httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cove...@apache.org
Subject svn commit: r949436 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_authnz_ldap.html.en docs/manual/mod/mod_authnz_ldap.xml modules/aaa/mod_authnz_ldap.c
Date Sat, 29 May 2010 20:19:10 GMT
Author: covener
Date: Sat May 29 20:19:10 2010
New Revision: 949436

URL: http://svn.apache.org/viewvc?rev=949436&view=rev
Log:
mod_authnz_ldap: Allow the initial DN lookup to bind with a
transformation of the basic auth username.


Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.html.en
    httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml
    httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=949436&r1=949435&r2=949436&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sat May 29 20:19:10 2010
@@ -28,6 +28,11 @@ Changes with Apache 2.3.7
      processing is completed, avoiding orphaned callback pointers.
      [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]
 
+  *) mod_authnz_ldap: Allow the initial DN search during authentication
+     to use the HTTP username/pass instead of an anonymous or hard-coded
+     LDAP id (AuthLDAPInitialBindAsUser, AuthLDAPInitialBindPattern).  
+     [Eric Covener]
+
   *) mod_authnz_ldap: Publish requested LDAP data with an AUTHORIZE_ prefix
      when this module is used for authorization. See AuthLDAPAuthorizePrefix.
      PR 45584 [Eric Covener]

Modified: httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.html.en
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.html.en?rev=949436&r1=949435&r2=949436&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.html.en (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.html.en Sat May 29 20:19:10 2010
@@ -68,6 +68,8 @@ for HTTP Basic authentication.</td></tr>
 <li><img alt="" src="../images/down.gif" /> <a href="#authldapdereferencealiases">AuthLDAPDereferenceAliases</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#authldapgroupattribute">AuthLDAPGroupAttribute</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#authldapgroupattributeisdn">AuthLDAPGroupAttributeIsDN</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#authldapinitialbindasuser">AuthLDAPInitialBindAsUser</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#authldapinitialbindpattern">AuthLDAPInitialBindPattern</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#authldapmaxsubgroupdepth">AuthLDAPMaxSubGroupDepth</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#authldapremoteuserattribute">AuthLDAPRemoteUserAttribute</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#authldapremoteuserisdn">AuthLDAPRemoteUserIsDN</a></li>
@@ -952,6 +954,79 @@ group membership</td></tr>
 
 </div>
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif"
/></a></div>
+<div class="directive-section"><h2><a name="AuthLDAPInitialBindAsUser" id="AuthLDAPInitialBindAsUser">AuthLDAPInitialBindAsUser</a>
<a name="authldapinitialbindasuser" id="authldapinitialbindasuser">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Determines
if the server does the initial DN lookup using the basic authentication users'
+own username, instead of anonymously or with hard-coded credentials for the server</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthLDAPInitialBindAsUser
<em>off|on</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthLDAPInitialBindAsUser
off</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory,
.htaccess</td></tr>
+<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_ldap</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available
in version 2.3.7 and later</td></tr>
+</table>
+    <p>By default, the server either anonymously, or with a dedicated user and
+     password, converts the basic authentication username into an LDAP
+     distinguished name (DN).  This directive forces the server to use the verbatim username
+     and password provided by the incoming user to perform the initial DN
+     search.</p>
+ 
+     <p> If the verbatim username can't directly bind, but needs some
+     cosmetic transformation, see <code class="directive"><a href="#&#10;  
  authldapinitialbindpattern">
+     AuthLDAPInitialBindPattern</a></code>.</p>
+
+     <div class="note"><h3>Not available with authorization-only</h3>
+         This directive can only be used if this module authenticates the user, and
+         has no effect when this module is used exclusively for authorization.
+     </div>
+
+<h3>See also</h3>
+<ul>
+<li><code class="directive"><a href="../mod/mod_authnnz_ldap.html#authldapinitialbindpattern">AuthLDAPInitialBindPattern</a></code></li>
+<li><code class="directive"><a href="../mod/mod_authnnz_ldap.html#authldapbinddn">AuthLDAPBindDN</a></code></li>
+</ul>
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif"
/></a></div>
+<div class="directive-section"><h2><a name="AuthLDAPInitialBindPattern" id="AuthLDAPInitialBindPattern">AuthLDAPInitialBindPattern</a>
<a name="authldapinitialbindpattern" id="authldapinitialbindpattern">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Specifies
the transformation of the basic authentication username to be used when binding to the LDAP
server
+to perform a DN lookup</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthLDAPInitialBindPattern<em><var>regex</var>
<var>substitution</var></em></code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthLDAPInitialBindPattern
(.*) $1 (remote username used verbatim)</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory,
.htaccess</td></tr>
+<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_ldap</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available
in version 2.3.7 and later</td></tr>
+</table>
+    <p>If <code class="directive"><a href="#authldapinitialbindasuser">AuthLDAPInitialBindAsUser</a></code>
is set to
+       <em>ON</em>, the basic authentication username will be transformed according
to the
+       regular expression and substituion arguments.</p>
+
+    <p> The regular expression argument is compared against the current basic authentication
username.
+        The substitution argument may contain backreferences, but has no other variable interpolation.</p>
+     
+    <div class="example"><p><code> AuthLDAPInitialBindPattern (.+) $1@example.com
</code></p></div>
+    <div class="example"><p><code> AuthLDAPInitialBindPattern (.+) cn=$1,dc=example,dc=com</code></p></div>
+
+    <div class="note"><h3>Not available with authorization-only</h3>
+        This directive can only be used if this module authenticates the user, and
+        has no effect when this module is used exclusively for authorization.
+    </div>
+    <div class="note"><h3>debugging</h3>
+        The substituted DN is recorded in the environment variable 
+        <em>LDAP_BINDASUSER</em>.  If the regular expression does not match the
input, 
+        the verbatim username is used.
+    </div>
+
+<h3>See also</h3>
+<ul>
+<li><code class="directive"><a href="../mod/mod_authnnz_ldap.html#authldapinitialbindasuser">AuthLDAPInitialBindAsUser</a></code></li>
+<li><code class="directive"><a href="../mod/mod_authnnz_ldap.html#authldapbinddn">AuthLDAPBindDN</a></code></li>
+</ul>
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif"
/></a></div>
 <div class="directive-section"><h2><a name="AuthLDAPMaxSubGroupDepth" id="AuthLDAPMaxSubGroupDepth">AuthLDAPMaxSubGroupDepth</a>
<a name="authldapmaxsubgroupdepth" id="authldapmaxsubgroupdepth">Directive</a></h2>
 <table class="directive">
 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Specifies
the maximum sub-group nesting depth that will be

