author | Bradley Nicholes <bnicholes@apache.org> | 2004-11-10 18:05:47 +0000 |
---|---|---|
committer | Bradley Nicholes <bnicholes@apache.org> | 2004-11-10 18:05:47 +0000 |
commit | cdf5a5836231619a888b2ede8a72138a062ba3c3 (patch) | |
tree | 296ad0d2ccb80672fd4ba305f47891b209713c8f | |
parent | ebf5c2c124ba1d8d8ffecfa64886c2254219b691 (diff) | |
download | httpd-cdf5a5836231619a888b2ede8a72138a062ba3c3.tar.gz |
Added the directive "Requires ldap-attribute" that allows the module to only authorize a user if the attribute value specified matches the value of the user object. PR 31913
Submitted by: Ryan Morgan <rmorgan pobox.com>
Reviewed by: bnicholes, wrowe, jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@105745 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | CHANGES | 5
-rw-r--r-- | STATUS | 9
-rw-r--r-- | docs/manual/mod/mod_auth_ldap.xml | 35
-rw-r--r-- | modules/experimental/mod_auth_ldap.c | 30
4 files changed, 69 insertions, 10 deletions
@@ -5,6 +5,11 @@ Changes with Apache 2.0.53 user cache without having to require ldap authentication as well. [PR 31898] [Jari Ahonen jah progress.com, Brad Nicholes] + *) mod_auth_ldap: Added the directive "Requires ldap-attribute" that + allows the module to only authorize a user if the attribute value + specified matches the value of the user object. PR 31913 + [Ryan Morgan <rmorgan pobox.com>] + *) SECURITY: CAN-2004-0942 (cve.mitre.org) Fix for memory consumption DoS in handling of MIME folded request headers. [Joe Orton] @@ -1,5 +1,5 @@ APACHE 2.0 STATUS: -*-text-*- -Last modified at [$Date: 2004/11/10 16:35:21 $] +Last modified at [$Date: 2004/11/10 18:05:46 $] Release: @@ -75,13 +75,6 @@ PATCHES TO BACKPORT FROM 2.1 [ please place file names and revisions from HEAD here, so it is easy to identify exactly what the proposed changes are! ] - *) mod_authnz_ldap: Added the directive "Requires ldap-attribute" that - allows the module to only authorize a user if the attribute value - specified matches the value of the user object. PR 31913 - modules/aaa/mod_authnz_ldap.c: r1.7 - docs/manual/mod/mod_authnz_ldap.xml: r1.3 - +1: bnicholes, wrowe, jim - *) mod_ssl: Fix an possible NULL pointer dereference in some configs. http://nagoya.apache.org/bugzilla/showattachment.cgi?attach_id=13182 PR: 31848 diff --git a/docs/manual/mod/mod_auth_ldap.xml b/docs/manual/mod/mod_auth_ldap.xml index 454a0828ac..45ca5ee5da 100644 --- a/docs/manual/mod/mod_auth_ldap.xml +++ b/docs/manual/mod/mod_auth_ldap.xml @@ -1,7 +1,7 @@ <?xml version="1.0"?> <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd"> <?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?> -<!-- $Revision: 1.6.2.12 $ --> +<!-- $Revision: 1.6.2.13 $ --> <!-- Copyright 2002-2004 The Apache Software Foundation 
@@ -80,6 +80,7 @@ for HTTP Basic authentication.</description> <li><a href="#requser">require user</a></li> <li><a href="#reqgroup">require group</a></li> <li><a href="#reqdn">require dn</a></li> + <li><a href="#reqattribute">require ldap-attribute</a></li> </ul> </li> @@ -198,6 +199,11 @@ for HTTP Basic authentication.</description> the DN fetched from the LDAP directory (or the username passed by the client) occurs in the LDAP group.</li> + <li>Grant access if there is a <a href="#reqattribute"> + <code>require ldap-attribute</code></a> + directive, and the attribute fetched from the LDAP directory + matches the given value.</li> + <li>otherwise, deny or decline access</li> </ul> 
@@ -336,6 +342,33 @@ uniqueMember: cn=Fred User, o=Airius<br /> module="mod_auth_ldap">AuthLDAPCompareDNOnServer</directive> directive.</p> </section> + +<section id="reqattribute"><title>require ldap-attribute</title> + + <p>The <code>require ldap-attribute</code> directive allows the + administrator to grant access based on attributes of the authenticated + user in the LDAP directory. If the attribute in the directory + matches the value given in the configuration, access is granted.</p> + + <p>The following directive would grant access to anyone with + the attribute employeeType = active</p> + + <example>require ldap-attribute employeeType=active</example> + + <p>Multiple attribute/value pairs can be specified on the same line + separated by spaces or they can be specified in multiple + <code>require ldap-attribute</code> directives. The effect of listing + multiple attribute/values pairs is an OR operation. Access will be + granted if any of the listed attribute values match the value of a + corresponding attribute in the user object. If the value of the + attribute contains a space, only the value must be within double quotes.</p> + + <p>The following directive would grant access to anyone with + the city attribute equal to "San Jose" or status equal to "Active"</p> + + <example>require ldap-attribute city="San Jose" status=active</example> +</section> + </section> <section id="examples"><title>Examples</title> diff --git a/modules/experimental/mod_auth_ldap.c b/modules/experimental/mod_auth_ldap.c index ee9ad71871..93b014071c 100644 --- a/modules/experimental/mod_auth_ldap.c +++ b/modules/experimental/mod_auth_ldap.c @@ -420,7 +420,7 @@ int mod_auth_ldap_auth_checker(request_rec *r) register int x; const char *t; - char *w; + char *w, *value; int method_restricted = 0; if (!sec->enabled) { 
@@ -627,6 +627,34 @@ int mod_auth_ldap_auth_checker(request_rec *r) } } } + else if (strcmp(w, "ldap-attribute") == 0) { + while (t[0]) { + w = ap_getword(r->pool, &t, '='); + value = ap_getword_conf(r->pool, &t); + + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authorise: checking attribute" + " %s has value %s", getpid(), w, value); + result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, + w, value); + switch(result) { + case LDAP_COMPARE_TRUE: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, + 0, r, "[%d] auth_ldap authorise: " + "require attribute: authorisation " + "successful", getpid()); + return OK; + } + default: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, + 0, r, "[%d] auth_ldap authorise: " + "require attribute: authorisation " + "failed [%s][%s]", getpid(), + ldc->reason, ldap_err2string(result)); + } + } + } + } } if (!method_restricted) { |
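Review bot: in the CHANGES hunk the new entry names the directive "Requires ldap-attribute", while the documentation hunk in the same patch and the parser (`strcmp(w, "ldap-attribute")` inside the `require` handling) use `require ldap-attribute`; the changelog entry should read `require ldap-attribute` so that administrators searching CHANGES find the keyword that actually appears in their configuration.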
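Review bot: in the mod_auth_ldap.xml hunk that adds the `reqattribute` section, the sentence "If the value of the attribute contains a space, only the value must be within double quotes" is hard to parse; suggest "If a value contains a space, enclose the value (not the attribute name) in double quotes, for example `city="San Jose"`". The first example paragraph also writes the pair as `employeeType = active` with spaces around the `=`, while the directive itself is `employeeType=active`; the prose should use the exact directive syntax, because the parser splits the attribute name on `=` with `ap_getword` and does not trim surrounding whitespace. Two smaller doc points: the new bullet in the authorization-order list says the attribute is "fetched from the LDAP directory", but the code issues a compare operation (`util_ldap_cache_compare`) against the user's DN rather than reading the attribute, and it would help administrators to state that "matches" therefore follows the attribute's equality matching rule in the directory schema, so case sensitivity is decided by the LDAP server and not by this module.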
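Review bot: in the mod_auth_ldap.c hunk at line 627, the `default:` branch of the `switch(result)` treats every non-TRUE result identically, so an ordinary `LDAP_COMPARE_FALSE` mismatch and a server-side failure (lost connection, unknown attribute name, insufficient access for the compare) produce the same "authorisation failed" message at APLOG_DEBUG and the loop simply moves on to the next pair. Suggest a separate `case LDAP_COMPARE_FALSE:` for the expected mismatch and logging the remaining results above debug level, so an operator can tell a misconfigured attribute or a backend outage apart from a user who legitimately lacks the attribute; `ldc->reason` and `ldap_err2string(result)` are already available for that message. Two further points in the same hunk: if a token has no `=` (for example `require ldap-attribute employeeType`), `ap_getword` returns the whole token as the attribute name and `ap_getword_conf` leaves `value` empty, yet the compare is still sent to the directory with an empty value, so a check that rejects an empty `value` as a configuration error would be cheaper and clearer; and reusing `w` for the attribute name inside the `while` loop overwrites the outer require keyword, which is harmless here but reads better with a dedicated variable such as `attr`.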