Re: patch for mod_ldap_authnz

2010-04-28 Thread Kevin Kalupson
I agree all around.  I would like it if there were a sane default
prefix. LDAP_* makes sense to me.  I like the idea of being able to set
the prefix with a directive in the configuration file.

-Kevin

On 4/28/10 3:37 AM, Plüm, Rüdiger, VF-Group wrote:
 -----Original Message-----
 From: Eric Covener 
 Sent: Mittwoch, 28. April 2010 04:37
 To: dev@httpd.apache.org
 Subject: Re: patch for mod_ldap_authnz

 On Tue, Apr 27, 2010 at 9:25 PM, Kevin Kalupson kjk...@kevinkal.com wrote:
 Hi,
  mod_authnz_ldap will put the attributes from the AuthLdapUrl in the
 request environmental variables if ldap is the authentication source.
 However, if mod_authnz_ldap is only providing Authorization and another
 module is the authentication source, the attributes are not available as
 request variables.


 Anyone have feelings about LDAP-as-authorizer adding entries to
 AUTHENTICATE_*?  Seems like an unfortunate name given the nature of
 the data people are likely to plug into with this.
 
 We shouldn't use the AUTHENTICATE_* prefix in this case. It should be
 something different to distinguish the cases.
 
 Regards
 
 Rüdiger
 


patch for mod_ldap_authnz

2010-04-27 Thread Kevin Kalupson
Hi,
  mod_authnz_ldap will put the attributes from the AuthLdapUrl in the
request environmental variables if ldap is the authentication source.
However, if mod_authnz_ldap is only providing Authorization and another
module is the authentication source, the attributes are not available as
request variables.

  I have a suggestion for a patch based on the httpd package distributed
with RHEL5, which is httpd-2.2.3.

  The patch is simple in that it does in the authz function what is done
in the authn function.  This is very useful to me and I'm sure others
who are writing applications that run in enterprises where ldap is a
public service.

  I've attached the patch for mod_authnz_ldap.c, but it is also
available here:
https://weblion.psu.edu/trac/weblion/changeset?format=diff&new=11300&old=11294&new_path=users%2Fkjk137%2Fmod_authnz_ldap&old_path=users%2Fkjk137%2Fmod_authnz_ldap

-Kevin
Index: users/kjk137/mod_authnz_ldap/mod_authnz_ldap.c
===
--- users/kjk137/mod_authnz_ldap/mod_authnz_ldap.c (revision 11294)
+++ users/kjk137/mod_authnz_ldap/mod_authnz_ldap.c (revision 11300)
@@ -581,6 +581,27 @@
 req-dn = apr_pstrdup(r-pool, dn);
 req-user = r-user;
-}
-
+
+}
+/* add environment variables */
+/* if (sec-attributes  vals) { */
+apr_table_t *e = r-subprocess_env;
+int i = 0;
+while (sec-attributes[i]) {
+char *str = apr_pstrcat(r-pool, AUTHENTICATE_, 
sec-attributes[i], NULL);
+int j = 13;
+while (str[j]) {
+if (str[j] = 'a'  str[j] = 'z') {
+str[j] = str[j] - ('a' - 'A');
+}
+j++;
+}
+apr_table_setn(e, str, vals[i]);
+   ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+   [% APR_PID_T_FMT ] auth_ldap authorise: accepting %s, 
getpid(), str );
+ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+   [% APR_PID_T_FMT ] auth_ldap authorise: accepting %s, 
getpid(), vals[i] );
+i++;
+}
+
 /* Loop through the requirements array until there's no elements
  * left, or something causes a return from inside the loop */
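Review bot: the guard that would protect this block, `if (sec->attributes && vals)`, is left commented out, yet the loop dereferences `sec->attributes[i]` and `vals[i]` unconditionally; either can be NULL here (which is presumably why the guard was written in the first place), so restore it, or return early when either is NULL, before the `while` loop. Three smaller points in the same block: `int j = 13;` is a magic number equal to `strlen("AUTHENTICATE_")`, so derive it from the prefix (for example `sizeof("AUTHENTICATE_") - 1`), which also makes the prefix easy to change in light of the naming discussion earlier in this thread; the second `ap_log_rerror` writes the attribute value `vals[i]` to the error log at DEBUG level, which will expose directory data in logs, and both messages read "accepting %s" so name and value cannot be told apart, so drop the value log or give it a distinct message; and the first `ap_log_rerror` is indented differently from the second and from the rest of the added lines.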