📄 mod_auth_ldap.c
字号:
sec->url = ""; sec->host = NULL; sec->binddn = NULL; sec->bindpw = NULL; sec->deref = always; sec->group_attrib_is_dn = 1; sec->frontpage_hack = 0; sec->secure = 0; sec->user_is_dn = 0; sec->compare_dn_on_server = 0; return sec;}/* * Use the ldap url parsing routines to break up the ldap url into * host and port. */static const char *mod_auth_ldap_parse_url(cmd_parms *cmd, void *config, const char *url){ int result; apr_ldap_url_desc_t *urld; mod_auth_ldap_config_t *sec = config; ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, "[%d] auth_ldap url parse: `%s'", getpid(), url); result = apr_ldap_url_parse(url, &(urld)); if (result != LDAP_SUCCESS) { switch (result) { case LDAP_URL_ERR_NOTLDAP: return "LDAP URL does not begin with ldap://"; case LDAP_URL_ERR_NODN: return "LDAP URL does not have a DN"; case LDAP_URL_ERR_BADSCOPE: return "LDAP URL has an invalid scope"; case LDAP_URL_ERR_MEM: return "Out of memory parsing LDAP URL"; default: return "Could not parse LDAP URL"; } } sec->url = apr_pstrdup(cmd->pool, url); ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, "[%d] auth_ldap url parse: Host: %s", getpid(), urld->lud_host); ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, "[%d] auth_ldap url parse: Port: %d", getpid(), urld->lud_port); ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, "[%d] auth_ldap url parse: DN: %s", getpid(), urld->lud_dn); ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, "[%d] auth_ldap url parse: attrib: %s", getpid(), urld->lud_attrs? urld->lud_attrs[0] : "(null)"); ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, "[%d] auth_ldap url parse: scope: %s", getpid(), (urld->lud_scope == LDAP_SCOPE_SUBTREE? "subtree" : urld->lud_scope == LDAP_SCOPE_BASE? "base" : urld->lud_scope == LDAP_SCOPE_ONELEVEL? "onelevel" : "unknown")); ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, "[%d] auth_ldap url parse: filter: %s", getpid(), urld->lud_filter); /* Set all the values, or at least some sane defaults */ if (sec->host) { char *p = apr_palloc(cmd->pool, strlen(sec->host) + strlen(urld->lud_host) + 2); strcpy(p, urld->lud_host); strcat(p, " "); strcat(p, sec->host); sec->host = p; } else { sec->host = urld->lud_host? apr_pstrdup(cmd->pool, urld->lud_host) : "localhost"; } sec->basedn = urld->lud_dn? apr_pstrdup(cmd->pool, urld->lud_dn) : ""; if (urld->lud_attrs && urld->lud_attrs[0]) { int i = 1; while (urld->lud_attrs[i]) { i++; } sec->attributes = apr_pcalloc(cmd->pool, sizeof(char *) * (i+1)); i = 0; while (urld->lud_attrs[i]) { sec->attributes[i] = apr_pstrdup(cmd->pool, urld->lud_attrs[i]); i++; } sec->attribute = sec->attributes[0]; } else { sec->attribute = "uid"; } sec->scope = urld->lud_scope == LDAP_SCOPE_ONELEVEL ? LDAP_SCOPE_ONELEVEL : LDAP_SCOPE_SUBTREE; if (urld->lud_filter) { if (urld->lud_filter[0] == '(') { /* * Get rid of the surrounding parens; later on when generating the * filter, they'll be put back. */ sec->filter = apr_pstrdup(cmd->pool, urld->lud_filter+1); sec->filter[strlen(sec->filter)-1] = '\0'; } else { sec->filter = apr_pstrdup(cmd->pool, urld->lud_filter); } } else { sec->filter = "objectclass=*"; } /* "ldaps" indicates secure ldap connections desired */ if (strncasecmp(url, "ldaps", 5) == 0) { sec->secure = 1; sec->port = urld->lud_port? urld->lud_port : LDAPS_PORT; ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, "LDAP: auth_ldap using SSL connections"); } else { sec->secure = 0; sec->port = urld->lud_port? urld->lud_port : LDAP_PORT; ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, "LDAP: auth_ldap not using SSL connections"); } sec->have_ldap_url = 1; apr_ldap_free_urldesc(urld); return NULL;}static const char *mod_auth_ldap_set_deref(cmd_parms *cmd, void *config, const char *arg){ mod_auth_ldap_config_t *sec = config; if (strcmp(arg, "never") == 0 || strcasecmp(arg, "off") == 