Delivered-To: mailing list cvs@httpd.apache.org
Date: Tue, 17 Aug 2004 17:57:46 -0600
From: "Brad Nicholes"
Subject: Re: cvs commit: httpd-2.0/modules/aaa NWGNUauthnzldap mod_authnz_ldap.c NWGNUmakefile

This is the first attempt to restructure mod_auth_ldap to fit the new authentication model. There are a couple of things to note that I would like some feedback on.

1. The ldap_authn provider and ldap_authz handler exist in the same module. The reason for this is because both handlers depend on the same set of directive values to provide the necessary information for establishing a connection to the ldap server. Rather than having to redefine the AuthLDAPUrl, AuthLDAPBindDN and AuthLDAPBindPassword for two different modules, it seemed to make more sense both from a module perspective and a user interface perspective, to allow them to share the directives.

2. As a result of #1, this leaves the ldap_authz hook registered whether it is ultimately being used or not. Therefore simply reimplementing the "require" types "user" and "group" within the ldap_authz handler would conflict with the same types in other authz modules if loaded and configured in the same directory at the same time. Therefore it seemed to make more sense to implement ldap-user and ldap-group which more closely identifies what is happening during the authorization phase anyway. authnz_ldap is still capable of using "valid-user", "group" or "user" if desired.

3. The directive "AuthLDAPFrontPageHack" has been removed. The reason for this hack was to allow authorization for frontpage to fall back on a groupfile rather than the LDAP directory. Now that authnz_ldap can be configured to authorize via an authz_groupfile rather than forced to use the directory, this directive didn't seem necessary anymore.

Brad

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com

>>> bnicholes@apache.org Tuesday, August 17, 2004 5:33:08 PM >>>
bnicholes    2004/08/17 16:33:07

  Modified:    modules/aaa NWGNUmakefile
  Added:       modules/aaa NWGNUauthnzldap mod_authnz_ldap.c
  Log:
  Re-structure the auth_ldap module to fit the new authentication model. The authnz_ldap module provides an ldap authentication provider and an authorization handler. It implements the authorization "require" values ldap-user, ldap-dn and ldap-group. This restructure also moves auth_ldap out of the experimental directory.

  Revision  Changes    Path
  1.3       +2 -0      httpd-2.0/modules/aaa/NWGNUmakefile

Index: NWGNUmakefile =================================================================== RCS file: /home/cvs/httpd-2.0/modules/aaa/NWGNUmakefile,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- NWGNUmakefile 13 Sep 2002 21:34:27 -0000 1.2 +++ NWGNUmakefile 17 Aug 2004 23:33:07 -0000 1.3
@@ -158,9 +158,11 @@ $(OBJDIR)/authndbm.nlm \ $(OBJDIR)/authndef.nlm \ $(OBJDIR)/authnfil.nlm \ + $(OBJDIR)/authnzldap.nlm \ $(OBJDIR)/authzdbm.nlm \ $(OBJDIR)/authzdef.nlm \ $(OBJDIR)/authzgrp.nlm \ + $(OBJDIR)/authzusr.nlm \ $(OBJDIR)/authzusr.nlm \ $(EOLIST) 1.1 httpd-2.0/modules/aaa/NWGNUauthnzldap Index: NWGNUauthnzldap =================================================================== # # Make sure all needed macro's are defined # # # Get the 'head' of the build environment if necessary. This includes default # targets and paths to tools # ifndef EnvironmentDefined include $(AP_WORK)\build\NWGNUhead.inc endif # # These directories will be at the beginning of the include list, followed by # INCDIRS # XINCDIRS += \ $(AP_WORK)/include \ $(NWOS) \ $(AP_WORK)/srclib/apr/include \ $(AP_WORK)/srclib/apr-util/include \ $(AP_WORK)/srclib/apr \ $(EOLIST) # # These flags will come after CFLAGS # XCFLAGS += \ $(EOLIST) # # These defines will come after DEFINES # XDEFINES += \ $(EOLIST) # # These flags will be added to the link.opt file # XLFLAGS += \ $(EOLIST) # # These values will be appended to the correct variables based on the value of # RELEASE # ifeq "$(RELEASE)" "debug" XINCDIRS += \ $(EOLIST) XCFLAGS += \ $(EOLIST) XDEFINES += \ $(EOLIST) XLFLAGS += \ $(EOLIST) endif ifeq "$(RELEASE)" "noopt" XINCDIRS += \ $(EOLIST) XCFLAGS += \ $(EOLIST) XDEFINES += \ $(EOLIST) XLFLAGS += \ $(EOLIST) endif ifeq "$(RELEASE)" "release" XINCDIRS += \ $(EOLIST) XCFLAGS += \ $(EOLIST) XDEFINES += \ $(EOLIST) XLFLAGS += \ $(EOLIST) endif # # These are used by the link target if an NLM is being generated # This is used by the link 'name' directive to name the nlm. If left blank # TARGET_nlm (see below) will be used. # NLM_NAME = authnzldap # # This is used by the link '-desc ' directive. # If left blank, NLM_NAME will be used. # NLM_DESCRIPTION = Apache $(VERSION_STR) LDAP Authentication Module # # This is used by the '-threadname' directive. 
If left blank, # NLM_NAME Thread will be used. # NLM_THREAD_NAME = AuthnzLDAP Module # # If this is specified, it will override VERSION value in # $(AP_WORK)\build\NWGNUenvironment.inc # NLM_VERSION = # # If this is specified, it will override the default of 64K # NLM_STACK_SIZE = 8192 # # If this is specified it will be used by the link '-entry' directive # NLM_ENTRY_SYM = _LibCPrelude # # If this is specified it will be used by the link '-exit' directive # NLM_EXIT_SYM = _LibCPostlude # # If this is specified it will be used by the link '-check' directive # NLM_CHECK_SYM = # # If these are specified it will be used by the link '-flags' directive # NLM_FLAGS = AUTOUNLOAD, PSEUDOPREEMPTION # # If this is specified it will be linked in with the XDCData option in the def # file instead of the default of $(NWOS)/apache.xdc. XDCData can be disabled # by setting APACHE_UNIPROC in the environment # XDCDATA = # # If there is an NLM target, put it here # TARGET_nlm = \ $(OBJDIR)/authnzldap.nlm \ $(EOLIST) # # If there is an LIB target, put it here # TARGET_lib = \ $(EOLIST) # # These are the OBJ files needed to create the NLM target above. # Paths must all use the '/' character # FILES_nlm_objs = \ $(OBJDIR)/mod_authnz_ldap.o \ $(EOLIST) # # These are the LIB files needed to create the NLM target above. # These will be added as a library command in the link.opt file. # FILES_nlm_libs = \ libcpre.o \ $(EOLIST) # # These are the modules that the above NLM target depends on to load. # These will be added as a module command in the link.opt file. # FILES_nlm_modules = \ aprlib \ libc \ lldapsdk \ $(EOLIST) # # If the nlm has a msg file, put it's path here # FILE_nlm_msg = # # If the nlm has a hlp file put it's path here # FILE_nlm_hlp = # # If this is specified, it will override $(NWOS)\copyright.txt. 
# FILE_nlm_copyright = # # Any additional imports go here # FILES_nlm_Ximports = \ util_ldap_connection_find \ util_ldap_connection_close \ util_ldap_cache_checkuserid \ util_ldap_cache_compare \ util_ldap_cache_comparedn \ @$(APR)/aprlib.imp \ @$(NWOS)/httpd.imp \ @libc.imp \ @$(LDAPSDK)/imports/lldapsdk.imp \ $(EOLIST) # # Any symbols exported to here # FILES_nlm_exports = \ authnz_ldap_module \ $(EOLIST) # # These are the OBJ files needed to create the LIB target above. # Paths must all use the '/' character # FILES_lib_objs = \ $(EOLIST) # # implement targets and dependancies (leave this section alone) # libs :: $(OBJDIR) $(TARGET_lib) nlms :: libs $(TARGET_nlm) # # Updated this target to create necessary directories and copy files to the # correct place. (See $(AP_WORK)\build\NWGNUhead.inc for examples) # install :: nlms FORCE # # Any specialized rules here # # # Include the 'tail' makefile that has targets that depend on variables defined # in this makefile # include $(AP_WORK)\build\NWGNUtail.inc 1.1 httpd-2.0/modules/aaa/mod_authnz_ldap.c Index: mod_authnz_ldap.c ===================================================================
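
Review bot: In the NWGNUmakefile hunk (@@ -158,9 +158,11 @@), the second added line `$(OBJDIR)/authzusr.nlm \` sits directly above an unchanged context line with the same entry, so authzusr.nlm now appears twice in the NLM target list. Only the `$(OBJDIR)/authnzldap.nlm \` addition is needed for this change; drop the duplicate authzusr.nlm line. As far as the visible context shows, authnzldap.nlm is also added to the list unconditionally, while NWGNUauthnzldap links against `@$(LDAPSDK)/imports/lldapsdk.imp`, so consider guarding the entry for build environments where the LDAP SDK is not available.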
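
Review bot: In the new NWGNUauthnzldap file, FILES_nlm_Ximports pulls in five util_ldap_* symbols by name (util_ldap_connection_find through util_ldap_cache_comparedn), but FILES_nlm_modules lists only aprlib, libc and lldapsdk, so the NLM that exports those symbols is not declared as a load dependency. Add that module to FILES_nlm_modules or document the required load order, otherwise the import resolution depends on what happens to be loaded first. Two smaller points: `NLM_STACK_SIZE = 8192` overrides the 64K default mentioned in the comment above it, so confirm 8 KB is enough for the LDAP SDK calls made on this thread; and NLM_DESCRIPTION reads "LDAP Authentication Module" although the commit log says the module also provides the authorization handler.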