mod_auth_ldap.c revision 956c6100798467199833e7159a00506ee879d772
/* ====================================================================
* The Apache Software License, Version 1.1
*
* Copyright (c) 2000-2001 The Apache Software Foundation. All rights
* reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* distribution.
*
* 3. The end-user documentation included with the redistribution,
* if any, must include the following acknowledgment:
* "This product includes software developed by the
* Apache Software Foundation (http://www.apache.org/)."
* Alternately, this acknowledgment may appear in the software itself,
* if and wherever such third-party acknowledgments normally appear.
*
* 4. The names "Apache" and "Apache Software Foundation" must
* not be used to endorse or promote products derived from this
* software without prior written permission. For written
* permission, please contact apache@apache.org.
*
* 5. Products derived from this software may not be called "Apache",
* nor may "Apache" appear in their name, without prior written
* permission of the Apache Software Foundation.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
* USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Software Foundation. For more
* information on the Apache Software Foundation, please see
*/
/*
* mod_auth_ldap.c: LDAP authentication module
*
* Original code from auth_ldap module for Apache v1.3:
* Copyright 1998, 1999 Enbridge Pipelines Inc.
* Copyright 1999-2001 Dave Carrigan
*/
#include <apr_ldap.h>
#include <apr_strings.h>
#include "ap_config.h"
/* for getpid() */
#include <unistd.h>
#endif
#include <ctype.h>
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_protocol.h"
#include "http_request.h"
#include "util_ldap.h"
/* per directory configuration */
typedef struct {
int auth_authoritative; /* Is this auth method the one and only? */
int enabled; /* Is auth_ldap enabled in this directory? */
/* These parameters are all derived from the AuthLDAPURL directive */
char *url; /* String representation of the URL */
char *host; /* Name of the LDAP server (or space separated list) */
int port; /* Port of the LDAP server */
char *basedn; /* Base DN to do all searches from */
char *attribute; /* Attribute to search for */
char **attributes; /* Array of all the attributes to return */
int scope; /* Scope of the search */
char *filter; /* Filter to further limit the search */
char *binddn; /* DN to bind to server (can be NULL) */
char *bindpw; /* Password to bind to server (can be NULL) */
int frontpage_hack; /* Hack for frontpage support */
int user_is_dn; /* If true, connection->user is DN instead of userid */
int compare_dn_on_server; /* If true, will use server to do DN compare */
int have_ldap_url; /* Set if we have found an LDAP url */
int group_attrib_is_dn; /* If true, the group attribute is the DN, otherwise,
it's the exact string passed by the HTTP client */
int netscapessl; /* True if Netscape SSL is enabled */
int starttls; /* True if StartTLS is enabled */
typedef struct mod_auth_ldap_request_t {
char *dn; /* The saved dn from a successful search */
char *user; /* The username provided by the client */
/* maximum group elements supported */
#define GROUPATTR_MAX_ELTS 10
struct mod_auth_ldap_groupattr_entry_t {
char *name;
};
/* function prototypes */
void mod_auth_ldap_build_filter(char *filtbuf,
request_rec *r,
int mod_auth_ldap_check_user_id(request_rec *r);
int mod_auth_ldap_auth_checker(request_rec *r);
void *mod_auth_ldap_create_dir_config(apr_pool_t *p, char *d);
/* ---------------------------------------- */
/*
* Build the search filter, or at least as much of the search filter that
* will fit in the buffer. We don't worry about the buffer not being able
* to hold the entire filter. If the buffer wasn't big enough to hold the
* filter, ldap_search_s will complain, but the only situation where this
* is likely to happen is if the client sent a really, really long
* username, most likely as part of an attack.
*
* The search filter consists of the filter provided with the URL,
* combined with a filter made up of the attribute provided with the URL,
* and the actual username passed by the HTTP client. For example, assume
* that the LDAP URL is
*
* ldap://ldap.airius.com/ou=People, o=Airius?uid??(posixid=*)
*
* Further, assume that the userid passed by the client was `userj'. The
* search filter will be (&(posixid=*)(uid=userj)).
