mirror of
https://github.com/mainnika/nginx-auth-ldap.git
synced 2026-06-13 02:13:36 +00:00
Fixing authentization process
This commit is contained in:
Tomáš Golembiovský
+50
-23
@@ -42,6 +42,14 @@
|
|||||||
extern int ldap_init_fd(ber_socket_t fd, int proto, const char *url, LDAP **ld);
|
extern int ldap_init_fd(ber_socket_t fd, int proto, const char *url, LDAP **ld);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#define OUTCOME_ERROR -1 /* Some error occured in the process */
|
||||||
|
#define OUTCOME_DENY 0
|
||||||
|
#define OUTCOME_ALLOW 1
|
||||||
|
#define OUTCOME_CACHED_DENY 2 /* Cached results */
|
||||||
|
#define OUTCOME_CACHED_ALLOW 3
|
||||||
|
#define OUTCOME_UNCERTAIN 4 /* Not yet decided */
|
||||||
|
|
||||||
|
|
||||||
typedef struct {
|
typedef struct {
|
||||||
LDAPURLDesc *ludpp;
|
LDAPURLDesc *ludpp;
|
||||||
ngx_str_t url;
|
ngx_str_t url;
|
||||||
@@ -82,7 +90,7 @@ typedef struct {
|
|||||||
|
|
||||||
typedef struct {
|
typedef struct {
|
||||||
uint32_t small_hash; /* murmur2 hash of username ^ &server */
|
uint32_t small_hash; /* murmur2 hash of username ^ &server */
|
||||||
uint32_t outcome; /* 0 = authentication failed, 1 = succeeded */
|
uint32_t outcome; /* OUTCOME_DENY or OUTCOME_ALLOW */
|
||||||
ngx_msec_t time; /* ngx_current_msec when created */
|
ngx_msec_t time; /* ngx_current_msec when created */
|
||||||
u_char big_hash[16]; /* md5 hash of (username, server, password) */
|
u_char big_hash[16]; /* md5 hash of (username, server, password) */
|
||||||
} ngx_http_auth_ldap_cache_elt_t;
|
} ngx_http_auth_ldap_cache_elt_t;
|
||||||
@@ -1560,7 +1568,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
|
|||||||
switch (ctx->phase) {
|
switch (ctx->phase) {
|
||||||
case PHASE_START:
|
case PHASE_START:
|
||||||
ctx->server = ((ngx_http_auth_ldap_server_t **) conf->servers->elts)[ctx->server_index];
|
ctx->server = ((ngx_http_auth_ldap_server_t **) conf->servers->elts)[ctx->server_index];
|
||||||
ctx->outcome = -1;
|
ctx->outcome = OUTCOME_UNCERTAIN;
|
||||||
|
|
||||||
ngx_add_timer(r->connection->write, 10000); /* TODO: Per-server request timeout */
|
ngx_add_timer(r->connection->write, 10000); /* TODO: Per-server request timeout */
|
||||||
|
|
||||||
@@ -1568,8 +1576,8 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
|
|||||||
if (ngx_http_auth_ldap_cache.buckets != NULL) {
|
if (ngx_http_auth_ldap_cache.buckets != NULL) {
|
||||||
rc = ngx_http_auth_ldap_check_cache(r, ctx, &ngx_http_auth_ldap_cache, ctx->server);
|
rc = ngx_http_auth_ldap_check_cache(r, ctx, &ngx_http_auth_ldap_cache, ctx->server);
|
||||||
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Using cached outcome %d", rc);
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Using cached outcome %d", rc);
|
||||||
if (rc == 0 || rc == 1) {
|
if (rc == OUTCOME_DENY || rc == OUTCOME_ALLOW) {
|
||||||
ctx->outcome = 2 + rc;
|
ctx->outcome = (rc == OUTCOME_DENY ? OUTCOME_CACHED_DENY : OUTCOME_CACHED_ALLOW);
|
||||||
ctx->phase = PHASE_NEXT;
|
ctx->phase = PHASE_NEXT;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@@ -1619,8 +1627,10 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/* User validated, check group next */
|
/* User not yet fully authenticated, check group next */
|
||||||
if (ctx->server->require_group != NULL) {
|
if ((ctx->outcome == OUTCOME_UNCERTAIN) &&
|
||||||
|
(ctx->server->require_group != NULL)) {
|
||||||
|
|
||||||
ctx->phase = PHASE_CHECK_GROUP;
|
ctx->phase = PHASE_CHECK_GROUP;
|
||||||
ctx->iteration = 0;
|
ctx->iteration = 0;
|
||||||
break;
|
break;
|
||||||
@@ -1649,6 +1659,26 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case PHASE_CHECK_BIND:
|
case PHASE_CHECK_BIND:
|
||||||
|
|
||||||
|
if (ctx->outcome == OUTCOME_UNCERTAIN) {
|
||||||
|
/* If we're still uncertain when satisfy is 'any' and there
|
||||||
|
* is at least one require user/group rule, it means no
|
||||||
|
* rule has matched.
