httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bnicho...@apache.org
Subject svn commit: r168644 - in /httpd/httpd/trunk: docs/manual/mod/mod_authnz_ldap.xml modules/aaa/mod_authnz_ldap.c
Date Fri, 06 May 2005 19:50:58 GMT
Author: bnicholes
Date: Fri May  6 12:50:57 2005
New Revision: 168644

URL: http://svn.apache.org/viewcvs?rev=168644&view=rev
Log:
Backing out the AuthLDAPAllowDNAuth patch from r168016.  Because of LDAP filter issues this
patch still can't guarantee unique results.

Modified:
    httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml
    httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c

Modified: httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml?rev=168644&r1=168643&r2=168644&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml Fri May  6 12:50:57 2005
@@ -819,38 +819,6 @@
     the username that was passed by the client. It is turned off by
     default.</p>
 </usage>
-<seealso><directive module="mod_authnz_ldap">AuthLDAPAllowDNAuth</directive></seealso>
-</directivesynopsis>
-
-<directivesynopsis>
-<name>AuthLDAPAllowDNAuth</name>
-<description>Allow the user to authenticate by passing a fully distinguished
-user name.</description>
-<syntax>AuthLDAPAllowDNAuth on|off</syntax>
-<default>AuthLDAPAllowDNAuth off</default>
-<contextlist><context>directory</context><context>.htaccess</context>
-</contextlist>
-<override>AuthConfig</override>
-
-<usage>
-    <p>If this directive is set to ON, users are allowed to pass a fully
-    distinguished user name as the user ID.  Regardless of this setting,
-    Auth_LDAP will still allow a contextless login. This directive is 
-    turned off by default.</p>
-
-    <note><title>Note</title>
-      <p>If a full user DN is allowed for authentication and the value of
-      <directive module="mod_authnz_ldap">AuthLDAPRemoteUserIsDN</directive>

-      is set to OFF, the value of the REMOTE_USER environment variable
-      will contain the actual user name value passed in the request.  If 
-      this directive is set to ON, the REMOTE_USER environment variable 
-      will always be set to the user DN retrieved from the LDAP directory. 
-      If a contextless user ID is required in all cases instead of a 
-      full DN, it is possible to retrieve the desired attribute value 
-      from the user object by specifying an attribute list in the 
-      <directive module="mod_authnz_ldap">AuthLDAPUrl</directive> directive.</p>
-    </note>
-</usage>
 </directivesynopsis>
 
 <directivesynopsis>
@@ -906,16 +874,13 @@
 
 <dt>attribute</dt>
 
-        <dd>The attribute to search for as well as additional attribute
-        values to extract from the authenticated user object.
+        <dd>The attribute to search for.
         Although RFC 2255 allows a comma-separated list of
         attributes, only the first attribute will be used, no
-        matter how many are provided. The values of all other listed 
-        attributes will be extracted from the user object and assigned
-        to environment variables (AUTHENTICATE_&lt;Attribute&gt;=value). 
-        If no attributes are provided, the default is to use <code>uid</code>.

-        It's a good idea to choose an attribute that will be unique across 
-        all entries in the subtree you will be searching.</dd>
+        matter how many are provided. If no attributes are
+        provided, the default is to use <code>uid</code>. It's a good
+        idea to choose an attribute that will be unique across all
+        entries in the subtree you will be using.</dd>
 
 <dt>scope</dt>
 

Modified: httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c?rev=168644&r1=168643&r2=168644&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c Fri May  6 12:50:57 2005
@@ -73,7 +73,6 @@
                                         it's the exact string passed by the HTTP client */
 
     int secure;                     /* True if SSL connections are requested */
-    int allow_fdn_auth;             /* Set to True if user is allowed to authenticate using
an FDN */
 } authn_ldap_config_t;
 
 typedef struct {
@@ -151,61 +150,6 @@
     return NULL;
 }
 
-#define FILTER_LENGTH MAX_STRING_LEN
-static char* cat_escape_dn_element(char *filtbuf, char *user)
-{
-    char *p, *q, *filtbuf_end;
-
-    /* 
-     * Now add the client-supplied username to the filter, ensuring that any
-     * LDAP filter metachars are escaped.
-     */
-    filtbuf_end = filtbuf + FILTER_LENGTH - 1;
-#if APR_HAS_MICROSOFT_LDAPSDK
-    for (p = user, q=filtbuf + strlen(filtbuf);
-         *p && q < filtbuf_end; ) {
-        if (strchr("*()\\", *p) != NULL) {
-            if ( q + 3 >= filtbuf_end)
-              break;  /* Don't write part of escape sequence if we can't write all of it
*/
-            *q++ = '\\';
-            switch ( *p++ )
-            {
-              case '*':
-                *q++ = '2';
-                *q++ = 'a';
-                break;
-              case '(':
-                *q++ = '2';
-                *q++ = '8';
-                break;
-              case ')':
-                *q++ = '2';
-                *q++ = '9';
-                break;
-              case '\\':
-                *q++ = '5';
-                *q++ = 'c';
-                break;
-		        }
-        }
-        else
-            *q++ = *p++;
-    }
-#else
-    for (p = user, q=filtbuf + strlen(filtbuf);
-         *p && q < filtbuf_end; *q++ = *p++) {
-        if (strchr("*()\\", *p) != NULL) {
-            *q++ = '\\';
-            if (q >= filtbuf_end) {
-              break;
-            }
-        }
-    }
-#endif
-    *q = '\0';
-
-    return filtbuf;
-}
 
