httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From minf...@apache.org
Subject svn commit: r463427 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_authnz_ldap.xml modules/aaa/mod_authnz_ldap.c
Date Thu, 12 Oct 2006 20:52:37 GMT
Author: minfrin
Date: Thu Oct 12 13:52:37 2006
New Revision: 463427

URL: http://svn.apache.org/viewvc?view=rev&rev=463427
Log:
mod_authnz_ldap: Add an AuthLDAPRemoteUserAttribute directive. If
set, REMOTE_USER will be set to this attribute, rather than the
username supplied by the user. Useful for example when you want users
to log in using an email address, but need to supply a userid instead
to the backend.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml
    httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?view=diff&rev=463427&r1=463426&r2=463427
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Thu Oct 12 13:52:37 2006
@@ -2,6 +2,12 @@
 Changes with Apache 2.3.0
   [Remove entries to the current 2.0 and 2.2 section below, when backported]
 
+  *) mod_authnz_ldap: Add an AuthLDAPRemoteUserAttribute directive. If
+     set, REMOTE_USER will be set to this attribute, rather than the
+     username supplied by the user. Useful for example when you want users
+     to log in using an email address, but need to supply a userid instead
+     to the backend. [Graham Leggett]
+
   *) Allow mod_dumpio to log at other than DEBUG levels via
      the new DumpIOLogLevel directive. [Jim Jagielski]
 

Modified: httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml?view=diff&rev=463427&r1=463426&r2=463427
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml Thu Oct 12 13:52:37 2006
@@ -775,6 +775,29 @@
 </directivesynopsis>
 
 <directivesynopsis>
+<name>AuthLDAPRemoteUserAttribute</name>
+<description>Use the value of the attribute returned during the user
+query to set the REMOTE_USER environment variable</description>
+<syntax>AuthLDAPRemoteUserAttribute uid</syntax>
+<default>none</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override> 
+      
+<usage>
+    <p>If this directive is set, the value of the 
+    <code>REMOTE_USER</code> environment variable will be set to the
+    value of the attribute specified. Make sure that this attribute is
+    included in the list of attributes in the AuthLDAPUrl definition,
+    otherwise this directive will have no effect. This directive, if
+    present, takes precedence over AuthLDAPRemoteUserIsDN. This
+    directive is useful should you want people to log into a website
+    using an email address, but a backend application expects the
+    username as a userid.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
 <name>AuthLDAPRemoteUserIsDN</name>
 <description>Use the DN of the client username to set the REMOTE_USER
 environment variable</description>

Modified: httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c?view=diff&rev=463427&r1=463426&r2=463427
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c Thu Oct 12 13:52:37 2006
@@ -62,6 +62,7 @@
     char *bindpw;                   /* Password to bind to server (can be NULL) */
 
     int user_is_dn;                 /* If true, connection->user is DN instead of userid
*/
+    char *remote_user_attribute;    /* If set, connection->user is this attribute instead
of userid */
     int compare_dn_on_server;       /* If true, will use server to do DN compare */
 
     int have_ldap_url;              /* Set if we have found an LDAP url */
@@ -295,6 +296,7 @@
     sec->secure = -1;   /*Initialize to unset*/
 
     sec->user_is_dn = 0;
+    sec->remote_user_attribute = NULL;
     sec->compare_dn_on_server = 0;
 
     return sec;
@@ -329,6 +331,7 @@
 
     util_ldap_connection_t *ldc = NULL;
     int result = 0;
+    int remote_user_attribute_set = 0;
     const char *dn = NULL;
 
     authn_ldap_request_t *req =
@@ -439,10 +442,28 @@
                 j++;
             }
             apr_table_setn(e, str, vals[i]);
+
+            /* handle remote_user_attribute, if set */
+            if (sec->remote_user_attribute && 
+                !strcmp(sec->remote_user_attribute, sec->attributes[i])) {
+                r->user = (char *)apr_pstrdup(r->pool, vals[i]);
+                remote_user_attribute_set = 1;
+            }
             i++;
         }
     }
 
+    /* sanity check */
+    if (sec->remote_user_attribute && !remote_user_attribute_set) {
+        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+                  "[%" APR_PID_T_FMT "] auth_ldap authenticate: "
+                  "REMOTE_USER was to be set with attribute '%s', "
+                  "but this attribute was not requested for in the "
+                  "LDAP query for the user. REMOTE_USER will fall "
+                  "back to username or DN as appropriate.", getpid(),
+                  sec->remote_user_attribute);
+    }
+
     ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                   "[%" APR_PID_T_FMT "] auth_ldap authenticate: accepting %s", getpid(),
user);
 
@@ -1289,6 +1310,13 @@
                  "Set to 'on' to set the REMOTE_USER environment variable to be the full
"
                  "DN of the remote user. By default, this is set to off, meaning that "
                  "the REMOTE_USER variable will contain whatever value the remote user sent."),
+
+    AP_INIT_TAKE1("AuthLDAPRemoteUserAttribute", ap_set_string_slot,
+                 (void *)APR_OFFSETOF(authn_ldap_config_t, 
+                                      remote_user_attribute), OR_AUTHCFG,
+                 "Override the user supplied username and place the "
+                 "contents of this attribute in the REMOTE_USER "
+                 "environment variable."),
 
     AP_INIT_FLAG("AuthLDAPCompareDNOnServer", ap_set_flag_slot,
                  (void *)APR_OFFSETOF(authn_ldap_config_t, compare_dn_on_server), OR_AUTHCFG,



Mime
View raw message