httpd-cvs mailing list archives

From cove...@apache.org
Subject svn commit: r916091 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS docs/manual/mod/mod_authnz_ldap.xml modules/aaa/mod_authnz_ldap.c
Date Thu, 25 Feb 2010 02:25:35 GMT
Author: covener
Date: Thu Feb 25 02:25:35 2010
New Revision: 916091

URL: http://svn.apache.org/viewvc?rev=916091&view=rev
Log:
backport r881808 from trunk:

    Add AuthLDAPBindAuthoritative to allow other authentication providers a chance
    to run when mod_authnz_ldap finds a user but can't verify their password.

Submitted By: Justin Erenkrantz, Joe Schaefer, Tony Stevenson
Reviewed By: covener, pgollucci, rpluem


Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authnz_ldap.xml
    httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=916091&r1=916090&r2=916091&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Thu Feb 25 02:25:35 2010
@@ -9,6 +9,10 @@
      access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
      [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]
 
+  *) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to
+     try other providers in the case of an LDAP bind failure.
+     PR 46608 [Justin Erenkrantz, Joe Schaefer, Tony Stevenson]
+
   *) mod_proxy, mod_proxy_http: Support remote https proxies
      by using HTTP CONNECT.
      PR 19188.  [Philippe Dutrueux <lilas evidian.com>, Rainer Jung]
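Review bot: The CHANGES entry should state that the new directive defaults to on, so readers can see that existing 2.2.x deployments keep their current behaviour unless they opt in; "Add AuthLDAPBindAuthoritative (default on) to allow ..." would make that explicit. Also, the PR reference format here ("PR 46608") differs from the one used in the STATUS entry ("PR46608"); this one matches the surrounding entries, so keep it.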

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=916091&r1=916090&r2=916091&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Thu Feb 25 02:25:35 2010
@@ -87,21 +87,6 @@
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   * mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow other authentication 
-     providers a chance to run when mod_authnz_ldap finds a user but can't 
-     verify their password. PR46608.
-     Trunk patch: http://svn.apache.org/viewvc?rev=881808&view=rev
-             doc: http://svn.apache.org/viewvc?view=revision&revision=881812
-     2.2.x patch: http://people.apache.org/~covener/patches/2.2.x-ldap_bind_authoritative.diff

-     2.2.x doc  : http://people.apache.org/~covener/patches/2.2.x-ldap_bind_authoritative-doc.diff
-                  (resolves loglevel conflict introduced after the trunk commit)
-    +1: covener, pgollucci
-    rpluem says: I am +1 once you provide proper documentation for the manual
-    covener says: doc revision added above
-    minfrin says: The trunk patches no longer apply clean, is it possible to
-                  create a v2.2. patch?
-    covener: resolved conflict 
-
   * mod_include: Allow fine control over the removal of Last-Modified and ETag headers
     within the INCLUDES filter, making it possible to cache responses if
     desired. Fix the default value of the SSIAccessEnable directive.

Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authnz_ldap.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authnz_ldap.xml?rev=916091&r1=916090&r2=916091&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authnz_ldap.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authnz_ldap.xml Thu Feb 25 02:25:35 2010
@@ -675,6 +675,33 @@
 </directivesynopsis>
 
 <directivesynopsis>
+<name>AuthLDAPBindAuthoritative</name>
+<description>Determines if other authentication providers are used when a user can
be mapped to a DN but the server cannot successfully bind with the users credentials.</description>
+<syntax>AuthLDAPBindAuthoritative<em>off|on</em></syntax>
+<default>AuthLDAPBindAuhtoritative on</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+<compatibility>Available in versions later than 2.2.14</compatibility>
+
+<usage>
+    <p>By default, subsequent authentication providers are only queried if a 
+    user cannot be mapped to a DN, but not if the user can be mapped to a DN and their
+    password cannot be verified with an LDAP bind.  
+    If <directive module="mod_authnz_ldap">AuthLDAPBindAuthoritative</directive>

+    is set to <em>off</em>, other configured authentication modules will have

+    a chance to validate the user if the LDAP bind (with the current users credentials) 
+    fails for any reason.</p>
+    <p> This allows users present in both LDAP and 
+    <directive module="mod_authn_file">AuthUserFile</directive> to authenticate
+    when the LDAP server is available but the users account is locked or password
+    is otherwise unusable.</p>
+</usage>
+<seealso><directive module="mod_authn_file">AuthUserFile</directive></seealso>
+<seealso><directive module="mod_auth_basic">AuthBasicProvider</directive></seealso>
+</directivesynopsis>
+
+<directivesynopsis>
 <name>AuthLDAPBindDN</name>
 <description>Optional DN to use in binding to the LDAP server</description>
 <syntax>AuthLDAPBindDN <em>distinguished-name</em></syntax>
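Review bot: The default line misspells the directive as "AuthLDAPBindAuhtoritative"; it should read "AuthLDAPBindAuthoritative on", otherwise the rendered manual shows a name that the server will not accept. Two smaller points in the same hunk: the syntax line is missing the space between the directive name and its argument ("AuthLDAPBindAuthoritative <em>off|on</em>", as the AuthLDAPBindDN synopsis below does), and "the users credentials" / "the users account" should be "the user's credentials" / "the user's account". It would also help operators to say outright in the usage text that with the directive off, a wrong password is treated the same as an unknown user, so the decision is passed to the next provider rather than rejected here.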

Modified: httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c?rev=916091&r1=916090&r2=916091&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c (original)
+++ httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c Thu Feb 25 02:25:35 2010
@@ -63,6 +63,7 @@
     deref_options deref;            /* how to handle alias dereferening */
     char *binddn;                   /* DN to bind to server (can be NULL) */
     char *bindpw;                   /* Password to bind to server (can be NULL) */
+    int bind_authoritative;         /* If true, will return errors when bind fails */
 
     int user_is_dn;                 /* If true, connection->user is DN instead of userid
*/
     char *remote_user_attribute;    /* If set, connection->user is this attribute instead
of userid */
@@ -294,6 +295,7 @@
     sec->host = NULL;
     sec->binddn = NULL;
     sec->bindpw = NULL;
+    sec->bind_authoritative = 1;
     sec->deref = always;
     sec->group_attrib_is_dn = 1;
     sec->auth_authoritative = 1;
@@ -409,6 +411,14 @@
 
     /* handle bind failure */
     if (result != LDAP_SUCCESS) {
+        if (!sec->bind_authoritative) {
+           ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                      "[%" APR_PID_T_FMT "] auth_ldap authenticate: "
+                      "user %s authentication failed; URI %s [%s][%s] (not authoritative)",
+                      getpid(), user, r->uri, ldc->reason, ldap_err2string(result));
+           return AUTH_USER_NOT_FOUND;
+        }
+
         ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                       "[%" APR_PID_T_FMT "] auth_ldap authenticate: "
                       "user %s authentication failed; URI %s [%s][%s]",
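Review bot: The non-authoritative branch returns AUTH_USER_NOT_FOUND for every non-LDAP_SUCCESS result, so a bind that fails because of a transport or server error is passed to the next provider exactly like an invalid password; the manual's "fails for any reason" wording is accurate, but the consequence (a degraded LDAP server silently hands authentication to e.g. AuthUserFile) deserves a sentence in the docs or a comment here. The failed bind is also logged only at APLOG_DEBUG on this path while the authoritative path logs at APLOG_INFO; since a bind failure for a known DN is usually a bad password, logging it at the same level as the authoritative case keeps credential failures visible in normal logs for monitoring. Minor style: the added lines are indented with 11 spaces inside an 8-space block, so they do not line up with the surrounding ap_log_rerror calls.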
@@ -1065,6 +1075,10 @@
                   (void *)APR_OFFSETOF(authn_ldap_config_t, bindpw), OR_AUTHCFG,
                   "Password to use to bind to LDAP server. If not provided, will do an anonymous
bind."),
 
+    AP_INIT_FLAG("AuthLDAPBindAuthoritative", ap_set_flag_slot,
+                  (void *)APR_OFFSETOF(authn_ldap_config_t, bind_authoritative), OR_AUTHCFG,
+                  "Set to 'on' to return failures when user-specific bind fails - defaults
to on."),
+
     AP_INIT_FLAG("AuthLDAPRemoteUserIsDN", ap_set_flag_slot,
                  (void *)APR_OFFSETOF(authn_ldap_config_t, user_is_dn), OR_AUTHCFG,
                  "Set to 'on' to set the REMOTE_USER environment variable to be the full
"
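Review bot: The help string for AuthLDAPBindAuthoritative only describes the 'on' case; saying what 'off' does ("'off' lets later authentication providers run when the user-specific bind fails; defaults to on") would match the style of the neighbouring AP_INIT_FLAG entries and the manual text.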


