mainnika/nginx-auth-ldap
1
0
Fork 0
mirror of https://github.com/mainnika/nginx-auth-ldap.git synced 2026-06-12 18:03:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

Remove ngx_ldap_userinfo and custom parsing of the Authorization header

Browse Source 
The core fills both decoded user name and password into r->headers_in.user
or r->headers_in.passwd, respectively, when ngx_http_auth_basic_user() is
called. Maybe it did not work like this before, but there is definitely no
need to handle the decoding ourselves now (nginx 1.4.1).
This commit is contained in:
Jiri Hruska
2013-07-22 15:18:15 +02:00
parent 4228721e81
commit 17fce4fe0a
1 changed files with 10 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ngx_http_auth_ldap_module.c
+10 -54
View File
@@ -29,11 +29,6 @@
#include <ngx_http.h> #include <ngx_http.h>
#include <ldap.h> #include <ldap.h>
typedef struct {
ngx_str_t username;
ngx_str_t password;
} ngx_ldap_userinfo;
typedef struct { typedef struct {
ngx_str_t value; ngx_str_t value;
ngx_array_t *lengths; ngx_array_t *lengths;
@@ -79,9 +74,8 @@ static ngx_int_t ngx_http_auth_ldap_init(ngx_conf_t *cf);
static void * ngx_http_auth_ldap_create_loc_conf(ngx_conf_t *); static void * ngx_http_auth_ldap_create_loc_conf(ngx_conf_t *);
static char * ngx_http_auth_ldap_merge_loc_conf(ngx_conf_t *, void *, void *); static char * ngx_http_auth_ldap_merge_loc_conf(ngx_conf_t *, void *, void *);
static ngx_int_t ngx_http_auth_ldap_authenticate_against_server(ngx_http_request_t *r, ngx_http_auth_ldap_server_t *server, static ngx_int_t ngx_http_auth_ldap_authenticate_against_server(ngx_http_request_t *r, ngx_http_auth_ldap_server_t *server,
ngx_ldap_userinfo *uinfo, ngx_http_auth_ldap_loc_conf_t *conf); ngx_http_auth_ldap_loc_conf_t *conf);
static ngx_int_t ngx_http_auth_ldap_set_realm(ngx_http_request_t *r, ngx_str_t *realm); static ngx_int_t ngx_http_auth_ldap_set_realm(ngx_http_request_t *r, ngx_str_t *realm);
static ngx_ldap_userinfo * ngx_http_auth_ldap_get_user_info(ngx_http_request_t *);
static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_loc_conf_t *conf, static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_loc_conf_t *conf,
ngx_http_auth_ldap_conf_t *mconf); ngx_http_auth_ldap_conf_t *mconf);
static char * ngx_http_auth_ldap(ngx_conf_t *cf, void *post, void *data); static char * ngx_http_auth_ldap(ngx_conf_t *cf, void *post, void *data);
@@ -505,38 +499,6 @@ static ngx_int_t ngx_http_auth_ldap_handler(ngx_http_request_t *r) {
return ngx_http_auth_ldap_authenticate(r, alcf, cnf); return ngx_http_auth_ldap_authenticate(r, alcf, cnf);
} }
/**
* Get login and password from http request.
*/
static ngx_ldap_userinfo*
ngx_http_auth_ldap_get_user_info(ngx_http_request_t *r) {
size_t len;
ngx_ldap_userinfo* uinfo;
u_char *uname_buf, *p;
uinfo = ngx_palloc(r->pool, sizeof(ngx_ldap_userinfo));
for (len = 0; len < r->headers_in.user.len; len++) {
if (r->headers_in.user.data[len] == ':') {
break;
}
}
uname_buf = ngx_palloc(r->pool, len + 1);
if (uname_buf == NULL) {
return NULL;
}
p = ngx_cpymem(uname_buf, r->headers_in.user.data, len);
*p = '\0';
uinfo->username.data = uname_buf;
uinfo->username.len = len;
uinfo->password.data = r->headers_in.passwd.data;
uinfo->password.len = r->headers_in.passwd.len;
return uinfo;
}
/** /**
* Read user credentials from request, set LDAP parameters and call authentication against required servers * Read user credentials from request, set LDAP parameters and call authentication against required servers
*/ */
@@ -551,18 +513,12 @@ static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http
int version = LDAP_VERSION3; int version = LDAP_VERSION3;
int reqcert = LDAP_OPT_X_TLS_ALLOW; int reqcert = LDAP_OPT_X_TLS_ALLOW;
ngx_ldap_userinfo *uinfo;
struct timeval timeOut = { 10, 0 }; struct timeval timeOut = { 10, 0 };
ngx_flag_t pass = NGX_CONF_UNSET; ngx_flag_t pass = NGX_CONF_UNSET;
uinfo = ngx_http_auth_ldap_get_user_info(r); ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP username: %V", &r->headers_in.user);
