httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From j..@apache.org
Subject svn commit: r1555539 - in /httpd/httpd/branches/2.4.x: ./ CHANGES STATUS docs/manual/ docs/manual/expr.xml docs/manual/mod/ docs/manual/mod/mod_authnz_ldap.xml modules/aaa/mod_authnz_ldap.c
Date Sun, 05 Jan 2014 16:09:08 GMT
Author: jim
Date: Sun Jan  5 16:09:07 2014
New Revision: 1555539

URL: http://svn.apache.org/r1555539
Log:
Merge r1554161 from trunk:

mod_authnz_ldap: Support the expression parser within the require
directives.

Submitted by: minfrin
Reviewed/backported by: jim

Modified:
    httpd/httpd/branches/2.4.x/   (props changed)
    httpd/httpd/branches/2.4.x/CHANGES
    httpd/httpd/branches/2.4.x/STATUS
    httpd/httpd/branches/2.4.x/docs/manual/   (props changed)
    httpd/httpd/branches/2.4.x/docs/manual/expr.xml
    httpd/httpd/branches/2.4.x/docs/manual/mod/   (props changed)
    httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authnz_ldap.xml
    httpd/httpd/branches/2.4.x/modules/aaa/mod_authnz_ldap.c

Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
  Merged /httpd/httpd/trunk:r1554161

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1555539&r1=1555538&r2=1555539&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Sun Jan  5 16:09:07 2014
@@ -2,6 +2,9 @@
 
 Changes with Apache 2.4.8
 
+  *) mod_authnz_ldap: Support the expression parser within the require
+     directives. [Graham Leggett]
+
   * mod_proxy_http: Core dumped under high load. PR 50335
     [Jan Kaluza <jkaluza redhat.com>]
 

Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1555539&r1=1555538&r2=1555539&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Sun Jan  5 16:09:07 2014
@@ -98,11 +98,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  * mod_authnz_ldap: Support the expression parser within the require directives.
-    trunk patch: http://svn.apache.org/r1554161
-    2.4.x patch: trunk works (modulo CHANGES and log-message-tags)
-    +1: minfrin, jim, covener
-
   * mod_authz_dbd: Support the expression parser within the require directives.
     trunk patch: http://svn.apache.org/r1554168
                  http://svn.apache.org/r1554176

Propchange: httpd/httpd/branches/2.4.x/docs/manual/
------------------------------------------------------------------------------
  Merged /httpd/httpd/trunk/docs/manual:r1554161

Modified: httpd/httpd/branches/2.4.x/docs/manual/expr.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/expr.xml?rev=1555539&r1=1555538&r2=1555539&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/expr.xml (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/expr.xml Sun Jan  5 16:09:07 2014
@@ -51,6 +51,11 @@
 <seealso><directive module="mod_headers">RequestHeader</directive></seealso>
 <seealso><directive module="mod_filter">FilterProvider</directive></seealso>
 <seealso><a href="mod/mod_authz_core.html#reqexpr">Require expr</a></seealso>
+<seealso><a href="mod/mod_authnz_ldap.html#requser">Require ldap-user</a></seealso>
+<seealso><a href="mod/mod_authnz_ldap.html#reqgroup">Require ldap-group</a></seealso>
+<seealso><a href="mod/mod_authnz_ldap.html#reqdn">Require ldap-dn</a></seealso>
+<seealso><a href="mod/mod_authnz_ldap.html#reqattribute">Require ldap-attribute</a></seealso>
+<seealso><a href="mod/mod_authnz_ldap.html#reqfilter">Require ldap-filter</a></seealso>
 <seealso><directive module="mod_ssl">SSLRequire</directive></seealso>
 <seealso><directive module="mod_log_debug">LogMessage</directive></seealso>
 <seealso><module>mod_include</module></seealso>

Propchange: httpd/httpd/branches/2.4.x/docs/manual/mod/
------------------------------------------------------------------------------
  Merged /httpd/httpd/trunk/docs/manual/mod:r1554161

Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authnz_ldap.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authnz_ldap.xml?rev=1555539&r1=1555538&r2=1555539&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authnz_ldap.xml (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authnz_ldap.xml Sun Jan  5 16:09:07 2014
@@ -323,6 +323,9 @@ for HTTP Basic authentication.</descript
     <code>ldap-filter</code>.  Other authorization types may also be
     used but may require that additional authorization modules be loaded.</p>
 
+    <p>Since v2.5.0, <a href="../expr.html">expressions</a> are supported
+    within the LDAP require directives.</p>
+
 <section id="requser"><title>Require ldap-user</title>
 
     <p>The <code>Require ldap-user</code> directive specifies what
@@ -544,6 +547,16 @@ Require ldap-group cn=Administrators, o=
       </li>
 
       <li>
+        Grant access to anybody in the group whose name matches the
+        hostname of the virtual host. In this example an
+        <a href="../expr.html">expression</a> is used to build the filter.
+<highlight language="config">
+AuthLDAPURL ldap://ldap.example.com/o=Example?uid
+Require ldap-group cn=%{SERVER_NAME}, o=Example
+</highlight>
+      </li>
+
+      <li>
         The next example assumes that everyone at Example who
         carries an alphanumeric pager will have an LDAP attribute
         of <code>qpagePagerID</code>. The example will grant access

Modified: httpd/httpd/branches/2.4.x/modules/aaa/mod_authnz_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/aaa/mod_authnz_ldap.c?rev=1555539&r1=1555538&r2=1555539&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/aaa/mod_authnz_ldap.c (original)
+++ httpd/httpd/branches/2.4.x/modules/aaa/mod_authnz_ldap.c Sun Jan  5 16:09:07 2014
@@ -607,6 +607,10 @@ static authz_status ldapuser_check_autho
 
     util_ldap_connection_t *ldc = NULL;
 
+    const char *err = NULL;
+    const ap_expr_info_t *expr = parsed_require_args;
+    const char *require;
+
     const char *t;
     char *w;
 
@@ -680,11 +684,19 @@ static authz_status ldapuser_check_autho
         return AUTHZ_DENIED;
     }
 
+    require = ap_expr_str_exec(r, expr, &err);
+    if (err) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02585)
+                      "auth_ldap authorize: require user: Can't evaluate expression: %s",
+                      err);
+        return AUTHZ_DENIED;
+    }
+
     /*
      * First do a whole-line compare, in case it's something like
      *   require user Babs Jensen
      */
-    result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute,
require_args);
+    result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute,
require);
     switch(result) {
         case LDAP_COMPARE_TRUE: {
             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01703)
@@ -704,7 +716,7 @@ static authz_status ldapuser_check_autho
     /*
      * Now break apart the line and compare each word on it
      */
-    t = require_args;
+    t = require;
     while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
         result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute,
w);
         switch(result) {
@@ -744,6 +756,10 @@ static authz_status ldapgroup_check_auth
 
     util_ldap_connection_t *ldc = NULL;
 
+    const char *err = NULL;
+    const ap_expr_info_t *expr = parsed_require_args;
+    const char *require;
+
     const char *t;
 
     char filtbuf[FILTER_LENGTH];
@@ -863,7 +879,15 @@ static authz_status ldapgroup_check_auth
         }
     }
 
-    t = require_args;
+    require = ap_expr_str_exec(r, expr, &err);
+    if (err) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02586)
+                      "auth_ldap authorize: require group: Can't evaluate expression: %s",
+                      err);
+        return AUTHZ_DENIED;
+    }
+
+    t = require;
 
     ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01713)
                   "auth_ldap authorize: require group: testing for group "
@@ -959,6 +983,10 @@ static authz_status ldapdn_check_authori
 
     util_ldap_connection_t *ldc = NULL;
 
+    const char *err = NULL;
+    const ap_expr_info_t *expr = parsed_require_args;
+    const char *require;
+
     const char *t;
 
     char filtbuf[FILTER_LENGTH];
@@ -1021,7 +1049,15 @@ static authz_status ldapdn_check_authori
         req->user = r->user;
     }
 
