fb1985a97912b25ec6564c73e610a31e5fc6e25f 1637990 |
|
10-Nov-2014 |
covener |
Resolve crashes with LDAP authz and non-LDAP authn since r1608202. |
d0665ced0949a4ec701f2805ae16e89dc23622f2 1611980 |
|
20-Jul-2014 |
jailletc36 |
Add missing APLOGNO.
Split lines longer than 80. |
63b9f1f5880391261705f696d7d65507bbe9ace3 1608202 |
|
06-Jul-2014 |
covener |
Consolidate common code that got duplicated by 2.3.x authz refactoring.
Arrange for backend LDAP connections to be returned
to the pool by a fixup hook rather than staying locked
until the end of (a potentially slow) request.
Add a little more trace4 to the authnz_ldap side of LDAP connection obtain/release. |
9ee814f862f6f2203cf0d1859969682954dfa97a 1596108 |
|
20-May-2014 |
jailletc36 |
Fix duplicate APLOGNO |
b54b024c06a19926832d77d40ba35ad8c41e4d3d 1591012 |
|
29-Apr-2014 |
minfrin |
mod_authnz_ldap: Fail explicitly when the filter is too long. Remove
unnecessary apr_pstrdup() and strlen(). |
65967d05f839dbf27cf91d91fa79585eeae19660 1589993 |
|
25-Apr-2014 |
minfrin |
Add the ldap-search option to mod_authnz_ldap, allowing authorization
to be based on arbitrary expressions that do not include the username. |
f6098228fada9d4d6dcdc0cd321f4f5904040d1e 1558483 |
|
15-Jan-2014 |
trawick |
follow-up to r1554161, r1554168, r1554170, r1554175, r1554188, and r1554195:
axe unnecessary initialization/pool allocation |
5723fe6ad5f24ac85d97259f524a7c3e43a45c6d 1554161 |
|
30-Dec-2013 |
minfrin |
mod_authnz_ldap: Support the expression parser within the require
directives. |
8d78ce224707f0608244b25b9d5c6807eea1da8d 1553485 |
|
26-Dec-2013 |
covener |
update comments for two r->user related directives. |
54c9a3aec02f10b5c4b8ed25548215af1d9043d7 1551611 |
|
17-Dec-2013 |
covener |
Log a warning when the LDAP authn provider is configured but an AuthLDAPURL
isn't -- IOW, avoid silently skipping a misconfigured [or buggy?] LDAP provider. |
58c74a790988c0c63b08d15f9af6908b36f3efd8 1546860 |
|
01-Dec-2013 |
jailletc36 |
Fix missing spaces in messages |
9b0076ddd1103e5fa9c1f9bafde4b06ce244fbae 1525866 |
|
24-Sep-2013 |
covener |
Change the default value of AuthLDAPMaxSubGroupDepth, so sub-group searching
is opt-in. Not intended for 2.4 backport. |
a4df2cd1e1391575a327c2a90ba4315f805a0a78 1497371 |
|
27-Jun-2013 |
covener |
authnzldap: support "none" as a filter to suppress using a search filter,
which is required by some mainframe security products serving native
registry over LDAP. |
c30d8ce98955da26bfa9c8c7eab3b4247daba5b4 1496202 |
|
24-Jun-2013 |
covener |
revert r1496183, leave at DEBUG. This is not a subgroup message. |
b8b267da7a738d5cbe0c73e3e9dffa31386c412e 1496194 |
|
24-Jun-2013 |
covener |
attribute and error reason reversed |
b8278c227c7ee0f0dba8ca6d27f6aa8eae003fc0 1496183 |
|
24-Jun-2013 |
covener |
Drop severity from DEBUG to trace4: "... didn't match with attr DN failed group verification."
