On Fri, Apr 25, 2014 at 1:15 PM <minf...@apache.org> wrote:
>
> Author: minfrin
> Date: Fri Apr 25 11:14:36 2014
> New Revision: 1589993
>
> URL: http://svn.apache.org/r1589993
> Log:
> Add the ldap-search option to mod_authnz_ldap, allowing authorization
> to be based on arbitrary expressions that do not include the username.
[]
>
> --- httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml (original)
> +++ httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml Fri Apr 25 11:14:36 
> 2014
[]
> @@ -508,6 +514,28 @@ AuthLDAPMaxSubGroupDepth 1
>
>  </section>
>
> +<section id="reqsearch"><title>Require ldap-search</title>
> +
> +    <p>The <code>Require ldap-search</code> directive allows the
> +    administrator to grant access based on a generic LDAP search filter 
> using an
> +    <a href="../expr.html">expression</a>. If there is exactly one match to 
> the search filter,
> +    regardless of the distinguished name, access is granted.</p>
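Review bot: the paragraph states the exactly-one-match rule but does not say what happens when the filter matches zero entries or more than one, and unlike a `<highlight>` example it never shows the directive's form. Suggest adding a sentence that zero or several matches deny access, and a one-line example of `Require ldap-search` followed by an expression, so readers can see the syntax the module expects.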

I get from this that there should be one match...

>
> --- httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c (original)
> +++ httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c Fri Apr 25 11:14:36 2014
[]
>
> +static authz_status ldapsearch_check_authorization(request_rec *r,
> +                                                   const char *require_args,
> +                                                   const void 
> *parsed_require_args)
> +{
> +    int result = 0;
> +    authn_ldap_config_t *sec =
> +        (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, 
> &authnz_ldap_module);
> +
> +    util_ldap_connection_t *ldc = NULL;
> +
> +    const char *err = NULL;
> +    const ap_expr_info_t *expr = parsed_require_args;
> +    const char *require;
> +    const char *t;
> +    const char *dn = NULL;
> +
> +    if (!sec->have_ldap_url) {
> +        return AUTHZ_DENIED;
> +    }
> +
> +    if (sec->host) {
> +        ldc = get_connection_for_authz(r, LDAP_SEARCH);
> +        apr_pool_cleanup_register(r->pool, ldc,
> +                                  authnz_ldap_cleanup_connection_close,
> +                                  apr_pool_cleanup_null);
> +    }
> +    else {
> +        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01738)
> +                      "auth_ldap authorize: no sec->host - weird...?");
> +        return AUTHZ_DENIED;
> +    }
> +
> +    require = ap_expr_str_exec(r, expr, &err);
> +    if (err) {
> +        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
> +                      "auth_ldap authorize: require ldap-search: Can't "
> +                      "evaluate require expression: %s", err);
> +        return AUTHZ_DENIED;
> +    }
> +
> +    t = require;
> +
> +    if (t[0]) {
> +        const char **vals;
> +
> +        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO()
> +                      "auth_ldap authorize: checking filter %s", t);
> +
> +        /* Search for the user DN */
> +        result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
> +             sec->scope, sec->attributes, t, &dn, &vals);
> +
> +        /* Make sure that the filtered search returned a single dn */

And it's restated here...

> +        if (result == LDAP_SUCCESS && dn) {
> +            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO()
> +                          "auth_ldap authorize: require ldap-search: "
> +                          "authorization successful");
> +            return AUTHZ_GRANTED;

I get that for "ldap-filter" (unlike for "ldap-search" here) we'll do a
util_ldap_cache_comparedn() to (double) check the returned DN somehow
(sorry I don't really know how LDAP works), not here though because we
don't require a particular DN but just a single one.
But what makes sure that it's the case here?

> +        }
> +        else {
> +            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO()
> +                          "auth_ldap authorize: require ldap-search: "
> +                          "%s authorization failed [%s][%s]",
> +                          t, ldc->reason, ldap_err2string(result));
> +        }
> +    }
> +
> +    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO()
> +                  "auth_ldap authorize filter: authorization denied for "
> +                  "to %s", r->uri);
> +
> +    return AUTHZ_DENIED;
> +}
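Review bot: the success test `if (result == LDAP_SUCCESS && dn)` grants on any DN handed back by util_ldap_cache_getuserdn(); nothing visible in this hunk checks how many entries the filter matched, although the comment `/* Make sure that the filtered search returned a single dn */` and the documentation hunk both promise exactly-one-match semantics. Suggest either documenting in a comment that util_ldap_cache_getuserdn() itself fails when the filter matches more than one entry, or counting the entries and denying unless exactly one is returned. Two smaller points in the same hunk: `vals` is filled by the search but never used, and the final log string `"auth_ldap authorize filter: authorization denied for " "to %s"` reads "for to" and still says "filter" rather than "ldap-search".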


Regards;
Yann.
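The point Yann raises, rendered as a small self-contained C program; this is an added example, not code from the httpd patch or from mod_authnz_ldap. It keeps a constructed in-memory directory, understands only single equality filters of the form `(attr=value)`, and contrasts a lax rule that grants on any returned DN with the strict exactly-one-match rule the documentation describes. The entries, the DNs and the AUTHZ_*_SIM values are all constructed for the example.

```c
/*
 * Added example (not from the httpd patch): simulate an LDAP search used
 * for authorization and show why "a DN came back" is weaker than "exactly
 * one entry matched". The directory and filter parser are constructed
 * stand-ins; a real deployment asks an LDAP server.
 */
#include <stdio.h>
#include <string.h>

#define MAX_ATTRS 4

typedef struct {
    const char *dn;
    const char *attrs[MAX_ATTRS][2];  /* {name, value} pairs, NULL-terminated */
} dir_entry;

/* Constructed sample directory: three users, two share a department. */
static const dir_entry directory[] = {
    { "uid=alice,ou=people,dc=example,dc=com",
      { {"uid", "alice"}, {"department", "engineering"}, {NULL, NULL} } },
    { "uid=bob,ou=people,dc=example,dc=com",
      { {"uid", "bob"}, {"department", "engineering"}, {NULL, NULL} } },
    { "uid=carol,ou=people,dc=example,dc=com",
      { {"uid", "carol"}, {"department", "finance"}, {NULL, NULL} } },
};
#define DIR_SIZE (sizeof(directory) / sizeof(directory[0]))

typedef enum { AUTHZ_GRANTED_SIM = 0, AUTHZ_DENIED_SIM = 1 } authz_sim;

/* Parse one equality filter "(attr=value)". Returns 0 on success, -1 if the
 * filter is malformed (no parentheses, empty attribute or value, too long). */
static int parse_eq_filter(const char *filter, char *attr, size_t alen,
                           char *value, size_t vlen)
{
    size_t n = strlen(filter), attr_n, value_n;
    const char *eq;

    if (n < 4 || filter[0] != '(' || filter[n - 1] != ')')
        return -1;
    eq = strchr(filter, '=');
    if (!eq)
        return -1;
    attr_n = (size_t)(eq - filter) - 1;          /* chars between '(' and '=' */
    value_n = n - 2 - (size_t)(eq - filter);     /* chars between '=' and ')' */
    if (attr_n == 0 || value_n == 0 || attr_n >= alen || value_n >= vlen)
        return -1;
    memcpy(attr, filter + 1, attr_n);  attr[attr_n] = '\0';
    memcpy(value, eq + 1, value_n);    value[value_n] = '\0';
    return 0;
}

/* Run the filter over the directory and return the number of matching
 * entries (-1 for a malformed filter). *dn_out receives the last matching
 * DN, mirroring a search API that hands back "a" DN without a count. */
static int search_count(const char *filter, const char **dn_out)
{
    char attr[64], value[64];
    int matches = 0;
    size_t i, j;

    *dn_out = NULL;
    if (parse_eq_filter(filter, attr, sizeof attr, value, sizeof value) != 0)
        return -1;
    for (i = 0; i < DIR_SIZE; i++) {
        for (j = 0; directory[i].attrs[j][0] != NULL; j++) {
            if (strcmp(directory[i].attrs[j][0], attr) == 0 &&
                strcmp(directory[i].attrs[j][1], value) == 0) {
                matches++;
                *dn_out = directory[i].dn;
                break;
            }
        }
    }
    return matches;
}

/* Lax rule: grant as soon as any DN came back. This is what a test of the
 * shape "search succeeded && dn != NULL" amounts to. */
static authz_sim authorize_any_match(const char *filter)
{
    const char *dn;
    return search_count(filter, &dn) > 0 ? AUTHZ_GRANTED_SIM : AUTHZ_DENIED_SIM;
}

/* Strict rule, as the documentation states it: grant only when the filter
 * matches exactly one entry; zero, several, or a malformed filter deny. */
static authz_sim authorize_single_match(const char *filter)
{
    const char *dn;
    return search_count(filter, &dn) == 1 ? AUTHZ_GRANTED_SIM : AUTHZ_DENIED_SIM;
}

int main(void)
{
    const char *filters[] = { "(uid=alice)", "(department=engineering)",
                              "(department=marketing)", "uid=alice" };
    size_t i;
    for (i = 0; i < sizeof(filters) / sizeof(filters[0]); i++)
        printf("%-26s any-match=%s  single-match=%s\n", filters[i],
               authorize_any_match(filters[i]) == AUTHZ_GRANTED_SIM ? "GRANT" : "deny",
               authorize_single_match(filters[i]) == AUTHZ_GRANTED_SIM ? "GRANT" : "deny");
    return 0;
}
```

The `(department=engineering)` row is the interesting one: both Alice and Bob match, the lax rule grants because a DN was returned, and the strict rule denies because the count is two. Whichever way the real module resolves it, the decision should rest on a visible count rather than on the search API happening to return a single DN.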
