#if APR_HAS_THREADS
apr_thread_mutex_t *lock; /* Lock for this config */
#endif
- int auth_authoritative; /* Is this auth method the one and only? */
-/* int authz_enabled; Is ldap authorization enabled in this directory? */
-
/* These parameters are all derived from the AuthLDAPURL directive */
char *url; /* String representation of the URL */
sec->bindpw = NULL;
sec->deref = always;
sec->group_attrib_is_dn = 1;
- sec->auth_authoritative = 1;
-
-/*
- sec->frontpage_hack = 0;
-*/
-
sec->secure = -1; /*Initialize to unset*/
sec->user_is_dn = 0;
if(result != LDAP_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"auth_ldap authorise: User DN not found, %s", ldc->reason);
- return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+ return AUTHZ_DENIED;
}
req = (authn_ldap_request_t *)apr_pcalloc(r->pool,
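Review bot: The DN-lookup failure here now ends in an unconditional `AUTHZ_DENIED`, yet the only trace of why the request was refused (`ldc->reason`) stays at APLOG_DEBUG, so a deployment that previously relied on the non-authoritative fall-through gets a hard denial with nothing at the default log level; the same applies to the three identical hunks that follow for the other ldap authz providers. A short comment above the return would make the new contract explicit, e.g. `/* DN lookup failed: denial is final now that the authoritative flag is gone; no fall-through to another provider. */`. Consider whether this diagnostic deserves a level above DEBUG, since the decision is now terminal rather than advisory. The enclosing provider function begins and ends outside the hunk.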
if(result != LDAP_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"auth_ldap authorise: User DN not found, %s", ldc->reason);
- return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+ return AUTHZ_DENIED;
}
req = (authn_ldap_request_t *)apr_pcalloc(r->pool,
if(result != LDAP_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"auth_ldap authorise: User DN not found, %s", ldc->reason);
- return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+ return AUTHZ_DENIED;
}
req = (authn_ldap_request_t *)apr_pcalloc(r->pool,
if(result != LDAP_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"auth_ldap authorise: User DN not found, %s", ldc->reason);
- return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+ return AUTHZ_DENIED;
}
req = (authn_ldap_request_t *)apr_pcalloc(r->pool,
"DN of the remote user. By default, this is set to off, meaning that "
"the REMOTE_USER variable will contain whatever value the remote user sent."),
- AP_INIT_FLAG("AuthzLDAPAuthoritative", ap_set_flag_slot,
- (void *)APR_OFFSETOF(authn_ldap_config_t, auth_authoritative), OR_AUTHCFG,
- "Set to 'off' to allow access control to be passed along to lower modules if "
- "the UserID and/or group is not known to this module"),
-
AP_INIT_FLAG("AuthLDAPCompareDNOnServer", ap_set_flag_slot,
(void *)APR_OFFSETOF(authn_ldap_config_t, compare_dn_on_server), OR_AUTHCFG,
"Set to 'on' to force auth_ldap to do DN compares (for the \"require dn\" "
"values \"never\", \"searching\", \"finding\", or \"always\". "
"Defaults to always."),
-/*
- AP_INIT_FLAG("AuthLDAPAuthzEnabled", ap_set_flag_slot,
- (void *)APR_OFFSETOF(authn_ldap_config_t, authz_enabled), OR_AUTHCFG,
- "Set to off to disable the LDAP authorization handler, even if it's been enabled in a higher tree"),
-*/
-
AP_INIT_TAKE1("AuthLDAPCharsetConfig", set_charset_config, NULL, RSRC_CONF,
"Character set conversion configuration file. If omitted, character set"
"conversion is disabled."),
/* TODO List
-- Convert all of the authz modules to providers
+X- Convert all of the authz modules to providers
- Remove the ap_requires field from the request_rec
- Remove the ap_requires field from authz_dir_conf
- Remove the function ap_requires() and authz_ap_requires()
- Expand the Satisfy directive to handle 'and' and 'or'
logic for determining which authorization must succeed
vs. may succeed
-- Remove the AuthzXXXAuthoritative directives from all of
+X- Remove the AuthzXXXAuthoritative directives from all of
the authz providers
*/
const char *query;
const char *redir_query;
int redirect;
- int authoritative;
} authz_dbd_cfg ;
static ap_dbd_t *(*dbd_handle)(request_rec*) = NULL;
static void *authz_dbd_cr_cfg(apr_pool_t *pool, char *dummy)
{
authz_dbd_cfg *ret = apr_pcalloc(pool, sizeof(authz_dbd_cfg));
- ret->redirect = ret->authoritative = -1;
+ ret->redirect = -1;
return ret;
}
static void *authz_dbd_merge_cfg(apr_pool_t *pool, void *BASE, void *ADD)
ret->query = (add->query == NULL) ? base->query : add->query;
ret->redir_query = (add->redir_query == NULL)
? base->redir_query : add->redir_query;
- ret->authoritative = (add->authoritative == -1)
- ? base->authoritative : add->authoritative;
ret->redirect = (add->redirect == -1) ? base->redirect : add->redirect;
return ret;
}
return ap_set_string_slot(cmd, cfg, label);
}
static const command_rec authz_dbd_cmds[] = {
- AP_INIT_FLAG("AuthzDBDAuthoritative", ap_set_flag_slot,
- (void*)APR_OFFSETOF(authz_dbd_cfg, authoritative), ACCESS_CONF,
- "Whether dbd-group is authoritative"),
AP_INIT_FLAG("AuthzDBDLoginToReferer", ap_set_flag_slot,
(void*)APR_OFFSETOF(authz_dbd_cfg, redirect), ACCESS_CONF,
"Whether to redirect to referer on successful login"),
typedef struct {
char *grpfile;
char *dbmtype;
- int authoritative;
} authz_dbm_config_rec;
APR_DECLARE_OPTIONAL_FN(char*, authz_owner_get_file_group, (request_rec *r));
conf->grpfile = NULL;
conf->dbmtype = "default";
- conf->authoritative = 1; /* fortress is secure by default */
return conf;
}
AP_INIT_TAKE1("AuthzDBMType", ap_set_string_slot,
(void *)APR_OFFSETOF(authz_dbm_config_rec, dbmtype),
OR_AUTHCFG, "what type of DBM file the group file is"),
- AP_INIT_FLAG("AuthzDBMAuthoritative", ap_set_flag_slot,
- (void *)APR_OFFSETOF(authz_dbm_config_rec, authoritative),
- OR_AUTHCFG, "Set to 'Off' to allow access control to be passed along to "
- "lower modules, if the group required is not found or empty, or the user "
- " is not in the required groups. (default is On.)"),
{NULL}
};
*
* If there are any 'require group' blocks and we
* are not in any group - we HTTP_UNAUTHORIZE
- * unless we are non-authoritative; in which
- * case we DECLINED.
*
*/
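Review bot: The surviving part of this comment still says that not being in any group means "we HTTP_UNAUTHORIZE", which describes the pre-provider return value; only the non-authoritative sentence was removed. If the groupfile provider now returns `AUTHZ_DENIED` as the ldap hunks in this commit do, the wording should follow, e.g. `* are not in any group - the provider returns AUTHZ_DENIED.`. The start of this comment block is outside the hunk.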
typedef struct {
char *groupfile;
- int authoritative;
} authz_groupfile_config_rec;
APR_DECLARE_OPTIONAL_FN(char*, authz_owner_get_file_group, (request_rec *r));
authz_groupfile_config_rec *conf = apr_palloc(p, sizeof(*conf));
conf->groupfile = NULL;
- conf->authoritative = 1; /* keep the fortress secure by default */
return conf;
}
(void *)APR_OFFSETOF(authz_groupfile_config_rec, groupfile),
OR_AUTHCFG,
"text file containing group names and member user IDs"),
- AP_INIT_FLAG("AuthzGroupFileAuthoritative", ap_set_flag_slot,
- (void *)APR_OFFSETOF(authz_groupfile_config_rec,
- authoritative),
- OR_AUTHCFG,
- "Set to 'Off' to allow access control to be passed along to "
- "lower modules if the 'require group' fails. (default is "
- "On)."),
{NULL}
};
#include "mod_auth.h" /* for AUTHZ_GROUP_NOTE */
typedef struct {
- int authoritative;
} authz_owner_config_rec;
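Review bot: Removing `authoritative` leaves `authz_owner_config_rec` with no members, and the later hunk does the same to `authz_user_config_rec`; a memberless struct is a GCC extension that ISO C rejects (a struct needs at least one member), and `sizeof(*conf)` in the per-dir create function becomes 0 under GCC, so `apr_palloc(p, 0)` is what gets called. Either drop the struct and its create function and register no per-dir config for these two modules, or keep a placeholder member such as `int unused; /* ISO C forbids an empty struct */` until the struct is removed. The create functions and module records that reference these types are partly outside the hunks.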
APR_DECLARE_OPTIONAL_FN(char*, authz_owner_get_file_group, (request_rec *r));
{
authz_owner_config_rec *conf = apr_palloc(p, sizeof(*conf));
- conf->authoritative = 1; /* keep the fortress secure by default */
return conf;
}
static const command_rec authz_owner_cmds[] =
{
- AP_INIT_FLAG("AuthzOwnerAuthoritative", ap_set_flag_slot,
- (void *)APR_OFFSETOF(authz_owner_config_rec, authoritative),
- OR_AUTHCFG,
- "Set to 'Off' to allow access control to be passed along to "
- "lower modules. (default is On.)"),
{NULL}
};
#include "mod_auth.h"
typedef struct {
- int authoritative;
} authz_user_config_rec;
static void *create_authz_user_dir_config(apr_pool_t *p, char *d)
{
authz_user_config_rec *conf = apr_palloc(p, sizeof(*conf));
- conf->authoritative = 1; /* keep the fortress secure by default */
return conf;
}
static const command_rec authz_user_cmds[] =
{
- AP_INIT_FLAG("AuthzUserAuthoritative", ap_set_flag_slot,
- (void *)APR_OFFSETOF(authz_user_config_rec, authoritative),
- OR_AUTHCFG,
- "Set to 'Off' to allow access control to be passed along to "
- "lower modules if the 'require user' or 'require valid-user' "
- "statement is not met. (default: On)."),
{NULL}
};