0) { sec->deref = never; } else if (strcmp(arg, "searching") == 0) { sec->deref = searching; } else if (strcmp(arg, "finding") == 0) { sec->deref = finding; } else if (strcmp(arg, "always") == 0 || strcasecmp(arg, "on") == 0) { sec->deref = always; } else { return "Unrecognized value for AuthLDAPAliasDereference directive"; } return NULL;}static const char *mod_auth_ldap_add_group_attribute(cmd_parms *cmd, void *config, const char *arg){ struct mod_auth_ldap_groupattr_entry_t *new; mod_auth_ldap_config_t *sec = config; if (sec->groupattr->nelts > GROUPATTR_MAX_ELTS) return "Too many AuthLDAPGroupAttribute directives"; new = apr_array_push(sec->groupattr); new->name = apr_pstrdup(cmd->pool, arg); return NULL;}static const char *set_charset_config(cmd_parms *cmd, void *config, const char *arg){ ap_set_module_config(cmd->server->module_config, &auth_ldap_module, (void *)arg); return NULL;}command_rec mod_auth_ldap_cmds[] = { AP_INIT_TAKE1("AuthLDAPURL", mod_auth_ldap_parse_url, NULL, OR_AUTHCFG, "URL to define LDAP connection. This should be an RFC 2255 complaint\n" "URL of the form ldap://host[:port]/basedn[?attrib[?scope[?filter]]].\n" "<ul>\n" "<li>Host is the name of the LDAP server. Use a space separated list of hosts \n" "to specify redundant servers.\n" "<li>Port is optional, and specifies the port to connect to.\n" "<li>basedn specifies the base DN to start searches from\n" "<li>Attrib specifies what attribute to search for in the directory. If not " "provided, it defaults to <b>uid</b>.\n" "<li>Scope is the scope of the search, and can be either <b>sub</b> or " "<b>one</b>. If not provided, the default is <b>sub</b>.\n" "<li>Filter is a filter to use in the search. If not provided, " "defaults to <b>(objectClass=*)</b>.\n" "</ul>\n" "Searches are performed using the attribute and the filter combined. " "For example, assume that the\n" "LDAP URL is <b>ldap://ldap.airius.com/ou=People, o=Airius?uid?sub?(posixid=*)</b>. " "Searches will\n" "be done using the filter <b>(&((posixid=*))(uid=<i>username</i>))</b>, " "where <i>username</i>\n" "is the user name passed by the HTTP client. The search will be a subtree " "search on the branch <b>ou=People, o=Airius</b>."), AP_INIT_TAKE1("AuthLDAPBindDN", ap_set_string_slot, (void *)APR_OFFSETOF(mod_auth_ldap_config_t, binddn), OR_AUTHCFG, "DN to use to bind to LDAP server. If not provided, will do an anonymous bind."), AP_INIT_TAKE1("AuthLDAPBindPassword", ap_set_string_slot, (void *)APR_OFFSETOF(mod_auth_ldap_config_t, bindpw), OR_AUTHCFG, "Password to use to bind to LDAP server. If not provided, will do an anonymous bind."), AP_INIT_FLAG("AuthLDAPRemoteUserIsDN", ap_set_flag_slot, (void *)APR_OFFSETOF(mod_auth_ldap_config_t, user_is_dn), OR_AUTHCFG, "Set to 'on' to set the REMOTE_USER environment variable to be the full " "DN of the remote user. By default, this is set to off, meaning that " "the REMOTE_USER variable will contain whatever value the remote user sent."), AP_INIT_FLAG("AuthLDAPAuthoritative", ap_set_flag_slot, (void *)APR_OFFSETOF(mod_auth_ldap_config_t, auth_authoritative), OR_AUTHCFG, "Set to 'off' to allow access control to be passed along to lower modules if " "the UserID and/or group is not known to this module"), AP_INIT_FLAG("AuthLDAPCompareDNOnServer", ap_set_flag_slot, (void *)APR_OFFSETOF(mod_auth_ldap_config_t, compare_dn_on_server), OR_AUTHCFG, "Set to 'on' to force auth_ldap to do DN compares (for the \"require dn\" " "directive) using the server, and set it 'off' to do the compares locally " "(at the expense of possible false matches). See the documentation for " "a complete description of this option."), AP_INIT_ITERATE("AuthLDAPGroupAttribute", mod_auth_ldap_add_group_attribute, NULL, OR_AUTHCFG, "A list of attributes used to define group membership - defaults to " "member and