|
||||||
|
*/
|
||||||
|
if ((ctx->server->satisfy_all == 0) && (
|
||||||
|
(ctx->server->require_user != NULL) ||
|
||||||
|
(ctx->server->require_group != NULL))){
|
||||||
|
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: no requirement satisfied");
|
||||||
|
ctx->outcome = OUTCOME_DENY;
|
||||||
|
ctx->phase = PHASE_NEXT;
|
||||||
|
/*rc = NGX_DECLINED;*/
|
||||||
|
break;
|
||||||
|
} else {
|
||||||
|
/* So far so good */
|
||||||
|
ctx->outcome = OUTCOME_ALLOW;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (ctx->server->require_valid_user == 0) {
|
if (ctx->server->require_valid_user == 0) {
|
||||||
ctx->phase = PHASE_NEXT;
|
ctx->phase = PHASE_NEXT;
|
||||||
break;
|
break;
|
||||||
@@ -1687,12 +1717,13 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
|
|||||||
ngx_http_auth_ldap_return_connection(ctx->c);
|
ngx_http_auth_ldap_return_connection(ctx->c);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ngx_http_auth_ldap_cache.buckets != NULL && (ctx->outcome == 0 || ctx->outcome == 1)) {
|
if (ngx_http_auth_ldap_cache.buckets != NULL &&
|
||||||
|
(ctx->outcome == OUTCOME_DENY || ctx->outcome == OUTCOME_ALLOW)) {
|
||||||
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Caching outcome %d", ctx->outcome);
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Caching outcome %d", ctx->outcome);
|
||||||
ngx_http_auth_ldap_update_cache(ctx, &ngx_http_auth_ldap_cache, ctx->outcome);
|
ngx_http_auth_ldap_update_cache(ctx, &ngx_http_auth_ldap_cache, ctx->outcome);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ctx->outcome == 1 || ctx->outcome == 2 + 1) {
|
if (ctx->outcome == OUTCOME_ALLOW || ctx->outcome == OUTCOME_CACHED_ALLOW) {
|
||||||
return NGX_OK;
|
return NGX_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1775,19 +1806,19 @@ ngx_http_auth_ldap_check_user(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *c
|
|||||||
for (i = 0; i < ctx->server->require_user->nelts; i++) {
|
for (i = 0; i < ctx->server->require_user->nelts; i++) {
|
||||||
ngx_str_t val;
|
ngx_str_t val;
|
||||||
if (ngx_http_complex_value(r, &values[i], &val) != NGX_OK) {
|
if (ngx_http_complex_value(r, &values[i], &val) != NGX_OK) {
|
||||||
ctx->outcome = -1;
|
ctx->outcome = OUTCOME_ERROR;
|
||||||
return NGX_ERROR;
|
return NGX_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Comparing user DN with \"%V\"", &val);
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: Comparing user DN with \"%V\"", &val);
|
||||||
if (val.len == ctx->dn.len && ngx_memcmp(val.data, ctx->dn.data, val.len) == 0) {
|
if (val.len == ctx->dn.len && ngx_memcmp(val.data, ctx->dn.data, val.len) == 0) {
|
||||||
if (ctx->server->satisfy_all == 0) {
|
if (ctx->server->satisfy_all == 0) {
|
||||||
ctx->outcome = 1;
|
ctx->outcome = OUTCOME_ALLOW;
|
||||||
return NGX_OK;
|
return NGX_OK;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if (ctx->server->satisfy_all == 1) {
|
if (ctx->server->satisfy_all == 1) {
|
||||||
ctx->outcome = 0;
|
ctx->outcome = OUTCOME_DENY;
|
||||||
return NGX_DECLINED;
|
return NGX_DECLINED;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -1807,12 +1838,12 @@ ngx_http_auth_ldap_check_group(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *
|
|||||||
if (ctx->iteration > 0) {
|
if (ctx->iteration > 0) {
|
||||||
if (ctx->error_code == LDAP_COMPARE_TRUE) {
|
if (ctx->error_code == LDAP_COMPARE_TRUE) {
|
||||||
if (ctx->server->satisfy_all == 0) {
|
if (ctx->server->satisfy_all == 0) {
|
||||||
ctx->outcome = 1;
|
ctx->outcome = OUTCOME_ALLOW;
|
||||||
return NGX_OK;
|
return NGX_OK;
|
||||||
}
|
}
|
||||||
} else if (ctx->error_code == LDAP_COMPARE_FALSE || ctx->error_code == LDAP_NO_SUCH_ATTRIBUTE) {
|
} else if (ctx->error_code == LDAP_COMPARE_FALSE || ctx->error_code == LDAP_NO_SUCH_ATTRIBUTE) {
|
||||||
if (ctx->server->satisfy_all == 1) {
|
if (ctx->server->satisfy_all == 1) {
|
||||||
ctx->outcome = 0;
|
ctx->outcome = OUTCOME_DENY;
|
||||||
return NGX_DECLINED;
|
return NGX_DECLINED;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
@@ -1825,12 +1856,8 @@ ngx_http_auth_ldap_check_group(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *
|
|||||||
/* Check next group */
|
/* Check next group */
