|
 |
c0c6d9 |
diff --git a/docs/manual/expr.html.en b/docs/manual/expr.html.en
|
|
|
c0c6d9 |
index 5c3ae45..8bd941a 100644
|
|
|
c0c6d9 |
--- a/docs/manual/expr.html.en
|
|
|
c0c6d9 |
+++ b/docs/manual/expr.html.en
|
|
|
c0c6d9 |
@@ -46,7 +46,7 @@
|
|
|
c0c6d9 |
 Other
|
|
|
c0c6d9 |
Comparison with SSLRequire
|
|
|
c0c6d9 |
Version History
|
|
|
c0c6d9 |
-See also
|
|
|
c0c6d9 |
+See also
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
diff --git a/docs/manual/mod/mod_authnz_ldap.html.en b/docs/manual/mod/mod_authnz_ldap.html.en
|
|
|
c0c6d9 |
index 7199052..c86dc8a 100644
|
|
|
c0c6d9 |
--- a/docs/manual/mod/mod_authnz_ldap.html.en
|
|
|
c0c6d9 |
+++ b/docs/manual/mod/mod_authnz_ldap.html.en
|
|
|
c0c6d9 |
@@ -350,6 +350,9 @@ for HTTP Basic authentication.
|
|
|
c0c6d9 |
ldap-filter. Other authorization types may also be
|
|
|
c0c6d9 |
used but may require that additional authorization modules be loaded.
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
+ Since v2.5.0, expressions are supported
|
|
|
c0c6d9 |
+ within the LDAP require directives.
|
|
|
c0c6d9 |
+
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
The Require ldap-user directive specifies what
|
|
|
c0c6d9 |
@@ -576,6 +579,16 @@ Require ldap-group cn=Administrators, o=Example
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
+ Grant access to anybody in the group whose name matches the
|
|
|
c0c6d9 |
+ hostname of the virtual host. In this example an
|
|
|
c0c6d9 |
+ expression is used to build the filter.
|
|
|
c0c6d9 |
+<highlight language="config">
|
|
|
c0c6d9 |
+AuthLDAPURL ldap://ldap.example.com/o=Example?uid
|
|
|
c0c6d9 |
+Require ldap-group cn=%{SERVER_NAME}, o=Example
|
|
|
c0c6d9 |
+</highlight>
|
|
|
c0c6d9 |
+
|
|
|
c0c6d9 |
+
|
|
|
c0c6d9 |
+
|
|
|
c0c6d9 |
The next example assumes that everyone at Example who
|
|
|
c0c6d9 |
carries an alphanumeric pager will have an LDAP attribute
|
|
|
c0c6d9 |
of qpagePagerID. The example will grant access
|
|
|
c0c6d9 |
diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
|
|
|
c0c6d9 |
index 2c25dbc..063debe 100644
|
|
|
c0c6d9 |
--- a/modules/aaa/mod_authnz_ldap.c
|
|
|
c0c6d9 |
+++ b/modules/aaa/mod_authnz_ldap.c
|
|
|
c0c6d9 |
@@ -607,6 +607,10 @@ static authz_status ldapuser_check_authorization(request_rec *r,
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
util_ldap_connection_t *ldc = NULL;
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
+ const char *err = NULL;
|
|
|
c0c6d9 |
+ const ap_expr_info_t *expr = parsed_require_args;
|
|
|
c0c6d9 |
+ const char *require;
|
|
|
c0c6d9 |
+
|
|
|
c0c6d9 |
const char *t;
|
|
|
c0c6d9 |
char *w;
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
@@ -680,11 +684,19 @@ static authz_status ldapuser_check_authorization(request_rec *r,
|
|
|
c0c6d9 |
return AUTHZ_DENIED;
|
|
|
c0c6d9 |
}
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
+ require = ap_expr_str_exec(r, expr, &err;;
|
|
|
c0c6d9 |
+ if (err) {
|
|
|
c0c6d9 |
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02585)
|
|
|
c0c6d9 |
+ "auth_ldap authorize: require user: Can't evaluate expression: %s",
|
|
|
c0c6d9 |
+ err);
|
|
|
c0c6d9 |
+ return AUTHZ_DENIED;
|
|
|
c0c6d9 |
+ }
|
|
|
c0c6d9 |
+
|
|
|
c0c6d9 |
/*
|
|
|
c0c6d9 |
* First do a whole-line compare, in case it's something like
|
|
|
c0c6d9 |
* require user Babs Jensen
|
|
|
c0c6d9 |
*/
|
|
|
c0c6d9 |
- result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, require_args);
|
|
|
c0c6d9 |
+ result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, require);
|
|
|
c0c6d9 |
switch(result) {
|
|
|
c0c6d9 |
case LDAP_COMPARE_TRUE: {
|
|
|
c0c6d9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01703)
|
|
|
c0c6d9 |
@@ -704,7 +716,7 @@ static authz_status ldapuser_check_authorization(request_rec *r,
|
|
|
c0c6d9 |
/*
|
|
|
c0c6d9 |
* Now break apart the line and compare each word on it
