mod_authnz_ldap.c revision 08cb74ca432a8c24e39f17dedce527e6a47b8001
/* Copyright 2002-2005 The Apache Software Foundation or its licensors, as
* applicable.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "ap_provider.h"
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_protocol.h"
#include "http_request.h"
#include "util_ldap.h"
#include "mod_auth.h"
#include "apr_strings.h"
#include "apr_xlate.h"
#define APR_WANT_STRFUNC
#include "apr_want.h"
/* for getpid() */
#include <unistd.h>
#endif
#include <ctype.h>
#if !APR_HAS_LDAP
#error mod_authnz_ldap requires APR-util to have LDAP support built in. To fix add --with-ldap to ./configure.
#endif
typedef struct {
#if APR_HAS_THREADS
#endif
int auth_authoritative; /* Is this auth method the one and only? */
/* int authz_enabled; Is ldap authorization enabled in this directory? */
/* These parameters are all derived from the AuthLDAPURL directive */
char *url; /* String representation of the URL */
char *host; /* Name of the LDAP server (or space separated list) */
int port; /* Port of the LDAP server */
char *basedn; /* Base DN to do all searches from */
char *attribute; /* Attribute to search for */
char **attributes; /* Array of all the attributes to return */
int scope; /* Scope of the search */
char *filter; /* Filter to further limit the search */
char *binddn; /* DN to bind to server (can be NULL) */
char *bindpw; /* Password to bind to server (can be NULL) */
int user_is_dn; /* If true, connection->user is DN instead of userid */
int compare_dn_on_server; /* If true, will use server to do DN compare */
int have_ldap_url; /* Set if we have found an LDAP url */
int group_attrib_is_dn; /* If true, the group attribute is the DN, otherwise,
it's the exact string passed by the HTTP client */
int secure; /* True if SSL connections are requested */
typedef struct {
char *dn; /* The saved dn from a successful search */
char *user; /* The username provided by the client */
/* maximum group elements supported */
#define GROUPATTR_MAX_ELTS 10
struct mod_auth_ldap_groupattr_entry_t {
char *name;
};
/* Derive a code page ID give a language name or ID */
{
int lang_len;
char *charset;
if (!language) /* our default codepage */
return apr_pstrdup(p, "ISO-8859-1");
else
if (!charset) {
}
if (charset) {
}
return charset;
}
{
char *lang;
if (lang_line) {
*lang = '\0';
break;
}
}
return convset;
}
}
return NULL;
}
/*
* Build the search filter, or at least as much of the search filter that
* will fit in the buffer. We don't worry about the buffer not being able
* to hold the entire filter. If the buffer wasn't big enough to hold the
* filter, ldap_search_s will complain, but the only situation where this
* is likely to happen is if the client sent a really, really long
* username, most likely as part of an attack.
*
* The search filter consists of the filter provided with the URL,
* combined with a filter made up of the attribute provided with the URL,
* and the actual username passed by the HTTP client. For example, assume
* that the LDAP URL is
*
* ldap://ldap.airius.com/ou=People, o=Airius?uid??(posixid=*)
*
* Further, assume that the userid passed by the client was `userj'. The
* search filter will be (&(posixid=*)(uid=userj)).
*/
#define FILTER_LENGTH MAX_STRING_LEN
static void authn_ldap_build_filter(char *filtbuf,
request_rec *r,
const char* sent_user,
const char* sent_filter,
{
char *p, *q, *filtbuf_end;
char *outbuf;
}
else
return;
if (sent_filter != NULL) {
}
else
if (charset_conversions) {
convset = get_conv_set(r);
}
if (convset) {
/* Convert the user name to UTF-8. This is only valid for LDAP v3 */
}
}
/*
* Create the first part of the filter, which consists of the
* config-supplied portions.
*/
/*
* Now add the client-supplied username to the filter, ensuring that any
* LDAP filter metachars are escaped.