|
||||||
if (ctx->iteration >= ctx->server->require_group->nelts) {
|
if (ctx->iteration >= ctx->server->require_group->nelts) {
|
||||||
/* No more groups */
|
/* No more groups */
|
||||||
if (ctx->server->satisfy_all == 0) {
|
|
||||||
return NGX_DECLINED;
|
|
||||||
} else {
|
|
||||||
return NGX_OK;
|
return NGX_OK;
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
if (!ngx_http_auth_ldap_get_connection(ctx)) {
|
if (!ngx_http_auth_ldap_get_connection(ctx)) {
|
||||||
return NGX_AGAIN;
|
return NGX_AGAIN;
|
||||||
@@ -1839,7 +1866,7 @@ ngx_http_auth_ldap_check_group(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *
|
|||||||
ngx_str_t val;
|
ngx_str_t val;
|
||||||
values = ctx->server->require_group->elts;
|
values = ctx->server->require_group->elts;
|
||||||
if (ngx_http_complex_value(r, &values[ctx->iteration], &val) != NGX_OK) {
|
if (ngx_http_complex_value(r, &values[ctx->iteration], &val) != NGX_OK) {
|
||||||
ctx->outcome = -1;
|
ctx->outcome = OUTCOME_ERROR;
|
||||||
ngx_http_auth_ldap_return_connection(ctx->c);
|
ngx_http_auth_ldap_return_connection(ctx->c);
|
||||||
return NGX_ERROR;
|
return NGX_ERROR;
|
||||||
}
|
}
|
||||||
@@ -1859,7 +1886,7 @@ ngx_http_auth_ldap_check_group(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *
|
|||||||
if (rc != LDAP_SUCCESS) {
|
if (rc != LDAP_SUCCESS) {
|
||||||
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "http_auth_ldap: ldap_compare_ext() failed (%d: %s)",
|
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "http_auth_ldap: ldap_compare_ext() failed (%d: %s)",
|
||||||
rc, ldap_err2string(rc));
|
rc, ldap_err2string(rc));
|
||||||
ctx->outcome = -1;
|
ctx->outcome = OUTCOME_ERROR;
|
||||||
ngx_http_auth_ldap_return_connection(ctx->c);
|
ngx_http_auth_ldap_return_connection(ctx->c);
|
||||||
return NGX_ERROR;
|
return NGX_ERROR;
|
||||||
}
|
}
|
||||||
@@ -1892,7 +1919,7 @@ ngx_http_auth_ldap_check_bind(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *c
|
|||||||
if (rc != LDAP_SUCCESS) {
|
if (rc != LDAP_SUCCESS) {
|
||||||
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, "http_auth_ldap: ldap_sasl_bind() failed (%d: %s)",
|
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, "http_auth_ldap: ldap_sasl_bind() failed (%d: %s)",
|
||||||
rc, ldap_err2string(rc));
|
rc, ldap_err2string(rc));
|
||||||
ctx->outcome = -1;
|
ctx->outcome = OUTCOME_ERROR;
|
||||||
ngx_http_auth_ldap_return_connection(ctx->c);
|
ngx_http_auth_ldap_return_connection(ctx->c);
|
||||||
return NGX_ERROR;
|
return NGX_ERROR;
|
||||||
}
|
}
|
||||||
@@ -1908,10 +1935,10 @@ ngx_http_auth_ldap_check_bind(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *c
|
|||||||
if (ctx->error_code != LDAP_SUCCESS) {
|
if (ctx->error_code != LDAP_SUCCESS) {
|
||||||
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "http_auth_ldap: User bind failed (%d: %s)",
|
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "http_auth_ldap: User bind failed (%d: %s)",
|
||||||
ctx->error_code, ldap_err2string(ctx->error_code));
|
ctx->error_code, ldap_err2string(ctx->error_code));
|
||||||
ctx->outcome = 0;
|
ctx->outcome = OUTCOME_DENY;
|
||||||
} else {
|
} else {
|
||||||
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: User bind successful");
|
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: User bind successful");
|
||||||
ctx->outcome = 1;
|
ctx->outcome = OUTCOME_ALLOW;
|
||||||
}
|
}
|
||||||
return NGX_OK;
|
return NGX_OK;
|
||||||
}
|
}
|
||||||
@@ -1935,7 +1962,7 @@ ngx_http_auth_ldap_recover_bind(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
|
|||||||
if (rc != LDAP_SUCCESS) {
|
if (rc != LDAP_SUCCESS) {
|
||||||
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, "http_auth_ldap: ldap_sasl_bind() failed (%d: %s)",
|
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, "http_auth_ldap: ldap_sasl_bind() failed (%d: %s)",
|
||||||
rc, ldap_err2string(rc));
|
rc, ldap_err2string(rc));
|
||||||
ctx->outcome = -1;
|
ctx->outcome = OUTCOME_ERROR;
|
||||||
ngx_http_auth_ldap_return_connection(ctx->c);
|
ngx_http_auth_ldap_return_connection(ctx->c);
|
||||||
return NGX_ERROR;
|
return NGX_ERROR;
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user