*/
#define FILTER_LENGTH MAX_STRING_LEN
void mod_auth_ldap_build_filter(char *filtbuf,
request_rec *r,
{
char *p, *q, *filtbuf_end;
/*
* Create the first part of the filter, which consists of the
* config-supplied portions.
*/
/*
* Now add the client-supplied username to the filter, ensuring that any
* LDAP filter metachars are escaped.
*/
*p && q < filtbuf_end; *q++ = *p++) {
*q++ = '\\';
if (q >= filtbuf_end) {
break;
}
}
}
*q = '\0';
/*
* Append the closing parens of the filter, unless doing so would
* overrun the buffer.
*/
if (q + 2 <= filtbuf_end)
}
/*
* Authentication Phase
* --------------------
*
* This phase authenticates the credentials the user has sent with
* the request (ie the username and password are checked). This is done
* by making an attempt to bind to the LDAP server using this user's
* DN and the supplied password.
*
*/
{
char filtbuf[FILTER_LENGTH];
const char *sent_pw;
int result = 0;
return DECLINED;
}
/*
* Basic sanity checks before any LDAP operations even happen.
*/
if (!sec->have_ldap_url) {
return DECLINED;
}
/* There is a good AuthLDAPURL, right? */
}
else {
"[%d] auth_ldap authenticate: no sec->host - weird...?", getpid());
}
/* Get the password that the client sent */
"[%d] auth_ldap authenticate: "
return result;
}
/* build the username filter */
/* do the user search */
if (result != LDAP_SUCCESS) {
"[%d] auth_ldap authenticate: "
"user %s authentication failed; URI %s [%s][%s]",
if (LDAP_INVALID_CREDENTIALS == result) {
return HTTP_UNAUTHORIZED;
}
else {
}
}
/* mark the user and DN */
if (sec->user_is_dn) {
}
/* add environment variables */
apr_table_t *e = r->subprocess_env;
int i = 0;
while (sec->attributes[i]) {
int j = 13;
while (str[j]) {
}
j++;
}
i++;
}
}
return OK;
}
/*
* Authorisation Phase
* -------------------
*
* After checking whether the username and password are correct, we need
* to check whether that user is authorised to view this resource. The
* require directive is used to do this:
*
* require valid-user Any authenticated is allowed in.
* require user <username> This particular user is allowed in.
* require group <groupname> The user must be a member of this group
* in order to be allowed in.
* require dn <dn> The user must have the following DN in the
* LDAP tree to be let in.
*
*/
{
int result = 0;
int m = r->method_number;
register int x;
const char *t;
char *w;
int method_restricted = 0;
return DECLINED;
}
if (!sec->have_ldap_url) {
return DECLINED;
}
}
else {
"[%d] auth_ldap authorise: no sec->host - weird...?", getpid());
}
/*
* If there are no elements in the group attribute array, the default should be
* member and uniquemember; populate the array now.
*/
struct mod_auth_ldap_groupattr_entry_t *grp;
}
if (!reqs_arr) {
"[%d] auth_ldap authorise: no requirements array", getpid());
}
/* Loop through the requirements array until there's no elements
* left, or something causes a return from inside the loop */
continue;
}
method_restricted = 1;
t = reqs[x].requirement;
if (strcmp(w, "valid-user") == 0) {
/*
* Valid user will always be true if we authenticated with ldap,
* but when using front page, valid user should only be true if
* he exists in the frontpage password file. This hack will get
* auth_ldap to look up the user in the the pw file to really be
* sure that he's valid. Naturally, it requires mod_auth to be
* compiled in, but if mod_auth wasn't in there, then the need
* for this hack wouldn't exist anyway.
