From cvs-return-25935-apmail-httpd-cvs-archive=httpd.apache.org@httpd.apache.org Thu Oct 12 20:53:03 2006 Return-Path: Delivered-To: apmail-httpd-cvs-archive@www.apache.org Received: (qmail 55473 invoked from network); 12 Oct 2006 20:53:03 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 12 Oct 2006 20:53:03 -0000 Received: (qmail 20572 invoked by uid 500); 12 Oct 2006 20:53:02 -0000 Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org Received: (qmail 20471 invoked by uid 500); 12 Oct 2006 20:53:01 -0000 Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list cvs@httpd.apache.org Received: (qmail 20460 invoked by uid 99); 12 Oct 2006 20:53:01 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 12 Oct 2006 13:53:01 -0700 X-ASF-Spam-Status: No, hits=-9.4 required=10.0 tests=ALL_TRUSTED,NO_REAL_NAME X-Spam-Check-By: apache.org Received-SPF: pass (asf.osuosl.org: local policy) Received: from [140.211.166.113] (HELO eris.apache.org) (140.211.166.113) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 12 Oct 2006 13:52:59 -0700 Received: by eris.apache.org (Postfix, from userid 65534) id B6FAD1A981A; Thu, 12 Oct 2006 13:52:38 -0700 (PDT) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r463427 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_authnz_ldap.xml modules/aaa/mod_authnz_ldap.c Date: Thu, 12 Oct 2006 20:52:37 -0000 To: cvs@httpd.apache.org 
From: minfrin@apache.org X-Mailer: svnmailer-1.1.0 Message-Id: <20061012205238.B6FAD1A981A@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N Author: minfrin Date: Thu Oct 12 13:52:37 2006 New Revision: 463427 URL: http://svn.apache.org/viewvc?view=rev&rev=463427 Log: mod_authnz_ldap: Add an AuthLDAPRemoteUserAttribute directive. If set, REMOTE_USER will be set to this attribute, rather than the username supplied by the user. Useful for example when you want users to log in using an email address, but need to supply a userid instead to the backend. Modified: httpd/httpd/trunk/CHANGES httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c Modified: httpd/httpd/trunk/CHANGES URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?view=diff&rev=463427&r1=463426&r2=463427 ============================================================================== --- httpd/httpd/trunk/CHANGES [utf-8] (original) +++ httpd/httpd/trunk/CHANGES [utf-8] Thu Oct 12 13:52:37 2006 
@@ -2,6 +2,12 @@ Changes with Apache 2.3.0 [Remove entries to the current 2.0 and 2.2 section below, when backported] + *) mod_authnz_ldap: Add an AuthLDAPRemoteUserAttribute directive. If + set, REMOTE_USER will be set to this attribute, rather than the + username supplied by the user. Useful for example when you want users + to log in using an email address, but need to supply a userid instead + to the backend. [Graham Leggett] + *) Allow mod_dumpio to log at other than DEBUG levels via the new DumpIOLogLevel directive. [Jim Jagielski] Modified: httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml?view=diff&rev=463427&r1=463426&r2=463427 ============================================================================== --- httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml (original) +++ httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml Thu Oct 12 13:52:37 2006 @@ -775,6 +775,29 @@ +AuthLDAPRemoteUserAttribute +Use the value of the attribute returned during the user +query to set the REMOTE_USER environment variable +AuthLDAPRemoteUserAttribute uid +none +directory.htaccess + +AuthConfig + + +

If this directive is set, the value of the + REMOTE_USER environment variable will be set to the + value of the attribute specified. Make sure that this attribute is + included in the list of attributes in the AuthLDAPUrl definition, + otherwise this directive will have no effect. This directive, if + present, takes precedence over AuthLDAPRemoteUserIsDN. This + directive is useful should you want people to log into a website + using an email address, but a backend application expects the + username as a userid.

+
+
+ + AuthLDAPRemoteUserIsDN Use the DN of the client username to set the REMOTE_USER environment variable Modified: httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c?view=diff&rev=463427&r1=463426&r2=463427 ============================================================================== --- httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c (original) +++ httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c Thu Oct 12 13:52:37 2006 @@ -62,6 +62,7 @@ char *bindpw; /* Password to bind to server (can be NULL) */ int user_is_dn; /* If true, connection->user is DN instead of userid */ + char *remote_user_attribute; /* If set, connection->user is this attribute instead of userid */ int compare_dn_on_server; /* If true, will use server to do DN compare */ int have_ldap_url; /* Set if we have found an LDAP url */ @@ -295,6 +296,7 @@ sec->secure = -1; /*Initialize to unset*/ sec->user_is_dn = 0; + sec->remote_user_attribute = NULL; sec->compare_dn_on_server = 0; return sec; @@ -329,6 +331,7 @@ util_ldap_connection_t *ldc = NULL; int result = 0; + int remote_user_attribute_set = 0; const char *dn = NULL; authn_ldap_request_t *req = 
@@ -439,10 +442,28 @@ j++; } apr_table_setn(e, str, vals[i]); + + /* handle remote_user_attribute, if set */ + if (sec->remote_user_attribute && + !strcmp(sec->remote_user_attribute, sec->attributes[i])) { + r->user = (char *)apr_pstrdup(r->pool, vals[i]); + remote_user_attribute_set = 1; + } i++; } } + /* sanity check */ + if (sec->remote_user_attribute && !remote_user_attribute_set) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authenticate: " + "REMOTE_USER was to be set with attribute '%s', " + "but this attribute was not requested for in the " + "LDAP query for the user. REMOTE_USER will fall " + "back to username or DN as appropriate.", getpid(), + sec->remote_user_attribute); + } + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authenticate: accepting %s", getpid(), user); @@ -1289,6 +1310,13 @@ "Set to 'on' to set the REMOTE_USER environment variable to be the full " "DN of the remote user. By default, this is set to off, meaning that " "the REMOTE_USER variable will contain whatever value the remote user sent."), + + AP_INIT_TAKE1("AuthLDAPRemoteUserAttribute", ap_set_string_slot, + (void *)APR_OFFSETOF(authn_ldap_config_t, + remote_user_attribute), OR_AUTHCFG, + "Override the user supplied username and place the " + "contents of this attribute in the REMOTE_USER " + "environment variable."), AP_INIT_FLAG("AuthLDAPCompareDNOnServer", ap_set_flag_slot, (void *)APR_OFFSETOF(authn_ldap_config_t, compare_dn_on_server), OR_AUTHCFG,
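Review bot: the directive entry in the mod_authnz_ldap.xml hunk (@@ -775,6 +775,29 @@) should carry a compatibility note giving the version from which AuthLDAPRemoteUserAttribute is available, since it is a new directive. The text also says the directive "will have no effect" if the attribute is not in the AuthLDAPUrl attribute list, but the code logs a warning and falls back to the username or DN; documenting that warning and the fallback (that AuthLDAPRemoteUserIsDN still applies in that case) would help administrators diagnose why REMOTE_USER is not what they expected, and the entry is silent on how a multi-valued or missing attribute value is handled.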
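Review bot: in the @@ -439,10 +442,28 @@ hunk the match `!strcmp(sec->remote_user_attribute, sec->attributes[i])` is case-sensitive, but LDAP attribute type names are case-insensitive, so `AuthLDAPRemoteUserAttribute UID` with `uid` in the AuthLDAPUrl attribute list never matches and the request falls back to the supplied username after logging the "not requested" warning, which misreports the cause; compare with strcasecmp (or apr_strnatcasecmp) instead. The assignment `r->user = (char *)apr_pstrdup(r->pool, vals[i]);` also needs a NULL check on `vals[i]`: apr_pstrdup(pool, NULL) returns NULL, and because `remote_user_attribute_set = 1` is still executed the sanity check below does not fire, leaving r->user NULL for the rest of the request (the `(char *)` cast is unnecessary as well). Finally, the debug line `"auth_ldap authenticate: accepting %s", getpid(), user` still reports the login name rather than the rewritten r->user; logging both makes the REMOTE_USER substitution auditable.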