|
|
|
c0c6d9 |
*/
|
|
|
c0c6d9 |
- t = require_args;
|
|
|
c0c6d9 |
+ t = require;
|
|
|
c0c6d9 |
while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
|
|
|
c0c6d9 |
result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, w);
|
|
|
c0c6d9 |
switch(result) {
|
|
|
c0c6d9 |
@@ -744,6 +756,10 @@ static authz_status ldapgroup_check_authorization(request_rec *r,
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
util_ldap_connection_t *ldc = NULL;
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
+ const char *err = NULL;
|
|
|
c0c6d9 |
+ const ap_expr_info_t *expr = parsed_require_args;
|
|
|
c0c6d9 |
+ const char *require;
|
|
|
c0c6d9 |
+
|
|
|
c0c6d9 |
const char *t;
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
char filtbuf[FILTER_LENGTH];
|
|
|
c0c6d9 |
@@ -863,7 +879,15 @@ static authz_status ldapgroup_check_authorization(request_rec *r,
|
|
|
c0c6d9 |
}
|
|
|
c0c6d9 |
}
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
- t = require_args;
|
|
|
c0c6d9 |
+ require = ap_expr_str_exec(r, expr, &err;;
|
|
|
c0c6d9 |
+ if (err) {
|
|
|
c0c6d9 |
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02586)
|
|
|
c0c6d9 |
+ "auth_ldap authorize: require group: Can't evaluate expression: %s",
|
|
|
c0c6d9 |
+ err);
|
|
|
c0c6d9 |
+ return AUTHZ_DENIED;
|
|
|
c0c6d9 |
+ }
|
|
|
c0c6d9 |
+
|
|
|
c0c6d9 |
+ t = require;
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01713)
|
|
|
c0c6d9 |
"auth_ldap authorize: require group: testing for group "
|
|
|
c0c6d9 |
@@ -959,6 +983,10 @@ static authz_status ldapdn_check_authorization(request_rec *r,
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
util_ldap_connection_t *ldc = NULL;
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
+ const char *err = NULL;
|
|
|
c0c6d9 |
+ const ap_expr_info_t *expr = parsed_require_args;
|
|
|
c0c6d9 |
+ const char *require;
|
|
|
c0c6d9 |
+
|
|
|
c0c6d9 |
const char *t;
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
char filtbuf[FILTER_LENGTH];
|
|
|
c0c6d9 |
@@ -1021,7 +1049,15 @@ static authz_status ldapdn_check_authorization(request_rec *r,
|
|
|
c0c6d9 |
req->user = r->user;
|
|
|
c0c6d9 |
}
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
- t = require_args;
|
|
|
c0c6d9 |
+ require = ap_expr_str_exec(r, expr, &err;;
|
|
|
c0c6d9 |
+ if (err) {
|
|
|
c0c6d9 |
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02587)
|
|
|
c0c6d9 |
+ "auth_ldap authorize: require dn: Can't evaluate expression: %s",
|
|
|
c0c6d9 |
+ err);
|
|
|
c0c6d9 |
+ return AUTHZ_DENIED;
|
|
|
c0c6d9 |
+ }
|
|
|
c0c6d9 |
+
|
|
|
c0c6d9 |
+ t = require;
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
if (req->dn == NULL || strlen(req->dn) == 0) {
|
|
|
c0c6d9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01725)
|
|
|
c0c6d9 |
@@ -1068,6 +1104,10 @@ static authz_status ldapattribute_check_authorization(request_rec *r,
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
util_ldap_connection_t *ldc = NULL;
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
+ const char *err = NULL;
|
|
|
c0c6d9 |
+ const ap_expr_info_t *expr = parsed_require_args;
|
|
|
c0c6d9 |
+ const char *require;
|
|
|
c0c6d9 |
+
|
|
|
c0c6d9 |
const char *t;
|
|
|
c0c6d9 |
char *w, *value;
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
@@ -1138,7 +1178,16 @@ static authz_status ldapattribute_check_authorization(request_rec *r,
|
|
|
c0c6d9 |
return AUTHZ_DENIED;
|
|
|
c0c6d9 |
}
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
- t = require_args;
|
|
|
c0c6d9 |
+ require = ap_expr_str_exec(r, expr, &err;;
|
|
|
c0c6d9 |
+ if (err) {
|
|
|
c0c6d9 |
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02588)
|
|
|
c0c6d9 |
+ "auth_ldap authorize: require ldap-attribute: Can't "
|
|
|
c0c6d9 |
+ "evaluate expression: %s", err);
|
|
|
c0c6d9 |
+ return AUTHZ_DENIED;
|
|
|
c0c6d9 |