 /*
  * Build the search filter, or at least as much of the search filter that
@@ -224,23 +168,20 @@
  *
  * Further, assume that the userid passed by the client was `userj'.  The
  * search filter will be (&(posixid=*)(uid=userj)).
- *
- * If a full DN is allowed for authentication, the a userid of 
- * cn=userj,o=dev will result in the following search filter:
- *  (&(objectclass=*)(&(cn:dn:=userj)(o:dn:=dev)))
  */
+#define FILTER_LENGTH MAX_STRING_LEN
 static void authn_ldap_build_filter(char *filtbuf, 
                              request_rec *r,
                              const char* sent_user,
                              const char* sent_filter,
                              authn_ldap_config_t *sec)
 {
+    char *p, *q, *filtbuf_end;
     char *user, *filter;
     apr_xlate_t *convset = NULL;
     apr_size_t inbytes;
     apr_size_t outbytes;
     char *outbuf;
-	char **dnbuf = NULL;
 
     if (sent_user != NULL) {
         user = apr_pstrdup (r->pool, sent_user);
@@ -269,50 +210,66 @@
         }
     }
 
-    apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(&", filter);
+    /* 
+     * Create the first part of the filter, which consists of the 
+     * config-supplied portions.
+     */
+    apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", filter, sec->attribute);
 
-    /* If FDN authentication is not allowed then don't attempt to explode
-        the user ID.  The result is that dnbuf well be NULL which will
-        bypass building a FDN unique filter. */
-    if (sec->allow_fdn_auth) {
-        dnbuf = ldap_explode_dn (user, 0); 
-    }
-
-	if (dnbuf && (strchr(*dnbuf, '='))) {
-		char **buf;
-        char *dnfilter = "&";
-		for (buf = dnbuf; *buf; buf++) {
-            char *eq = strchr (*buf, '=');
-            char *newdn = *buf;
-
-            if (eq) {
-                newdn = apr_pstrcat (r->pool, apr_pstrndup (r->pool, *buf, eq-(*buf)),
-                                     ":dn:", eq, NULL);
+    /* 
+     * Now add the client-supplied username to the filter, ensuring that any
+     * LDAP filter metachars are escaped.
+     */
+    filtbuf_end = filtbuf + FILTER_LENGTH - 1;
+#if APR_HAS_MICROSOFT_LDAPSDK
+    for (p = user, q=filtbuf + strlen(filtbuf);
+         *p && q < filtbuf_end; ) {
+        if (strchr("*()\\", *p) != NULL) {
+            if ( q + 3 >= filtbuf_end)
+              break;  /* Don't write part of escape sequence if we can't write all of it
*/
+            *q++ = '\\';
+            switch ( *p++ )
+            {
+              case '*':
+                *q++ = '2';
+                *q++ = 'a';
+                break;
+              case '(':
+                *q++ = '2';
+                *q++ = '8';
+                break;
+              case ')':
+                *q++ = '2';
+                *q++ = '9';
+                break;
+              case '\\':
+                *q++ = '5';
+                *q++ = 'c';
+                break;
+		        }
+        }
+        else
+            *q++ = *p++;
+    }
+#else
+    for (p = user, q=filtbuf + strlen(filtbuf);
+         *p && q < filtbuf_end; *q++ = *p++) {
+        if (strchr("*()\\", *p) != NULL) {
+            *q++ = '\\';
+            if (q >= filtbuf_end) {
+              break;
             }
-
-            apr_snprintf(filtbuf, FILTER_LENGTH, "%s(", filtbuf);
-            cat_escape_dn_element(filtbuf, newdn);
-            apr_snprintf(filtbuf, FILTER_LENGTH, "%s)", filtbuf);
-		}
-	}
-    else {
-        /* 
-         * Create the first part of the filter, which consists of the 
-         * config-supplied portions.
-         */
-        apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", filter, sec->attribute);
-        cat_escape_dn_element(filtbuf, user);
+        }
     }
-    ldap_value_free (dnbuf); 
+#endif
+    *q = '\0';
 
     /* 
      * Append the closing parens of the filter, unless doing so would 
      * overrun the buffer.
      */
-    apr_snprintf(filtbuf, FILTER_LENGTH, "%s))", filtbuf);
-
-    ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
-                  "[%d] auth_ldap authenticate: using filter %s", getpid(), filtbuf);
+    if (q + 2 <= filtbuf_end)
+        strcat(filtbuf, "))");
 }
 
 static void *create_authnz_ldap_dir_config(apr_pool_t *p, char *d)
@@ -338,7 +295,6 @@
     sec->deref = always;
     sec->group_attrib_is_dn = 1;
     sec->auth_authoritative = 1;
-    sec->allow_fdn_auth = 0;
 
 /*
     sec->frontpage_hack = 0;
@@ -1096,11 +1052,6 @@
     AP_INIT_TAKE1("AuthLDAPCharsetConfig", set_charset_config, NULL, RSRC_CONF,
                   "Character set conversion configuration file. If omitted, character set"
                   "conversion is disabled."),
-
-    AP_INIT_FLAG("AuthLDAPAllowDNAuth", ap_set_flag_slot,
-                 (void *)APR_OFFSETOF(authn_ldap_config_t, allow_fdn_auth), OR_AUTHCFG,
-                 "If set to 'on', auth_ldap allows the user to authenicate using a fully"

-                 "distinguished user name. Defaults to 'off'."),
 
     {NULL}
 };



Mime
View raw message