httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bnicho...@apache.org
Subject cvs commit: httpd-2.0/modules/aaa mod_authnz_ldap.c
Date Fri, 05 Nov 2004 18:48:16 GMT
bnicholes    2004/11/05 10:48:16

  Modified:    .        CHANGES
               docs/manual/mod mod_authnz_ldap.xml
               modules/aaa mod_authnz_ldap.c
  Log:
  Added the directive "Requires ldap-filter" that allows the module to only authorize a user
based on a complex LDAP search filter.
  
  Revision  Changes    Path
  1.1627    +5 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.1626
  retrieving revision 1.1627
  diff -u -r1.1626 -r1.1627
  --- CHANGES	5 Nov 2004 15:39:16 -0000	1.1626
  +++ CHANGES	5 Nov 2004 18:48:15 -0000	1.1627
  @@ -2,6 +2,11 @@
   
     [Remove entries to the current 2.0 section below, when backported]
   
  +  *) mod_authnz_ldap: Added the directive "Requires ldap-filter" that
  +     allows the module to authorize a user based on a complex LDAP
  +     search filter.
  +     [Brad Nicholes]
  +     
     *) SECURITY: CAN-2004-0942, Fix for memory consumption DoS.
        [Joe Orton]
   
  
  
  
  1.4       +32 -4     httpd-2.0/docs/manual/mod/mod_authnz_ldap.xml
  
  Index: mod_authnz_ldap.xml
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_authnz_ldap.xml,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- mod_authnz_ldap.xml	3 Nov 2004 22:05:25 -0000	1.3
  +++ mod_authnz_ldap.xml	5 Nov 2004 18:48:16 -0000	1.4
  @@ -88,6 +88,7 @@
             <li><a href="#reqgroup">require ldap-group</a></li>
             <li><a href="#reqdn">require ldap-dn</a></li>
             <li><a href="#reqattribute">require ldap-attribute</a></li>
  +          <li><a href="#reqfilter">require ldap-filter</a></li>
           </ul>
         </li>
   
  @@ -216,6 +217,11 @@
         directive, and the attribute fetched from the LDAP directory
         matches the given value.</li> 
   
  +      <li>Grant access if there is a <a href="#reqfilter">
  +      <code>require ldap-filter</code></a> 
  +      directive, and the search filter successfully finds a single user
  +      object that matches the dn of the authenticated user.</li> 
  +
         <li>otherwise, deny or decline access</li>
       </ul>
   
  @@ -285,9 +291,9 @@
       directives are used during the authorization phase to ensure that
       a user is allowed to access a resource.  mod_authnz_ldap extends the 
       authorization types with <code>ldap-user</code>, <code>ldap-dn</code>,

  -    <code>ldap-group</code> and <code>ldap-attribute</code>.  Other

  -    authorization types may also be used but may require that additional 
  -    authorization modules be loaded.</p>
  +    <code>ldap-group</code>, <code>ldap-attribute</code> and 
  +    <code>ldap-filter</code>.  Other authorization types may also be 
  +    used but may require that additional authorization modules be loaded.</p>
   
   <section id="reqvaliduser"><title>require valid-user</title>
   
  @@ -403,6 +409,28 @@
       the city attribute equal to "San Jose" or status equal to "Active"</p>
   
       <example>require ldap-attribute city="San Jose" status=active</example>
  +
  +</section>
  +
  +<section id="reqfilter"><title>require ldap-filter</title>
  +
  +    <p>The <code>require ldap-filter</code> directive allows the
  +    administrator to grant access based on a complex LDAP search filter.
  +    If the dn returned by the filter search matches the authenticated user
  +    dn, access is granted.</p>
  +    
  +    <p>The following directive would grant access to anyone having a cell phone
  +    and is in the marketing department</p>
  +
  +    <example>require ldap-filter &amp;(cell=*)(department=marketing)</example>
  +
  +    <p>The difference between the <code>require ldap-filter</code> directive
and the 
  +    <code>require ldap-attribute</code> directive is that <code>ldap-filter</code>

  +    performs a search operation on the LDAP directory using the specified search 
  +    filter rather than a simple attribute comparison. If a simple attribute 
  +    comparison is all that is required, the comparison operation performed by 
  +    <code>ldap-attribute</code> will be faster than the search operation 
  +    used by <code>ldap-filter</code> especially within a large directory.</p>
   
