httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bnicho...@apache.org
Subject cvs commit: httpd-2.0/modules/experimental mod_auth_ldap.c
Date Wed, 10 Nov 2004 18:05:47 GMT
bnicholes    2004/11/10 10:05:47

  Modified:    .        Tag: APACHE_2_0_BRANCH CHANGES STATUS
               docs/manual/mod Tag: APACHE_2_0_BRANCH mod_auth_ldap.xml
               modules/experimental Tag: APACHE_2_0_BRANCH mod_auth_ldap.c
  Log:
  Added the directive "Requires ldap-attribute" that allows the module to only authorize a
user if the attribute value specified matches the value of the user object. PR 31913
  
  Submitted by: Ryan Morgan <rmorgan pobox.com>
  Reviewd by: bnicholes, wrowe, jim
  
  Revision  Changes    Path
  No                   revision
  No                   revision
  1.988.2.380 +5 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.988.2.379
  retrieving revision 1.988.2.380
  diff -u -r1.988.2.379 -r1.988.2.380
  --- CHANGES	10 Nov 2004 16:35:20 -0000	1.988.2.379
  +++ CHANGES	10 Nov 2004 18:05:46 -0000	1.988.2.380
  @@ -5,6 +5,11 @@
        user cache without having to require ldap authentication as well.  
        [PR 31898] [Jari Ahonen jah progress.com, Brad Nicholes]
   
  +  *) mod_auth_ldap: Added the directive "Requires ldap-attribute" that
  +     allows the module to only authorize a user if the attribute value
  +     specified matches the value of the user object. PR 31913
  +     [Ryan Morgan <rmorgan pobox.com>]
  +
     *) SECURITY: CAN-2004-0942 (cve.mitre.org)
        Fix for memory consumption DoS in handling of MIME folded request
        headers.  [Joe Orton]
  
  
  
  1.751.2.1147 +1 -8      httpd-2.0/STATUS
  
  Index: STATUS
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/STATUS,v
  retrieving revision 1.751.2.1146
  retrieving revision 1.751.2.1147
  diff -u -r1.751.2.1146 -r1.751.2.1147
  --- STATUS	10 Nov 2004 16:35:21 -0000	1.751.2.1146
  +++ STATUS	10 Nov 2004 18:05:46 -0000	1.751.2.1147
  @@ -75,13 +75,6 @@
     [ please place file names and revisions from HEAD here, so it is easy to
       identify exactly what the proposed changes are! ]
   
  -    *) mod_authnz_ldap: Added the directive "Requires ldap-attribute" that
  -       allows the module to only authorize a user if the attribute value
  -       specified matches the value of the user object. PR 31913
  -         modules/aaa/mod_authnz_ldap.c: r1.7
  -	 docs/manual/mod/mod_authnz_ldap.xml: r1.3
  -       +1: bnicholes, wrowe, jim
  -
       *) mod_ssl: Fix an possible NULL pointer dereference in some configs.
          http://nagoya.apache.org/bugzilla/showattachment.cgi?attach_id=13182
          PR: 31848
  
  
  
  No                   revision
  No                   revision
  1.6.2.13  +34 -1     httpd-2.0/docs/manual/mod/Attic/mod_auth_ldap.xml
  
  Index: mod_auth_ldap.xml
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/docs/manual/mod/Attic/mod_auth_ldap.xml,v
  retrieving revision 1.6.2.12
  retrieving revision 1.6.2.13
  diff -u -r1.6.2.12 -r1.6.2.13
  --- mod_auth_ldap.xml	21 May 2004 18:44:28 -0000	1.6.2.12
  +++ mod_auth_ldap.xml	10 Nov 2004 18:05:47 -0000	1.6.2.13
  @@ -80,6 +80,7 @@
             <li><a href="#requser">require user</a></li>
             <li><a href="#reqgroup">require group</a></li>
             <li><a href="#reqdn">require dn</a></li>
  +          <li><a href="#reqattribute">require ldap-attribute</a></li>
           </ul>
         </li>
   
