main
Valery Komarov 13 years ago
parent 4e617f9794
commit 440428e3c0
  1. 106
      ngx_http_auth_ldap_module.c

@ -20,6 +20,12 @@ typedef struct {
ngx_str_t password; ngx_str_t password;
} ngx_ldap_userinfo; } ngx_ldap_userinfo;
typedef struct {
ngx_str_t value;
ngx_array_t *lengths;
ngx_array_t *values;
} ngx_ldap_require_t;
typedef struct { typedef struct {
LDAPURLDesc *ludpp; LDAPURLDesc *ludpp;
ngx_str_t url; ngx_str_t url;
@ -31,8 +37,8 @@ typedef struct {
ngx_str_t group_attribute; ngx_str_t group_attribute;
ngx_flag_t group_attribute_dn; ngx_flag_t group_attribute_dn;
ngx_array_t *require_group; ngx_array_t *require_group; /* array of ngx_ldap_require_t */
ngx_array_t *require_user; ngx_array_t *require_user; /* array of ngx_ldap_require_t */
ngx_flag_t require_valid_user; ngx_flag_t require_valid_user;
ngx_flag_t satisfy_all; ngx_flag_t satisfy_all;
} ngx_http_auth_ldap_loc_conf_t; } ngx_http_auth_ldap_loc_conf_t;
@ -123,7 +129,8 @@ static ngx_http_module_t ngx_http_auth_ldap_module_ctx = {
}; };
ngx_module_t ngx_http_auth_ldap_module = { ngx_module_t ngx_http_auth_ldap_module = {
NGX_MODULE_V1, &ngx_http_auth_ldap_module_ctx, /* module context */ NGX_MODULE_V1,
&ngx_http_auth_ldap_module_ctx, /* module context */
ngx_http_auth_ldap_commands, /* module directives */ ngx_http_auth_ldap_commands, /* module directives */
NGX_HTTP_MODULE, /* module type */ NGX_HTTP_MODULE, /* module type */
NULL, /* init master */ NULL, /* init master */
@ -226,20 +233,22 @@ ngx_http_auth_ldap_satisfy(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) {
static char * static char *
ngx_http_auth_ldap_require(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { ngx_http_auth_ldap_require(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) {
ngx_http_script_compile_t sc;
ngx_http_auth_ldap_loc_conf_t *alcf = conf; ngx_http_auth_ldap_loc_conf_t *alcf = conf;
ngx_str_t *value;
ngx_str_t *value, *rule;
value = cf->args->elts; value = cf->args->elts;
if (alcf->require_user == NULL) { if (alcf->require_user == NULL) {
alcf->require_user = ngx_array_create(cf->pool, 4, sizeof(ngx_str_t)); alcf->require_user = ngx_array_create(cf->pool, 4, sizeof(ngx_ldap_require_t));
if (alcf->require_user == NULL) { if (alcf->require_user == NULL) {
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
} }
if (alcf->require_group == NULL) { if (alcf->require_group == NULL) {
alcf->require_group = ngx_array_create(cf->pool, 4, sizeof(ngx_str_t)); alcf->require_group = ngx_array_create(cf->pool, 4, sizeof(ngx_ldap_require_t));
if (alcf->require_group == NULL) { if (alcf->require_group == NULL) {
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
@ -249,22 +258,42 @@ ngx_http_auth_ldap_require(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) {
alcf->require_valid_user = 1; alcf->require_valid_user = 1;
} }
if (ngx_strcmp(value[1].data, "user") == 0 || ngx_strcmp(value[1].data, "group") == 0)
{
ngx_int_t n;
ngx_ldap_require_t *rule = NULL;
if (ngx_strcmp(value[1].data, "user") == 0) { if (ngx_strcmp(value[1].data, "user") == 0) {
rule = ngx_array_push(alcf->require_user); rule = ngx_array_push(alcf->require_user);
if (rule == NULL) {
return NGX_CONF_ERROR;
}
rule->data = value[2].data;
rule->len = value[2].len;
} }
if (ngx_strcmp(value[1].data, "group") == 0) { if (ngx_strcmp(value[1].data, "group") == 0) {
rule = ngx_array_push(alcf->require_group); rule = ngx_array_push(alcf->require_group);
}
if (rule == NULL) { if (rule == NULL) {
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
rule->data = value[2].data;