(This is just mod_authnz_ldap trying multiple attributes to discover LDAP subgroups) |
18809102aca48434dfc0c7acb964f605e68ea6c9 1493330 |
|
15-Jun-2013 |
jailletc36 |
Correct typo in error message |
02881698c37253936bb9ed43a36a457f3d305115 1433478 |
|
15-Jan-2013 |
druggeri |
Add helper function to execute command w args and get one line of output. Allow AuthLDAPBindPassword to have exec: argument like SSLPassPhraseDialog |
f66c725ff173e211ff58df6e894ab9c874ada5f3 1231257 |
|
13-Jan-2012 |
covener |
whitespace only: shift a block refactored in r1231255 over 8 spaces. |
b40bfdb714672f972887f9f1f1e154e00125bb68 1231255 |
|
13-Jan-2012 |
covener |
*) mod_authnz_ldap: Don't try a potentially expensive nested groups
search before exhausting all AuthLDAPGroupAttribute checks on the
current group. PR52464 |
185aa71728867671e105178b4c66fbc22b65ae26 1209766 |
|
03-Dec-2011 |
sf |
Add lots of unique tags to error log messages |
5bfaaf573bacb45c1cf290ce85ecc676587e8a64 1174751 |
|
23-Sep-2011 |
jim |
Cleanup effort in prep for GA push:
Trim trailing whitespace... no func change |
43ebb834c31efb8d902f2876dfb95e17ad39fc86 1157357 |
|
13-Aug-2011 |
sf |
Compare value instead of string pointer
Remove unused label
Remove unused var |
22ce742224c6aeadcb31b381c203232f578fc507 1156007 |
|
10-Aug-2011 |
covener |
remove (the only) retry logic in mod_authnz_ldap's authentication path
because it's causing the ample retries in mod_ldap to be multiplied by this
outer loop. |
ab86c68ce36c715e93f403dde41d0b9c1522c8b0 1150179 |
|
23-Jul-2011 |
sf |
Merge branch revert-ap-ldap:
Revert ap_ldap integration due to veto by Graham Leggett
Mailing list threads:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201106.mbox/%3C4192DC1D-C0B9-42BB-B614-C3A41290F18B@sharp.fm%3E
http://mail-archives.apache.org/mod_mbox/httpd-dev/201107.mbox/%3C4E15E51E.4090700@rowe-clan.net%3E |
bede2929837dfd23863ad4b39199c63126566d61 1140069 |
|
27-Jun-2011 |
jorton |
Fix load order dependencies in LDAP code by switching to use of APR
optional functions for the inter-module API:
* modules/ldap/ldap_private.h: New file, containing "real" function
declarations, copied from...
* include/ap_ldap.h.in, include/ap_ldap_url.h,
include/ap_ldap_option.h, include/ap_ldap_init.h,
include/ap_ldap_rebind.h: ... here. All declarations changed to APR
optional function declarations.
* modules/ldap/util_ldap.c (util_ldap_register_hooks): Register all
the new optional functions.
* modules/aaa/mod_authnz_ldap.c (ImportULDAPOptFn): Pick up optional
function stub for ap_ldap_url_parse.
(mod_auth_ldap_parse_url): Use it here. |
3c290fd0361d6d9d84d97725eaf299456bddd6cf 1138627 |
|
22-Jun-2011 |
sf |
Various code cleanup
PR: 51398
Submitted by: Christophe Jaillet <christophe jaillet wanadoo fr> |
328106dab4706c964329eb20ad8173e1dbd2d32a 1129808 |
|
31-May-2011 |
wrowe |
Incorporate the ap_ldap incomplete API, as there is no interest or effort
at APR to make this a complete abstraction, and it was voted 'off the island'
with APR 2.0. This will allow httpd 2.3 to build against either apr-2.0
or apr+util 1.x. |
9d4ce88bcd21b01619a31c53db11a51c2a1e9717 1125646 |
|
21-May-2011 |
sf |
Some LDAP servers (wrongly) return LDAP_CONSTRAINT_VIOLATION if a user is
locked due to too many password retries. This should not cause an internal
server error but be treated as "auth denied". |
6137a8d5cdc62f1d4dad8cbf720feaa35f42a596 1100786 |
|
08-May-2011 |
covener |
PR51163: Resolve crashes when LDAP is used for authorization-only
Submitted By: Scott Hill <shill genscape.com> |
aef7b8f835c4bba6a20e47f0a08c196c34b6f274 1088627 |
|
04-Apr-2011 |
covener |
* add the constructed filter at TRACE1 to authn, and to existing debug authz
messages.
* Drop the level of the LDAPURL parsing to TRACE1 from debug (appears in
console/event viewer once per directive) |
97cc46935ec496b83fef9d6feb094d706c895b3b 998706 |
|
19-Sep-2010 |
sf |
Allow authz providers to check args while reading the config and allow
them to cache parsed args.
Use this to check that argument to 'all' provider is 'granted' or 'denied'. |
89c7a19f9c47b03f00f622a979490c9bccb2ff03 982016 |
|
03-Aug-2010 |
sf |
- Remove a load of unused variables (or variables that are set but never read).
- Move some declarations into the correct #ifdef scope.
I couldn't compile/test netware, but the changes look obvious enough. |
18b5268e013574026b2503b1641baf3299045f45 964156 |
|
14-Jul-2010 |
sf |
The approach for allowing authorization by user or IP introduced in r956387,
etc. causes problems because the authentication module calls
note_*_auth_failure if authentication fails. This is inappropriate if access is
later allowed because of the IP.
So, instead of calling the auth_checker hook even if authentication failed, we
introduce a new access_checker_ex hook that runs between the access_checker and
the check_user_id hooks. If an access_checker_ex function returns OK, the
request will be allowed without authentication.
To make use of this, change mod_authz_core to walk the require blocks in the
access_checker_ex phase and deny/allow the request if the authz result does not
depend on an authenticated user. To distinguish a real AUTHZ_DENIED from an
authz provider from an authz provider needing an authenticated user, the latter
must return the new AUTHZ_DENIED_NO_USER code. |
6b20859dcddeb8613c75aa218bcc5d2a9fc3b6e7 956376 |
|
20-Jun-2010 |
sf |
more pid logging cleanup |
36ef8f77bffe75d1aa327882be1b5bdbe2ff567a 951895 |
|
06-Jun-2010 |
sf |
Use the new APLOG_USE_MODULE/AP_DECLARE_MODULE macros everywhere to take
advantage of per-module loglevels |
66c675ae570b38756f48a1cff7854b022b1777d0 950249 |
|
01-Jun-2010 |
covener |
When checking direct group membership, interpret LDAP_NO_SUCH_ATTRIBUTE the same as
LDAP_COMPARE_FALSE and continue on to subgroup (nested group) processing. This
triggers when the group has no "direct" members but may have entries that
represent nested groups to check. |
17efe57eb8d88fa0d371f4ac4939dbbbe78fd09b 950248 |
|
01-Jun-2010 |
covener |
mod_authnz_ldap: Search or Comparison during authorization phase
can use the credentials from the authentication phase
(AuthLDAPSearchAsUser, AuthLDAPCompareAsUser).
PR 48340
Submitted by: Domenico Rotiroti, Eric Covener
Reviewed by: Eric Covener |
63ef6435829687cf597941fe392704ea98ee3267 949673 |
|
31-May-2010 |
rpluem |
* Fix compiler warning |
8068423ee2d80a7c42b2325a71c24ac9485327ce 949436 |
|
29-May-2010 |
covener |
mod_authnz_ldap: Allow the initial DN lookup to bind with a
transformation of the basic auth username. |
7703bad94964cc64022e08e2d1ae2c5fbfe2d3c6 949336 |
|
29-May-2010 |
covener |
Allow mod_authnz_ldap to set environment variables when it only performs authorization.
AuthLDAPAuthorizePrefix can be used to force this to overlap with the prefix used
for authentication.
PR 45584 |
505e342aefa9fbccc857f1bc653a310e25511946 902654 |
|
24-Jan-2010 |
sf |
mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the password to
UTF-8.
PR: 45318
Adapted patch from Johannes Müller |
dda254ba84bdff5e236917af1b31693ca4360eab 902641 |
|
24-Jan-2010 |
covener |
Change LDAP authentication failures (user->DN or password check) to log
level INFO from log level WARNING. This is still liberal for authn
providers. |
6c2782f8988f498ad9e5fc84256e202175c3edc9 881808 |
|
18-Nov-2009 |
covener |
Add AuthLDAPBindAuthoritative to allow other authentication providers a chance
to run when mod_authnz_ldap finds a user but can't verify their password.
