From: Eric Covener Date: Wed, 18 Nov 2009 15:49:48 +0000 (+0000) Subject: Add AuthLDAPBindAuthoritative to allow other authentication providers a chance X-Git-Tag: 2.3.4~37 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d5861f048a3d10d2e740f15976dab5161dcb889b;p=thirdparty%2Fapache%2Fhttpd.git Add AuthLDAPBindAuthoritative to allow other authentication providers a chance to run when mod_authnz_ldap finds a user but can't verify their password. Submitted By: Justin Erenkrantz, Joe Schaefer, Tony Stevenson git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@881808 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 91b0c89425d..a2fecb967da 100644 --- a/CHANGES +++ b/CHANGES @@ -10,6 +10,10 @@ Changes with Apache 2.3.3 mod_proxy_ftp: NULL pointer dereference on error paths. [Stefan Fritsch , Joe Orton] + *) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to + try other providers in the case of an LDAP bind failure. + PR 46608 [Justin Erenkrantz, Joe Schaefer, Tony Stevenson] + *) Build: fix --with-module to work as documented PR 43881 [Gez Saunders ] diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c index 8097b3c2bef..15aec4de73e 100644 --- a/modules/aaa/mod_authnz_ldap.c +++ b/modules/aaa/mod_authnz_ldap.c @@ -63,6 +63,7 @@ typedef struct { deref_options deref; /* how to handle alias dereferening */ char *binddn; /* DN to bind to server (can be NULL) */ char *bindpw; /* Password to bind to server (can be NULL) */ + int bind_authoritative; /* If true, will return errors when bind fails */ int user_is_dn; /* If true, connection->user is DN instead of userid */ char *remote_user_attribute; /* If set, connection->user is this attribute instead of userid */ @@ -296,6 +297,7 @@ static void *create_authnz_ldap_dir_config(apr_pool_t *p, char *d) sec->host = NULL; sec->binddn = NULL; sec->bindpw = NULL; + sec->bind_authoritative = 1; sec->deref = always; sec->group_attrib_is_dn = 1; sec->secure = -1; /*Initialize to unset*/ @@ -407,6 +409,14 @@ start_over: /* handle bind failure */ if (result != LDAP_SUCCESS) { + if (!sec->bind_authoritative) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "[%" APR_PID_T_FMT "] auth_ldap authenticate: " + "user %s authentication failed; URI %s [%s][%s] (not authoritative)", + getpid(), user, r->uri, ldc->reason, ldap_err2string(result)); + return AUTH_USER_NOT_FOUND; + } + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authenticate: " "user %s authentication failed; URI %s [%s][%s]", @@ -1425,6 +1435,10 @@ static const command_rec authnz_ldap_cmds[] = (void *)APR_OFFSETOF(authn_ldap_config_t, bindpw), OR_AUTHCFG, "Password to use to bind to LDAP server. If not provided, will do an anonymous bind."), + AP_INIT_FLAG("AuthLDAPBindAuthoritative", ap_set_flag_slot, + (void *)APR_OFFSETOF(authn_ldap_config_t, bind_authoritative), OR_AUTHCFG, + "Set to 'on' to return failures when user-specific bind fails - defaults to on."), + AP_INIT_FLAG("AuthLDAPRemoteUserIsDN", ap_set_flag_slot, (void *)APR_OFFSETOF(authn_ldap_config_t, user_is_dn), OR_AUTHCFG, "Set to 'on' to set the REMOTE_USER environment variable to be the full "