rule->len = value[2].len; rule->value.data = value[2].data;
rule->value.len = value[2].len;
rule->values = NULL;
rule->lengths = NULL;
n = ngx_http_script_variables_count(&value[2]);
if(n > 0) {
ngx_memzero(&sc, sizeof(ngx_http_script_compile_t));
sc.cf = cf;
sc.source = &value[2];
sc.lengths = &rule->lengths;
sc.values = &rule->values;
sc.complete_lengths = 1;
sc.complete_values = 1;
if (ngx_http_script_compile(&sc) != NGX_OK) {
return NGX_CONF_ERROR;
}
}
} }
return NGX_CONF_OK; return NGX_CONF_OK;
@ -392,7 +421,7 @@ static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http
int rc; int rc;
int isSecure = 0; int isSecure = 0;
ngx_uint_t i; ngx_uint_t i;
ngx_str_t *value; ngx_ldap_require_t *value;
ngx_ldap_userinfo *uinfo; ngx_ldap_userinfo *uinfo;
ngx_flag_t pass = NGX_CONF_UNSET; ngx_flag_t pass = NGX_CONF_UNSET;
@ -473,8 +502,26 @@ static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http
if (conf->require_user != NULL) { if (conf->require_user != NULL) {
value = conf->require_user->elts; value = conf->require_user->elts;
for (i = 0; i < conf->require_user->nelts; i++) { for (i = 0; i < conf->require_user->nelts; i++) {
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: compare with: %s", value[i].data); ngx_str_t val;
if (ngx_strncmp(value[i].data, dn, value[i].len) == 0) { if (value[i].lengths == NULL)
{
val = value[i].value;
}
else
{
if (ngx_http_script_run(r, &val, value[i].lengths->elts, 0,
value[i].values->elts) == NULL)
{
ldap_memfree(dn);
ldap_msgfree(searchResult);
ldap_unbind_s(ld);
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
val.data[val.len] = '\0';
}
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: compare with: %s", val.data);
if (ngx_strncmp(val.data, dn, val.len) == 0) {
pass = 1; pass = 1;
if (conf->satisfy_all == 0) { if (conf->satisfy_all == 0) {
break; break;
@ -501,20 +548,39 @@ static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http
} }
value = conf->require_group->elts; value = conf->require_group->elts;
for (i = 0; i < conf->require_group->nelts; i++) { for (i = 0; i < conf->require_group->nelts; i++) {
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: compare with: %s", value[i].data); ngx_str_t val;
if (value[i].lengths == NULL)
{
val = value[i].value;
}
else
{
if (ngx_http_script_run(r, &val, value[i].lengths->elts, 0,
value[i].values->elts) == NULL)
{
ldap_memfree(dn);
ldap_msgfree(searchResult);
ldap_unbind_s(ld);
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
val.data[val.len] = '\0';
}
rc = ldap_compare_ext_s(ld, (const char*) value[i].data, (const char*) conf->group_attribute.data, ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: group compare with: %s", val.data);
rc = ldap_compare_ext_s(ld, (const char*) val.data, (const char*) conf->group_attribute.data,
&bvalue, NULL, NULL); &bvalue, NULL, NULL);
if (rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE && rc != LDAP_NO_SUCH_ATTRIBUTE ) { /*if (rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE && rc != LDAP_NO_SUCH_ATTRIBUTE ) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_search_ext_s: %d, %s", rc, ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_search_ext_s: %d, %s", rc,
ldap_err2string(rc)); ldap_err2string(rc));
ldap_memfree(dn); ldap_memfree(dn);
ldap_msgfree(searchResult); ldap_msgfree(searchResult);
ldap_unbind_s(ld); ldap_unbind_s(ld);
return NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_INTERNAL_SERVER_ERROR;
} }*/
if (rc == LDAP_COMPARE_TRUE) { if (rc == LDAP_COMPARE_TRUE) {
pass = 1; pass = 1;

Loading…
Cancel
Save