user cache without having to require ldap authentication as well.
[PR 31898] [Jari Ahonen jah progress.com, Brad Nicholes]
+ *) mod_auth_ldap: Added the directive "Requires ldap-attribute" that
+ allows the module to only authorize a user if the attribute value
+ specified matches the value of the user object. PR 31913
+ [Ryan Morgan <rmorgan pobox.com>]
+
*) SECURITY: CAN-2004-0942 (cve.mitre.org)
Fix for memory consumption DoS in handling of MIME folded request
headers. [Joe Orton]
APACHE 2.0 STATUS: -*-text-*-
-Last modified at [$Date: 2004/11/10 16:35:21 $]
+Last modified at [$Date: 2004/11/10 18:05:46 $]
Release:
[ please place file names and revisions from HEAD here, so it is easy to
identify exactly what the proposed changes are! ]
- *) mod_authnz_ldap: Added the directive "Requires ldap-attribute" that
- allows the module to only authorize a user if the attribute value
- specified matches the value of the user object. PR 31913
- modules/aaa/mod_authnz_ldap.c: r1.7
- docs/manual/mod/mod_authnz_ldap.xml: r1.3
- +1: bnicholes, wrowe, jim
-
*) mod_ssl: Fix an possible NULL pointer dereference in some configs.
http://nagoya.apache.org/bugzilla/showattachment.cgi?attach_id=13182
PR: 31848
<?xml version="1.0"?>
<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
-<!-- $Revision: 1.6.2.12 $ -->
+<!-- $Revision: 1.6.2.13 $ -->
<!--
Copyright 2002-2004 The Apache Software Foundation
<li><a href="#requser">require user</a></li>
<li><a href="#reqgroup">require group</a></li>
<li><a href="#reqdn">require dn</a></li>
+ <li><a href="#reqattribute">require ldap-attribute</a></li>
</ul>
</li>
the DN fetched from the LDAP directory (or the username
passed by the client) occurs in the LDAP group.</li>
+ <li>Grant access if there is a <a href="#reqattribute">
+ <code>require ldap-attribute</code></a>
+ directive, and the attribute fetched from the LDAP directory
+ matches the given value.</li>
+
<li>otherwise, deny or decline access</li>
</ul>
module="mod_auth_ldap">AuthLDAPCompareDNOnServer</directive>
directive.</p>
</section>
+
+<section id="reqattribute"><title>require ldap-attribute</title>
+
+ <p>The <code>require ldap-attribute</code> directive allows the
+ administrator to grant access based on attributes of the authenticated
+ user in the LDAP directory. If the attribute in the directory
+ matches the value given in the configuration, access is granted.</p>
+
+ <p>The following directive would grant access to anyone with
+ the attribute employeeType = active</p>
+
+ <example>require ldap-attribute employeeType=active</example>
+
+ <p>Multiple attribute/value pairs can be specified on the same line
+ separated by spaces or they can be specified in multiple
+ <code>require ldap-attribute</code> directives. The effect of listing
+ multiple attribute/values pairs is an OR operation. Access will be
+ granted if any of the listed attribute values match the value of a
+ corresponding attribute in the user object. If the value of the
+ attribute contains a space, only the value must be within double quotes.</p>
+
+ <p>The following directive would grant access to anyone with
+ the city attribute equal to "San Jose" or status equal to "Active"</p>
+
+ <example>require ldap-attribute city="San Jose" status=active</example>
+</section>
+
</section>
<section id="examples"><title>Examples</title>
register int x;
const char *t;
- char *w;
+ char *w, *value;
int method_restricted = 0;
if (!sec->enabled) {
}
}
}
+ else if (strcmp(w, "ldap-attribute") == 0) {
+ while (t[0]) {
+ w = ap_getword(r->pool, &t, '=');
+ value = ap_getword_conf(r->pool, &t);
+
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
+ "[%d] auth_ldap authorise: checking attribute"
+ " %s has value %s", getpid(), w, value);
+ result = util_ldap_cache_compare(r, ldc, sec->url, req->dn,
+ w, value);
+ switch(result) {
+ case LDAP_COMPARE_TRUE: {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO,
+ 0, r, "[%d] auth_ldap authorise: "
+ "require attribute: authorisation "
+ "successful", getpid());
+ return OK;
+ }
+ default: {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO,
+ 0, r, "[%d] auth_ldap authorise: "
+ "require attribute: authorisation "
+ "failed [%s][%s]", getpid(),
+ ldc->reason, ldap_err2string(result));
+ }
+ }
+ }
+ }
}
if (!method_restricted) {
projects / thirdparty / apache / httpd.git / commitdiff
