mainnika
/
nginx-auth-ldap
mirror of https://github.com/mainnika/nginx-auth-ldap
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Remove ngx_ldap_userinfo and custom parsing of the Authorization header

Browse Source 
The core fills both decoded user name and password into r->headers_in.user
or r->headers_in.passwd, respectively, when ngx_http_auth_basic_user() is
called. Maybe it did not work like this before, but there is definitely no
need to handle the decoding ourselves now (nginx 1.4.1).
main
Jiri Hruska 12 years ago
parent 4228721e81
commit 17fce4fe0a
1 changed files with 10 additions and 54 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 64
      ngx_http_auth_ldap_module.c

64
ngx_http_auth_ldap_module.c
Unescape View File

@ -29,11 +29,6 @@
#include <ngx_http.h> #include <ngx_http.h>
#include <ldap.h> #include <ldap.h>
typedef struct {
ngx_str_t username;
ngx_str_t password;
} ngx_ldap_userinfo;
typedef struct { typedef struct {
ngx_str_t value; ngx_str_t value;
ngx_array_t *lengths; ngx_array_t *lengths;
@ -79,9 +74,8 @@ static ngx_int_t ngx_http_auth_ldap_init(ngx_conf_t *cf);
static void * ngx_http_auth_ldap_create_loc_conf(ngx_conf_t *); static void * ngx_http_auth_ldap_create_loc_conf(ngx_conf_t *);
static char * ngx_http_auth_ldap_merge_loc_conf(ngx_conf_t *, void *, void *); static char * ngx_http_auth_ldap_merge_loc_conf(ngx_conf_t *, void *, void *);
static ngx_int_t ngx_http_auth_ldap_authenticate_against_server(ngx_http_request_t *r, ngx_http_auth_ldap_server_t *server, static ngx_int_t ngx_http_auth_ldap_authenticate_against_server(ngx_http_request_t *r, ngx_http_auth_ldap_server_t *server,
ngx_ldap_userinfo *uinfo, ngx_http_auth_ldap_loc_conf_t *conf); ngx_http_auth_ldap_loc_conf_t *conf);
static ngx_int_t ngx_http_auth_ldap_set_realm(ngx_http_request_t *r, ngx_str_t *realm); static ngx_int_t ngx_http_auth_ldap_set_realm(ngx_http_request_t *r, ngx_str_t *realm);
static ngx_ldap_userinfo * ngx_http_auth_ldap_get_user_info(ngx_http_request_t *);
static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_loc_conf_t *conf, static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_loc_conf_t *conf,
ngx_http_auth_ldap_conf_t *mconf); ngx_http_auth_ldap_conf_t *mconf);
static char * ngx_http_auth_ldap(ngx_conf_t *cf, void *post, void *data); static char * ngx_http_auth_ldap(ngx_conf_t *cf, void *post, void *data);
@ -505,38 +499,6 @@ static ngx_int_t ngx_http_auth_ldap_handler(ngx_http_request_t *r) {
return ngx_http_auth_ldap_authenticate(r, alcf, cnf); return ngx_http_auth_ldap_authenticate(r, alcf, cnf);
} }
/**
* Get login and password from http request.
*/
static ngx_ldap_userinfo*
ngx_http_auth_ldap_get_user_info(ngx_http_request_t *r) {
size_t len;
ngx_ldap_userinfo* uinfo;
u_char *uname_buf, *p;
uinfo = ngx_palloc(r->pool, sizeof(ngx_ldap_userinfo));
for (len = 0; len < r->headers_in.user.len; len++) {
if (r->headers_in.user.data[len] == ':') {
break;
}
}
uname_buf = ngx_palloc(r->pool, len + 1);
if (uname_buf == NULL) {
return NULL;
}
p = ngx_cpymem(uname_buf, r->headers_in.user.data, len);
*p = '\0';
uinfo->username.data = uname_buf;
uinfo->username.len = len;
uinfo->password.data = r->headers_in.passwd.data;
uinfo->password.len = r->headers_in.passwd.len;
return uinfo;
}
/** /**
* Read user credentials from request, set LDAP parameters and call authentication against required servers * Read user credentials from request, set LDAP parameters and call authentication against required servers
*/ */
@ -551,18 +513,12 @@ static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http
int version = LDAP_VERSION3; int version = LDAP_VERSION3;
int reqcert = LDAP_OPT_X_TLS_ALLOW; int reqcert = LDAP_OPT_X_TLS_ALLOW;
ngx_ldap_userinfo *uinfo;
struct timeval timeOut = { 10, 0 }; struct timeval timeOut = { 10, 0 };
ngx_flag_t pass = NGX_CONF_UNSET; ngx_flag_t pass = NGX_CONF_UNSET;
uinfo = ngx_http_auth_ldap_get_user_info(r); ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP username: %V", &r->headers_in.user);
