From: Bradley Nicholes Date: Fri, 9 Dec 2005 23:03:59 +0000 (+0000) Subject: Initial conversion of mod_authnz_ldap to provider based authorization X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8b53d5d79fe43c77e13705a0ea0b507eb82f4dac;p=thirdparty%2Fapache%2Fhttpd.git Initial conversion of mod_authnz_ldap to provider based authorization git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/authz-dev@355629 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c index 586f80bf433..1061e33dd4f 100644 --- a/modules/aaa/mod_authnz_ldap.c +++ b/modules/aaa/mod_authnz_ldap.c @@ -17,6 +17,7 @@ #include "ap_provider.h" #include "httpd.h" #include "http_config.h" +#include "ap_provider.h" #include "http_core.h" #include "http_log.h" #include "http_protocol.h" @@ -448,6 +449,7 @@ start_over: return AUTH_GRANTED; } +#if 0 /* * Authorisation Phase * ------------------- @@ -820,6 +822,641 @@ static int authz_ldap_check_user_access(request_rec *r) return HTTP_UNAUTHORIZED; } +#endif + +static authz_status ldapuser_check_authorization(request_rec *r, + const char *require_args) +{ + int result = 0; + authn_ldap_request_t *req = + (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module); + authn_ldap_config_t *sec = + (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module); + + util_ldap_connection_t *ldc = NULL; + + const char *t; + char *w; + + char filtbuf[FILTER_LENGTH]; + const char *dn = NULL; + const char **vals = NULL; + + if (!sec->have_ldap_url) { + return AUTHZ_DENIED; + } + + if (sec->host) { + ldc = util_ldap_connection_find(r, sec->host, sec->port, + sec->binddn, sec->bindpw, sec->deref, + sec->secure); + apr_pool_cleanup_register(r->pool, ldc, + authnz_ldap_cleanup_connection_close, + apr_pool_cleanup_null); + } + else { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: no sec->host - weird...?", getpid()); + return AUTHZ_DENIED; + } + + /* + * If we have been authenticated by some other module than mod_authnz_ldap, + * the req structure needed for authorization needs to be created + * and populated with the userid and DN of the account in LDAP + */ + + /* Check that we have a userid to start with */ + if ((!r->user) || (strlen(r->user) == 0)) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "ldap authorize: Userid is blank, AuthType=%s", + r->ap_auth_type); + } + + if(!req) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "ldap authorize: Creating LDAP req structure"); + + /* Build the username filter */ + authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec); + + /* Search for the user DN */ + result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, + sec->scope, sec->attributes, filtbuf, &dn, &vals); + + /* Search failed, log error and return failure */ + if(result != LDAP_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "auth_ldap authorise: User DN not found, %s", ldc->reason); + return AUTHZ_DENIED; + } + + req = (authn_ldap_request_t *)apr_pcalloc(r->pool, + sizeof(authn_ldap_request_t)); + ap_set_module_config(r->request_config, &authnz_ldap_module, req); + req->dn = apr_pstrdup(r->pool, dn); + req->user = r->user; + } + + if (req->dn == NULL || strlen(req->dn) == 0) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require user: user's DN has not been defined; failing authorization", + getpid()); + return AUTHZ_DENIED; + } + + /* + * First do a whole-line compare, in case it's something like + * require user Babs Jensen + */ + result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, require_args); + switch(result) { + case LDAP_COMPARE_TRUE: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require user: authorization successful", getpid()); + return AUTHZ_GRANTED; + } + default: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: require user: " + "authorization failed [%s][%s]", getpid(), + ldc->reason, ldap_err2string(result)); + } + } + + /* + * Now break apart the line and compare each word on it + */ + t = require_args; + while ((w = ap_getword_conf(r->pool, &t)) && w[0]) { + result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, w); + switch(result) { + case LDAP_COMPARE_TRUE: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require user: authorization successful", getpid()); + return AUTHZ_GRANTED; + } + default: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require user: authorization failed [%s][%s]", + getpid(), ldc->reason, ldap_err2string(result)); + } + } + } + + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: authorization denied", getpid()); + return AUTHZ_DENIED; +} + +static authz_status ldapgroup_check_authorization(request_rec *r, + const char *require_args) +{ + int result = 0; + authn_ldap_request_t *req = + (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module); + authn_ldap_config_t *sec = + (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module); + + util_ldap_connection_t *ldc = NULL; + + const char *t; + + char filtbuf[FILTER_LENGTH]; + const char *dn = NULL; + const char **vals = NULL; + struct mod_auth_ldap_groupattr_entry_t *ent; + int i; + + if (!sec->have_ldap_url) { + return AUTHZ_DENIED; + } + + if (sec->host) { + ldc = util_ldap_connection_find(r, sec->host, sec->port, + sec->binddn, sec->bindpw, sec->deref, + sec->secure); + apr_pool_cleanup_register(r->pool, ldc, + authnz_ldap_cleanup_connection_close, + apr_pool_cleanup_null); + } + else { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: no sec->host - weird...?", getpid()); + return AUTHZ_DENIED; + } + + /* + * If there are no elements in the group attribute array, the default should be + * member and uniquemember; populate the array now. + */ + if (sec->groupattr->nelts == 0) { + struct mod_auth_ldap_groupattr_entry_t *grp; +#if APR_HAS_THREADS + apr_thread_mutex_lock(sec->lock); +#endif + grp = apr_array_push(sec->groupattr); + grp->name = "member"; + grp = apr_array_push(sec->groupattr); + grp->name = "uniquemember"; +#if APR_HAS_THREADS + apr_thread_mutex_unlock(sec->lock); +#endif + } + + /* + * If we have been authenticated by some other module than mod_auth_ldap, + * the req structure needed for authorization needs to be created + * and populated with the userid and DN of the account in LDAP + */ + + /* Check that we have a userid to start with */ + if ((!r->user) || (strlen(r->user) == 0)) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "ldap authorize: Userid is blank, AuthType=%s", + r->ap_auth_type); + } + + if(!req) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "ldap authorize: Creating LDAP req structure"); + + /* Build the username filter */ + authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec); + + /* Search for the user DN */ + result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, + sec->scope, sec->attributes, filtbuf, &dn, &vals); + + /* Search failed, log error and return failure */ + if(result != LDAP_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "auth_ldap authorise: User DN not found, %s", ldc->reason); + return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; + } + + req = (authn_ldap_request_t *)apr_pcalloc(r->pool, + sizeof(authn_ldap_request_t)); + ap_set_module_config(r->request_config, &authnz_ldap_module, req); + req->dn = apr_pstrdup(r->pool, dn); + req->user = r->user; + } + + ent = (struct mod_auth_ldap_groupattr_entry_t *) sec->groupattr->elts; + + if (sec->group_attrib_is_dn) { + if (req->dn == NULL || strlen(req->dn) == 0) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: require group: " + "user's DN has not been defined; failing authorization", + getpid()); + return AUTHZ_DENIED; + } + } + else { + if (req->user == NULL || strlen(req->user) == 0) { + /* We weren't called in the authentication phase, so we didn't have a + * chance to set the user field. Do so now. */ + req->user = r->user; + } + } + + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: require group: " + "testing for group membership in \"%s\"", + getpid(), t); + + t = require_args; + + for (i = 0; i < sec->groupattr->nelts; i++) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: require group: " + "testing for %s: %s (%s)", getpid(), + ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t); + + result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name, + sec->group_attrib_is_dn ? req->dn : req->user); + switch(result) { + case LDAP_COMPARE_TRUE: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: require group: " + "authorization successful (attribute %s) [%s][%s]", + getpid(), ent[i].name, ldc->reason, ldap_err2string(result)); + return AUTHZ_GRANTED; + } + default: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: require group \"%s\": " + "authorization failed [%s][%s]", + getpid(), t, ldc->reason, ldap_err2string(result)); + } + } + } + + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: authorization denied", getpid()); + + return AUTHZ_DENIED; +} + +static authz_status ldapdn_check_authorization(request_rec *r, + const char *require_args) +{ + int result = 0; + authn_ldap_request_t *req = + (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module); + authn_ldap_config_t *sec = + (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module); + + util_ldap_connection_t *ldc = NULL; + + const char *t; + + char filtbuf[FILTER_LENGTH]; + const char *dn = NULL; + const char **vals = NULL; + + if (!sec->have_ldap_url) { + return AUTHZ_DENIED; + } + + if (sec->host) { + ldc = util_ldap_connection_find(r, sec->host, sec->port, + sec->binddn, sec->bindpw, sec->deref, + sec->secure); + apr_pool_cleanup_register(r->pool, ldc, + authnz_ldap_cleanup_connection_close, + apr_pool_cleanup_null); + } + else { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: no sec->host - weird...?", getpid()); + return AUTHZ_DENIED; + } + + /* + * If we have been authenticated by some other module than mod_auth_ldap, + * the req structure needed for authorization needs to be created + * and populated with the userid and DN of the account in LDAP + */ + + /* Check that we have a userid to start with */ + if ((!r->user) || (strlen(r->user) == 0)) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "ldap authorize: Userid is blank, AuthType=%s", + r->ap_auth_type); + } + + if(!req) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "ldap authorize: Creating LDAP req structure"); + + /* Build the username filter */ + authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec); + + /* Search for the