📄 mod_authnz_ldap.c
"[%" APR_PID_T_FMT "] auth_ldap authorise: " "require user: user's DN has not been defined; failing authorisation", getpid()); return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; } /* * First do a whole-line compare, in case it's something like * require user Babs Jensen */ result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, t); switch(result) { case LDAP_COMPARE_TRUE: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: " "require user: authorisation successful", getpid()); return OK; } default: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: require user: " "authorisation failed [%s][%s]", getpid(), ldc->reason, ldap_err2string(result)); } } /* * Now break apart the line and compare each word on it */ while (t[0]) { w = ap_getword_conf(r->pool, &t); result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, w); switch(result) { case LDAP_COMPARE_TRUE: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: " "require user: authorisation successful", getpid()); return OK; } default: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: " "require user: authorisation failed [%s][%s]", getpid(), ldc->reason, ldap_err2string(result)); } } } } else if (strcmp(w, "ldap-dn") == 0) { required_ldap = 1; if (req->dn == NULL || strlen(req->dn) == 0) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: " "require dn: user's DN has not been defined; failing authorisation", getpid()); return sec->auth_authoritative? 
HTTP_UNAUTHORIZED : DECLINED; } result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, t, sec->compare_dn_on_server); switch(result) { case LDAP_COMPARE_TRUE: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: " "require dn: authorisation successful", getpid()); return OK; } default: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: " "require dn \"%s\": LDAP error [%s][%s]", getpid(), t, ldc->reason, ldap_err2string(result)); } } } else if (strcmp(w, "ldap-group") == 0) { struct mod_auth_ldap_groupattr_entry_t *ent = (struct mod_auth_ldap_groupattr_entry_t *) sec->groupattr->elts; int i; required_ldap = 1; if (sec->group_attrib_is_dn) { if (req->dn == NULL || strlen(req->dn) == 0) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: " "user's DN has not been defined; failing authorisation", getpid()); return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; } } else { if (req->user == NULL || strlen(req->user) == 0) { /* We weren't called in the authentication phase, so we didn't have a * chance to set the user field. Do so now. */ req->user = r->user; } } ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: " "testing for group membership in \"%s\"", getpid(), t); for (i = 0; i < sec->groupattr->nelts; i++) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: " "testing for %s: %s (%s)", getpid(), ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t); result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name, sec->group_attrib_is_dn ? 
req->dn : req->user); switch(result) { case LDAP_COMPARE_TRUE: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: " "authorisation successful (attribute %s) [%s][%s]", getpid(), ent[i].name, ldc->reason, ldap_err2string(result)); return OK; } default: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: require group \"%s\": " "authorisation failed [%s][%s]", getpid(), t, ldc->reason, ldap_err2string(result)); } } } } else if (strcmp(w, "ldap-attribute") == 0) { required_ldap = 1; if (req->dn == NULL || strlen(req->dn) == 0) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: " "require ldap-attribute: user's DN has not been defined; failing authorisation", getpid()); return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; } while (t[0]) { w = ap_getword(r->pool, &t, '='); value = ap_getword_conf(r->pool, &t); ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: checking attribute" " %s has value %s", getpid(), w, value); result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, w, value); switch(result) { case LDAP_COMPARE_TRUE: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: " "require attribute: authorisation " "successful", getpid()); return OK; } default: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: " "require attribute: authorisation " "failed [%s][%s]", getpid(), ldc->reason, ldap_err2string(result)); } } } } else if (strcmp(w, "ldap-filter") == 0) { required_ldap = 1; if (req->dn == NULL || strlen(req->dn) == 0) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: " "require ldap-filter: user's DN has not been defined; failing authorisation", getpid()); return sec->auth_authoritative? 
