diff --git a/example.conf b/example.conf index 51cd0ed..bbf2c4d 100644 --- a/example.conf +++ b/example.conf @@ -24,6 +24,8 @@ http { location / { auth_ldap "Closed content"; + + #auth_ldap_require valid_user; auth_ldap_require user 'cn=Super User,ou=user,dc=example,dc=com'; auth_ldap_require group 'cn=admins,ou=group,dc=example,dc=com'; auth_ldap_require group 'cn=user,ou=group,dc=example,dc=com'; diff --git a/ngx_http_auth_ldap_module.c b/ngx_http_auth_ldap_module.c index fb65ab1..98b3f2a 100644 --- a/ngx_http_auth_ldap_module.c +++ b/ngx_http_auth_ldap_module.c @@ -33,6 +33,7 @@ typedef struct { ngx_array_t *require_group; ngx_array_t *require_user; + ngx_flag_t require_valid_user; ngx_flag_t satisfy_all; } ngx_http_auth_ldap_loc_conf_t; @@ -81,7 +82,7 @@ static ngx_command_t ngx_http_auth_ldap_commands[] = { NULL }, { ngx_string("auth_ldap_require"), - NGX_HTTP_MAIN_CONF | NGX_HTTP_SRV_CONF | NGX_HTTP_LOC_CONF | NGX_HTTP_LMT_CONF | NGX_CONF_TAKE2, + NGX_HTTP_MAIN_CONF | NGX_HTTP_SRV_CONF | NGX_HTTP_LOC_CONF | NGX_HTTP_LMT_CONF | NGX_CONF_TAKE12, ngx_http_auth_ldap_require, NGX_HTTP_LOC_CONF_OFFSET, 0, @@ -190,8 +191,8 @@ ngx_http_auth_ldap_url(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { } if (alcf->ludpp->lud_attrs == NULL) { - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "LDAP: No attrs in auth_ldap_url."); - return NGX_CONF_ERROR; + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "LDAP: No attrs in auth_ldap_url."); + return NGX_CONF_ERROR; } alcf->url.len=ngx_strlen(alcf->ludpp->lud_scheme) + ngx_strlen(alcf->ludpp->lud_host)+11; // 11 = len("://:/") + len("65535") + len("\0") @@ -225,29 +226,33 @@ ngx_http_auth_ldap_satisfy(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { static char * ngx_http_auth_ldap_require(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { - ngx_http_auth_ldap_loc_conf_t *alcf = conf; + ngx_http_auth_ldap_loc_conf_t *alcf = conf; - ngx_str_t *value, *rule; - value = cf->args->elts; + ngx_str_t *value, *rule; + value = cf->args->elts; - if (alcf->require_user == NULL) { - alcf->require_user = ngx_array_create(cf->pool, 4, sizeof(ngx_str_t)); if (alcf->require_user == NULL) { - return NGX_CONF_ERROR; + alcf->require_user = ngx_array_create(cf->pool, 4, sizeof(ngx_str_t)); + if (alcf->require_user == NULL) { + return NGX_CONF_ERROR; + } } - } if (alcf->require_group == NULL) { alcf->require_group = ngx_array_create(cf->pool, 4, sizeof(ngx_str_t)); if (alcf->require_group == NULL) { - return NGX_CONF_ERROR; + return NGX_CONF_ERROR; } } + if (ngx_strcmp(value[1].data, "valid_user") == 0) { + alcf->require_valid_user=1; + } + if (ngx_strcmp(value[1].data, "user") == 0) { rule = ngx_array_push(alcf->require_user); if (rule == NULL) { - return NGX_CONF_ERROR; + return NGX_CONF_ERROR; } rule->data = value[2].data; rule->len = value[2].len; @@ -256,7 +261,7 @@ ngx_http_auth_ldap_require(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { if (ngx_strcmp(value[1].data, "group") == 0) { rule = ngx_array_push(alcf->require_group); if (rule == NULL) { - return NGX_CONF_ERROR; + return NGX_CONF_ERROR; } rule->data = value[2].data; rule->len = value[2].len; @@ -273,6 +278,7 @@ ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf) { return NULL; } conf->satisfy_all = NGX_CONF_UNSET; + conf->require_valid_user = NGX_CONF_UNSET; conf->group_attribute_dn = NGX_CONF_UNSET; return conf; } @@ -291,6 +297,7 @@ ngx_http_auth_ldap_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child) { ngx_conf_merge_str_value(conf->bind_dn_passwd, prev->bind_dn_passwd, ""); ngx_conf_merge_str_value(conf->group_attribute, prev->group_attribute, "member"); + ngx_conf_merge_value(conf->require_valid_user, prev->require_valid_user,0); ngx_conf_merge_value(conf->satisfy_all, prev->satisfy_all,0); ngx_conf_merge_value(conf->group_attribute_dn, prev->group_attribute_dn,1); @@ -380,9 +387,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t LDAPURLDesc *ludpp = conf->ludpp; int version = LDAP_VERSION3; struct berval bvalue; - struct timeval timeOut = { - 10, - 0 }; + struct timeval timeOut = {10, 0}; int reqcert = LDAP_OPT_X_TLS_ALLOW; int rc; @@ -410,7 +415,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert); if (rc != LDAP_OPT_SUCCESS) { ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: unable to set require cert option: %s", - ldap_err2string(rc)); + ldap_err2string(rc)); return NGX_HTTP_INTERNAL_SERVER_ERROR; } @@ -422,9 +427,9 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t rc = ldap_initialize(&ld, (const char*)conf->url.data); if (rc != LDAP_SUCCESS) { - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: Session initializing failed: %d, %s, (%s)", - rc, ldap_err2string(rc), (const char*)conf->url.data); - return NGX_HTTP_INTERNAL_SERVER_ERROR; + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: Session initializing failed: %d, %s, (%s)", + rc, ldap_err2string(rc), (const char*)conf->url.data); + return NGX_HTTP_INTERNAL_SERVER_ERROR; } ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: Session initialized", NULL); @@ -432,7 +437,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t rc = ldap_simple_bind_s(ld, (const char *) conf->bind_dn.data, (const char *) conf->bind_dn_passwd.data); if (rc != LDAP_SUCCESS) { ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_simple_bind_s error: %d, %s", rc, - ldap_err2string(rc)); + ldap_err2string(rc)); ldap_unbind_s(ld); return NGX_HTTP_INTERNAL_SERVER_ERROR; } @@ -440,7 +445,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t /// Create filter for search users by uid filter = ngx_pcalloc(r->pool, ngx_strlen(ludpp->lud_filter)+ ngx_strlen("(&(=))") - + ngx_strlen(ludpp->lud_attrs[0]) + uinfo->username.len +1); + + ngx_strlen(ludpp->lud_attrs[0]) + uinfo->username.len +1); p = ngx_sprintf(filter, "(&%s(%s=%s))", ludpp->lud_filter,ludpp->lud_attrs[0], uinfo->username.data); *p = 0; @@ -452,7 +457,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t if (rc != LDAP_SUCCESS) { ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_search_ext_s: %d, %s", rc, - ldap_err2string(rc)); + ldap_err2string(rc)); ldap_msgfree(searchResult); ldap_unbind_s(ld); return NGX_HTTP_INTERNAL_SERVER_ERROR; @@ -467,20 +472,20 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t value = conf->require_user->elts; for (i = 0; i < conf->require_user->nelts; i++) { ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: compare with: %s", - value[i].data); + value[i].data); if (ngx_strncmp(value[i].data, dn, value[i].len) == 0) { - pass = 1; - if (conf->satisfy_all == 0) { - break; - } + pass = 1; + if (conf->satisfy_all == 0) { + break; + } } else { - if (conf->satisfy_all == 1) { - ldap_memfree(dn); - ldap_msgfree(searchResult); - ldap_unbind_s(ld); - return ngx_http_auth_ldap_set_realm(r, &conf->realm); - } - } + if (conf->satisfy_all == 1) { + ldap_memfree(dn); + ldap_msgfree(searchResult); + ldap_unbind_s(ld); + return ngx_http_auth_ldap_set_realm(r, &conf->realm); + } + } } /// Check require group @@ -496,11 +501,11 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t value = conf->require_group->elts; for (i = 0; i < conf->require_group->nelts; i++) { ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: compare with: %s", - value[i].data); + value[i].data); rc = ldap_compare_ext_s(ld, (const char*) value[i].data, - (const char*) conf->group_attribute.data, - &bvalue, NULL, NULL); + (const char*) conf->group_attribute.data, + &bvalue, NULL, NULL); if (rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE) { ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_search_ext_s: %d, %s", rc, @@ -524,16 +529,22 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t } } - if (pass == 1) { + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: result DN1 %d", conf->require_valid_user); + if (pass == 1 || (conf->require_valid_user == 1)) { /// Bind user to the server rc = ldap_simple_bind_s(ld, dn, (const char *) uinfo->password.data); if (rc != LDAP_SUCCESS) { - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "LDAP: ldap_simple_bind_s error: %d, %s", rc, ldap_err2string(rc)); - pass = 0; + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "LDAP: ldap_simple_bind_s error: %d, %s", rc, ldap_err2string(rc)); + pass = 0; + } else + { + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "LDAP: User bind successful", NULL); + pass = 1; } - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: User bind successful", NULL); } + } ldap_memfree(dn); }