  @@ -198,6 +199,11 @@
         the DN fetched from the LDAP directory (or the username
         passed by the client) occurs in the LDAP group.</li>
   
  +      <li>Grant access if there is a <a href="#reqattribute">
  +      <code>require ldap-attribute</code></a> 
  +      directive, and the attribute fetched from the LDAP directory
  +      matches the given value.</li> 
  +
         <li>otherwise, deny or decline access</li>
       </ul>
   
  @@ -336,6 +342,33 @@
       module="mod_auth_ldap">AuthLDAPCompareDNOnServer</directive>
       directive.</p>
   </section>
  +
  +<section id="reqattribute"><title>require ldap-attribute</title>
  +
  +    <p>The <code>require ldap-attribute</code> directive allows the
  +    administrator to grant access based on attributes of the authenticated
  +    user in the LDAP directory.  If the attribute in the directory
  +    matches the value given in the configuration, access is granted.</p>
  +    
  +    <p>The following directive would grant access to anyone with
  +    the attribute employeeType = active</p>
  +
  +    <example>require ldap-attribute employeeType=active</example>
  +
  +    <p>Multiple attribute/value pairs can be specified on the same line
  +    separated by spaces or they can be specified in multiple 
  +    <code>require ldap-attribute</code> directives. The effect of listing 
  +    multiple attribute/values pairs is an OR operation. Access will be 
  +    granted if any of the listed attribute values match the value of a 
  +    corresponding attribute in the user object. If the value of the 
  +    attribute contains a space, only the value must be within double quotes.</p>
  +
  +    <p>The following directive would grant access to anyone with
  +    the city attribute equal to "San Jose" or status equal to "Active"</p>
  +
  +    <example>require ldap-attribute city="San Jose" status=active</example>
  +</section>
  +
   </section>
   
   <section id="examples"><title>Examples</title>
  
  
  
  No                   revision
  No                   revision
  1.8.2.16  +29 -1     httpd-2.0/modules/experimental/Attic/mod_auth_ldap.c
  
  Index: mod_auth_ldap.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/experimental/Attic/mod_auth_ldap.c,v
  retrieving revision 1.8.2.15
  retrieving revision 1.8.2.16
  diff -u -r1.8.2.15 -r1.8.2.16
  --- mod_auth_ldap.c	21 May 2004 23:39:41 -0000	1.8.2.15
  +++ mod_auth_ldap.c	10 Nov 2004 18:05:47 -0000	1.8.2.16
  @@ -420,7 +420,7 @@
   
       register int x;
       const char *t;
  -    char *w;
  +    char *w, *value;
       int method_restricted = 0;
   
       if (!sec->enabled) {
  @@ -623,6 +623,34 @@
                                         "[%d] auth_ldap authorise: require group \"%s\":
"
                                         "authorisation failed [%s][%s]",
                                         getpid(), t, ldc->reason, ldap_err2string(result));
  +                    }
  +                }
  +            }
  +        }
  +        else if (strcmp(w, "ldap-attribute") == 0) {
  +            while (t[0]) {
  +                w = ap_getword(r->pool, &t, '=');
  +                value = ap_getword_conf(r->pool, &t);
  +
  +                ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
  +                              "[%d] auth_ldap authorise: checking attribute"
  +                              " %s has value %s", getpid(), w, value);
  +                result = util_ldap_cache_compare(r, ldc, sec->url, req->dn,
  +                                                 w, value);
  +                switch(result) {
  +                    case LDAP_COMPARE_TRUE: {
  +                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 
  +                                      0, r, "[%d] auth_ldap authorise: "
  +                                      "require attribute: authorisation "
  +                                      "successful", getpid());
  +                        return OK;
  +                    }
  +                    default: {
  +                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 
  +                                      0, r, "[%d] auth_ldap authorise: "
  +                                      "require attribute: authorisation "
  +                                      "failed [%s][%s]", getpid(), 
  +                                      ldc->reason, ldap_err2string(result));
                       }
                   }
               }
  
  
  

Mime
View raw message