*/
*p && q < filtbuf_end; ) {
if ( q + 3 >= filtbuf_end)
break; /* Don't write part of escape sequence if we can't write all of it */
*q++ = '\\';
switch ( *p++ )
{
case '*':
*q++ = '2';
*q++ = 'a';
break;
case '(':
*q++ = '2';
*q++ = '8';
break;
case ')':
*q++ = '2';
*q++ = '9';
break;
case '\\':
*q++ = '5';
*q++ = 'c';
break;
}
}
else
*q++ = *p++;
}
#else
*p && q < filtbuf_end; *q++ = *p++) {
*q++ = '\\';
if (q >= filtbuf_end) {
break;
}
}
}
#endif
*q = '\0';
/*
* Append the closing parens of the filter, unless doing so would
* overrun the buffer.
*/
if (q + 2 <= filtbuf_end)
}
static void *create_authnz_ldap_dir_config(apr_pool_t *p, char *d)
{
#if APR_HAS_THREADS
#endif
/*
sec->authz_enabled = 1;
*/
sizeof(struct mod_auth_ldap_groupattr_entry_t));
sec->have_ldap_url = 0;
/*
sec->frontpage_hack = 0;
*/
sec->user_is_dn = 0;
sec->compare_dn_on_server = 0;
return sec;
}
{
return APR_SUCCESS;
}
/*
* Authentication Phase
* --------------------
*
* This phase authenticates the credentials the user has sent with
* the request (ie the username and password are checked). This is done
* by making an attempt to bind to the LDAP server using this user's
* DN and the supplied password.
*
*/
const char *password)
{
int failures = 0;
char filtbuf[FILTER_LENGTH];
int result = 0;
/*
if (!sec->enabled) {
return AUTH_USER_NOT_FOUND;
}
*/
/*
* Basic sanity checks before any LDAP operations even happen.
*/
if (!sec->have_ldap_url) {
return AUTH_GENERAL_ERROR;
}
/* There is a good AuthLDAPURL, right? */
}
else {
"[%d] auth_ldap authenticate: no sec->host - weird...?", getpid());
return AUTH_GENERAL_ERROR;
}
/* Get the password that the client sent */
"[%d] auth_ldap authenticate: no password specified", getpid());
return AUTH_GENERAL_ERROR;
}
"[%d] auth_ldap authenticate: no user specified", getpid());
return AUTH_GENERAL_ERROR;
}
/* build the username filter */
/* do the user search */
/* sanity check - if server is down, retry it up to 5 times */
if (result == LDAP_SERVER_DOWN) {
if (failures++ <= 5) {
goto start_over;
}
}
/* handle bind failure */
if (result != LDAP_SUCCESS) {
"[%d] auth_ldap authenticate: "
"user %s authentication failed; URI %s [%s][%s]",
#ifdef LDAP_SECURITY_ERROR
#endif
}
/* mark the user and DN */
if (sec->user_is_dn) {
}
/* add environment variables */
apr_table_t *e = r->subprocess_env;
int i = 0;
while (sec->attributes[i]) {
int j = 13;
while (str[j]) {
}
j++;
}
i++;
}
}
return AUTH_GRANTED;
}
/*
* Authorisation Phase
* -------------------
*
* After checking whether the username and password are correct, we need
* to check whether that user is authorised to view this resource. The
* require directive is used to do this:
*
* require valid-user Any authenticated is allowed in.
* require user <username> This particular user is allowed in.
* require group <groupname> The user must be a member of this group
* in order to be allowed in.
* require dn <dn> The user must have the following DN in the
* LDAP tree to be let in.
*
*/
static int authz_ldap_check_user_access(request_rec *r)
{
int result = 0;
int m = r->method_number;
register int x;
const char *t;
char *w, *value;
int method_restricted = 0;
char filtbuf[FILTER_LENGTH];
const char *type = ap_auth_type(r);
/*
if (!sec->enabled) {
return DECLINED;
}
*/
if (!sec->have_ldap_url) {
return DECLINED;
}
}
else {
"[%d] auth_ldap authorise: no sec->host - weird...?", getpid());
}
/*
* If there are no elements in the group attribute array, the default should be
* member and uniquemember; populate the array now.