user DN */ + result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, + sec->scope, sec->attributes, filtbuf, &dn, &vals); + + /* Search failed, log error and return failure */ + if(result != LDAP_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "auth_ldap authorise: User DN not found, %s", ldc->reason); + return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; + } + + req = (authn_ldap_request_t *)apr_pcalloc(r->pool, + sizeof(authn_ldap_request_t)); + ap_set_module_config(r->request_config, &authnz_ldap_module, req); + req->dn = apr_pstrdup(r->pool, dn); + req->user = r->user; + } + + t = require_args; + + if (req->dn == NULL || strlen(req->dn) == 0) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require dn: user's DN has not been defined; failing authorization", + getpid()); + return AUTHZ_DENIED; + } + + result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, t, sec->compare_dn_on_server); + switch(result) { + case LDAP_COMPARE_TRUE: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require dn: authorization successful", getpid()); + return AUTHZ_GRANTED; + } + default: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require dn \"%s\": LDAP error [%s][%s]", + getpid(), t, ldc->reason, ldap_err2string(result)); + } + } + + + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorise: authorisation denied", getpid()); + + return AUTHZ_DENIED; +} + +static authz_status ldapattribute_check_authorization(request_rec *r, + const char *require_args) +{ + int result = 0; + authn_ldap_request_t *req = + (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module); + authn_ldap_config_t *sec = + (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module); + + util_ldap_connection_t *ldc = NULL; + + const char *t; + char *w, *value; + + char filtbuf[FILTER_LENGTH]; + const char *dn = NULL; + const char **vals = NULL; + + if (!sec->have_ldap_url) { + return AUTHZ_DENIED; + } + + if (sec->host) { + ldc = util_ldap_connection_find(r, sec->host, sec->port, + sec->binddn, sec->bindpw, sec->deref, + sec->secure); + apr_pool_cleanup_register(r->pool, ldc, + authnz_ldap_cleanup_connection_close, + apr_pool_cleanup_null); + } + else { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: no sec->host - weird...?", getpid()); + return AUTHZ_DENIED; + } + + /* + * If we have been authenticated by some other module than mod_auth_ldap, + * the req structure needed for authorization needs to be created + * and populated with the userid and DN of the account in LDAP + */ + + /* Check that we have a userid to start with */ + if ((!r->user) || (strlen(r->user) == 0)) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "ldap authorize: Userid is blank, AuthType=%s", + r->ap_auth_type); + } + + if(!req) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "ldap authorize: Creating LDAP req structure"); + + /* Build the username filter */ + authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec); + + /* Search for the user DN */ + result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, + sec->scope, sec->attributes, filtbuf, &dn, &vals); + + /* Search failed, log error and return failure */ + if(result != LDAP_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "auth_ldap authorise: User DN not found, %s", ldc->reason); + return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; + } + + req = (authn_ldap_request_t *)apr_pcalloc(r->pool, + sizeof(authn_ldap_request_t)); + ap_set_module_config(r->request_config, &authnz_ldap_module, req); + req->dn = apr_pstrdup(r->pool, dn); + req->user = r->user; + } + + if (req->dn == NULL || strlen(req->dn) == 0) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require ldap-attribute: user's DN has not been defined; failing authorization", + getpid()); + return AUTHZ_DENIED; + } + + t = require_args; + while (t[0]) { + w = ap_getword(r->pool, &t, '='); + value = ap_getword_conf(r->pool, &t); + + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: checking attribute" + " %s has value %s", getpid(), w, value); + result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, w, value); + switch(result) { + case LDAP_COMPARE_TRUE: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, + 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require attribute: authorization successful", + getpid()); + return AUTHZ_GRANTED; + } + default: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, + 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require attribute: authorization failed [%s][%s]", + getpid(), ldc->reason, ldap_err2string(result)); + } + } + } + + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorise: authorisation denied", getpid()); + + return AUTHZ_DENIED; +} + +static authz_status ldapfilter_check_authorization(request_rec *r, + const char *require_args) +{ + int result = 0; + authn_ldap_request_t *req = + (authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module); + authn_ldap_config_t *sec = + (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module); + + util_ldap_connection_t *ldc = NULL; + const char *t; + + char filtbuf[FILTER_LENGTH]; + const char *dn = NULL; + const char **vals = NULL; + + if (!sec->have_ldap_url) { + return