HTTP_UNAUTHORIZED : DECLINED; } if (t[0]) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: checking filter %s", getpid(), t); /* Build the username filter */ authn_ldap_build_filter(filtbuf, r, req->user, t, sec); /* Search for the user DN */ result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, sec->scope, sec->attributes, filtbuf, &dn, &vals); /* Make sure that the filtered search returned the correct user dn */ if (result == LDAP_SUCCESS) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: checking dn match %s", getpid(), dn); result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, dn, sec->compare_dn_on_server); } switch(result) { case LDAP_COMPARE_TRUE: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: " "require ldap-filter: authorisation " "successful", getpid()); return OK; } case LDAP_FILTER_ERROR: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: " "require ldap-filter: %s authorisation " "failed [%s][%s]", getpid(), filtbuf, ldc->reason, ldap_err2string(result)); break; } default: { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: " "require ldap-filter: authorisation " "failed [%s][%s]", getpid(), ldc->reason, ldap_err2string(result)); } } } } } if (!method_restricted) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: agreeing because non-restricted", getpid()); return OK; } if (!required_ldap || !sec->auth_authoritative) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: declining to authorise", getpid()); return DECLINED; } ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authorise: authorisation denied", getpid()); ap_note_basic_auth_failure (r); return HTTP_UNAUTHORIZED;}/* * Use the ldap url parsing routines to break up the ldap 
url into * host and port. */static const char *mod_auth_ldap_parse_url(cmd_parms *cmd, void *config, const char *url, const char *mode){ int rc; apr_ldap_url_desc_t *urld; apr_ldap_err_t *result; authn_ldap_config_t *sec = config; ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, "[%" APR_PID_T_FMT "] auth_ldap url parse: `%s'", getpid(), url); rc = apr_ldap_url_parse(cmd->pool, url, &(urld), &(result)); if (rc != APR_SUCCESS) { return result->reason; } sec->url = apr_pstrdup(cmd->pool, url); ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, "[%" APR_PID_T_FMT "] auth_ldap url parse: Host: %s", getpid(), urld->lud_host); ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, "[%" APR_PID_T_FMT "] auth_ldap url parse: Port: %d", getpid(), urld->lud_port); ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, "[%" APR_PID_T_FMT "] auth_ldap url parse: DN: %s", getpid(), urld->lud_dn); ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, "[%" APR_PID_T_FMT "] auth_ldap url parse: attrib: %s", getpid(), urld->lud_attrs? urld->lud_attrs[0] : "(null)"); ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, "[%" APR_PID_T_FMT "] auth_ldap url parse: scope: %s", getpid(), (urld->lud_scope == LDAP_SCOPE_SUBTREE? "subtree" : urld->lud_scope == LDAP_SCOPE_BASE? "base" : urld->lud_scope == LDAP_SCOPE_ONELEVEL? "onelevel" : "unknown")); ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, "[%" APR_PID_T_FMT "] auth_ldap url parse: filter: %s", getpid(), urld->lud_filter); /* Set all the values, or at least some sane defaults */ if (sec->host) { char *p = apr_palloc(cmd->pool, strlen(sec->host) + strlen(urld->lud_host) + 2); strcpy(p, urld->lud_host); strcat(p, " "); strcat(p, sec->host); sec->host = p; } else { sec->host = urld->lud_host? apr_pstrdup(cmd->pool, urld->lud_host) : "localhost"; } sec->basedn = urld->lud_dn? 
apr_pstrdup(cmd->pool, urld->lud_dn) : ""; if (urld->lud_attrs && urld->lud_attrs[0]) { int i = 1; while (urld->lud_attrs[i]) { i++; } sec->attributes = apr_pcalloc(cmd->pool, sizeof(char *) * (i+1)); i = 0; while (urld->lud_attrs[i]) { sec->attributes[i] = apr_pstrdup(cmd->pool, urld->lud_attrs[i]); i++; } sec->attribute = sec->attributes[0]; } else { sec->attribute = "uid"; } sec->scope = urld->lud_scope == LDAP_SCOPE_ONELEVEL ? LDAP_SCOPE_ONELEVEL : LDAP_SCOPE_SUBTREE;