*/
struct mod_auth_ldap_groupattr_entry_t *grp;
#if APR_HAS_THREADS
#endif
#if APR_HAS_THREADS
#endif
}
if (!reqs_arr) {
"[%d] auth_ldap authorise: no requirements array", getpid());
}
/*
* If we have been authenticated by some other module than mod_auth_ldap,
* the req structure needed for authorization needs to be created
* and populated with the userid and DN of the account in LDAP
*/
/* Check that we have a userid to start with */
"ldap authorize: Userid is blank, AuthType=%s",
r->ap_auth_type);
}
if(!req) {
"ldap authorize: Creating LDAP req structure");
/* Build the username filter */
/* Search for the user DN */
/* Search failed, log error and return failure */
if(result != LDAP_SUCCESS) {
}
sizeof(authn_ldap_request_t));
}
/* Loop through the requirements array until there's no elements
* left, or something causes a return from inside the loop */
continue;
}
method_restricted = 1;
t = reqs[x].requirement;
w = ap_getword_white(r->pool, &t);
if (strcmp(w, "ldap-user") == 0) {
"[%d] auth_ldap authorise: "
"require user: user's DN has not been defined; failing authorisation",
getpid());
}
/*
* First do a whole-line compare, in case it's something like
* require user Babs Jensen
*/
switch(result) {
case LDAP_COMPARE_TRUE: {
"[%d] auth_ldap authorise: "
"require user: authorisation successful", getpid());
return OK;
}
default: {
"[%d] auth_ldap authorise: require user: "
"authorisation failed [%s][%s]", getpid(),
}
}
/*
* Now break apart the line and compare each word on it
*/
while (t[0]) {
w = ap_getword_conf(r->pool, &t);
switch(result) {
case LDAP_COMPARE_TRUE: {
"[%d] auth_ldap authorise: "
"require user: authorisation successful", getpid());
return OK;
}
default: {
"[%d] auth_ldap authorise: "
"require user: authorisation failed [%s][%s]",
}
}
}
}
else if (strcmp(w, "ldap-dn") == 0) {
"[%d] auth_ldap authorise: "
"require dn: user's DN has not been defined; failing authorisation",
getpid());
}
switch(result) {
case LDAP_COMPARE_TRUE: {
"[%d] auth_ldap authorise: "
"require dn: authorisation successful", getpid());
return OK;
}
default: {
"[%d] auth_ldap authorise: "
"require dn \"%s\": LDAP error [%s][%s]",
}
}
}
else if (strcmp(w, "ldap-group") == 0) {
struct mod_auth_ldap_groupattr_entry_t *ent = (struct mod_auth_ldap_groupattr_entry_t *) sec->groupattr->elts;
int i;
if (sec->group_attrib_is_dn) {
"[%d] auth_ldap authorise: require group: user's DN has not been defined; failing authorisation",
getpid());
}
}
else {
/* We weren't called in the authentication phase, so we didn't have a
* chance to set the user field. Do so now. */
}
}
"[%d] auth_ldap authorise: require group: testing for group membership in \"%s\"",
getpid(), t);
"[%d] auth_ldap authorise: require group: testing for %s: %s (%s)", getpid(),
switch(result) {
case LDAP_COMPARE_TRUE: {
"[%d] auth_ldap authorise: require group: "
"authorisation successful (attribute %s) [%s][%s]",
return OK;
}
default: {
"[%d] auth_ldap authorise: require group \"%s\": "
"authorisation failed [%s][%s]",
}
}
}
}
else if (strcmp(w, "ldap-attribute") == 0) {
while (t[0]) {
"[%d] auth_ldap authorise: checking attribute"
w, value);
switch(result) {
case LDAP_COMPARE_TRUE: {
0, r, "[%d] auth_ldap authorise: "
"require attribute: authorisation "
"successful", getpid());
return OK;
}
default: {
