On Fri, Apr 25, 2014 at 1:15 PM <minf...@apache.org> wrote: > > Author: minfrin > Date: Fri Apr 25 11:14:36 2014 > New Revision: 1589993 > > URL: http://svn.apache.org/r1589993 > Log: > Add the ldap-search option to mod_authnz_ldap, allowing authorization > to be based on arbitrary expressions that do not include the username. [] > > --- httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml (original) > +++ httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml Fri Apr 25 11:14:36 > 2014 [] > @@ -508,6 +514,28 @@ AuthLDAPMaxSubGroupDepth 1 > > </section> > > +<section id="reqsearch"><title>Require ldap-search</title> > + > + <p>The <code>Require ldap-search</code> directive allows the > + administrator to grant access based on a generic LDAP search filter > using an > + <a href="../expr.html">expression</a>. If there is exactly one match to > the search filter, > + regardless of the distinguished name, access is granted.</p>
I get from this that there should be one match.. > > --- httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c (original) > +++ httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c Fri Apr 25 11:14:36 2014 [] > > +static authz_status ldapsearch_check_authorization(request_rec *r, > + const char *require_args, > + const void > *parsed_require_args) > +{ > + int result = 0; > + authn_ldap_config_t *sec = > + (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, > &authnz_ldap_module); > + > + util_ldap_connection_t *ldc = NULL; > + > + const char *err = NULL; > + const ap_expr_info_t *expr = parsed_require_args; > + const char *require; > + const char *t; > + const char *dn = NULL; > + > + if (!sec->have_ldap_url) { > + return AUTHZ_DENIED; > + } > + > + if (sec->host) { > + ldc = get_connection_for_authz(r, LDAP_SEARCH); > + apr_pool_cleanup_register(r->pool, ldc, > + authnz_ldap_cleanup_connection_close, > + apr_pool_cleanup_null); > + } > + else { > + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01738) > + "auth_ldap authorize: no sec->host - weird...?"); > + return AUTHZ_DENIED; > + } > + > + require = ap_expr_str_exec(r, expr, &err); > + if (err) { > + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO() > + "auth_ldap authorize: require ldap-search: Can't " > + "evaluate require expression: %s", err); > + return AUTHZ_DENIED; > + } > + > + t = require; > + > + if (t[0]) { > + const char **vals; > + > + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO() > + "auth_ldap authorize: checking filter %s", t); > + > + /* Search for the user DN */ > + result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, > + sec->scope, sec->attributes, t, &dn, &vals); > + > + /* Make sure that the filtered search returned a single dn */ And it's restated here.. 
> + if (result == LDAP_SUCCESS && dn) { > + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO() > + "auth_ldap authorize: require ldap-search: " > + "authorization successful"); > + return AUTHZ_GRANTED; I get that for "ldap-filter" (unlike for "ldap-search" here) we'll do a util_ldap_cache_comparedn() to (double) check the returned DN somehow (sorry I don't really know how LDAP works), not here though because we don't require a particular DN but just a single one. But what makes sure that it's the case here? > + } > + else { > + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO() > + "auth_ldap authorize: require ldap-search: " > + "%s authorization failed [%s][%s]", > + t, ldc->reason, ldap_err2string(result)); > + } > + } > + > + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO() > + "auth_ldap authorize filter: authorization denied for " > + "to %s", r->uri); > + > + return AUTHZ_DENIED; > +} Regards; Yann.
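Review bot: the documentation hunk for the new "Require ldap-search" section leaves the failure cases implicit; "If there is exactly one match to the search filter, regardless of the distinguished name, access is granted" should be followed by a sentence stating that zero matches and more than one match are both denied, so that administrators understand the decision depends only on the match count and never on which entry matched. Because the filter is built from an expression, the section should also tell administrators that any request-derived value interpolated into the filter must be escaped as an LDAP filter value; unescaped characters such as "*", "(" and ")" change the meaning of the filter and can turn a single-match rule into a multi-match or no-match result.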
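Review bot: nothing in the ldapsearch_check_authorization() hunk enforces the "exactly one match" rule the documentation promises. After "result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, sec->scope, sec->attributes, t, &dn, &vals);" the code grants on "result == LDAP_SUCCESS && dn" and relies entirely on util_ldap_cache_getuserdn() returning a non-success code when the filter matches zero or several entries. If that function does guarantee uniqueness, the comment "/* Make sure that the filtered search returned a single dn */" should say that the uniqueness check lives in util_ldap_cache_getuserdn(), since as written it reads as if the check were performed here; if it does not, the entry count must be checked in this function before returning AUTHZ_GRANTED. Smaller points in the same hunk: the three "APLOGNO()" calls carry empty tags and need numbers assigned before commit; "vals" is filled by util_ldap_cache_getuserdn() but never used, so either drop it or pass NULL if the API allows; and the final message "authorization denied for " "to %s" should read "authorization denied for %s".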