From ff15591ddd0d51a6363da8ce8325bcdaf9a6af35 Mon Sep 17 00:00:00 2001 From: Eric Covener Date: Thu, 25 Feb 2010 02:25:35 +0000 Subject: [PATCH] backport r881808 from trunk: Add AuthLDAPBindAuthoritative to allow other authentication providers a chance to run when mod_authnz_ldap finds a user but can't verify their password. Submitted By: Justin Erenkrantz, Joe Schaefer, Tony Stevenson Reviewed By: covener, pgollucci, rpluem git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@916091 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 4 ++++ STATUS | 15 --------------- docs/manual/mod/mod_authnz_ldap.xml | 27 +++++++++++++++++++++++++++ modules/aaa/mod_authnz_ldap.c | 14 ++++++++++++++ 4 files changed, 45 insertions(+), 15 deletions(-)
diff --git a/CHANGES b/CHANGES
index 10b118b792c..fef32ad78c6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,10 @@ Changes with Apache 2.2.15 access control is still vulnerable, unless using OpenSSL >= 0.9.8l. [Joe Orton, Ruediger Pluem, Hartmut Keil ]
+ *) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to
+ try other providers in the case of an LDAP bind failure.
+ PR 46608 [Justin Erenkrantz, Joe Schaefer, Tony Stevenson]
+ *) mod_proxy, mod_proxy_http: Support remote https proxies by using HTTP CONNECT. PR 19188. [Philippe Dutrueux , Rainer Jung]
diff --git a/STATUS b/STATUS
index f8fee9fe86f..3903d0ab396 100644
--- a/STATUS
+++ b/STATUS
@@ -87,21 +87,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow other authentication
- providers a chance to run when mod_authnz_ldap finds a user but can't
- verify their password. PR46608.
- Trunk patch: http://svn.apache.org/viewvc?rev=881808&view=rev
- doc: http://svn.apache.org/viewvc?view=revision&revision=881812
- 2.2.x patch: http://people.apache.org/~covener/patches/2.2.x-ldap_bind_authoritative.diff
- 2.2.x doc : http://people.apache.org/~covener/patches/2.2.x-ldap_bind_authoritative-doc.diff
- (resolves loglevel conflict introduced after the trunk commit)
- +1: covener, pgollucci
- rpluem says: I am +1 once you provide proper documentation for the manual
- covener says: doc revision added above
- minfrin says: The trunk patches no longer apply clean, is it possible to
- create a v2.2. patch?
- covener: resolved conflict
- * mod_include: Allow fine control over the removal of Last-Modified and ETag headers within the INCLUDES filter, making it possible to cache responses if desired. Fix the default value of the SSIAccessEnable directive.
diff --git a/docs/manual/mod/mod_authnz_ldap.xml b/docs/manual/mod/mod_authnz_ldap.xml
index 75642b0d7de..510ecdfb021 100644
--- a/docs/manual/mod/mod_authnz_ldap.xml
+++ b/docs/manual/mod/mod_authnz_ldap.xml
@@ -674,6 +674,33 @@ authenticating the user if this one fails + +AuthLDAPBindAuthoritative +Determines if other authentication providers are used when a user can be mapped to a DN but the server cannot successfully bind with the users credentials. +AuthLDAPBindAuthoritativeoff|on +AuthLDAPBindAuhtoritative on +directory.htaccess + +AuthConfig +Available in versions later than 2.2.14 + +

By default, subsequent authentication providers are only queried if a + user cannot be mapped to a DN, but not if the user can be mapped to a DN and their + password cannot be verified with an LDAP bind. + If AuthLDAPBindAuthoritative + is set to off, other configured authentication modules will have + a chance to validate the user if the LDAP bind (with the current users credentials) + fails for any reason.

+

This allows users present in both LDAP and + AuthUserFile to authenticate + when the LDAP server is available but the users account is locked or password + is otherwise unusable.

+
+AuthUserFile +AuthBasicProvider +
+ AuthLDAPBindDN Optional DN to use in binding to the LDAP server
diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index 03925b7e8b4..bb08d20f406 100644
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -63,6 +63,7 @@ typedef struct { deref_options deref; /* how to handle alias dereferening */ char *binddn; /* DN to bind to server (can be NULL) */ char *bindpw; /* Password to bind to server (can be NULL) */
+ int bind_authoritative; /* If true, will return errors when bind fails */ int user_is_dn; /* If true, connection->user is DN instead of userid */ char *remote_user_attribute; /* If set, connection->user is this attribute instead of userid */
@@ -294,6 +295,7 @@ static void *create_authnz_ldap_dir_config(apr_pool_t *p, char *d) sec->host = NULL; sec->binddn = NULL; sec->bindpw = NULL;
+ sec->bind_authoritative = 1; sec->deref = always; sec->group_attrib_is_dn = 1; sec->auth_authoritative = 1;
@@ -409,6 +411,14 @@ start_over: /* handle bind failure */ if (result != LDAP_SUCCESS) {
+ if (!sec->bind_authoritative) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authenticate: "
+ "user %s authentication failed; URI %s [%s][%s] (not authoritative)",
+ getpid(), user, r->uri, ldc->reason, ldap_err2string(result));
+ return AUTH_USER_NOT_FOUND;
+ }
+ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authenticate: " "user %s authentication failed; URI %s [%s][%s]",
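Review bot: The new non-authoritative branch logs the rejected bind at APLOG_DEBUG while the authoritative path just below it stays at APLOG_INFO, so a user who maps to a DN but presents a wrong password drops out of an info-level log exactly when a fallback provider is configured, which is when those failures are most useful for spotting repeated password guessing against directory accounts; I would keep `ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,` in the new call as well. The branch also returns AUTH_USER_NOT_FOUND for every non-LDAP_SUCCESS result, server-side errors included and not only rejected credentials; that matches the manual's "fails for any reason" wording but deserves a comment on the `if`, e.g. `/* any bind failure, bad password or server error, defers to the next provider */`. The enclosing authenticate function starts and ends outside the hunk, so the return value chosen by the authoritative path after its log call is not visible here. Separately, the manual hunk's default line reads `AuthLDAPBindAuhtoritative on`, a transposition in the directive name.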
@@ -1065,6 +1075,10 @@ static const command_rec authnz_ldap_cmds[] = (void *)APR_OFFSETOF(authn_ldap_config_t, bindpw), OR_AUTHCFG, "Password to use to bind to LDAP server. If not provided, will do an anonymous bind."),
+ AP_INIT_FLAG("AuthLDAPBindAuthoritative", ap_set_flag_slot,
+ (void *)APR_OFFSETOF(authn_ldap_config_t, bind_authoritative), OR_AUTHCFG,
+ "Set to 'on' to return failures when user-specific bind fails - defaults to on."),
+ AP_INIT_FLAG("AuthLDAPRemoteUserIsDN", ap_set_flag_slot, (void *)APR_OFFSETOF(authn_ldap_config_t, user_is_dn), OR_AUTHCFG, "Set to 'on' to set the REMOTE_USER environment variable to be the full "
-- 2.47.2