From 4e1ad9585e372be14313df223e62ef0c4498379e Mon Sep 17 00:00:00 2001
From: Valery Komarov <valery.komarov@gmail.com>
Date: Mon, 16 May 2011 23:41:15 +0400
Subject: [PATCH] add auth_ldap_require valid_user

---
 example.conf                |  2 +
 ngx_http_auth_ldap_module.c | 97 +++++++++++++++++++++----------------
 2 files changed, 56 insertions(+), 43 deletions(-)

diff --git a/example.conf b/example.conf
index 51cd0ed..bbf2c4d 100644
--- a/example.conf
+++ b/example.conf
@@ -24,6 +24,8 @@ http {
 
 	location / {
 	    auth_ldap "Closed content";
+	    
+	    #auth_ldap_require valid_user;
 	    auth_ldap_require user 'cn=Super User,ou=user,dc=example,dc=com';
 	    auth_ldap_require group 'cn=admins,ou=group,dc=example,dc=com';
 	    auth_ldap_require group 'cn=user,ou=group,dc=example,dc=com';
diff --git a/ngx_http_auth_ldap_module.c b/ngx_http_auth_ldap_module.c
index fb65ab1..98b3f2a 100644
--- a/ngx_http_auth_ldap_module.c
+++ b/ngx_http_auth_ldap_module.c
@@ -33,6 +33,7 @@ typedef struct {
 
     ngx_array_t *require_group;
     ngx_array_t *require_user;
+    ngx_flag_t require_valid_user;
     ngx_flag_t satisfy_all;
 } ngx_http_auth_ldap_loc_conf_t;
 
@@ -81,7 +82,7 @@ static ngx_command_t ngx_http_auth_ldap_commands[] = {
         NULL },
     {
         ngx_string("auth_ldap_require"),
-        NGX_HTTP_MAIN_CONF | NGX_HTTP_SRV_CONF | NGX_HTTP_LOC_CONF | NGX_HTTP_LMT_CONF | NGX_CONF_TAKE2,
+        NGX_HTTP_MAIN_CONF | NGX_HTTP_SRV_CONF | NGX_HTTP_LOC_CONF | NGX_HTTP_LMT_CONF | NGX_CONF_TAKE12,
         ngx_http_auth_ldap_require,
         NGX_HTTP_LOC_CONF_OFFSET,
         0,
@@ -190,8 +191,8 @@ ngx_http_auth_ldap_url(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) {
     }
 
     if (alcf->ludpp->lud_attrs == NULL) {
-    	ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "LDAP: No attrs in auth_ldap_url.");
-    	return NGX_CONF_ERROR;
+	ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "LDAP: No attrs in auth_ldap_url.");
+	return NGX_CONF_ERROR;
     }
 
     alcf->url.len=ngx_strlen(alcf->ludpp->lud_scheme) + ngx_strlen(alcf->ludpp->lud_host)+11; // 11 = len("://:/") + len("65535") + len("\0")
@@ -225,29 +226,33 @@ ngx_http_auth_ldap_satisfy(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) {
 
 static char *
 ngx_http_auth_ldap_require(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) {
-    ngx_http_auth_ldap_loc_conf_t *alcf = conf;
+	ngx_http_auth_ldap_loc_conf_t *alcf = conf;
 
-    ngx_str_t *value, *rule;
-    value = cf->args->elts;
+	ngx_str_t *value, *rule;
+	value = cf->args->elts;
 
-    if (alcf->require_user == NULL) {
-	alcf->require_user = ngx_array_create(cf->pool, 4, sizeof(ngx_str_t));
 	if (alcf->require_user == NULL) {
-	    return NGX_CONF_ERROR;
+		alcf->require_user = ngx_array_create(cf->pool, 4, sizeof(ngx_str_t));
+		if (alcf->require_user == NULL) {
+			return NGX_CONF_ERROR;
+		}
 	}
-    }
 
     if (alcf->require_group == NULL) {
 	alcf->require_group = ngx_array_create(cf->pool, 4, sizeof(ngx_str_t));
 	if (alcf->require_group == NULL) {
-	    return NGX_CONF_ERROR;
+		return NGX_CONF_ERROR;
 	}
     }
 
+    if (ngx_strcmp(value[1].data, "valid_user") == 0) {
+	alcf->require_valid_user=1;
+    }
+
     if (ngx_strcmp(value[1].data, "user") == 0) {
 	rule = ngx_array_push(alcf->require_user);
 	if (rule == NULL) {
-	    return NGX_CONF_ERROR;
+		return NGX_CONF_ERROR;
 	}
 	rule->data = value[2].data;
 	rule->len = value[2].len;
@@ -256,7 +261,7 @@ ngx_http_auth_ldap_require(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) {
     if (ngx_strcmp(value[1].data, "group") == 0) {
 	rule = ngx_array_push(alcf->require_group);
 	if (rule == NULL) {
-	    return NGX_CONF_ERROR;
+		return NGX_CONF_ERROR;
 	}
 	rule->data = value[2].data;
 	rule->len = value[2].len;
@@ -273,6 +278,7 @@ ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf) {
 	return NULL;
     }
     conf->satisfy_all = NGX_CONF_UNSET;
+    conf->require_valid_user = NGX_CONF_UNSET;
     conf->group_attribute_dn = NGX_CONF_UNSET;
     return conf;
 }
@@ -291,6 +297,7 @@ ngx_http_auth_ldap_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child) {
     ngx_conf_merge_str_value(conf->bind_dn_passwd, prev->bind_dn_passwd, "");
     ngx_conf_merge_str_value(conf->group_attribute, prev->group_attribute, "member");
 