*/
if (sec->frontpage_hack) {
"[%d] auth_ldap authorise: "
"deferring authorisation to mod_auth (FP Hack)",
getpid());
return OK;
}
else {
"[%d] auth_ldap authorise: "
"successful authorisation because user "
"is valid-user", getpid());
return OK;
}
}
else if (strcmp(w, "user") == 0) {
"[%d] auth_ldap authorise: "
"require user: user's DN has not been defined; failing authorisation",
getpid());
}
/*
* First do a whole-line compare, in case it's something like
* require user Babs Jensen
*/
switch(result) {
case LDAP_COMPARE_TRUE: {
"[%d] auth_ldap authorise: "
"require user: authorisation successful", getpid());
return OK;
}
default: {
"[%d] auth_ldap authorise: require user: "
"authorisation failed [%s][%s]", getpid(),
}
}
/*
* Now break apart the line and compare each word on it
*/
while (t[0]) {
w = ap_getword_conf(r->pool, &t);
switch(result) {
case LDAP_COMPARE_TRUE: {
"[%d] auth_ldap authorise: "
"require user: authorisation successful", getpid());
return OK;
}
default: {
"[%d] auth_ldap authorise: "
"require user: authorisation failed [%s][%s]",
}
}
}
}
else if (strcmp(w, "dn") == 0) {
"[%d] auth_ldap authorise: "
"require dn: user's DN has not been defined; failing authorisation",
getpid());
}
switch(result) {
case LDAP_COMPARE_TRUE: {
"[%d] auth_ldap authorise: "
"require dn: authorisation successful", getpid());
return OK;
}
default: {
"[%d] auth_ldap authorise: "
"require dn: LDAP error [%s][%s]",
}
}
}
else if (strcmp(w, "group") == 0) {
struct mod_auth_ldap_groupattr_entry_t *ent = (struct mod_auth_ldap_groupattr_entry_t *) sec->groupattr->elts;
int i;
if (sec->group_attrib_is_dn) {
"[%d] auth_ldap authorise: require group: user's DN has not been defined; failing authorisation",
getpid());
}
}
else {
/* We weren't called in the authentication phase, so we didn't have a
* chance to set the user field. Do so now. */
}
}
"[%d] auth_ldap authorise: require group: testing for group membership in `%s'",
getpid(), t);
"[%d] auth_ldap authorise: require group: testing for %s: %s (%s)", getpid(),
switch(result) {
case LDAP_COMPARE_TRUE: {
"[%d] auth_ldap authorise: require group: "
"authorisation successful (attribute %s) [%s][%s]",
return OK;
}
default: {
"[%d] auth_ldap authorise: require group: "
"authorisation failed [%s][%s]",
}
}
}
}
}
if (!method_restricted) {
"[%d] auth_ldap authorise: agreeing because non-restricted",
getpid());
return OK;
}
if (!sec->auth_authoritative) {
"[%d] auth_ldap authorise: declining to authorise", getpid());
return DECLINED;
}
"[%d] auth_ldap authorise: authorisation denied", getpid());
return HTTP_UNAUTHORIZED;
}
/* ---------------------------------------- */
/* config directives */
void *mod_auth_ldap_create_dir_config(apr_pool_t *p, char *d)
{
sizeof(struct mod_auth_ldap_groupattr_entry_t));
sec->have_ldap_url = 0;
sec->frontpage_hack = 0;
sec->netscapessl = 0;
sec->user_is_dn = 0;
sec->compare_dn_on_server = 0;
return sec;
}
/*
* Use the ldap url parsing routines to break up the ldap url into
* host and port.
*/
void *config,
const char *url)
{
int result;
if (result != LDAP_SUCCESS) {
switch (result) {
case LDAP_URL_ERR_NOTLDAP:
return "LDAP URL does not begin with ldap://";
case LDAP_URL_ERR_NODN:
return "LDAP URL does not have a DN";
case LDAP_URL_ERR_BADSCOPE:
return "LDAP URL has an invalid scope";
case LDAP_URL_ERR_MEM:
return "Out of memory parsing LDAP URL";
default:
return "Could not parse LDAP URL";
}
}
cmd->server, "[%d] auth_ldap url parse: attrib: %s", getpid(), urld->lud_attrs? urld->lud_attrs[0] : "(null)");
/* Set all the values, or at least some sane defaults */
strcat(p, " ");
}
else {
}
int i = 1;
i++;
}
i = 0;
i++;
}
}
else {
}
if (urld->lud_filter) {
/*
* Get rid of the surrounding parens; later on when generating the
* filter, they'll be put back.