Submitted By: Justin Erenkrantz, Joe Schaefer, Tony Stevenson |
85ae627e39e9a785862853d1c0f1eb8b91528923 745073 |
|
17-Feb-2009 |
trawick |
fix the name of this module in an error log message |
bfd8539f3983853abd2fd19de3aed408309791cd 732912 |
|
09-Jan-2009 |
rederpj |
mod_authnz_ldap: Reduce number of initialization debug messages and make
information more clear. PR 46342 [Dan Poirier] |
1ad5045fa49545553fa291326886c8fab228267f 707183 |
|
22-Oct-2008 |
chrisd |
Implement checks for NULL r->user as per r705361.
NOTE: If someone with an LDAP setup can ensure this compiles and works,
that would be great. |
e82c197ca8872669af89367746826fe6b9955bb3 693328 |
|
09-Sep-2008 |
niq |
mod_authnz_ldap: avoid returning NULL env vars
PR 39045 |
75031befec2825183c13931fc3266b56ed575c3d 678947 |
|
23-Jul-2008 |
covener |
revert r672639 which lacked a necessary major bump, add a major MMN bump
to account for the short-lived API addition/removal. |
a483543a4ce62ee99b5d1ac39f7dfbc3951ba691 672671 |
|
29-Jun-2008 |
covener |
caught by Ruediger |
9f8f1913ecffb74c74e1136a1dfa5ec6ea7452fb 672639 |
|
29-Jun-2008 |
covener |
mod_auth_digest: Detect during startup when AuthDigestProvider
is configured to use an incompatible provider via AuthnProviderAlias.
PR 45196 |
2e242dca7111f99d54dd144b7b8418d88d560032 658046 |
|
20-May-2008 |
chrisd |
Convert common provider version strings ("0") to
AUTHN/Z_PROVIDER_VERSION macros defined in mod_auth.h. |
a72211e92bab814bfa28ee086ca9b2a1a6095c92 644525 |
|
03-Apr-2008 |
chrisd |
Avoid calling access control hooks for internal requests with
configurations which match those of the initial request. Revert to
the original behaviour (call access control hooks for internal requests
with URIs different from the initial request) if any access control hooks
or providers are not registered as permitting this optimization.
Introduce wrappers for access control hook and provider registration
which can accept additional mode and flag data.
The configuration walk optimizations were originally proposed a while
ago (see http://marc.info/?l=apache-httpd-dev&m=116536713506234&w=2);
they have been used since then in production systems and appear to be
stable and effective. They permit certain combinations of modules
and clients to function efficiently, especially when a deeply recursive
series of internal requests, such as those generated by certain WebDAV
requests, are all subject to the identical authentication and authorization
directives.
The major change from the original proposal is a cleaner mechanism for
detecting modules which may expect the old behaviour. This has been
tested successfully with Subversion's mod_authz_svn, which specifically
requires the old behaviour when performing path-based authorization based
against its own private access control configuration files. |
4fc40742ec4793fe78c539d5d5e9c5ced17c0e39 633620 |
|
04-Mar-2008 |
covener |
return AUTHZ_GRANTED instead of OK from the LDAP nested group checking. |
6733d943c9e8d0f27dd077a04037e8c49eb090ff 607766 |
|
31-Dec-2007 |
covener |
When using the MS SDK, re-establish LDAP backend connections on a
return code of LDAP_UNAVAILABLE as if it were LDAP_SERVER_DOWN.
With this SDK, LDAP_UNAVAILABLE is returned when the socket had been closed
between LDAP API calls.
PR 39095 |
10427b18718ac211a171484375fa45c7de8ff768 600017 |
|
01-Dec-2007 |
rederpj |
Ooops. Not sure why this didn't get deleted in the last commit to this file. This
is no longer required due to the more optimal way the list of subgroup attributes
is now handled. |
fcb21d3071e2b60730517cdc81b1a71584150115 599877 |
|
30-Nov-2007 |
rederpj |
Remove code that was both memory intensive and unnecessary. Replace the
complicated code with a simple list. |
d895dc20d9d1eb00561a8335312636330cfd7684 599872 |
|
30-Nov-2007 |
rederpj |
Improve logged information and fix broken doc. |
ecc1538af1c08282fc2773d2eb3f1a54251862f9 571798 |
|
01-Sep-2007 |
minfrin |
mod_authnz_ldap, mod_authn_dbd: Tidy up the code to expose authn parameters to the environment. Improve portability to EBCDIC machines by using apr_toupper() |
42a58c2174dae6edfc97af967add2f50baa85800 563244 |
|
06-Aug-2007 |
jim |
detabify |
3f5585f7f4a7d74f2f94ec729ea8c1879d419e35 560373 |
|
27-Jul-2007 |
rederpj |
mod_ldap, mod_authnzldap: Add support for nested groups (i.e. the ability
to authorize an authenticated user via a "require ldap-group X" directive
where the user is not in group X, but is in a subgroup contained in X).
