz_ldap.c | 103 +++++++++++++++++++++++++---
5 files changed, 113 insertions(+), 16 deletions(-)
diff --git a/CHANGES b/CHANGES
index 0427552081..17a0638a21 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@
Changes with Apache 2.4.8
+ *) mod_authnz_ldap: Support the expression parser within the require
+ directives. [Graham Leggett]
+
* mod_proxy_http: Core dumped under high load. PR 50335
[Jan Kaluza ]
diff --git a/STATUS b/STATUS
index 47858dff19..07331bc629 100644
--- a/STATUS
+++ b/STATUS
@@ -98,11 +98,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_authnz_ldap: Support the expression parser within the require directives.
- trunk patch: http://svn.apache.org/r1554161
- 2.4.x patch: trunk works (modulo CHANGES and log-message-tags)
- +1: minfrin, jim, covener
-
* mod_authz_dbd: Support the expression parser within the require directives.
trunk patch: http://svn.apache.org/r1554168
http://svn.apache.org/r1554176
diff --git a/docs/manual/expr.xml b/docs/manual/expr.xml
index 50eb436fce..2674f8d646 100644
--- a/docs/manual/expr.xml
+++ b/docs/manual/expr.xml
@@ -51,6 +51,11 @@
RequestHeader
FilterProvider
Require expr
+Require ldap-user
+Require ldap-group
+Require ldap-dn
+Require ldap-attribute
+Require ldap-filter
SSLRequire
LogMessage
mod_include
diff --git a/docs/manual/mod/mod_authnz_ldap.xml b/docs/manual/mod/mod_authnz_ldap.xml
index 44bf395561..91acb9656d 100644
--- a/docs/manual/mod/mod_authnz_ldap.xml
+++ b/docs/manual/mod/mod_authnz_ldap.xml
@@ -323,6 +323,9 @@ for HTTP Basic authentication.
ldap-filter
. Other authorization types may also be
used but may require that additional authorization modules be loaded.
+ Since v2.5.0, expressions are supported
+ within the LDAP require directives.
+
Require ldap-user
The Require ldap-user
directive specifies what
@@ -543,6 +546,16 @@ Require ldap-group cn=Administrators, o=Example
+
+ Grant access to anybody in the group whose name matches the
+ hostname of the virtual host. In this example an
+ expression is used to build the filter.
+
+AuthLDAPURL ldap://ldap.example.com/o=Example?uid
+Require ldap-group cn=%{SERVER_NAME}, o=Example
+
+
+
The next example assumes that everyone at Example who
carries an alphanumeric pager will have an LDAP attribute
diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index d46eeb44ed..50921cde3d 100644
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -607,6 +607,10 @@ static authz_status ldapuser_check_authorization(request_rec *r,
util_ldap_connection_t *ldc = NULL;
+ const char *err = NULL;
+ const ap_expr_info_t *expr = parsed_require_args;
+ const char *require;
+
const char *t;
char *w;
@@ -680,11 +684,19 @@ static authz_status ldapuser_check_authorization(request_rec *r,
return AUTHZ_DENIED;
}
+ require = ap_expr_str_exec(r, expr, &err);
+ if (err) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02585)
+ "auth_ldap authorize: require user: Can't evaluate expression: %s",
+ err);
+ return AUTHZ_DENIED;
+ }
+
/*
* First do a whole-line compare, in case it's something like
* require user Babs Jensen
*/
- result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, require_args);
+ result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, require);
switch(result) {
case LDAP_COMPARE_TRUE: {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01703)
@@ -704,7 +716,7 @@ static authz_status ldapuser_check_authorization(request_rec *r,
/*
* Now break apart the line and compare each word on it
*/
- t = require_args;
+ t = require;
while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, w);
switch(result) {
@@ -744,6 +756,10 @@ static authz_status ldapgroup_check_authorization(request_rec *r,
util_ldap_connection_t *ldc = NULL;
+ const char *err = NULL;
+ const ap_expr_info_t *expr = parsed_require_args;
+ const char *require;
+
const char *t;
char filtbuf[FILTER_LENGTH];
@@ -863,7 +879,15 @@ static authz_status ldapgroup_check_authorization(request_rec *r,
}
}
- t = require_args;
+ require = ap_expr_str_exec(r, expr, &err);