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP username: %s", uinfo->username.data);
if (uinfo == NULL) { if (r->headers_in.passwd.len == 0)
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
if (uinfo->password.len == 0)
{ {
return ngx_http_auth_ldap_set_realm(r, &conf->realm); return ngx_http_auth_ldap_set_realm(r, &conf->realm);
} }
@@ -586,7 +542,7 @@ static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http
server = &servers[i]; server = &servers[i];
if (server->alias.len == alias->len && ngx_strncmp(server->alias.data, alias->data, server->alias.len) == 0) { if (server->alias.len == alias->len && ngx_strncmp(server->alias.data, alias->data, server->alias.len) == 0) {
found = 1; found = 1;
pass = ngx_http_auth_ldap_authenticate_against_server(r, server, uinfo, conf); pass = ngx_http_auth_ldap_authenticate_against_server(r, server, conf);
if (pass == 1) { if (pass == 1) {
return NGX_OK; return NGX_OK;
} else if (pass == NGX_HTTP_INTERNAL_SERVER_ERROR) { } else if (pass == NGX_HTTP_INTERNAL_SERVER_ERROR) {
@@ -609,7 +565,7 @@ static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http
* Actual authentication against LDAP server * Actual authentication against LDAP server
*/ */
static ngx_int_t ngx_http_auth_ldap_authenticate_against_server(ngx_http_request_t *r, ngx_http_auth_ldap_server_t *server, static ngx_int_t ngx_http_auth_ldap_authenticate_against_server(ngx_http_request_t *r, ngx_http_auth_ldap_server_t *server,
ngx_ldap_userinfo *uinfo, ngx_http_auth_ldap_loc_conf_t *conf) { ngx_http_auth_ldap_loc_conf_t *conf) {
LDAPURLDesc *ludpp = server->ludpp; LDAPURLDesc *ludpp = server->ludpp;
int rc; int rc;
@@ -652,9 +608,9 @@ static ngx_int_t ngx_http_auth_ldap_authenticate_against_server(ngx_http_request
filter = ngx_pcalloc( filter = ngx_pcalloc(
r->pool, r->pool,
(ludpp->lud_filter != NULL ? ngx_strlen(ludpp->lud_filter) : ngx_strlen("(objectClass=*)")) + ngx_strlen("(&(=))") + ngx_strlen(ludpp->lud_attrs[0]) (ludpp->lud_filter != NULL ? ngx_strlen(ludpp->lud_filter) : ngx_strlen("(objectClass=*)")) + ngx_strlen("(&(=))") + ngx_strlen(ludpp->lud_attrs[0])
+ uinfo->username.len + 1); + r->headers_in.user.len + 1);
p = ngx_sprintf(filter, "(&%s(%s=%s))", ludpp->lud_filter != NULL ? ludpp->lud_filter : "(objectClass=*)", ludpp->lud_attrs[0], uinfo->username.data); p = ngx_sprintf(filter, "(&%s(%s=%V))", ludpp->lud_filter != NULL ? ludpp->lud_filter : "(objectClass=*)", ludpp->lud_attrs[0], &r->headers_in.user);
*p = 0; *p = 0;
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: filter %s", (const char*) filter); ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: filter %s", (const char*) filter);
@@ -716,8 +672,8 @@ static ngx_int_t ngx_http_auth_ldap_authenticate_against_server(ngx_http_request
bvalue.bv_val = dn; bvalue.bv_val = dn;
bvalue.bv_len = ngx_strlen(dn); bvalue.bv_len = ngx_strlen(dn);
} else { } else {
bvalue.bv_val = (char*) uinfo->username.data; bvalue.bv_val = (char*) r->headers_in.user.data;
bvalue.bv_len = uinfo->username.len; bvalue.bv_len = r->headers_in.user.len;
} }
value = server->require_group->elts; value = server->require_group->elts;
@@ -769,7 +725,7 @@ static ngx_int_t ngx_http_auth_ldap_authenticate_against_server(ngx_http_request
/// Check valid user /// Check valid user
if ( pass != 0 || (server->require_valid_user == 1 && server->satisfy_all == 0 && pass == 0)) { if ( pass != 0 || (server->require_valid_user == 1 && server->satisfy_all == 0 && pass == 0)) {
/// Bind user to the server /// Bind user to the server
rc = ldap_simple_bind_s(ld, dn, (const char *) uinfo->password.data); rc = ldap_simple_bind_s(ld, dn, (const char *) r->headers_in.passwd.data);
if (rc != LDAP_SUCCESS) { if (rc != LDAP_SUCCESS) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_simple_bind_s error: %d, %s", rc, ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_simple_bind_s error: %d, %s", rc,
ldap_err2string(rc)); ldap_err2string(rc));