0, r, "[%d] auth_ldap authorise: "
"require attribute: authorisation "
"failed [%s][%s]", getpid(),
}
}
}
}
else if (strcmp(w, "ldap-filter") == 0) {
if (t[0]) {
"[%d] auth_ldap authorise: checking filter %s",
getpid(), t);
/* Build the username filter */
/* Search for the user DN */
/* Make sure that the filtered search returned the correct user dn */
if (result == LDAP_SUCCESS) {
"[%d] auth_ldap authorise: checking dn match %s",
}
switch(result) {
case LDAP_COMPARE_TRUE: {
0, r, "[%d] auth_ldap authorise: "
"require ldap-filter: authorisation "
"successful", getpid());
return OK;
}
case LDAP_FILTER_ERROR: {
0, r, "[%d] auth_ldap authorise: "
"require ldap-filter: %s authorisation "
"failed [%s][%s]", getpid(),
break;
}
default: {
0, r, "[%d] auth_ldap authorise: "
"require ldap-filter: authorisation "
"failed [%s][%s]", getpid(),
}
}
}
}
}
if (!method_restricted) {
"[%d] auth_ldap authorise: agreeing because non-restricted",
getpid());
return OK;
}
if (!sec->auth_authoritative) {
"[%d] auth_ldap authorise: declining to authorise", getpid());
return DECLINED;
}
"[%d] auth_ldap authorise: authorisation denied", getpid());
return HTTP_UNAUTHORIZED;
}
/*
* Use the ldap url parsing routines to break up the ldap url into
* host and port.
*/
void *config,
const char *url,
const char *mode)
{
int rc;
if (rc != APR_SUCCESS) {
}
cmd->server, "[%d] auth_ldap url parse: attrib: %s", getpid(), urld->lud_attrs? urld->lud_attrs[0] : "(null)");
/* Set all the values, or at least some sane defaults */
strcat(p, " ");
}
else {
}
int i = 1;
i++;
}
i = 0;
i++;
}
}
else {
}
if (urld->lud_filter) {
/*
* Get rid of the surrounding parens; later on when generating the
* filter, they'll be put back.
*/
}
else {
}
}
else {
}
if (mode) {
}
}
}
else {
return "Invalid LDAP connection mode setting: must be one of NONE, "
}
}
/* "ldaps" indicates secure ldap connections desired
*/
{
"LDAP: auth_ldap using SSL connections");
}
else
{
"LDAP: auth_ldap not using SSL connections");
}
return NULL;
}
{
}
}
}
}
else {
return "Unrecognized value for AuthLDAPAliasDereference directive";
}
return NULL;
}
{
struct mod_auth_ldap_groupattr_entry_t *new;
return "Too many AuthLDAPGroupAttribute directives";
return NULL;
}
{
(void *)arg);
return NULL;
}
static const command_rec authnz_ldap_cmds[] =
{
"URL to define LDAP connection. This should be an RFC 2255 complaint\n"
"URL of the form ldap://host[:port]/basedn[?attrib[?scope[?filter]]].\n"
"<ul>\n"
"<li>Host is the name of the LDAP server. Use a space separated list of hosts \n"
"to specify redundant servers.\n"
"<li>Port is optional, and specifies the port to connect to.\n"
"<li>basedn specifies the base DN to start searches from\n"
"<li>Attrib specifies what attribute to search for in the directory. If not "
"provided, it defaults to <b>uid</b>.\n"
"<li>Scope is the scope of the search, and can be either <b>sub</b> or "
"<b>one</b>. If not provided, the default is <b>sub</b>.\n"
"<li>Filter is a filter to use in the search. If not provided, "
"defaults to <b>(objectClass=*)</b>.\n"
"</ul>\n"
"Searches are performed using the attribute and the filter combined. "
"For example, assume that the\n"
"LDAP URL is <b>ldap://ldap.airius.com/ou=People, o=Airius?uid?sub?(posixid=*)</b>. "
"Searches will\n"
"be done using the filter <b>(&((posixid=*))(uid=<i>username</i>))</b>, "