   </section>
   
  
  
  
  1.8       +59 -4     httpd-2.0/modules/aaa/mod_authnz_ldap.c
  
  Index: mod_authnz_ldap.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/aaa/mod_authnz_ldap.c,v
  retrieving revision 1.7
  retrieving revision 1.8
  diff -u -r1.7 -r1.8
  --- mod_authnz_ldap.c	3 Nov 2004 22:05:25 -0000	1.7
  +++ mod_authnz_ldap.c	5 Nov 2004 18:48:16 -0000	1.8
  @@ -166,10 +166,11 @@
   static void authn_ldap_build_filter(char *filtbuf, 
                                request_rec *r,
                                const char* sent_user,
  +                             const char* sent_filter,
                                authn_ldap_config_t *sec)
   {
       char *p, *q, *filtbuf_end;
  -    char *user;
  +    char *user, *filter;
       apr_xlate_t *convset = NULL;
       apr_size_t inbytes;
       apr_size_t outbytes;
  @@ -181,6 +182,12 @@
       else
           return;
   
  +    if (sent_filter != NULL) {
  +        filter = apr_pstrdup (r->pool, sent_filter);
  +    }
  +    else
  +        filter = sec->filter;
  +
       if (charset_conversions) {
           convset = get_conv_set(r);
       }
  @@ -200,7 +207,7 @@
        * Create the first part of the filter, which consists of the 
        * config-supplied portions.
        */
  -    apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", sec->filter, sec->attribute);
  +    apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", filter, sec->attribute);
   
       /* 
        * Now add the client-supplied username to the filter, ensuring that any
  @@ -375,7 +382,7 @@
       }
   
       /* build the username filter */
  -    authn_ldap_build_filter(filtbuf, r, user, sec);
  +    authn_ldap_build_filter(filtbuf, r, user, NULL, sec);
   
       /* do the user search */
       result = util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope,
  @@ -541,7 +548,7 @@
               "ldap authorize: Creating LDAP req structure");
   
           /* Build the username filter */
  -        authn_ldap_build_filter(filtbuf, r, r->user, sec);
  +        authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec);
   
           /* Search for the user DN */
           result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
  @@ -716,6 +723,54 @@
                           ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 
                                         0, r, "[%d] auth_ldap authorise: "
                                         "require attribute: authorisation "
  +                                      "failed [%s][%s]", getpid(), 
  +                                      ldc->reason, ldap_err2string(result));
  +                    }
  +                }
  +            }
  +        }
  +        else if (strcmp(w, "ldap-filter") == 0) {
  +            if (t[0]) {
  +                ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
  +                              "[%d] auth_ldap authorise: checking filter %s", 
  +                              getpid(), t);
  +
  +                /* Build the username filter */
  +                authn_ldap_build_filter(filtbuf, r, req->user, t, sec);
  +
  +                /* Search for the user DN */
  +                result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
  +                     sec->scope, sec->attributes, filtbuf, &dn, &vals);
  +
  +                /* Make sure that the filtered search returned the correct user dn */
  +                if (result == LDAP_SUCCESS) {
  +                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
  +                                  "[%d] auth_ldap authorise: checking dn match %s", 
  +                                  getpid(), dn);
  +                    result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn,
dn, 
  +                         sec->compare_dn_on_server);
  +                }
  +
  +                switch(result) {
  +                    case LDAP_COMPARE_TRUE: {
  +                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 
  +                                      0, r, "[%d] auth_ldap authorise: "
  +                                      "require ldap-filter: authorisation "
  +                                      "successful", getpid());
  +                        return OK;
  +                    }
  +                    case LDAP_FILTER_ERROR: {
  +                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 
  +                                      0, r, "[%d] auth_ldap authorise: "
  +                                      "require ldap-filter: %s authorisation "
  +                                      "failed [%s][%s]", getpid(), 
  +                                      filtbuf, ldc->reason, ldap_err2string(result));
  +                        break;
  +                    }
  +                    default: {
  +                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 
  +                                      0, r, "[%d] auth_ldap authorise: "
  +                                      "require ldap-filter: authorisation "
                                         "failed [%s][%s]", getpid(), 
                                         ldc->reason, ldap_err2string(result));
                       }
  
  
  

Mime
View raw message