+    ngx_conf_merge_value(conf->require_valid_user, prev->require_valid_user,0);
     ngx_conf_merge_value(conf->satisfy_all, prev->satisfy_all,0);
     ngx_conf_merge_value(conf->group_attribute_dn, prev->group_attribute_dn,1);
 
@@ -380,9 +387,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
     LDAPURLDesc *ludpp = conf->ludpp;
     int version = LDAP_VERSION3;
     struct berval bvalue;
-    struct timeval timeOut = {
-	10,
-	0 };
+    struct timeval timeOut = {10, 0};
     int reqcert = LDAP_OPT_X_TLS_ALLOW;
 
     int rc;
@@ -410,7 +415,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
     rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);
     if (rc != LDAP_OPT_SUCCESS) {
 	ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: unable to set require cert option: %s",
-	    ldap_err2string(rc));
+			ldap_err2string(rc));
 	return NGX_HTTP_INTERNAL_SERVER_ERROR;
     }
 
@@ -422,9 +427,9 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
 
     rc = ldap_initialize(&ld, (const char*)conf->url.data);
     if (rc != LDAP_SUCCESS) {
-    	ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: Session initializing failed: %d, %s, (%s)",
-    			rc, ldap_err2string(rc), (const char*)conf->url.data);
-    	return NGX_HTTP_INTERNAL_SERVER_ERROR;
+	ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: Session initializing failed: %d, %s, (%s)",
+			rc, ldap_err2string(rc), (const char*)conf->url.data);
+	return NGX_HTTP_INTERNAL_SERVER_ERROR;
 	}
     ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: Session initialized", NULL);
 
@@ -432,7 +437,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
     rc = ldap_simple_bind_s(ld, (const char *) conf->bind_dn.data, (const char *) conf->bind_dn_passwd.data);
     if (rc != LDAP_SUCCESS) {
 	ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_simple_bind_s error: %d, %s", rc,
-	    ldap_err2string(rc));
+			ldap_err2string(rc));
 	ldap_unbind_s(ld);
 	return NGX_HTTP_INTERNAL_SERVER_ERROR;
     }
@@ -440,7 +445,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
 
     /// Create filter for search users by uid
     filter = ngx_pcalloc(r->pool, ngx_strlen(ludpp->lud_filter)+ ngx_strlen("(&(=))")
-	    + ngx_strlen(ludpp->lud_attrs[0]) + uinfo->username.len +1);
+	+ ngx_strlen(ludpp->lud_attrs[0]) + uinfo->username.len +1);
     p = ngx_sprintf(filter, "(&%s(%s=%s))", ludpp->lud_filter,ludpp->lud_attrs[0], uinfo->username.data);
     *p = 0;
 
@@ -452,7 +457,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
 
     if (rc != LDAP_SUCCESS) {
 	ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_search_ext_s: %d, %s", rc,
-	    ldap_err2string(rc));
+			ldap_err2string(rc));
 	ldap_msgfree(searchResult);
 	ldap_unbind_s(ld);
 	return NGX_HTTP_INTERNAL_SERVER_ERROR;
@@ -467,20 +472,20 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
 	    value = conf->require_user->elts;
 	    for (i = 0; i < conf->require_user->nelts; i++) {
 		ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: compare with: %s",
-		    value[i].data);
+				value[i].data);
 		if (ngx_strncmp(value[i].data, dn, value[i].len) == 0) {
-		    pass = 1;
-		    if (conf->satisfy_all == 0) {
-			break;
-		    }
+			pass = 1;
+			if (conf->satisfy_all == 0) {
+				break;
+			}
 		} else {
-		    if (conf->satisfy_all == 1) {
-			ldap_memfree(dn);
-			ldap_msgfree(searchResult);
-			ldap_unbind_s(ld);
-			return ngx_http_auth_ldap_set_realm(r, &conf->realm);
-		    }
-		}
+			if (conf->satisfy_all == 1) {
+				ldap_memfree(dn);
+				ldap_msgfree(searchResult);
+				ldap_unbind_s(ld);
+				return ngx_http_auth_ldap_set_realm(r, &conf->realm);
+			}
+	    	}
 	    }
 
 	    /// Check require group
@@ -496,11 +501,11 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
 	    value = conf->require_group->elts;
 	    for (i = 0; i < conf->require_group->nelts; i++) {
 		ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: compare with: %s",
-		    value[i].data);
+				value[i].data);
 
 		rc = ldap_compare_ext_s(ld, (const char*) value[i].data,
-			(const char*) conf->group_attribute.data,
-			&bvalue, NULL, NULL);
+				(const char*) conf->group_attribute.data,
+				&bvalue, NULL, NULL);
 
 		if (rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE) {
 		    ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_search_ext_s: %d, %s", rc,
@@ -524,16 +529,22 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
 		}
 	    }
 
-	    if (pass == 1) {
+	    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: result DN1 %d", conf->require_valid_user);
+	    if (pass == 1 || (conf->require_valid_user == 1)) {
 		/// Bind user to the server
 		rc = ldap_simple_bind_s(ld, dn, (const char *) uinfo->password.data);
 		if (rc != LDAP_SUCCESS) {
-		    ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
-			"LDAP: ldap_simple_bind_s error: %d, %s", rc, ldap_err2string(rc));
-		    pass = 0;
+			ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+					"LDAP: ldap_simple_bind_s error: %d, %s", rc, ldap_err2string(rc));
+			pass = 0;
+		} else
+		{
+			ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+					"LDAP: User bind successful", NULL);
+			pass = 1;
 		}
-		ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: User bind successful", NULL);
 	    }
+
 	}
 	ldap_memfree(dn);
     }