httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From j..@apache.org
Subject svn commit: r484638 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS docs/manual/mod/mod_authnz_ldap.xml modules/aaa/mod_authnz_ldap.c
Date Fri, 08 Dec 2006 15:29:37 GMT
Author: jim
Date: Fri Dec  8 07:29:36 2006
New Revision: 484638

URL: http://svn.apache.org/viewvc?view=rev&rev=484638
Log:
Merge r463427 from trunk:

mod_authnz_ldap: Add an AuthLDAPRemoteUserAttribute directive. If
set, REMOTE_USER will be set to this attribute, rather than the
username supplied by the user. Useful for example when you want users
to log in using an email address, but need to supply a userid instead
to the backend.

Submitted by: minfrin
Reviewed by: jim

Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authnz_ldap.xml
    httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=diff&rev=484638&r1=484637&r2=484638
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Fri Dec  8 07:29:36 2006
@@ -1,6 +1,12 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.2.4
 
+  *) mod_authnz_ldap: Add an AuthLDAPRemoteUserAttribute directive. If
+     set, REMOTE_USER will be set to this attribute, rather than the
+     username supplied by the user. Useful for example when you want users
+     to log in using an email address, but need to supply a userid instead
+     to the backend. [Graham Leggett]
+
   *) mod_cgi and mod_cgid: Don't use apr_status_t error return
      from input filters as HTTP return value from the handler.
      PR#31579.

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?view=diff&rev=484638&r1=484637&r2=484638
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Fri Dec  8 07:29:36 2006
@@ -96,14 +96,6 @@
      wrowe adds; keeping the old idents for backporting would have
                  made this alot easier for review - mind \x09's please.
 
-    * mod_authnz_ldap: Add an AuthLDAPRemoteUserAttribute directive. If
-      set, REMOTE_USER will be set to this attribute, rather than the
-      username supplied by the user. Useful for example when you want users
-      to log in using an email address, but need to supply a userid instead
-      to the backend.
-      Trunk: http://svn.apache.org/viewvc?view=rev&rev=463427
-      +1: minfrini, wrowe, jim
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
 
     * mod_mem_cache: Convert mod_mem_cache to use APR memory pool functions

Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authnz_ldap.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authnz_ldap.xml?view=diff&rev=484638&r1=484637&r2=484638
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authnz_ldap.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authnz_ldap.xml Fri Dec  8 07:29:36 2006
@@ -803,6 +803,29 @@
 </directivesynopsis>
 
 <directivesynopsis>
+<name>AuthLDAPRemoteUserAttribute</name>
+<description>Use the value of the attribute returned during the user
+query to set the REMOTE_USER environment variable</description>
+<syntax>AuthLDAPRemoteUserAttribute uid</syntax>
+<default>none</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override> 
+      
+<usage>
+    <p>If this directive is set, the value of the 
+    <code>REMOTE_USER</code> environment variable will be set to the
+    value of the attribute specified. Make sure that this attribute is
+    included in the list of attributes in the AuthLDAPUrl definition,
+    otherwise this directive will have no effect. This directive, if
+    present, takes precedence over AuthLDAPRemoteUserIsDN. This
+    directive is useful should you want people to log into a website
+    using an email address, but a backend application expects the
+    username as a userid.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
 <name>AuthLDAPRemoteUserIsDN</name>
 <description>Use the DN of the client username to set the REMOTE_USER
 environment variable</description>

Modified: httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c?view=diff&rev=484638&r1=484637&r2=484638
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c (original)
+++ httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c Fri Dec  8 07:29:36 2006
@@ -64,6 +64,7 @@
     char *bindpw;                   /* Password to bind to server (can be NULL) */
 
     int user_is_dn;                 /* If true, connection->user is DN instead of userid
*/
+    char *remote_user_attribute;    /* If set, connection->user is this attribute instead
of userid */
     int compare_dn_on_server;       /* If true, will use server to do DN compare */
 
     int have_ldap_url;              /* Set if we have found an LDAP url */
@@ -303,6 +304,7 @@
     sec->secure = -1;   /*Initialize to unset*/
 
     sec->user_is_dn = 0;
+    sec->remote_user_attribute = NULL;
     sec->compare_dn_on_server = 0;
 
     return sec;
@@ -337,6 +339,7 @@
 
     util_ldap_connection_t *ldc = NULL;
     int result = 0;
+    int remote_user_attribute_set = 0;
     const char *dn = NULL;
 
     authn_ldap_request_t *req =
@@ -447,10 +450,28 @@
                 j++;
             }
             apr_table_setn(e, str, vals[i]);
+
+            /* handle remote_user_attribute, if set */
+            if (sec->remote_user_attribute && 
+                !strcmp(sec->remote_user_attribute, sec->attributes[i])) {
+                r->user = (char *)apr_pstrdup(r->pool, vals[i]);
+                remote_user_attribute_set = 1;
+            }
             i++;
         }
     }
 
+    /* sanity check */
+    if (sec->remote_user_attribute && !remote_user_attribute_set) {
+        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+                  "[%" APR_PID_T_FMT "] auth_ldap authenticate: "
+                  "REMOTE_USER was to be set with attribute '%s', "
+                  "but this attribute was not requested for in the "
+                  "LDAP query for the user. REMOTE_USER will fall "
+                  "back to username or DN as appropriate.", getpid(),
+                  sec->remote_user_attribute);
+    }
+
     ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                   "[%" APR_PID_T_FMT "] auth_ldap authenticate: accepting %s", getpid(),
user);
 
@@ -1040,6 +1061,13 @@
                  "Set to 'on' to set the REMOTE_USER environment variable to be the full
"
                  "DN of the remote user. By default, this is set to off, meaning that "
                  "the REMOTE_USER variable will contain whatever value the remote user sent."),
+
+    AP_INIT_TAKE1("AuthLDAPRemoteUserAttribute", ap_set_string_slot,
+                 (void *)APR_OFFSETOF(authn_ldap_config_t, 
+                                      remote_user_attribute), OR_AUTHCFG,
+                 "Override the user supplied username and place the "
+                 "contents of this attribute in the REMOTE_USER "
+                 "environment variable."),
 
     AP_INIT_FLAG("AuthzLDAPAuthoritative", ap_set_flag_slot,
                  (void *)APR_OFFSETOF(authn_ldap_config_t, auth_authoritative), OR_AUTHCFG,



Mime
View raw message