The attached patches convert LDAPTrustedMode into a per-directory
directive rather than a per-server one.  This allows the configuration to
specify which mode should be applied for the associated AuthLDAPURL.

Thoughts on whether this should be the way to go or if LDAPTrustedMode
should be moved up into mod_authnz_ldap as AuthLDAPTrustedMode?

Brad

>>> [EMAIL PROTECTED] Tuesday, February 01, 2005 3:33:19 PM >>>
    After testing mod_authnz_ldap and util_ldap some more, it appears
that the directive LDAPTrustedMode should be pushed up into
mod_authnz_ldap rather than util_ldap and become AuthLDAPTrustedMode. 
The reason is that the connection type (i.e. NONE, SSL, STARTTLS)
is tied to the AuthLDAPURL rather than to the global connection or
certificate directives that are set in util_ldap.  As it stands today,
the following configuration will fail:

Alias /secure /webpages/secure
<Directory /webpages/secure>
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName LDAP_Protected_Place
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://foo.ldapserver.com/o=ctx";
    AuthzLDAPAuthoritative off
    require valid-user
</Directory>

Alias /othersecuredir /webpages/othersecuredir
<Directory /webpages/othersecuredir>
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName LDAP_Secure_Test
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off

    LDAPTrustedMode STARTTLS
    AuthLDAPURL "ldap://other.ldapserver.com/o=ctx";
    require valid-user
</Directory>


The above configuration assumes that all connections to
"foo.ldapserver.com" will be non-secure on port 389 and that all
connections to "other.ldapserver.com" will be TLS connections on port
389.  The problem is that the directive LDAPTrustedMode is global, not
per-directory.  Therefore, even though the configuration intended to
connect to "foo.ldapserver.com" non-secure, since the global trusted
mode has been set to STARTTLS, util_ldap will attempt to start TLS on
all connections.

Since the type of connection is already determined partially by the
AuthLDAPURL (ie. ldaps:// vs ldap://), changing the type to STARTTLS
also needs to be in the same scope as AuthLDAPURL.  There are two
options, change LDAPTrustedMode to a per-directory directive within
util_ldap or move LDAPTrustedMode up into mod_authnz_ldap as
AuthLDAPTrustedMode.

Brad

Index: util_ldap.h
===================================================================
--- util_ldap.h (revision 126565)
+++ util_ldap.h (working copy)
@@ -117,8 +117,6 @@
     int   ssl_supported;
     apr_array_header_t *global_certs;  /* Global CA certificates */
     apr_array_header_t *client_certs;  /* Client certificates */
-    int   secure;
-    int   secure_set;
 
 #if APR_HAS_SHARED_MEMORY
     apr_shm_t *cache_shm;
Index: util_ldap.c
===================================================================
--- util_ldap.c (revision 149421)
+++ util_ldap.c (working copy)
@@ -57,7 +57,14 @@
 int util_ldap_handler(request_rec *r);
 void *util_ldap_create_config(apr_pool_t *p, server_rec *s);
 
+typedef struct {
+    apr_pool_t *pool;       /* Pool */
+    int secure;             /* APR_LDAP_NONE, APR_LDAP_SSL, APR_LDAP_STARTTLS 
*/
+    int secure_set;
+} util_ldap_dir_config_t;
 
+
+
 /*
  * Some definitions to help between various versions of apache.
  */
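Review bot: The `secure_set` member added to util_ldap_dir_config_t is written by util_ldap_set_trusted_mode but is no longer read anywhere: the server-level merge that consumed it is removed, and the dir merger slot in ldap_module (final hunk, `NULL, /* dir merger --- default is to override */`) stays NULL, so every `<Directory>`/`<Location>` that does not itself repeat LDAPTrustedMode gets a fresh config with APR_LDAP_NONE regardless of what an enclosing scope set. An admin who keeps `LDAPTrustedMode STARTTLS` at server scope would thus silently fall back to plaintext LDAP for each container holding an AuthLDAPURL, which is the opposite of the inheritance the removed `st->secure = (overrides->secure_set == 0) ? ...` line provided. A per-directory merger that honours `secure_set` restores that behaviour; a comment on the struct such as `/* secure_set: 1 once LDAPTrustedMode was given in this scope; lets the merger distinguish "unset" from an explicit NONE */` would also make the field's purpose clear. The `pool` member is stored by util_ldap_create_dir_config but not read in any visible hunk.
```c
/* Merge per-directory LDAP config: a scope that did not give
 * LDAPTrustedMode inherits the enclosing scope's mode (mirrors
 * the server-level merge this patch removes). */
static void *util_ldap_merge_dir_config(apr_pool_t *p, void *basev, void *addv)
{
    util_ldap_dir_config_t *base = basev;
    util_ldap_dir_config_t *add = addv;
    util_ldap_dir_config_t *dc = apr_pcalloc(p, sizeof(*dc));

    dc->pool = p;
    dc->secure = add->secure_set ? add->secure : base->secure;
    dc->secure_set = base->secure_set || add->secure_set;

    return dc;
}

/* … unchanged: module ldap_module = { STANDARD20_MODULE_STUFF, … */
   util_ldap_create_dir_config,     /* dir config creater */
   util_ldap_merge_dir_config,      /* dir merger */
```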
@@ -416,6 +423,8 @@
     util_ldap_state_t *st = 
         (util_ldap_state_t *)ap_get_module_config(r->server->module_config,
         &ldap_module);
+    util_ldap_dir_config_t *dc =
+        (util_ldap_dir_config_t *)ap_get_module_config(r->per_dir_config, 
&ldap_module);
 
 
 #if APR_HAS_THREADS
@@ -514,7 +523,7 @@
          * setting optionally supplied by the admin using LDAPTrustedMode
          */
         l->secure = (APR_LDAP_NONE == secure) ?
-                     st->secure :
+                     dc->secure :
                      secure;
 
         /* save away a copy of the client cert list that is presently valid */
@@ -1566,31 +1575,29 @@
  * - SSL (SSL encryption)
  * - STARTTLS (TLS encryption)
  */ 
-static const char *util_ldap_set_trusted_mode(cmd_parms *cmd, void *dummy, 
const char *mode)
+static const char *util_ldap_set_trusted_mode(cmd_parms *cmd, void *config, 
const char *mode)
 {
-    util_ldap_state_t *st =
-    (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
-                                              &ldap_module);
+    util_ldap_dir_config_t *dc = config;
 
     ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server,
                       "LDAP: SSL trusted mode - %s",
                        mode);
 
     if (0 == strcasecmp("NONE", mode)) {
-        st->secure = APR_LDAP_NONE;
+        dc->secure = APR_LDAP_NONE;
     }
     else if (0 == strcasecmp("SSL", mode)) {
-        st->secure = APR_LDAP_SSL;
+        dc->secure = APR_LDAP_SSL;
     }
     else if (0 == strcasecmp("TLS", mode) || 0 == strcasecmp("STARTTLS", 
mode)) {
-        st->secure = APR_LDAP_STARTTLS;
+        dc->secure = APR_LDAP_STARTTLS;
     }
     else {
         return "Invalid LDAPTrustedMode setting: must be one of NONE, "
                "SSL, or TLS/STARTTLS";
     }
 
-    st->secure_set = 1;
+    dc->secure_set = 1;
     return(NULL);
 }
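Review bot: The patch changes util_ldap_set_trusted_mode to write into the per-directory config passed as `config`, but the directive's entry in util_ldap_cmds is not part of the diff, so its allowed contexts are presumably still server-level only (RSRC_CONF); if so, the `LDAPTrustedMode STARTTLS` inside `<Directory>` from the mail will be rejected as not allowed here rather than applied, and the command-table line needs to become something like `RSRC_CONF|ACCESS_CONF|OR_AUTHCFG` to match the new scope. The debug log on the lines above still reports via `cmd->server` and does not say which container the mode applies to; appending the directory path, e.g. `"LDAP: SSL trusted mode - %s (scope %s)"` with `cmd->path`, would make per-directory settings auditable. The comment block preceding the function (cut off above the hunk) should also state that the directive is now per-directory and that a URL-derived mode such as ldaps:// takes precedence over it.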
 
@@ -1619,7 +1626,18 @@
     return NULL;
 }
 
+static void *util_ldap_create_dir_config(apr_pool_t *p, char *d)
+{
+    util_ldap_dir_config_t *dc = 
+        (util_ldap_dir_config_t *)apr_pcalloc(p, 
sizeof(util_ldap_dir_config_t));
 
+    dc->pool = p;
+    dc->secure = APR_LDAP_NONE;
+
+    return dc;
+}
+
+
 void *util_ldap_create_config(apr_pool_t *p, server_rec *s)
 {
     util_ldap_state_t *st = 
@@ -1636,8 +1654,6 @@
     st->ssl_supported = 0;
     st->global_certs = apr_array_make(p, 10, sizeof(apr_ldap_opt_tls_cert_t));
     st->client_certs = apr_array_make(p, 10, sizeof(apr_ldap_opt_tls_cert_t));
-    st->secure = APR_LDAP_NONE;
-    st->secure_set = 0;
     st->connectionTimeout = 10;
 
     return st;
@@ -1660,7 +1676,6 @@
     st->ssl_supported = base->ssl_supported;
     st->global_certs = apr_array_append(p, base->global_certs, 
overrides->global_certs);
     st->client_certs = apr_array_append(p, base->client_certs, 
overrides->client_certs);
-    st->secure = (overrides->secure_set == 0) ? base->secure : 
overrides->secure;
 
     return st;
 }
@@ -1942,10 +1957,10 @@
 
 module ldap_module = {
    STANDARD20_MODULE_STUFF,
-   NULL,                               /* dir config creater */
-   NULL,                               /* dir merger --- default is to 
override */
-   util_ldap_create_config,            /* server config */
-   util_ldap_merge_config,             /* merge server config */
-   util_ldap_cmds,                     /* command table */
-   util_ldap_register_hooks,           /* set up request processing hooks */
+   util_ldap_create_dir_config,     /* dir config creater */
+   NULL,                            /* dir merger --- default is to override */
+   util_ldap_create_config,         /* server config */
+   util_ldap_merge_config,          /* merge server config */
+   util_ldap_cmds,                  /* command table */
+   util_ldap_register_hooks,        /* set up request processing hooks */
 };