*/
}
else {
}
}
else {
}
#ifdef APU_HAS_LDAP_STARTTLS
#else
#ifdef APU_HAS_LDAP_NETSCAPE_SSL
#else
return "Secure LDAP (ldaps://) not supported. Rebuild APR-Util";
#endif
#endif
}
else {
sec->netscapessl = 0;
}
return NULL;
}
{
}
}
}
}
else {
return "Unrecognized value for AuthLDAPAliasDereference directive";
}
return NULL;
}
{
struct mod_auth_ldap_groupattr_entry_t *new;
return "Too many AuthLDAPGroupAttribute directives";
return NULL;
}
"URL to define LDAP connection. This should be an RFC 2255 complaint\n"
"URL of the form ldap://host[:port]/basedn[?attrib[?scope[?filter]]].\n"
"<ul>\n"
"<li>Host is the name of the LDAP server. Use a space separated list of hosts \n"
"to specify redundant servers.\n"
"<li>Port is optional, and specifies the port to connect to.\n"
"<li>basedn specifies the base DN to start searches from\n"
"<li>Attrib specifies what attribute to search for in the directory. If not "
"provided, it defaults to <b>uid</b>.\n"
"<li>Scope is the scope of the search, and can be either <b>sub</b> or "
"<b>one</b>. If not provided, the default is <b>sub</b>.\n"
"<li>Filter is a filter to use in the search. If not provided, "
"defaults to <b>(objectClass=*)</b>.\n"
"</ul>\n"
"Searches are performed using the attribute and the filter combined. "
"For example, assume that the\n"
"LDAP URL is <b>ldap://ldap.airius.com/ou=People, o=Airius?uid?sub?(posixid=*)</b>. "
"Searches will\n"
"be done using the filter <b>(&((posixid=*))(uid=<i>username</i>))</b>, "
"where <i>username</i>\n"
"is the user name passed by the HTTP client. The search will be a subtree "
"search on the branch <b>ou=People, o=Airius</b>."),
"DN to use to bind to LDAP server. If not provided, will do an anonymous bind."),
"Password to use to bind to LDAP server. If not provided, will do an anonymous bind."),
"Set to 'on' to set the REMOTE_USER environment variable to be the full "
"DN of the remote user. By default, this is set to off, meaning that "
"the REMOTE_USER variable will contain whatever value the remote user sent."),
"Set to 'off' to allow access control to be passed along to lower modules if "
"Set to 'on' to force auth_ldap to do DN compares (for the \"require dn\" "
"directive) using the server, and set it 'off' to do the compares locally "
"(at the expense of possible false matches). See the documentation for "
"a complete description of this option."),
"A list of attributes used to define group membership - defaults to "
"member and uniquemember"),
"If set to 'on', auth_ldap uses the DN that is retrieved from the server for"
"subsequent group comparisons. If set to 'off', auth_ldap uses the string"
"provided by the client directly. Defaults to 'on'."),
"Determines how aliases are handled during a search. Can bo one of the"
"values \"never\", \"searching\", \"finding\", or \"always\". "
"Defaults to always."),
"Set to off to disable auth_ldap, even if it's been enabled in a higher tree"),
"Set to 'on' to support Microsoft FrontPage"),
#ifdef APU_HAS_LDAP_STARTTLS
"Set to 'on' to start TLS after connecting to the LDAP server."),
#endif /* APU_HAS_LDAP_STARTTLS */
{NULL}
};
static void mod_auth_ldap_register_hooks(apr_pool_t *p)
{
}
mod_auth_ldap_create_dir_config, /* dir config creater */
NULL, /* dir merger --- default is to override */
NULL, /* server config */
NULL, /* merge server config */
mod_auth_ldap_cmds, /* command table */
mod_auth_ldap_register_hooks, /* set up request processing hooks */
};