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP username: %s", uinfo->username.data);
if (uinfo == NULL) {
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
if (uinfo->password.len == 0) if (r->headers_in.passwd.len == 0)
{ {
return ngx_http_auth_ldap_set_realm(r, &conf->realm); return ngx_http_auth_ldap_set_realm(r, &conf->realm);
} }
@ -586,7 +542,7 @@ static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http
server = &servers[i]; server = &servers[i];
if (server->alias.len == alias->len && ngx_strncmp(server->alias.data, alias->data, server->alias.len) == 0) { if (server->alias.len == alias->len && ngx_strncmp(server->alias.data, alias->data, server->alias.len) == 0) {
found = 1; found = 1;
pass = ngx_http_auth_ldap_authenticate_against_server(r, server, uinfo, conf); pass = ngx_http_auth_ldap_authenticate_against_server(r, server, conf);
if (pass == 1) { if (pass == 1) {
return NGX_OK; return NGX_OK;
} else if (pass == NGX_HTTP_INTERNAL_SERVER_ERROR) { } else if (pass == NGX_HTTP_INTERNAL_SERVER_ERROR) {
@ -609,7 +565,7 @@ static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http
* Actual authentication against LDAP server * Actual authentication against LDAP server
*/ */
static ngx_int_t ngx_http_auth_ldap_authenticate_against_server(ngx_http_request_t *r, ngx_http_auth_ldap_server_t *server, static ngx_int_t ngx_http_auth_ldap_authenticate_against_server(ngx_http_request_t *r, ngx_http_auth_ldap_server_t *server,
ngx_ldap_userinfo *uinfo, ngx_http_auth_ldap_loc_conf_t *conf) { ngx_http_auth_ldap_loc_conf_t *conf) {
LDAPURLDesc *ludpp = server->ludpp; LDAPURLDesc *ludpp = server->ludpp;
int rc; int rc;
@ -652,9 +608,9 @@ static ngx_int_t ngx_http_auth_ldap_authenticate_against_server(ngx_http_request
filter = ngx_pcalloc( filter = ngx_pcalloc(
r->pool, r->pool,
(ludpp->lud_filter != NULL ? ngx_strlen(ludpp->lud_filter) : ngx_strlen("(objectClass=*)")) + ngx_strlen("(&(=))") + ngx_strlen(ludpp->lud_attrs[0]) (ludpp->lud_filter != NULL ? ngx_strlen(ludpp->lud_filter) : ngx_strlen("(objectClass=*)")) + ngx_strlen("(&(=))") + ngx_strlen(ludpp->lud_attrs[0])
+ uinfo->username.len + 1); + r->headers_in.user.len + 1);
p = ngx_sprintf(filter, "(&%s(%s=%s))", ludpp->lud_filter != NULL ? ludpp->lud_filter : "(objectClass=*)", ludpp->lud_attrs[0], uinfo->username.data); p = ngx_sprintf(filter, "(&%s(%s=%V))", ludpp->lud_filter != NULL ? ludpp->lud_filter : "(objectClass=*)", ludpp->lud_attrs[0], &r->headers_in.user);
*p = 0; *p = 0;
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: filter %s", (const char*) filter); ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: filter %s", (const char*) filter);
@ -716,8 +672,8 @@ static ngx_int_t ngx_http_auth_ldap_authenticate_against_server(ngx_http_request
bvalue.bv_val = dn; bvalue.bv_val = dn;
bvalue.bv_len = ngx_strlen(dn); bvalue.bv_len = ngx_strlen(dn);
} else { } else {
bvalue.bv_val = (char*) uinfo->username.data; bvalue.bv_val = (char*) r->headers_in.user.data;
bvalue.bv_len = uinfo->username.len; bvalue.bv_len = r->headers_in.user.len;
} }
value = server->require_group->elts; value = server->require_group->elts;
@ -769,7 +725,7 @@ static ngx_int_t ngx_http_auth_ldap_authenticate_against_server(ngx_http_request
/// Check valid user /// Check valid user
if ( pass != 0 || (server->require_valid_user == 1 && server->satisfy_all == 0 && pass == 0)) { if ( pass != 0 || (server->require_valid_user == 1 && server->satisfy_all == 0 && pass == 0)) {
/// Bind user to the server /// Bind user to the server
rc = ldap_simple_bind_s(ld, dn, (const char *) uinfo->password.data); rc = ldap_simple_bind_s(ld, dn, (const char *) r->headers_in.passwd.data);
if (rc != LDAP_SUCCESS) { if (rc != LDAP_SUCCESS) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_simple_bind_s error: %d, %s", rc, ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_simple_bind_s error: %d, %s", rc,
ldap_err2string(rc)); ldap_err2string(rc));

Write Preview
Loading…
Cancel
Save