Commit 7e3b6d38 authored by Bradley Nicholes
Added the directive "Requires ldap-attribute" that allows the module to only authorize a user if the attribute value specified matches the value of the user object. PR 31913

Submitted by: Ryan Morgan <rmorgan pobox.com>
Reviewed by: bnicholes, wrowe, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@105745 13f79535-47bb-0310-9956-ffa450edef68
parent f467430a
+5 −0
@@ -5,6 +5,11 @@ Changes with Apache 2.0.53
     user cache without having to require ldap authentication as well.  
     [PR 31898] [Jari Ahonen jah progress.com, Brad Nicholes]
  *) mod_auth_ldap: Added the directive "Requires ldap-attribute" that
     allows the module to only authorize a user if the attribute value
     specified matches the value of the user object. PR 31913
     [Ryan Morgan <rmorgan pobox.com>]
  *) SECURITY: CAN-2004-0942 (cve.mitre.org)
     Fix for memory consumption DoS in handling of MIME folded request
     headers.  [Joe Orton]
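Review bot: the CHANGES entry (like the commit message) calls the directive "Requires ldap-attribute", but the syntax documented in this same commit is `require ldap-attribute` (lowercase, no trailing "s"), and that is also the keyword the code matches with strcmp(w, "ldap-attribute"). Suggest wording the entry as "Added the 'require ldap-attribute' directive ..." so an administrator grepping CHANGES finds the spelling that actually works in a config.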
+1 −8
APACHE 2.0 STATUS:                                              -*-text-*-
Last modified at [$Date: 2004/11/10 16:35:21 $]
Last modified at [$Date: 2004/11/10 18:05:46 $]

Release:

@@ -75,13 +75,6 @@ PATCHES TO BACKPORT FROM 2.1
  [ please place file names and revisions from HEAD here, so it is easy to
    identify exactly what the proposed changes are! ]

    *) mod_authnz_ldap: Added the directive "Requires ldap-attribute" that
       allows the module to only authorize a user if the attribute value
       specified matches the value of the user object. PR 31913
         modules/aaa/mod_authnz_ldap.c: r1.7
	 docs/manual/mod/mod_authnz_ldap.xml: r1.3
       +1: bnicholes, wrowe, jim

    *) mod_ssl: Fix an possible NULL pointer dereference in some configs.
       http://nagoya.apache.org/bugzilla/showattachment.cgi?attach_id=13182
       PR: 31848
+34 −1
<?xml version="1.0"?>
<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
<!-- $Revision: 1.6.2.12 $ -->
<!-- $Revision: 1.6.2.13 $ -->

<!--
 Copyright 2002-2004 The Apache Software Foundation
@@ -80,6 +80,7 @@ for HTTP Basic authentication.</description>
          <li><a href="#requser">require user</a></li>
          <li><a href="#reqgroup">require group</a></li>
          <li><a href="#reqdn">require dn</a></li>
          <li><a href="#reqattribute">require ldap-attribute</a></li>
        </ul>
      </li>

@@ -198,6 +199,11 @@ for HTTP Basic authentication.</description>
      the DN fetched from the LDAP directory (or the username
      passed by the client) occurs in the LDAP group.</li>

      <li>Grant access if there is a <a href="#reqattribute">
      <code>require ldap-attribute</code></a> 
      directive, and the attribute fetched from the LDAP directory
      matches the given value.</li> 

      <li>otherwise, deny or decline access</li>
    </ul>

@@ -336,6 +342,33 @@ uniqueMember: cn=Fred User, o=Airius<br />
    module="mod_auth_ldap">AuthLDAPCompareDNOnServer</directive>
    directive.</p>
</section>

<section id="reqattribute"><title>require ldap-attribute</title>

    <p>The <code>require ldap-attribute</code> directive allows the
    administrator to grant access based on attributes of the authenticated
    user in the LDAP directory.  If the attribute in the directory
    matches the value given in the configuration, access is granted.</p>
    
    <p>The following directive would grant access to anyone with
    the attribute employeeType = active</p>

    <example>require ldap-attribute employeeType=active</example>

    <p>Multiple attribute/value pairs can be specified on the same line
    separated by spaces or they can be specified in multiple 
    <code>require ldap-attribute</code> directives. The effect of listing 
    multiple attribute/values pairs is an OR operation. Access will be 
    granted if any of the listed attribute values match the value of a 
    corresponding attribute in the user object. If the value of the 
    attribute contains a space, only the value must be within double quotes.</p>

    <p>The following directive would grant access to anyone with
    the city attribute equal to "San Jose" or status equal to "Active"</p>

    <example>require ldap-attribute city="San Jose" status=active</example>
</section>

</section>

<section id="examples"><title>Examples</title>
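Review bot: in the new reqattribute section the sentence "If the value of the attribute contains a space, only the value must be within double quotes" is ambiguous about what "only" qualifies; suggest "If the value contains a space, enclose the value (not the attribute name) in double quotes, as in city="San Jose"". Two smaller points for the same section: the text says the attribute "matches the given value", but the check in the code hunk is an LDAP compare against the server (util_ldap_cache_compare), so whether employeeType=active also matches "Active" depends on the attribute's matching rule in the directory schema rather than on httpd, and a sentence saying so would save admins a surprise; and the OR paragraph should state explicitly that a pair whose compare fails for any reason (attribute absent, LDAP error) counts as a non-match, so that when no pair matches the request falls through to the "otherwise, deny or decline access" case listed above.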
+29 −1
@@ -420,7 +420,7 @@ int mod_auth_ldap_auth_checker(request_rec *r)

    register int x;
    const char *t;
    char *w;
    char *w, *value;
    int method_restricted = 0;

    if (!sec->enabled) {
@@ -627,6 +627,34 @@ int mod_auth_ldap_auth_checker(request_rec *r)
                }
            }
        }
        else if (strcmp(w, "ldap-attribute") == 0) {
            while (t[0]) {
                w = ap_getword(r->pool, &t, '=');
                value = ap_getword_conf(r->pool, &t);

                ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
                              "[%d] auth_ldap authorise: checking attribute"
                              " %s has value %s", getpid(), w, value);
                result = util_ldap_cache_compare(r, ldc, sec->url, req->dn,
                                                 w, value);
                switch(result) {
                    case LDAP_COMPARE_TRUE: {
                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 
                                      0, r, "[%d] auth_ldap authorise: "
                                      "require attribute: authorisation "
                                      "successful", getpid());
                        return OK;
                    }
                    default: {
                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 
                                      0, r, "[%d] auth_ldap authorise: "
                                      "require attribute: authorisation "
                                      "failed [%s][%s]", getpid(), 
                                      ldc->reason, ldap_err2string(result));
                    }
                }
            }
        }
    }

    if (!method_restricted) {
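Review bot: the ldap-attribute branch passes req->dn straight into util_ldap_cache_compare with no visible check that the DN was ever resolved; if the user was authenticated by a different module or the DN lookup failed, the compare should fail closed with its own log line rather than rely on the cache layer's handling of a NULL or empty DN. Confirm the earlier DN guard in this function covers the new branch, or add `if (req->dn == NULL || strlen(req->dn) == 0)` with the same "user's DN has not been defined" failure the other require types report. Second, the parsing loop never verifies that an "=" was present: for `require ldap-attribute employeeType`, ap_getword consumes the whole word as the attribute name and ap_getword_conf then returns "" for the value, so a config typo silently becomes a compare against an empty string that is only visible at APLOG_DEBUG; check for an empty attribute name or value and log it at APLOG_ERR (better still, reject it at config-parse time). Third, the default: case logs every result other than LDAP_COMPARE_TRUE at DEBUG, so a transient LDAP error that denies every user looks identical, in a default-level log, to an ordinary mismatch; log results other than LDAP_COMPARE_FALSE at APLOG_WARNING so an outage is distinguishable from a policy decision.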