-    t = require_args;
+    require = ap_expr_str_exec(r, expr, &err);
+    if (err) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02587)
+                      "auth_ldap authorize: require dn: Can't evaluate expression: %s",
+                      err);
+        return AUTHZ_DENIED;
+    }
+
+    t = require;
 
     if (req->dn == NULL || strlen(req->dn) == 0) {
         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01725)
@@ -1068,6 +1104,10 @@ static authz_status ldapattribute_check_
 
     util_ldap_connection_t *ldc = NULL;
 
+    const char *err = NULL;
+    const ap_expr_info_t *expr = parsed_require_args;
+    const char *require;
+
     const char *t;
     char *w, *value;
 
@@ -1138,7 +1178,16 @@ static authz_status ldapattribute_check_
         return AUTHZ_DENIED;
     }
 
-    t = require_args;
+    require = ap_expr_str_exec(r, expr, &err);
+    if (err) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02588)
+                      "auth_ldap authorize: require ldap-attribute: Can't "
+                      "evaluate expression: %s", err);
+        return AUTHZ_DENIED;
+    }
+
+    t = require;
+
     while (t[0]) {
         w = ap_getword(r->pool, &t, '=');
         value = ap_getword_conf(r->pool, &t);
@@ -1183,6 +1232,11 @@ static authz_status ldapfilter_check_aut
         (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
 
     util_ldap_connection_t *ldc = NULL;
+
+    const char *err = NULL;
+    const ap_expr_info_t *expr = parsed_require_args;
+    const char *require;
+
     const char *t;
 
     char filtbuf[FILTER_LENGTH];
@@ -1252,7 +1306,15 @@ static authz_status ldapfilter_check_aut
         return AUTHZ_DENIED;
     }
 
-    t = require_args;
+    require = ap_expr_str_exec(r, expr, &err);
+    if (err) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02589)
+                      "auth_ldap authorize: require ldap-filter: Can't "
+                      "evaluate require expression: %s", err);
+        return AUTHZ_DENIED;
+    }
+
+    t = require;
 
     if (t[0]) {
         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01743)
@@ -1311,6 +1373,25 @@ static authz_status ldapfilter_check_aut
     return AUTHZ_DENIED;
 }
 
+static const char *ldap_parse_config(cmd_parms *cmd, const char *require_line,
+                                     const void **parsed_require_line)
+{
+    const char *expr_err = NULL;
+    ap_expr_info_t *expr = apr_pcalloc(cmd->pool, sizeof(*expr));
+
+    expr = ap_expr_parse_cmd(cmd, require_line, AP_EXPR_FLAG_STRING_RESULT,
+            &expr_err, NULL);
+
+    if (expr_err)
+        return apr_pstrcat(cmd->temp_pool,
+                           "Cannot parse expression in require line: ",
+                           expr_err, NULL);
+
+    *parsed_require_line = expr;
+
+    return NULL;
+}
+
 
 /*
  * Use the ldap url parsing routines to break up the ldap url into
@@ -1769,30 +1850,30 @@ static const authn_provider authn_ldap_p
 static const authz_provider authz_ldapuser_provider =
 {
     &ldapuser_check_authorization,
-    NULL,
+    &ldap_parse_config,
 };
 static const authz_provider authz_ldapgroup_provider =
 {
     &ldapgroup_check_authorization,
-    NULL,
+    &ldap_parse_config,
 };
 
 static const authz_provider authz_ldapdn_provider =
 {
     &ldapdn_check_authorization,
-    NULL,
+    &ldap_parse_config,
 };
 
 static const authz_provider authz_ldapattribute_provider =
 {
     &ldapattribute_check_authorization,
-    NULL,
+    &ldap_parse_config,
 };
 
 static const authz_provider authz_ldapfilter_provider =
 {
     &ldapfilter_check_authorization,
-    NULL,
+    &ldap_parse_config,
 };
 
 static void ImportULDAPOptFn(void)



Mime
View raw message