Return-Path:
Delivered-To: apmail-httpd-cvs-archive@www.apache.org
Received: (qmail 85159 invoked from network); 2 Nov 2004 00:08:24 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur-2.apache.org with SMTP; 2 Nov 2004 00:08:24 -0000
Received: (qmail 84913 invoked by uid 500); 2 Nov 2004 00:08:24 -0000
Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org
Received: (qmail 84736 invoked by uid 500); 2 Nov 2004 00:08:22 -0000
Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help:
list-unsubscribe:
list-post:
Delivered-To: mailing list cvs@httpd.apache.org
Received: (qmail 84723 invoked by uid 500); 2 Nov 2004 00:08:22 -0000
Delivered-To: apmail-httpd-2.0-cvs@apache.org
Received: (qmail 84720 invoked by uid 99); 2 Nov 2004 00:08:22 -0000
X-ASF-Spam-Status: No, hits=-10.0 required=10.0 tests=ALL_TRUSTED,NO_REAL_NAME
X-Spam-Check-By: apache.org
Received: from [209.237.227.194] (HELO minotaur.apache.org) (209.237.227.194) by apache.org (qpsmtpd/0.28) with SMTP; Mon, 01 Nov 2004 16:08:22 -0800
Received: (qmail 85092 invoked by uid 1285); 2 Nov 2004 00:08:21 -0000
Date: 2 Nov 2004 00:08:21 -0000
Message-ID: <20041102000821.85091.qmail@minotaur.apache.org>
From: bnicholes@apache.org
To: httpd-2.0-cvs@apache.org
Subject: cvs commit: httpd-2.0/modules/aaa NWGNUauthnzldap mod_authnz_ldap.c
X-Virus-Checked: Checked
X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N

bnicholes    2004/11/01 16:08:21

  Modified:    modules/aaa NWGNUauthnzldap mod_authnz_ldap.c
  Log:
  Allow mod_authnz_ldap authorization functionality to be used without requiring the user to also be authenticated through mod_authnz_ldap. This allows other authentication modules to take advantage of LDAP authorization only [PR 28253]

  Submitted by: Jari Ahonen [jah progress.com]
  Reviewed by: Brad Nicholes

  Revision  Changes    Path
  1.2       +1 -0      httpd-2.0/modules/aaa/NWGNUauthnzldap

Index: NWGNUauthnzldap =================================================================== RCS file: /home/cvs/httpd-2.0/modules/aaa/NWGNUauthnzldap,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- NWGNUauthnzldap 17 Aug 2004 23:33:07 -0000 1.1 +++ NWGNUauthnzldap 2 Nov 2004 00:08:21 -0000 1.2 @@ -206,6 +206,7 @@ util_ldap_connection_find \ util_ldap_connection_close \ util_ldap_cache_checkuserid \ + util_ldap_cache_getuserdn \ util_ldap_cache_compare \ util_ldap_cache_comparedn \ @$(APR)/aprlib.imp \ 1.6 +44 -0 httpd-2.0/modules/aaa/mod_authnz_ldap.c Index: mod_authnz_ldap.c =================================================================== RCS file: /home/cvs/httpd-2.0/modules/aaa/mod_authnz_ldap.c,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- mod_authnz_ldap.c 12 Oct 2004 12:27:18 -0000 1.5 +++ mod_authnz_ldap.c 2 Nov 2004 00:08:21 -0000 1.6 @@ -469,6 +469,12 @@ char *w; int method_restricted = 0; + char filtbuf[FILTER_LENGTH]; + const char *dn = NULL; + const char **vals = NULL; + const char *type = ap_auth_type(r); + char *tmpuser; + /* if (!sec->enabled) { return DECLINED; 
@@ -515,6 +521,44 @@ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, "[%d] auth_ldap authorise: no requirements array", getpid()); return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; + } + + /* + * If we have been authenticated by some other module than mod_auth_ldap, + * the req structure needed for authorization needs to be created + * and populated with the userid and DN of the account in LDAP + */ + + /* Check that we have a userid to start with */ + if ((!r->user) || (strlen(r->user) == 0)) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r, + "ldap authorize: Userid is blank, AuthType=%s", + r->ap_auth_type); + } + + if(!req) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "ldap authorize: Creating LDAP req structure"); + + /* Build the username filter */ + authn_ldap_build_filter(filtbuf, r, r->user, sec); + + /* Search for the user DN */ + result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, + sec->scope, sec->attributes, filtbuf, &dn, &vals); + + /* Search failed, log error and return failure */ + if(result != LDAP_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "auth_ldap authorise: User DN not found, %s", ldc->reason); + return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; + } + + req = (authn_ldap_request_t *)apr_pcalloc(r->pool, + sizeof(authn_ldap_request_t)); + ap_set_module_config(r->request_config, &authnz_ldap_module, req); + req->dn = apr_pstrdup(r->pool, dn); + req->user = r->user; } /* Loop through the requirements array until there's no elements
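Review bot: The NWGNUauthnzldap hunk adds util_ldap_cache_getuserdn to the NetWare import list, and that is the only build-file change in this commit (Modified: lists just NWGNUauthnzldap and mod_authnz_ldap.c). If any other platform build resolves mod_ldap's exports from an explicit list rather than from the object itself, it needs the same entry, or the NetWare module will link while that platform fails at load time on the unresolved symbol. Confirm as well that util_ldap actually exports util_ldap_cache_getuserdn at this revision, since the import file cannot be checked from this diff alone.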
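Review bot: In the @@ -469 hunk two of the six added declarations are dead: `type` is assigned from ap_auth_type(r) but the warning in the later hunk reads r->ap_auth_type directly, and `tmpuser` is never referenced anywhere in the patch; `vals` is only ever handed to util_ldap_cache_getuserdn and never read back. Drop `tmpuser`, and either drop `type` or use it in the warning ("ldap authorize: Userid is blank, AuthType=%s", type) so the two sources of the auth type cannot drift apart. Any build with -Wall will flag the unused variables.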
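Review bot: The blank-userid check at the top of the @@ -515 hunk logs a warning but does not return, so execution falls through into authn_ldap_build_filter(filtbuf, r, r->user, sec) and the LDAP search with r->user NULL or empty; nothing in the hunk guards either call against that, and whatever the search returns then decides authorization. Deny at that point, matching the convention used just above for the missing requirements array:

    return sec->auth_authoritative ? HTTP_UNAUTHORIZED : DECLINED;

Two further points on the same block. r->user now originates from a different authentication module rather than from this module's own credential check, so authn_ldap_build_filter must escape LDAP filter metacharacters in it before this path is relied on; that should be confirmed rather than assumed. And `ldc`, used for the getuserdn call and the ldc->reason log, is not among the variables declared in the first hunk, so it must already be obtained earlier in the function; it is worth checking that this happens before the new block rather than later in the existing code. Minor: the search-failure path denies access but logs at APLOG_DEBUG while the blank-user case logs at APLOG_WARNING, and adjacent messages use the two prefixes "ldap authorize:" and "auth_ldap authorise:"; pick one level and one prefix.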