AUTHZ_DENIED; + } + + if (sec->host) { + ldc = util_ldap_connection_find(r, sec->host, sec->port, + sec->binddn, sec->bindpw, sec->deref, + sec->secure); + apr_pool_cleanup_register(r->pool, ldc, + authnz_ldap_cleanup_connection_close, + apr_pool_cleanup_null); + } + else { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: no sec->host - weird...?", getpid()); + return AUTHZ_DENIED; + } + + /* + * If we have been authenticated by some other module than mod_auth_ldap, + * the req structure needed for authorization needs to be created + * and populated with the userid and DN of the account in LDAP + */ + + /* Check that we have a userid to start with */ + if ((!r->user) || (strlen(r->user) == 0)) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "ldap authorize: Userid is blank, AuthType=%s", + r->ap_auth_type); + } + + if(!req) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "ldap authorize: Creating LDAP req structure"); + + /* Build the username filter */ + authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec); + + /* Search for the user DN */ + result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, + sec->scope, sec->attributes, filtbuf, &dn, &vals); + + /* Search failed, log error and return failure */ + if(result != LDAP_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "auth_ldap authorise: User DN not found, %s", ldc->reason); + return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; + } + + req = (authn_ldap_request_t *)apr_pcalloc(r->pool, + sizeof(authn_ldap_request_t)); + ap_set_module_config(r->request_config, &authnz_ldap_module, req); + req->dn = apr_pstrdup(r->pool, dn); + req->user = r->user; + } + + if (req->dn == NULL || strlen(req->dn) == 0) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require ldap-filter: user's DN has not been defined; failing authorization", + getpid()); + return AUTHZ_DENIED; + } + + t = require_args; + + if (t[0]) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: checking filter %s", + getpid(), t); + + /* Build the username filter */ + authn_ldap_build_filter(filtbuf, r, req->user, t, sec); + + /* Search for the user DN */ + result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, + sec->scope, sec->attributes, filtbuf, &dn, &vals); + + /* Make sure that the filtered search returned the correct user dn */ + if (result == LDAP_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorize: checking dn match %s", + getpid(), dn); + result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, dn, + sec->compare_dn_on_server); + } + + switch(result) { + case LDAP_COMPARE_TRUE: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, + 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require ldap-filter: authorization " + "successful", getpid()); + return AUTHZ_GRANTED; + } + case LDAP_FILTER_ERROR: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, + 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require ldap-filter: %s authorization " + "failed [%s][%s]", getpid(), + filtbuf, ldc->reason, ldap_err2string(result)); + break; + } + default: { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, + 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorize: " + "require ldap-filter: authorization " + "failed [%s][%s]", getpid(), + ldc->reason, ldap_err2string(result)); + } + } + } + + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authorise: authorization denied", getpid()); + + return AUTHZ_DENIED; +} /* @@ -1160,6 +1797,30 @@ static const authn_provider authn_ldap_provider = &authn_ldap_check_password, }; +static const authz_provider authz_ldapuser_provider = +{ + &ldapuser_check_authorization, +}; +static const authz_provider authz_ldapgroup_provider = +{ + &ldapgroup_check_authorization, +}; + +static const authz_provider authz_ldapdn_provider = +{ + &ldapdn_check_authorization, +}; + +static const authz_provider authz_ldapattribute_provider = +{ + &ldapattribute_check_authorization, +}; + +static const authz_provider authz_ldapfilter_provider = +{ + &ldapfilter_check_authorization, +}; + static void ImportULDAPOptFn(void) { util_ldap_connection_close = APR_RETRIEVE_OPTIONAL_FN(uldap_connection_close); @@ -1173,12 +1834,23 @@ static void ImportULDAPOptFn(void) static void register_hooks(apr_pool_t *p) { - static const char * const aszPost[]={ "mod_authz_user.c", NULL }; - + /* Register authn provider */ ap_register_provider(p, AUTHN_PROVIDER_GROUP, "ldap", "0", &authn_ldap_provider); + + /* Register authz providers */ + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-user", "0", + &authz_ldapuser_provider); + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-group", "0", + &authz_ldapgroup_provider); + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-dn", "0", + &authz_ldapdn_provider); + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-attribute", "0", + &authz_ldapattribute_provider); + ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "ldap-filter", "0", + &authz_ldapfilter_provider); + ap_hook_post_config(authnz_ldap_post_config,NULL,NULL,APR_HOOK_MIDDLE); - ap_hook_auth_checker(authz_ldap_check_user_access, NULL, aszPost, APR_HOOK_MIDDLE); ap_hook_optional_fn_retrieve(ImportULDAPOptFn,NULL,NULL,APR_HOOK_MIDDLE); }