+ }
|
|
|
c0c6d9 |
+
|
|
|
c0c6d9 |
+ t = require;
|
|
|
c0c6d9 |
+
|
|
|
c0c6d9 |
while (t[0]) {
|
|
|
c0c6d9 |
w = ap_getword(r->pool, &t, '=');
|
|
|
c0c6d9 |
value = ap_getword_conf(r->pool, &t);
|
|
|
c0c6d9 |
@@ -1183,6 +1232,11 @@ static authz_status ldapfilter_check_authorization(request_rec *r,
|
|
|
c0c6d9 |
(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
util_ldap_connection_t *ldc = NULL;
|
|
|
c0c6d9 |
+
|
|
|
c0c6d9 |
+ const char *err = NULL;
|
|
|
c0c6d9 |
+ const ap_expr_info_t *expr = parsed_require_args;
|
|
|
c0c6d9 |
+ const char *require;
|
|
|
c0c6d9 |
+
|
|
|
c0c6d9 |
const char *t;
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
char filtbuf[FILTER_LENGTH];
|
|
|
c0c6d9 |
@@ -1252,7 +1306,15 @@ static authz_status ldapfilter_check_authorization(request_rec *r,
|
|
|
c0c6d9 |
return AUTHZ_DENIED;
|
|
|
c0c6d9 |
}
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
- t = require_args;
|
|
|
c0c6d9 |
+ require = ap_expr_str_exec(r, expr, &err;;
|
|
|
c0c6d9 |
+ if (err) {
|
|
|
c0c6d9 |
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02589)
|
|
|
c0c6d9 |
+ "auth_ldap authorize: require ldap-filter: Can't "
|
|
|
c0c6d9 |
+ "evaluate require expression: %s", err);
|
|
|
c0c6d9 |
+ return AUTHZ_DENIED;
|
|
|
c0c6d9 |
+ }
|
|
|
c0c6d9 |
+
|
|
|
c0c6d9 |
+ t = require;
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
if (t[0]) {
|
|
|
c0c6d9 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01743)
|
|
|
c0c6d9 |
@@ -1311,6 +1373,25 @@ static authz_status ldapfilter_check_authorization(request_rec *r,
|
|
|
c0c6d9 |
return AUTHZ_DENIED;
|
|
|
c0c6d9 |
}
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
+static const char *ldap_parse_config(cmd_parms *cmd, const char *require_line,
|
|
|
c0c6d9 |
+ const void **parsed_require_line)
|
|
|
c0c6d9 |
+{
|
|
|
c0c6d9 |
+ const char *expr_err = NULL;
|
|
|
c0c6d9 |
+ ap_expr_info_t *expr;
|
|
|
c0c6d9 |
+
|
|
|
c0c6d9 |
+ expr = ap_expr_parse_cmd(cmd, require_line, AP_EXPR_FLAG_STRING_RESULT,
|
|
|
c0c6d9 |
+ &expr_err, NULL);
|
|
|
c0c6d9 |
+
|
|
|
c0c6d9 |
+ if (expr_err)
|
|
|
c0c6d9 |
+ return apr_pstrcat(cmd->temp_pool,
|
|
|
c0c6d9 |
+ "Cannot parse expression in require line: ",
|
|
|
c0c6d9 |
+ expr_err, NULL);
|
|
|
c0c6d9 |
+
|
|
|
c0c6d9 |
+ *parsed_require_line = expr;
|
|
|
c0c6d9 |
+
|
|
|
c0c6d9 |
+ return NULL;
|
|
|
c0c6d9 |
+}
|
|
|
c0c6d9 |
+
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
/*
|
|
|
c0c6d9 |
* Use the ldap url parsing routines to break up the ldap url into
|
|
|
c0c6d9 |
@@ -1769,30 +1850,30 @@ static const authn_provider authn_ldap_provider =
|
|
|
c0c6d9 |
static const authz_provider authz_ldapuser_provider =
|
|
|
c0c6d9 |
{
|
|
|
c0c6d9 |
&ldapuser_check_authorization,
|
|
|
c0c6d9 |
- NULL,
|
|
|
c0c6d9 |
+ &ldap_parse_config,
|
|
|
c0c6d9 |
};
|
|
|
c0c6d9 |
static const authz_provider authz_ldapgroup_provider =
|
|
|
c0c6d9 |
{
|
|
|
c0c6d9 |
&ldapgroup_check_authorization,
|
|
|
c0c6d9 |
- NULL,
|
|
|
c0c6d9 |
+ &ldap_parse_config,
|
|
|
c0c6d9 |
};
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
static const authz_provider authz_ldapdn_provider =
|
|
|
c0c6d9 |
{
|
|
|
c0c6d9 |
&ldapdn_check_authorization,
|
|
|
c0c6d9 |
- NULL,
|
|
|
c0c6d9 |
+ &ldap_parse_config,
|
|
|
c0c6d9 |
};
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
static const authz_provider authz_ldapattribute_provider =
|
|
|
c0c6d9 |
{
|
|
|
c0c6d9 |
&ldapattribute_check_authorization,
|
|
|
c0c6d9 |
- NULL,
|
|
|
c0c6d9 |
+ &ldap_parse_config,
|
|
|
c0c6d9 |
};
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
static const authz_provider authz_ldapfilter_provider =
|
|
|
c0c6d9 |
{
|
|
|
c0c6d9 |
&ldapfilter_check_authorization,
|
|
|
c0c6d9 |
- NULL,
|
|
|
c0c6d9 |
+ &ldap_parse_config,
|
|
|
c0c6d9 |
};
|
|
|
c0c6d9 |
|
|
|
c0c6d9 |
static void ImportULDAPOptFn(void)
|