uniquemember"), AP_INIT_FLAG("AuthLDAPGroupAttributeIsDN", ap_set_flag_slot, (void *)APR_OFFSETOF(mod_auth_ldap_config_t, group_attrib_is_dn), OR_AUTHCFG, "If set to 'on', auth_ldap uses the DN that is retrieved from the server for" "subsequent group comparisons. If set to 'off', auth_ldap uses the string" "provided by the client directly. Defaults to 'on'."), AP_INIT_TAKE1("AuthLDAPDereferenceAliases", mod_auth_ldap_set_deref, NULL, OR_AUTHCFG, "Determines how aliases are handled during a search. Can bo one of the" "values \"never\", \"searching\", \"finding\", or \"always\". " "Defaults to always."), AP_INIT_FLAG("AuthLDAPEnabled", ap_set_flag_slot, (void *)APR_OFFSETOF(mod_auth_ldap_config_t, enabled), OR_AUTHCFG, "Set to off to disable auth_ldap, even if it's been enabled in a higher tree"), AP_INIT_FLAG("AuthLDAPFrontPageHack", ap_set_flag_slot, (void *)APR_OFFSETOF(mod_auth_ldap_config_t, frontpage_hack), OR_AUTHCFG, "Set to 'on' to support Microsoft FrontPage"), AP_INIT_TAKE1("AuthLDAPCharsetConfig", set_charset_config, NULL, RSRC_CONF, "Character set conversion configuration file. If omitted, character set" "conversion is disabled."), {NULL}};static int auth_ldap_post_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s){ ap_configfile_t *f; char l[MAX_STRING_LEN]; const char *charset_confname = ap_get_module_config(s->module_config, &auth_ldap_module); apr_status_t status; /* mod_auth_ldap_config_t *sec = (mod_auth_ldap_config_t *) ap_get_module_config(s->module_config, &auth_ldap_module); if (sec->secure) { if (!util_ldap_ssl_supported(s)) { ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s, "LDAP: SSL connections (ldaps://) not supported by utilLDAP"); return(!OK); } } */ /* make sure that mod_ldap (util_ldap) is loaded */ if (ap_find_linked_module("util_ldap.c") == NULL) { ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, s, "Module mod_ldap missing. Mod_ldap (aka. util_ldap) " "must be loaded in order for mod_auth_ldap to function properly"); return HTTP_INTERNAL_SERVER_ERROR; } if (!charset_confname) { return OK; } charset_confname = ap_server_root_relative(p, charset_confname); if (!charset_confname) { ap_log_error(APLOG_MARK, APLOG_ERR, APR_EBADPATH, s, "Invalid charset conversion config path %s", (const char *)ap_get_module_config(s->module_config, &auth_ldap_module)); return HTTP_INTERNAL_SERVER_ERROR; } if ((status = ap_pcfg_openfile(&f, ptemp, charset_confname)) != APR_SUCCESS) { ap_log_error(APLOG_MARK, APLOG_ERR, status, s, "could not open charset conversion config file %s.", charset_confname); return HTTP_INTERNAL_SERVER_ERROR; } charset_conversions = apr_hash_make(p); while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) { const char *ll = l; char *lang; if (l[0] == '#') { continue; } lang = ap_getword_conf(p, &ll); ap_str_tolower(lang); if (ll[0]) { char *charset = ap_getword_conf(p, &ll); apr_hash_set(charset_conversions, lang, APR_HASH_KEY_STRING, charset); } } ap_cfg_closefile(f); to_charset = derive_codepage_from_lang (p, "utf-8"); if (to_charset == NULL) { ap_log_error(APLOG_MARK, APLOG_ERR, status, s, "could not find the UTF-8 charset in the file %s.", charset_confname); return HTTP_INTERNAL_SERVER_ERROR; } return OK;}static void mod_auth_ldap_register_hooks(apr_pool_t *p){ ap_hook_post_config(auth_ldap_post_config,NULL,NULL,APR_HOOK_MIDDLE); ap_hook_check_user_id(mod_auth_ldap_check_user_id, NULL, NULL, APR_HOOK_MIDDLE); ap_hook_auth_checker(mod_auth_ldap_auth_checker, NULL, NULL, APR_HOOK_MIDDLE);}module auth_ldap_module = { STANDARD20_MODULE_STUFF, mod_auth_ldap_create_dir_config, /* dir config creater */ NULL, /* dir merger --- default is to override */ NULL, /* server config */ NULL, /* merge server config */ mod_auth_ldap_cmds, /* command table */ mod_auth_ldap_register_hooks, /* set up request processing hooks */};⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -