httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bnicho...@apache.org
Subject cvs commit: httpd-2.0/modules/aaa mod_authnz_ldap.c
Date Wed, 03 Nov 2004 22:05:25 GMT
bnicholes    2004/11/03 14:05:25

  Modified:    .        CHANGES
               docs/manual/mod mod_authnz_ldap.xml
               modules/aaa mod_authnz_ldap.c
  Log:
  Added the directive "Requires ldap-attribute" that allows the module to only authorize a
user if the attribute value specified matches the value of the user object. PR 31913
  
  Submitted by: Ryan Morgan <rmorgan pobox.com>
  Reviewd by: Brad Nicholes
  
  Revision  Changes    Path
  1.1624    +5 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.1623
  retrieving revision 1.1624
  diff -u -r1.1623 -r1.1624
  --- CHANGES	2 Nov 2004 00:11:20 -0000	1.1623
  +++ CHANGES	3 Nov 2004 22:05:24 -0000	1.1624
  @@ -2,6 +2,11 @@
   
     [Remove entries to the current 2.0 section below, when backported]
   
  +  *) mod_authnz_ldap: Added the directive "Requires ldap-attribute" that
  +     allows the module to only authorize a user if the attribute value
  +     specified matches the value of the user object. PR 31913
  +     [Ryan Morgan <rmorgan pobox.com>]
  +     
     *) Allow mod_authnz_ldap authorization functionality to be used 
        without requiring the user to also be authenticated through 
        mod_authnz_ldap. This allows other authentication modules to 
  
  
  
  1.3       +39 -4     httpd-2.0/docs/manual/mod/mod_authnz_ldap.xml
  
  Index: mod_authnz_ldap.xml
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_authnz_ldap.xml,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- mod_authnz_ldap.xml	7 Oct 2004 21:51:27 -0000	1.2
  +++ mod_authnz_ldap.xml	3 Nov 2004 22:05:25 -0000	1.3
  @@ -87,6 +87,7 @@
             <li><a href="#requser">require ldap-user</a></li>
             <li><a href="#reqgroup">require ldap-group</a></li>
             <li><a href="#reqdn">require ldap-dn</a></li>
  +          <li><a href="#reqattribute">require ldap-attribute</a></li>
           </ul>
         </li>
   
  @@ -210,6 +211,11 @@
         the DN fetched from the LDAP directory (or the username
         passed by the client) occurs in the LDAP group.</li>
   
  +      <li>Grant access if there is a <a href="#reqattribute">
  +      <code>require ldap-attribute</code></a> 
  +      directive, and the attribute fetched from the LDAP directory
  +      matches the given value.</li> 
  +
         <li>otherwise, deny or decline access</li>
       </ul>
   
  @@ -278,9 +284,10 @@
       <p>Apache's <directive module="core">Require</directive>
       directives are used during the authorization phase to ensure that
       a user is allowed to access a resource.  mod_authnz_ldap extends the 
  -    authorization types with <code>ldap-user</code>, <code>ldap-dn</code>

  -    and <code>ldap-group</code>.  Other authorization types may also be 
  -    used but may require that additional authorization modules be loaded.</p>
  +    authorization types with <code>ldap-user</code>, <code>ldap-dn</code>,

  +    <code>ldap-group</code> and <code>ldap-attribute</code>.  Other

  +    authorization types may also be used but may require that additional 
  +    authorization modules be loaded.</p>
   
   <section id="reqvaliduser"><title>require valid-user</title>
   
  @@ -371,6 +378,34 @@
       module="mod_authnz_ldap">AuthLDAPCompareDNOnServer</directive>
       directive.</p>
   </section>
  +
  +<section id="reqattribute"><title>require ldap-attribute</title>
  +
  +    <p>The <code>require ldap-attribute</code> directive allows the
  +    administrator to grant access based on attributes of the authenticated
  +    user in the LDAP directory.  If the attribute in the directory
  +    matches the value given in the configuration, access is granted.</p>
  +    
  +    <p>The following directive would grant access to anyone with
  +    the attribute employeeType = active</p>
  +
  +    <example>require ldap-attribute employeeType=active</example>
  +
  +    <p>Multiple attribute/value pairs can be specified on the same line
  +    separated by spaces or they can be specified in multiple 
  +    <code>require ldap-attribute</code> directives. The effect of listing 
  +    multiple attribute/values pairs is an OR operation. Access will be 
  +    granted if any of the listed attribute values match the value of the 
  +    corresponding attribute in the user object. If the value of the 
  +    attribute contains a space, only the value must be within double quotes.</p>
  +
  +    <p>The following directive would grant access to anyone with
  +    the city attribute equal to "San Jose" or status equal to "Active"</p>
  +
  +    <example>require ldap-attribute city="San Jose" status=active</example>
  +
  +</section>
  +
   </section>
   
   <section id="examples"><title>Examples</title>
  
  
  
  1.7       +29 -1     httpd-2.0/modules/aaa/mod_authnz_ldap.c
  
  Index: mod_authnz_ldap.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/aaa/mod_authnz_ldap.c,v
  retrieving revision 1.6
  retrieving revision 1.7
  diff -u -r1.6 -r1.7
  --- mod_authnz_ldap.c	2 Nov 2004 00:08:21 -0000	1.6
  +++ mod_authnz_ldap.c	3 Nov 2004 22:05:25 -0000	1.7
  @@ -466,7 +466,7 @@
   
       register int x;
       const char *t;
  -    char *w;
  +    char *w, *value;
       int method_restricted = 0;
   
       char filtbuf[FILTER_LENGTH];
  @@ -690,6 +690,34 @@
                                         "[%d] auth_ldap authorise: require group \"%s\":
"
                                         "authorisation failed [%s][%s]",
                                         getpid(), t, ldc->reason, ldap_err2string(result));
  +                    }
  +                }
  +            }
  +        }
  +        else if (strcmp(w, "ldap-attribute") == 0) {
  +            while (t[0]) {
  +                w = ap_getword(r->pool, &t, '=');
  +                value = ap_getword_conf(r->pool, &t);
  +
  +                ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
  +                              "[%d] auth_ldap authorise: checking attribute"
  +                              " %s has value %s", getpid(), w, value);
  +                result = util_ldap_cache_compare(r, ldc, sec->url, req->dn,
  +                                                 w, value);
  +                switch(result) {
  +                    case LDAP_COMPARE_TRUE: {
  +                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 
  +                                      0, r, "[%d] auth_ldap authorise: "
  +                                      "require attribute: authorisation "
  +                                      "successful", getpid());
  +                        return OK;
  +                    }
  +                    default: {
  +                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 
  +                                      0, r, "[%d] auth_ldap authorise: "
  +                                      "require attribute: authorisation "
  +                                      "failed [%s][%s]", getpid(), 
  +                                      ldc->reason, ldap_err2string(result));
                       }
                   }
               }
  
  
  

Mime
View raw message