Modified: httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml?rev=949436&r1=949435&r2=949436&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml Sat May 29 20:19:10 2010
@@ -805,6 +805,71 @@ authorization</description>
 </directivesynopsis>
 
 <directivesynopsis>
+<name>AuthLDAPInitialBindAsUser</name>
+<description>Determines if the server does the initial DN lookup using the basic authentication
users'
+own username, instead of anonymously or with hard-coded credentials for the server</description>
+<syntax>AuthLDAPInitialBindAsUser <em>off|on</em></syntax>
+<default>AuthLDAPInitialBindAsUser off</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<compatibility>Available in version 2.3.7 and later</compatibility>
+<override>AuthConfig</override>
+<usage>
+    <p>By default, the server either anonymously, or with a dedicated user and
+     password, converts the basic authentication username into an LDAP
+     distinguished name (DN).  This directive forces the server to use the verbatim username
+     and password provided by the incoming user to perform the initial DN
+     search.</p>
+ 
+     <p> If the verbatim username can't directly bind, but needs some
+     cosmetic transformation, see <directive module="mod_authnz_ldap">
+     AuthLDAPInitialBindPattern</directive>.</p>
+
+     <note><title>Not available with authorization-only</title>
+         This directive can only be used if this module authenticates the user, and
+         has no effect when this module is used exclusively for authorization.
+     </note>
+</usage>
+<seealso><directive module="mod_authnnz_ldap">AuthLDAPInitialBindPattern</directive></seealso>
+<seealso><directive module="mod_authnnz_ldap">AuthLDAPBindDN</directive></seealso>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>AuthLDAPInitialBindPattern</name>
+<description>Specifies the transformation of the basic authentication username to be
used when binding to the LDAP server
+to perform a DN lookup</description>
+<syntax>AuthLDAPInitialBindPattern<em><var>regex</var> <var>substitution</var></em></syntax>
+<default>AuthLDAPInitialBindPattern (.*) $1 (remote username used verbatim)</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<compatibility>Available in version 2.3.7 and later</compatibility>
+<override>AuthConfig</override>
+<usage>
+    <p>If <directive module="mod_authnz_ldap">AuthLDAPInitialBindAsUser</directive>
is set to
+       <em>ON</em>, the basic authentication username will be transformed according
to the
+       regular expression and substituion arguments.</p>
+
+    <p> The regular expression argument is compared against the current basic authentication
username.
+        The substitution argument may contain backreferences, but has no other variable interpolation.</p>
+     
+    <example> AuthLDAPInitialBindPattern (.+) $1@example.com </example>
+    <example> AuthLDAPInitialBindPattern (.+) cn=$1,dc=example,dc=com</example>
+
+    <note><title>Not available with authorization-only</title>
+        This directive can only be used if this module authenticates the user, and
+        has no effect when this module is used exclusively for authorization.
+    </note>
+    <note><title>debugging</title>
+        The substituted DN is recorded in the environment variable 
+        <em>LDAP_BINDASUSER</em>.  If the regular expression does not match the
input, 
+        the verbatim username is used.
+    </note>
+</usage>
+<seealso><directive module="mod_authnnz_ldap">AuthLDAPInitialBindAsUser</directive></seealso>
+<seealso><directive module="mod_authnnz_ldap">AuthLDAPBindDN</directive></seealso>
+</directivesynopsis>
+
+<directivesynopsis>
 <name>AuthLDAPBindDN</name>
 <description>Optional DN to use in binding to the LDAP server</description>
 <syntax>AuthLDAPBindDN <em>distinguished-name</em></syntax>