PR 42891 [Paul J. Reder] |
f0f6f1b90ab582896f8a7d56d85bd62a55e57d90 557772 |
|
19-Jul-2007 |
covener |
revert revision 555470 |
f8e456f4117d8c58d5ec3fd9befe51af94cda3ed 555470 |
|
12-Jul-2007 |
covener |
This data is passed in an unsafe way to the LDAP SDK if the compiler
chooses to use shorts for the enum values.
http://www.redbooks.ibm.com/redbooks/SG245992/nn4/SG245992_88.html
Submitted by: David Jones |
a4ab95921be8ce5de50913cd6505d41b672eb375 466865 |
|
22-Oct-2006 |
minfrin |
mod_authn_dbd: Export any additional columns queried in the SQL select
into the environment with the name AUTHENTICATE_<COLUMN>. This brings
mod_authn_dbd behaviour in line with mod_authnz_ldap. |
1497efa2a5ac0d441f73f23947ef7611a9e44515 463427 |
|
12-Oct-2006 |
minfrin |
mod_authnz_ldap: Add an AuthLDAPRemoteUserAttribute directive. If
set, REMOTE_USER will be set to this attribute, rather than the
username supplied by the user. Useful for example when you want users
to log in using an email address, but need to supply a userid instead
to the backend. |
842ae4bd224140319ae7feec1872b93dfd491143 420983 |
|
11-Jul-2006 |
fielding |
update license header text |
bc0a9738ac95579b491ee4e83863815964162c34 413730 |
|
12-Jun-2006 |
trawick |
spellcheck |
8a1deda2e0273c1e4bc1c6fcf585bef89fdcdb49 411306 |
|
03-Jun-2006 |
bnicholes |
Fix a problem with invalid auth error detection for LDAP client SDKs that don't support LDAP_SECURITY_ERROR macro. PR#39529
Submitted by: [Ray Price <dohrayme yahoo.com>], [Josh Fenlason <jfenlason ptc.com>] |
3d81f57512275ca06a60a9bcbd23c1f8b429fdf2 395228 |
|
19-Apr-2006 |
colm |
Update the copyright year in all .c, .h and .xml files |
1d059d9367a93f45614cff0c6a3ab56b8b397617 386437 |
|
16-Mar-2006 |
trawick |
Clean up some string manipulation.
Submitted by: Christophe JAILLET <christophe.jaillet wanadoo.fr>
Reviewed by: Jeff Trawick
PR: 38701 |
367d146f245f3b1c9f77c18e6ec591b52e0b344c 368027 |
|
11-Jan-2006 |
bnicholes |
Authz refactoring
Merge from branches/authz-dev
Basically here is a list of what has been done:
- Convert all of the authz modules from hook based to provider based
- Remove the ap_requires field from the core_dir_config structure
- Remove the function ap_requires() since its functionality is no
longer supported or necessary in the refactoring
- Remove the calls to ap_some_auth_required() in the core request
handling to allow the hooks to be called in all cases.
- Add the new module mod_authz_core which will act as the authorization
provider vector and contain common authz directives such as 'Require',
'Reject' and '<RequireAlias>'
- Add the new module mod_authn_core which will contain common
authentication directives such as 'AuthType', 'AuthName' and
'<AuthnProviderAlias>'
- Move the check for METHOD_MASK out of the authz providers and into
the authz_core provider vector
- Define the status codes that can be returned by the authz providers
as AUTHZ_DENIED, AUTHZ_GRANTED and AUTHZ_GENERAL_ERROR
- Remove the 'Satisfy' directive
- Implement the '<RequireAll>', '<RequireOne>' block directives to
handle the 'and' and 'or' logic for authorization.