"where <i>username</i>\n"
"is the user name passed by the HTTP client. The search will be a subtree "
"search on the branch <b>ou=People, o=Airius</b>."),
"DN to use to bind to LDAP server. If not provided, will do an anonymous bind."),
"Password to use to bind to LDAP server. If not provided, will do an anonymous bind."),
"Set to 'on' to set the REMOTE_USER environment variable to be the full "
"DN of the remote user. By default, this is set to off, meaning that "
"the REMOTE_USER variable will contain whatever value the remote user sent."),
"Set to 'off' to allow access control to be passed along to lower modules if "
"Set to 'on' to force auth_ldap to do DN compares (for the \"require dn\" "
"directive) using the server, and set it 'off' to do the compares locally "
"(at the expense of possible false matches). See the documentation for "
"a complete description of this option."),
"A list of attributes used to define group membership - defaults to "
"member and uniquemember"),
"If set to 'on', auth_ldap uses the DN that is retrieved from the server for"
"subsequent group comparisons. If set to 'off', auth_ldap uses the string"
"provided by the client directly. Defaults to 'on'."),
"Determines how aliases are handled during a search. Can bo one of the"
"values \"never\", \"searching\", \"finding\", or \"always\". "
"Defaults to always."),
/*
AP_INIT_FLAG("AuthLDAPAuthzEnabled", ap_set_flag_slot,
(void *)APR_OFFSETOF(authn_ldap_config_t, authz_enabled), OR_AUTHCFG,
"Set to off to disable the LDAP authorization handler, even if it's been enabled in a higher tree"),
*/
"Character set conversion configuration file. If omitted, character set"
"conversion is disabled."),
{NULL}
};
static int authnz_ldap_post_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s)
{
ap_configfile_t *f;
char l[MAX_STRING_LEN];
/*
authn_ldap_config_t *sec = (authn_ldap_config_t *)
ap_get_module_config(s->module_config,
&authnz_ldap_module);
if (sec->secure)
{
if (!util_ldap_ssl_supported(s))
{
ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s,
"LDAP: SSL connections (ldaps://) not supported by utilLDAP");
return(!OK);
}
}
*/
/* make sure that mod_ldap (util_ldap) is loaded */
"Module mod_ldap missing. Mod_ldap (aka. util_ldap) "
"must be loaded in order for mod_auth_ldap to function properly");
return HTTP_INTERNAL_SERVER_ERROR;
}
if (!charset_confname) {
return OK;
}
if (!charset_confname) {
"Invalid charset conversion config path %s",
(const char *)ap_get_module_config(s->module_config,
return HTTP_INTERNAL_SERVER_ERROR;
}
!= APR_SUCCESS) {
"could not open charset conversion config file %s.",
return HTTP_INTERNAL_SERVER_ERROR;
}
while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {
const char *ll = l;
char *lang;
if (l[0] == '#') {
continue;
}
if (ll[0]) {
}
}
ap_cfg_closefile(f);
if (to_charset == NULL) {
"could not find the UTF-8 charset in the file %s.",
return HTTP_INTERNAL_SERVER_ERROR;
}
return OK;
}
static const authn_provider authn_ldap_provider =
{
};
static void register_hooks(apr_pool_t *p)
{
}
{
create_authnz_ldap_dir_config, /* dir config creater */
NULL, /* dir merger --- default is to override */
NULL, /* server config */
NULL, /* merge server config */
authnz_ldap_cmds, /* command apr_table_t */
register_hooks /* register hooks */
};