+ if (err) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02586)
+ "auth_ldap authorize: require group: Can't evaluate expression: %s",
+ err);
+ return AUTHZ_DENIED;
+ }
+
+ t = require;
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01713)
"auth_ldap authorize: require group: testing for group "
@@ -959,6 +983,10 @@ static authz_status ldapdn_check_authorization(request_rec *r,
util_ldap_connection_t *ldc = NULL;
+ const char *err = NULL;
+ const ap_expr_info_t *expr = parsed_require_args;
+ const char *require;
+
const char *t;
char filtbuf[FILTER_LENGTH];
@@ -1021,7 +1049,15 @@ static authz_status ldapdn_check_authorization(request_rec *r,
req->user = r->user;
}
- t = require_args;
+ require = ap_expr_str_exec(r, expr, &err);
+ if (err) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02587)
+ "auth_ldap authorize: require dn: Can't evaluate expression: %s",
+ err);
+ return AUTHZ_DENIED;
+ }
+
+ t = require;
if (req->dn == NULL || strlen(req->dn) == 0) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01725)
@@ -1068,6 +1104,10 @@ static authz_status ldapattribute_check_authorization(request_rec *r,
util_ldap_connection_t *ldc = NULL;
+ const char *err = NULL;
+ const ap_expr_info_t *expr = parsed_require_args;
+ const char *require;
+
const char *t;
char *w, *value;
@@ -1138,7 +1178,16 @@ static authz_status ldapattribute_check_authorization(request_rec *r,
return AUTHZ_DENIED;
}
- t = require_args;
+ require = ap_expr_str_exec(r, expr, &err);
+ if (err) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02588)
+ "auth_ldap authorize: require ldap-attribute: Can't "
+ "evaluate expression: %s", err);
+ return AUTHZ_DENIED;
+ }
+
+ t = require;
+
while (t[0]) {
w = ap_getword(r->pool, &t, '=');
value = ap_getword_conf(r->pool, &t);
@@ -1183,6 +1232,11 @@ static authz_status ldapfilter_check_authorization(request_rec *r,
(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
util_ldap_connection_t *ldc = NULL;
+
+ const char *err = NULL;
+ const ap_expr_info_t *expr = parsed_require_args;
+ const char *require;
+
const char *t;
char filtbuf[FILTER_LENGTH];
@@ -1252,7 +1306,15 @@ static authz_status ldapfilter_check_authorization(request_rec *r,
return AUTHZ_DENIED;
}
- t = require_args;
+ require = ap_expr_str_exec(r, expr, &err);
+ if (err) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02589)
+ "auth_ldap authorize: require ldap-filter: Can't "
+ "evaluate require expression: %s", err);
+ return AUTHZ_DENIED;
+ }
+
+ t = require;
if (t[0]) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01743)
@@ -1311,6 +1373,25 @@ static authz_status ldapfilter_check_authorization(request_rec *r,
return AUTHZ_DENIED;
}
+static const char *ldap_parse_config(cmd_parms *cmd, const char *require_line,
+ const void **parsed_require_line)
+{
+ const char *expr_err = NULL;
+ ap_expr_info_t *expr = apr_pcalloc(cmd->pool, sizeof(*expr));
+
+ expr = ap_expr_parse_cmd(cmd, require_line, AP_EXPR_FLAG_STRING_RESULT,
+ &expr_err, NULL);
+
+ if (expr_err)
+ return apr_pstrcat(cmd->temp_pool,
+ "Cannot parse expression in require line: ",
+ expr_err, NULL);
+
+ *parsed_require_line = expr;
+
+ return NULL;
+}
+
/*
* Use the ldap url parsing routines to break up the ldap url into
@@ -1769,30 +1850,30 @@ static const authn_provider authn_ldap_provider =
static const authz_provider authz_ldapuser_provider =
{
&ldapuser_check_authorization,
- NULL,
+ &ldap_parse_config,
};
static const authz_provider authz_ldapgroup_provider =
{
&ldapgroup_check_authorization,
- NULL,
+ &ldap_parse_config,
};
static const authz_provider authz_ldapdn_provider =
{
&ldapdn_check_authorization,
- NULL,
+ &ldap_parse_config,
};
static const authz_provider authz_ldapattribute_provider =
{
&ldapattribute_check_authorization,
- NULL,
+ &ldap_parse_config,
};
static const authz_provider authz_ldapfilter_provider =
{
&ldapfilter_check_authorization,
- NULL,
+ &ldap_parse_config,
};
static void ImportULDAPOptFn(void)
--
2.40.0