www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2026-01-06 09:01:14 +03:00
Code Activity

mod_authnz_ldap: Search or Comparison during authorization phase

Browse Source 
can use the credentials from the authentication phase
(AuthLDAPSearchAsUSer,AuthLDAPCompareAsUser).
PR 48340 

Submitted by: Domenico Rotiroti, Eric Covener
Reviewed by: Eric Covener



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@950248 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Eric Covener
2010-06-01 21:19:06 +00:00
parent 481638ba5a
commit a8720fa901
4 changed files with 208 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGES
View File

@@ -28,6 +28,11 @@ Changes with Apache 2.3.7
processing is completed, avoiding orphaned callback pointers.
[Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]
*) mod_authnz_ldap: Search or Comparison during authorization phase
can use the credentials from the authentication phase
(AuthLDAPSearchAsUSer,AuthLDAPCompareAsUser).
PR 48340 [Domenico Rotiroti, Eric Covener]
*) mod_authnz_ldap: Allow the initial DN search during authentication
to use the HTTP username/pass instead of an anonymous or hard-coded
LDAP id (AuthLDAPInitialBindAsUser, AuthLDAPInitialBindPattern).

72
docs/manual/mod/mod_authnz_ldap.html.en
View File

@@ -64,6 +64,7 @@ for HTTP Basic authentication.</td></tr>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapbinddn">AuthLDAPBindDN</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapbindpassword">AuthLDAPBindPassword</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapcharsetconfig">AuthLDAPCharsetConfig</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapcompareasuser">AuthLDAPCompareAsUser</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapcomparednonserver">AuthLDAPCompareDNOnServer</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapdereferencealiases">AuthLDAPDereferenceAliases</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapgroupattribute">AuthLDAPGroupAttribute</a></li>
@@ -73,6 +74,7 @@ for HTTP Basic authentication.</td></tr>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapmaxsubgroupdepth">AuthLDAPMaxSubGroupDepth</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapremoteuserattribute">AuthLDAPRemoteUserAttribute</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapremoteuserisdn">AuthLDAPRemoteUserIsDN</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapsearchasuser">AuthLDAPSearchAsUser</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapsubgroupattribute">AuthLDAPSubGroupAttribute</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapsubgroupclass">AuthLDAPSubGroupClass</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapurl">AuthLDAPUrl</a></li>
@@ -870,6 +872,40 @@ authorization</td></tr>
<p>The case of the extension does not matter. Blank lines, and lines
beginning with a hash character (<code>#</code>) are ignored.</p>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="AuthLDAPCompareAsUser" id="AuthLDAPCompareAsUser">AuthLDAPCompareAsUser</a> <a name="authldapcompareasuser" id="authldapcompareasuser">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Use the authenticated users credentials to perform authorization comparisons</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthLDAPCompareAsUser on|off</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthLDAPCompareAsUser off</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_ldap</td></tr>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in version 2.3.7 and later</td></tr>
</table>
<p>When set, and <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> has authenticated the
user, comparisons for authorization use the credentials provided via
HTTP basic authentication instead of the servers own credentials.</p>
<p> The <em>ldap-attribute</em>, <em>ldap-user</em>, and <em>ldap-group</em> (single-level only)
authorization checks use comparisons.</p>
<p>This directive only has effect on the comparisons performed during
nested group processing when <code class="directive"><a href="#&#10; authldapsearchasuser">
AuthLDAPSearchAsUser</a></code> is also enabled.</p>
<p> This directive should only be used when your LDAP server doesn't
accept anonymous comparisons and you cannot use a dedicated
<code class="directive"><a href="#authldapbinddn">AuthLDAPBindDN</a></code>.
</p>
<h3>See also</h3>
<ul>
<li><code class="directive"><a href="#authldapinitialbindasuser">AuthLDAPInitialBindAsUser</a></code></li>
<li><code class="directive"><a href="#authldapsearchasuser">AuthLDAPSearchAsUser</a></code></li>
</ul>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="AuthLDAPCompareDNOnServer" id="AuthLDAPCompareDNOnServer">AuthLDAPCompareDNOnServer</a> <a name="authldapcomparednonserver" id="authldapcomparednonserver">Directive</a></h2>
@@ -990,6 +1026,8 @@ own username, instead of anonymously or with hard-coded credentials for the serv
<ul>
<li><code class="directive"><a href="../mod/mod_authnnz_ldap.html#authldapinitialbindpattern">AuthLDAPInitialBindPattern</a></code></li>
<li><code class="directive"><a href="../mod/mod_authnnz_ldap.html#authldapbinddn">AuthLDAPBindDN</a></code></li>
<li><code class="directive"><a href="#authldapcompareasuser">AuthLDAPCompareAsUser</a></code></li>
<li><code class="directive"><a href="#authldapsearchasuser">AuthLDAPSearchAsUser</a></code></li>
</ul>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
@@ -1099,6 +1137,40 @@ environment variable</td></tr>
the username that was passed by the client. It is turned off by
default.</p>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="AuthLDAPSearchAsUser" id="AuthLDAPSearchAsUser">AuthLDAPSearchAsUser</a> <a name="authldapsearchasuser" id="authldapsearchasuser">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Use the authenticated users credentials to perform authorization searches</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthLDAPSearchAsUser on|off</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthLDAPSearchAsUser off</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_ldap</td></tr>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in version 2.3.7 and later</td></tr>
</table>
<p>When set, and <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> has authenticated the
user, searches for authorization use the credentials provided via
HTTP basic authentication instead of the servers own credentials.</p>
<p> The <em>ldap-filter</em> and <em>ldap-dn</em> authorization
checks use searches.</p>
<p>This directive only has effect on the comparisons performed during
nested group processing when <code class="directive"><a href="#&#10; authldapcompareasuser">
AuthLDAPCompareAsUser</a></code> is also enabled.</p>
<p> This directive should only be used when your LDAP server doesn't
accept anonymous searches and you cannot use a dedicated
<code class="directive"><a href="#authldapbinddn">AuthLDAPBindDN</a></code>.
</p>
<h3>See also</h3>
<ul>
<li><code class="directive"><a href="#authldapinitialbindasuser">AuthLDAPInitialBindAsUser</a></code></li>
<li><code class="directive"><a href="#authldapcompareasuser">AuthLDAPCompareAsUser</a></code></li>
</ul>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="AuthLDAPSubGroupAttribute" id="AuthLDAPSubGroupAttribute">AuthLDAPSubGroupAttribute</a> <a name="authldapsubgroupattribute" id="authldapsubgroupattribute">Directive</a></h2>