- Remove the 'AuthzXXXAuthoritative' directives from all of the authz
providers
- Implement the 'Reject' directive that will deny authorization if the
argument is true
- Fold the 'Reject' directive into the '<RequireAll>', '<RequireOne>'
logic
- Reimplement the host based authorization functionality provided by
'allow', 'deny' and 'order' as authz providers
- Remove the 'allow', 'deny' and 'order' directives
- Merge mod_authn_alias into mod_authn_core
- Add '<RequireAlias>' functionality which is similar to
'<AuthnProviderAlias>' but specific to authorization aliasing
- Remove all of the references to the 'authzxxxAuthoritative'
directives from the documentation
- Remove the 'Satisfy' directive from the documentation
- Remove 'Allow', 'Deny', 'Order' directives from the documentation
- Document '<RequireAll>', '<RequireOne>', 'Reject' directives
- Reimplement the APIs ap_auth_type(), ap_auth_name() as optional
functions and move the actual implementation into mod_authn_core
- Reimplement the API ap_some_auth_required() as an optional function
and move the actual implementation into mod_authz_core
Major Changes:
- Added the directives <RequireAll>, <RequireOne>, <RequireAlias>,
Reject
- Expanded the functionality of the directive 'Require' to handle all
authorization and access control
- Added the new authz providers 'env', 'ip', 'host', 'all' to handle
host-based access control
- Removed the directives 'Allow', 'Deny', 'Order', 'Satisfy',
'AuthzXXXAuthoritative'
- Removed the ap_require() API
- Moved the directives 'AuthType', 'AuthName' out of mod_core and into
mod_authn_core
- Moved the directive 'Require' out of mod_core and into
mod_authz_core
- Merged mod_authn_alias into mod_authn_core
- Renamed mod_authz_dbm authz providers from 'group' and 'file-group'
to 'dbm-group' and 'dbm-file-group'
Benefits:
- All authorization and access control is now handled through two
directives, 'Require' and 'Reject'
- Authorization has been expanded to allow for complex 'AND/OR' control
logic through the directives '<RequireAll>' and '<RequireOne>'
- Configuration is now much simpler and consistent across the board
- Other modules like mod_ssl and mod_proxy should be able to plug into
and take advantage of the same provider based authorization mechanism
by implementing their own providers
Issues:
- Backwards compatibility between 2.2 and 2.3 configurations will be
broken in the area of authorization and access control due to the fact
that the directives 'allow', 'deny', 'order' and 'satisfy' have been
removed. When moving from 2.2 to 2.3 these directives will have to be
changed to 'Require all granted', 'Require all denied' or some variation
of the authz host-based providers.
- Existing third party authorization modules will have to adapt to the
new structure. |
000a8c6178f8eaf7ee3c3f6efc978eb1c85a19fd 358040 |
|
20-Dec-2005 |
wrowe |
This shift was treated in 32 bit scope, then masked to 64 bits,
which was probably quite uncool. |
e8f95a682820a599fe41b22977010636be5c2717 332306 |
|
10-Nov-2005 |
jim |
No functional Change: Removing trailing whitespace. This also
means that "blank" lines consisting of just spaces or
tabs are now really blank lines |
43c3e6a4b559b76b750c245ee95e2782c15b4296 332305 |
|
10-Nov-2005 |
jim |
No functional change: simple detabbing of indented code. |
e86a2e29253f12668284e382d24114512f480992 265047 |
|
31-Aug-2005 |
jim |
Start of getpid()/%d confusion fix... |
31f7cfc857333ccd471df77786a7763e5bdf0954 230895 |
|
08-Aug-2005 |
jim |
Ensure that req->dn is valid for the util_ldap_cache_compare() call.