Modified: httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c?rev=949436&r1=949435&r2=949436&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c Sat May 29 20:19:10 2010
@@ -80,6 +80,9 @@ typedef struct {
 
     int secure;                     /* True if SSL connections are requested */
     char *authz_prefix;             /* Prefix for environment variables added during authz
*/
+    int initial_bind_as_user;               /* true if we should try to bind (to lookup DN)
directly with the basic auth username */
+    ap_regex_t *bind_regex;         /* basic auth -> bind'able username regex */
+    const char *bind_subst;         /* basic auth -> bind'able username substitution */
 } authn_ldap_config_t;
 
 typedef struct {
@@ -386,6 +389,28 @@ static int set_request_vars(request_rec 
     return remote_user_attribute_set;
 }
 
+static const char *ldap_determine_binddn(request_rec *r, const char *user) {
+    authn_ldap_config_t *sec =
+        (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
+    const char *result = user;
+    ap_regmatch_t regm[AP_MAX_REG_MATCH];
+
+    if (NULL == user || NULL == sec || !sec->bind_regex || !sec->bind_subst) {
+        return result;
+    }
+
+    if (!ap_regexec(sec->bind_regex, user, AP_MAX_REG_MATCH, regm, 0)) {
+        char *substituted = ap_pregsub(r->pool, sec->bind_subst, user, AP_MAX_REG_MATCH,
regm);
+        if (NULL != substituted) {
+            result = substituted;
+        }
+    }
+
+    apr_table_set(r->subprocess_env, "LDAP_BINDASUSER", result);
+
+    return result;
+}
+
 /*
  * Authentication Phase
  * --------------------
@@ -431,9 +456,16 @@ start_over:
 
     /* There is a good AuthLDAPURL, right? */
     if (sec->host) {
+        const char *binddn = sec->binddn;
+        const char *bindpw = sec->bindpw;
+        if (sec->initial_bind_as_user) {
+            bindpw = password;
+            binddn = ldap_determine_binddn(r, user);
+        }
+
         ldc = util_ldap_connection_find(r, sec->host, sec->port,
-                                       sec->binddn, sec->bindpw, sec->deref,
-                                       sec->secure);
+                                       binddn, bindpw,
+                                       sec->deref, sec->secure);
     }
     else {
         ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
@@ -1456,6 +1488,24 @@ static const char *set_charset_config(cm
     return NULL;
 }
 
+static const char *set_bind_pattern(cmd_parms *cmd, void *_cfg, const char *exp, const char
*subst)
+{
+    authn_ldap_config_t *sec = _cfg;
+    ap_regex_t *regexp;
+
+    regexp = ap_pregcomp(cmd->pool, exp, AP_REG_EXTENDED);
+
+    if (!regexp) {
+        return apr_pstrcat(cmd->pool, "AuthLDAPInitialBindPattern: cannot compile regular
"
+                                      "expression '", exp, "'", NULL);
+    }
+
+    sec->bind_regex = regexp;
+    sec->bind_subst = apr_pstrdup(cmd->pool, subst);
+
+    return NULL;
+}
+
 static const command_rec authnz_ldap_cmds[] =
 {
     AP_INIT_TAKE12("AuthLDAPURL", mod_auth_ldap_parse_url, NULL, OR_AUTHCFG,
@@ -1547,6 +1597,15 @@ static const command_rec authnz_ldap_cmd
                   (void *)APR_OFFSETOF(authn_ldap_config_t, authz_prefix), OR_AUTHCFG,
                   "The prefix to add to environment variables set during "
                   "successful authorization, default '" AUTHZ_PREFIX "'"),
+
+    AP_INIT_FLAG("AuthLDAPInitialBindAsUser", ap_set_flag_slot,
+                 (void *)APR_OFFSETOF(authn_ldap_config_t, initial_bind_as_user), OR_AUTHCFG,
+                 "Set to 'on' to perform the initial DN lookup with the basic auth credentials
"
+                 "instead of anonymous or hard-coded credentials"),
+
+     AP_INIT_TAKE2("AuthLDAPInitialBindPattern", set_bind_pattern, NULL, OR_AUTHCFG,
+                   "The regex and substitution to determine a username that can bind based
on an HTTP basic auth username"),
+
     {NULL}
 };
 



Mime
View raw message