66
docs/manual/mod/mod_authnz_ldap.xml
View File

@@ -837,6 +837,8 @@ own username, instead of anonymously or with hard-coded credentials for the serv
</usage>
<seealso><directive module="mod_authnnz_ldap">AuthLDAPInitialBindPattern</directive></seealso>
<seealso><directive module="mod_authnnz_ldap">AuthLDAPBindDN</directive></seealso>
<seealso><directive module="mod_authnz_ldap">AuthLDAPCompareAsUser</directive></seealso>
<seealso><directive module="mod_authnz_ldap">AuthLDAPSearchAsUser</directive></seealso>
</directivesynopsis>
<directivesynopsis>
@@ -938,6 +940,38 @@ to perform a DN lookup</description>
</usage>
</directivesynopsis>
<directivesynopsis>
<name>AuthLDAPCompareAsUser</name>
<description>Use the authenticated users credentials to perform authorization comparisons</description>
<syntax>AuthLDAPCompareAsUser on|off</syntax>
<default>AuthLDAPCompareAsUser off</default>
<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<compatibility>Available in version 2.3.7 and later</compatibility>
<override>AuthConfig</override>
<usage>
<p>When set, and <module>mod_authnz_ldap</module> has authenticated the
user, LDAP comparisons for authorization use the queried distinguished name (DN)
and HTTP basic authentication password of the authenticated user instead of
the servers configured credentials.</p>
<p> The <em>ldap-attribute</em>, <em>ldap-user</em>, and <em>ldap-group</em> (single-level only)
authorization checks use comparisons.</p>
<p>This directive only has effect on the comparisons performed during
nested group processing when <directive module="mod_authnz_ldap">
AuthLDAPSearchAsUser</directive> is also enabled.</p>
<p> This directive should only be used when your LDAP server doesn't
accept anonymous comparisons and you cannot use a dedicated
<directive module="mod_authnz_ldap">AuthLDAPBindDN</directive>.
</p>
</usage>
<seealso><directive module="mod_authnz_ldap">AuthLDAPInitialBindAsUser</directive></seealso>
<seealso><directive module="mod_authnz_ldap">AuthLDAPSearchAsUser</directive></seealso>
</directivesynopsis>
<directivesynopsis>
<name>AuthLDAPCompareDNOnServer</name>
<description>Use the LDAP server to compare the DNs</description>
@@ -1085,6 +1119,38 @@ environment variable</description>
</usage>
</directivesynopsis>
<directivesynopsis>
<name>AuthLDAPSearchAsUser</name>
<description>Use the authenticated users credentials to perform authorization searches</description>
<syntax>AuthLDAPSearchAsUser on|off</syntax>
<default>AuthLDAPSearchAsUser off</default>
<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<compatibility>Available in version 2.3.7 and later</compatibility>
<override>AuthConfig</override>
<usage>
<p>When set, and <module>mod_authnz_ldap</module> has authenticated the
user, LDAP searches for authorization use the queried distinguished name (DN)
and HTTP basic authentication password of the authenticated user instead of
the servers configured credentials.</p>
<p> The <em>ldap-filter</em> and <em>ldap-dn</em> authorization
checks use searches.</p>
<p>This directive only has effect on the comparisons performed during
nested group processing when <directive module="mod_authnz_ldap">
AuthLDAPCompareAsUser</directive> is also enabled.</p>
<p> This directive should only be used when your LDAP server doesn't
accept anonymous searches and you cannot use a dedicated
<directive module="mod_authnz_ldap">AuthLDAPBindDN</directive>.
</p>
</usage>
<seealso><directive module="mod_authnz_ldap">AuthLDAPInitialBindAsUser</directive></seealso>
<seealso><directive module="mod_authnz_ldap">AuthLDAPCompareAsUser</directive></seealso>
</directivesynopsis>
<directivesynopsis>
<name>AuthLDAPSubGroupAttribute</name>
<description>Specifies the attribute labels, one value per

