From: Bradley Nicholes <bnicholes@apache.org>
Date: Wed, 10 Nov 2004 18:05:47 +0000 (+0000)
Subject: Added the directive "Requires ldap-attribute" that allows the module to only authoriz... 
X-Git-Tag: 2.0.53~175
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cdf5a5836231619a888b2ede8a72138a062ba3c3;p=thirdparty%2Fapache%2Fhttpd.git

Added the directive "Requires ldap-attribute" that allows the module to only authorize a user if the attribute value specified matches the value of the user object. PR 31913

Submitted by: Ryan Morgan <rmorgan pobox.com>
Reviewd by: bnicholes, wrowe, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@105745 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index 08c83fd3132..80b1777455e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,11 @@ Changes with Apache 2.0.53
      user cache without having to require ldap authentication as well.  
      [PR 31898] [Jari Ahonen jah progress.com, Brad Nicholes]
 
+  *) mod_auth_ldap: Added the directive "Requires ldap-attribute" that
+     allows the module to only authorize a user if the attribute value
+     specified matches the value of the user object. PR 31913
+     [Ryan Morgan <rmorgan pobox.com>]
+
   *) SECURITY: CAN-2004-0942 (cve.mitre.org)
      Fix for memory consumption DoS in handling of MIME folded request
      headers.  [Joe Orton]
diff --git a/STATUS b/STATUS
index c48712573c3..378dc3b811f 100644
--- a/STATUS
+++ b/STATUS
@@ -1,5 +1,5 @@
 APACHE 2.0 STATUS:                                              -*-text-*-
-Last modified at [$Date: 2004/11/10 16:35:21 $]
+Last modified at [$Date: 2004/11/10 18:05:46 $]
 
 Release:
 
@@ -75,13 +75,6 @@ PATCHES TO BACKPORT FROM 2.1
   [ please place file names and revisions from HEAD here, so it is easy to
     identify exactly what the proposed changes are! ]
 
-    *) mod_authnz_ldap: Added the directive "Requires ldap-attribute" that
-       allows the module to only authorize a user if the attribute value
-       specified matches the value of the user object. PR 31913
-         modules/aaa/mod_authnz_ldap.c: r1.7
-	 docs/manual/mod/mod_authnz_ldap.xml: r1.3
-       +1: bnicholes, wrowe, jim
-
     *) mod_ssl: Fix an possible NULL pointer dereference in some configs.
        http://nagoya.apache.org/bugzilla/showattachment.cgi?attach_id=13182
        PR: 31848
diff --git a/docs/manual/mod/mod_auth_ldap.xml b/docs/manual/mod/mod_auth_ldap.xml
index 454a0828ac0..45ca5ee5da2 100644
--- a/docs/manual/mod/mod_auth_ldap.xml
+++ b/docs/manual/mod/mod_auth_ldap.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0"?>
 <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
 <?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
-<!-- $Revision: 1.6.2.12 $ -->
+<!-- $Revision: 1.6.2.13 $ -->
 
 <!--
  Copyright 2002-2004 The Apache Software Foundation
@@ -80,6 +80,7 @@ for HTTP Basic authentication.</description>
           <li><a href="#requser">require user</a></li>
           <li><a href="#reqgroup">require group</a></li>
           <li><a href="#reqdn">require dn</a></li>
+          <li><a href="#reqattribute">require ldap-attribute</a></li>
         </ul>
       </li>
 
@@ -198,6 +199,11 @@ for HTTP Basic authentication.</description>
       the DN fetched from the LDAP directory (or the username
       passed by the client) occurs in the LDAP group.</li>
 
+      <li>Grant access if there is a <a href="#reqattribute">
+      <code>require ldap-attribute</code></a> 
+      directive, and the attribute fetched from the LDAP directory
+      matches the given value.</li> 
+
       <li>otherwise, deny or decline access</li>
     </ul>
 
@@ -336,6 +342,33 @@ uniqueMember: cn=Fred User, o=Airius<br />
     module="mod_auth_ldap">AuthLDAPCompareDNOnServer</directive>
     directive.</p>
 </section>
+
+<section id="reqattribute"><title>require ldap-attribute</title>
+
+    <p>The <code>require ldap-attribute</code> directive allows the
+    administrator to grant access based on attributes of the authenticated
+    user in the LDAP directory.  If the attribute in the directory
+    matches the value given in the configuration, access is granted.</p>
+    
+    <p>The following directive would grant access to anyone with
+    the attribute employeeType = active</p>
+
+    <example>require ldap-attribute employeeType=active</example>
+
+    <p>Multiple attribute/value pairs can be specified on the same line
+    separated by spaces or they can be specified in multiple 
+    <code>require ldap-attribute</code> directives. The effect of listing 
+    multiple attribute/values pairs is an OR operation. Access will be 
+    granted if any of the listed attribute values match the value of a 
+    corresponding attribute in the user object. If the value of the 
+    attribute contains a space, only the value must be within double quotes.</p>
+
+    <p>The following directive would grant access to anyone with
+    the city attribute equal to "San Jose" or status equal to "Active"</p>
+
+    <example>require ldap-attribute city="San Jose" status=active</example>
+</section>
+
 </section>
 
 <section id="examples"><title>Examples</title>
diff --git a/modules/experimental/mod_auth_ldap.c b/modules/experimental/mod_auth_ldap.c
index ee9ad718714..93b014071c1 100644
--- a/modules/experimental/mod_auth_ldap.c
+++ b/modules/experimental/mod_auth_ldap.c
@@ -420,7 +420,7 @@ int mod_auth_ldap_auth_checker(request_rec *r)
 
     register int x;
     const char *t;
-    char *w;
+    char *w, *value;
     int method_restricted = 0;
 
     if (!sec->enabled) {
@@ -627,6 +627,34 @@ int mod_auth_ldap_auth_checker(request_rec *r)
                 }
             }
         }
+        else if (strcmp(w, "ldap-attribute") == 0) {
+            while (t[0]) {
+                w = ap_getword(r->pool, &t, '=');
+                value = ap_getword_conf(r->pool, &t);
+
+                ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
+                              "[%d] auth_ldap authorise: checking attribute"
+                              " %s has value %s", getpid(), w, value);
+                result = util_ldap_cache_compare(r, ldc, sec->url, req->dn,
+                                                 w, value);
+                switch(result) {
+                    case LDAP_COMPARE_TRUE: {
+                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 
+                                      0, r, "[%d] auth_ldap authorise: "
+                                      "require attribute: authorisation "
+                                      "successful", getpid());
+                        return OK;
+                    }
+                    default: {
+                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 
+                                      0, r, "[%d] auth_ldap authorise: "
+                                      "require attribute: authorisation "
+                                      "failed [%s][%s]", getpid(), 
+                                      ldc->reason, ldap_err2string(result));
+                    }
+                }
+            }
+        }
     }
 
     if (!method_restricted) {