Esp make sure not null. |
796e4a7141265d8ed7036e4628161c6eafb2a789 225794 |
|
28-Jul-2005 |
jorton |
* modules/ldap/util_ldap.c, modules/aaa/mod_authnz_ldap.c: Stop using
APLOG_NOERRNO throughout. |
0b981bb8837f4db5cc61839ee14563b683606817 225587 |
|
27-Jul-2005 |
jorton |
* modules/aaa/mod_authnz_ldap.c (authz_ldap_check_user_access): Remove
unused variable. |
8b31ab7834de54e6b41f134f9aaec4bebd5632a2 168644 |
|
06-May-2005 |
bnicholes |
Backing out the AuthLDAPAllowDNAuth patch from r168016. Because of LDAP filter issues this patch still can't guarantee unique results. |
f6dfc2fa2b7eabc01ccee757bc852b14c4b5e8cf 168016 |
|
04-May-2005 |
bnicholes |
Add the directive AuthLDAPAllowDNAuth to allow a user to authenticate against an LDAP directory using a full user DN. This directive allows a user to authenticate against a subcontext that may contain non-unique user IDs. |
f43b67c5a9d29b572eac916f8335cedc80c908be 159619 |
|
31-Mar-2005 |
bnicholes |
Implement the exported function from mod_ldap(util_ldap) as optional functions so that we can eliminate the load ordering of mod_ldap and mod_authnz_ldap. |
08cb74ca432a8c24e39f17dedce527e6a47b8001 151408 |
|
04-Feb-2005 |
jerenkrantz |
Update copyright year to 2005 and standardize on current copyright owner line. |
560fd0658902ab57754616c172d8953e69fc4722 151083 |
|
03-Feb-2005 |
bnicholes |
Allow AuthLDAPURL to override the default connection type with an optional second parameter of NONE, SSL or TLS | STARTTLS |
5c0419d51818eb02045cf923a9fe456127a44c60 124279 |
|
05-Jan-2005 |
wrowe |
Correct the order of includes to follow httpd conventions, and get
Win32 compiling again. |
264ab3e3ae1e2dc96aa7f54f3004984e8e9bdbc2 106077 |
|
21-Nov-2004 |
wrowe |
Axe a dead variable |
5ccaf20c70d1b5550e8c67f71a18dcbd44be0303 105697 |
|
06-Nov-2004 |
bnicholes |
Return the correct error when the user object is not found |
dae3cb64cc6681b5f6b0fd12e7f8f6296ffaa19a 105694 |
|
05-Nov-2004 |
bnicholes |
Added the directive "Requires ldap-filter" that allows the module to only authorize a user based on a complex LDAP search filter. |
0e80b44ae72e5f111581fabf153ad0d2532aa80e 105675 |
|
03-Nov-2004 |
bnicholes |
Added the directive "Requires ldap-attribute" that allows the module to only authorize a user if the attribute value specified matches the value of the user object. PR 31913
Submitted by: Ryan Morgan <rmorgan pobox.com>
Reviewed by: Brad Nicholes |
c23e501e3dfa4414a310ae311073bb64649c63ee 105669 |
|
02-Nov-2004 |
bnicholes |
Allow mod_authnz_ldap authorization functionality to be used without requiring the user to also be authenticated through mod_authnz_ldap. This allows other authentication modules to take advantage of LDAP authorization only [PR 28253]
Submitted by: Jari Ahonen [jah progress.com]
Reviewed by: Brad Nicholes |
380302b138fb8f33395f2264a3d3c6facb53ef4b 105415 |
|
12-Oct-2004 |
jorton |
* modules/aaa/mod_authnz_ldap.c: Fix /*-within-comment warning. |
320ffe87a55e6172f91e051a2151790755446690 105379 |
|
05-Oct-2004 |
minfrin |
mod_auth_ldap: Handle the inconsistent way in which the MS LDAP
library handles special characters.
PR: 24437
Obtained from:
Submitted by: Jess Holle
Reviewed by: |
e18ba90a1e610b43062e90cfa8bf0c1edcad7a49 104727 |
|
19-Aug-2004 |
bnicholes |
Clean up some compiler warnings |
1629c3e2cb9504d01c1dfa773618b89cad5bc256 104706 |
|
18-Aug-2004 |
minfrin |
Clarify an error message to tell the user what to do if apr-util lacks
LDAP support.
PR:
Obtained from:
Submitted by:
Reviewed by: |
302abf53d2b1a686f6eafd445c49e1e006afb190 104696 |
|
18-Aug-2004 |
bnicholes |
Re-structure the auth_ldap module to fit the new authentication model. The authnz_ldap module provides an ldap authentication provider and an authorization handler. It implements the authorization "require" values ldap-user, ldap-dn and ldap-group. This restructure also moves auth_ldap out of the experimental directory. |