83
modules/aaa/mod_authnz_ldap.c
View File

@@ -83,18 +83,25 @@ typedef struct {
int initial_bind_as_user; /* true if we should try to bind (to lookup DN) directly with the basic auth username */
ap_regex_t *bind_regex; /* basic auth -> bind'able username regex */
const char *bind_subst; /* basic auth -> bind'able username substitution */
int search_as_user; /* true if authz searches should be done with the users credentials (when we did authn) */
int compare_as_user; /* true if authz compares should be done with the users credentials (when we did authn) */
} authn_ldap_config_t;
typedef struct {
char *dn; /* The saved dn from a successful search */
char *user; /* The username provided by the client */
const char **vals; /* The additional values pulled during the DN search*/
char *password; /* if this module successfully authenticates, the basic auth password, else null */
} authn_ldap_request_t;
enum auth_ldap_phase{
enum auth_ldap_phase {
LDAP_AUTHN, LDAP_AUTHZ
};
enum auth_ldap_optype {
LDAP_SEARCH, LDAP_COMPARE, LDAP_COMPARE_AND_SEARCH /* nested groups */
};
/* maximum group elements supported */
#define GROUPATTR_MAX_ELTS 10
@@ -412,6 +419,32 @@ static const char *ldap_determine_binddn(request_rec *r, const char *user) {
return result;
}
/* Some LDAP servers restrict who can search or compare, and the hard-coded ID
* might be good for the DN lookup but not for later operations.
*/
static util_ldap_connection_t *get_connection_for_authz(request_rec *r, enum auth_ldap_optype type) {
authn_ldap_request_t *req =
(authn_ldap_request_t *)ap_get_module_config(r->request_config, &authnz_ldap_module);
authn_ldap_config_t *sec =
(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
char *binddn = sec->binddn;
char *bindpw = sec->bindpw;
/* If the per-request config isn't set, we didn't authenticate this user, and leave the default credentials */
if (req && req->password &&
((type == LDAP_SEARCH && sec->search_as_user) ||
(type == LDAP_COMPARE && sec->compare_as_user) ||
(type == LDAP_COMPARE_AND_SEARCH && sec->compare_as_user && sec->search_as_user))){
binddn = req->dn;
bindpw = req->password;
}
return util_ldap_connection_find(r, sec->host, sec->port,
binddn, bindpw,
sec->deref, sec->secure);
}
/*
* Authentication Phase
* --------------------
@@ -545,6 +578,7 @@ start_over:
/* mark the user and DN */
req->dn = apr_pstrdup(r->pool, dn);
req->user = apr_pstrdup(r->pool, user);
req->password = apr_pstrdup(r->pool, password);
if (sec->user_is_dn) {
r->user = req->dn;
}
@@ -591,9 +625,7 @@ static authz_status ldapuser_check_authorization(request_rec *r,
}
if (sec->host) {
ldc = util_ldap_connection_find(r, sec->host, sec->port,
sec->binddn, sec->bindpw, sec->deref,
sec->secure);
ldc = get_connection_for_authz(r, LDAP_COMPARE);
apr_pool_cleanup_register(r->pool, ldc,
authnz_ldap_cleanup_connection_close,
apr_pool_cleanup_null);
@@ -732,9 +764,7 @@ static authz_status ldapgroup_check_authorization(request_rec *r,
}
if (sec->host) {
ldc = util_ldap_connection_find(r, sec->host, sec->port,
sec->binddn, sec->bindpw, sec->deref,
sec->secure);
ldc = get_connection_for_authz(r, LDAP_COMPARE); /* for the top-level group only */
apr_pool_cleanup_register(r->pool, ldc,
authnz_ldap_cleanup_connection_close,
apr_pool_cleanup_null);
@@ -869,6 +899,15 @@ static authz_status ldapgroup_check_authorization(request_rec *r,
return AUTHZ_GRANTED;
}
case LDAP_COMPARE_FALSE: {
/* nested groups need searches and compares, so grab a new handle */
authnz_ldap_cleanup_connection_close(ldc);
apr_pool_cleanup_kill(r->pool, ldc,authnz_ldap_cleanup_connection_close);
ldc = get_connection_for_authz(r, LDAP_COMPARE_AND_SEARCH);
apr_pool_cleanup_register(r->pool, ldc,
authnz_ldap_cleanup_connection_close,
apr_pool_cleanup_null);
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"[%" APR_PID_T_FMT "] auth_ldap authorise: require group \"%s\": "
"failed [%s][%d - %s], checking sub-groups",
@@ -932,9 +971,7 @@ static authz_status ldapdn_check_authorization(request_rec *r,
}
if (sec->host) {
ldc = util_ldap_connection_find(r, sec->host, sec->port,
sec->binddn, sec->bindpw, sec->deref,
sec->secure);
ldc = get_connection_for_authz(r, LDAP_SEARCH); /* _comparedn is a searche */
apr_pool_cleanup_register(r->pool, ldc,
authnz_ldap_cleanup_connection_close,
apr_pool_cleanup_null);
@@ -1046,9 +1083,7 @@ static authz_status ldapattribute_check_authorization(request_rec *r,
}
if (sec->host) {
ldc = util_ldap_connection_find(r, sec->host, sec->port,
sec->binddn, sec->bindpw, sec->deref,
sec->secure);
ldc = get_connection_for_authz(r, LDAP_COMPARE);
apr_pool_cleanup_register(r->pool, ldc,
authnz_ldap_cleanup_connection_close,
apr_pool_cleanup_null);
@@ -1165,9 +1200,7 @@ static authz_status ldapfilter_check_authorization(request_rec *r,
}
if (sec->host) {
ldc = util_ldap_connection_find(r, sec->host, sec->port,
sec->binddn, sec->bindpw, sec->deref,
sec->secure);
ldc = get_connection_for_authz(r, LDAP_SEARCH);
apr_pool_cleanup_register(r->pool, ldc,
authnz_ldap_cleanup_connection_close,
apr_pool_cleanup_null);
@@ -1249,8 +1282,14 @@ static authz_status ldapfilter_check_authorization(request_rec *r,
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"[%" APR_PID_T_FMT "] auth_ldap authorize: checking dn match %s",
getpid(), dn);
if (sec->compare_as_user) {
/* ldap-filter is the only authz that requires a search and a compare */
apr_pool_cleanup_kill(r->pool, ldc, authnz_ldap_cleanup_connection_close);
authnz_ldap_cleanup_connection_close(ldc);
ldc = get_connection_for_authz(r, LDAP_COMPARE);
}
result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, dn,
sec->compare_dn_on_server);
sec->compare_dn_on_server);
}
switch(result) {
@@ -1607,6 +1646,14 @@ static const command_rec authnz_ldap_cmds[] =
AP_INIT_TAKE2("AuthLDAPInitialBindPattern", set_bind_pattern, NULL, OR_AUTHCFG,
"The regex and substitution to determine a username that can bind based on an HTTP basic auth username"),
AP_INIT_FLAG("AuthLDAPSearchAsUser", ap_set_flag_slot,
(void *)APR_OFFSETOF(authn_ldap_config_t, search_as_user), OR_AUTHCFG,
"Set to 'on' to perform authorization-based searches with the users credentials, when this module"
" has also performed authentication. Does not affect nested groups lookup."),
AP_INIT_FLAG("AuthLDAPCompareAsUser", ap_set_flag_slot,
(void *)APR_OFFSETOF(authn_ldap_config_t, compare_as_user), OR_AUTHCFG,
"Set to 'on' to perform authorization-based compares with the users credentials, when this module"
" has also performed authentication. Does not affect nested groups lookups."),
{NULL}
};