mainnika
/
nginx-auth-ldap
mirror of https://github.com/mainnika/nginx-auth-ldap
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

add auth_ldap_require valid_user

Browse Source
main
Valery Komarov 14 years ago
parent 29ca665654
commit 4e1ad9585e
2 changed files with 56 additions and 43 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 2
      example.conf
  2. 97
      ngx_http_auth_ldap_module.c

2
example.conf
Unescape View File

@ -24,6 +24,8 @@ http {
location / { location / {
auth_ldap "Closed content"; auth_ldap "Closed content";
#auth_ldap_require valid_user;
auth_ldap_require user 'cn=Super User,ou=user,dc=example,dc=com'; auth_ldap_require user 'cn=Super User,ou=user,dc=example,dc=com';
auth_ldap_require group 'cn=admins,ou=group,dc=example,dc=com'; auth_ldap_require group 'cn=admins,ou=group,dc=example,dc=com';
auth_ldap_require group 'cn=user,ou=group,dc=example,dc=com'; auth_ldap_require group 'cn=user,ou=group,dc=example,dc=com';

97
ngx_http_auth_ldap_module.c
Unescape View File

@ -33,6 +33,7 @@ typedef struct {
ngx_array_t *require_group; ngx_array_t *require_group;
ngx_array_t *require_user; ngx_array_t *require_user;
ngx_flag_t require_valid_user;
ngx_flag_t satisfy_all; ngx_flag_t satisfy_all;
} ngx_http_auth_ldap_loc_conf_t; } ngx_http_auth_ldap_loc_conf_t;
@ -81,7 +82,7 @@ static ngx_command_t ngx_http_auth_ldap_commands[] = {
NULL }, NULL },
{ {
ngx_string("auth_ldap_require"), ngx_string("auth_ldap_require"),
NGX_HTTP_MAIN_CONF | NGX_HTTP_SRV_CONF | NGX_HTTP_LOC_CONF | NGX_HTTP_LMT_CONF | NGX_CONF_TAKE2, NGX_HTTP_MAIN_CONF | NGX_HTTP_SRV_CONF | NGX_HTTP_LOC_CONF | NGX_HTTP_LMT_CONF | NGX_CONF_TAKE12,
ngx_http_auth_ldap_require, ngx_http_auth_ldap_require,
NGX_HTTP_LOC_CONF_OFFSET, NGX_HTTP_LOC_CONF_OFFSET,
0, 0,
@ -190,8 +191,8 @@ ngx_http_auth_ldap_url(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) {
} }
if (alcf->ludpp->lud_attrs == NULL) { if (alcf->ludpp->lud_attrs == NULL) {
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "LDAP: No attrs in auth_ldap_url."); ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "LDAP: No attrs in auth_ldap_url.");
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
alcf->url.len=ngx_strlen(alcf->ludpp->lud_scheme) + ngx_strlen(alcf->ludpp->lud_host)+11; // 11 = len("://:/") + len("65535") + len("\0") alcf->url.len=ngx_strlen(alcf->ludpp->lud_scheme) + ngx_strlen(alcf->ludpp->lud_host)+11; // 11 = len("://:/") + len("65535") + len("\0")
@ -225,29 +226,33 @@ ngx_http_auth_ldap_satisfy(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) {
static char * static char *
ngx_http_auth_ldap_require(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { ngx_http_auth_ldap_require(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) {
ngx_http_auth_ldap_loc_conf_t *alcf = conf; ngx_http_auth_ldap_loc_conf_t *alcf = conf;
ngx_str_t *value, *rule; ngx_str_t *value, *rule;
value = cf->args->elts; value = cf->args->elts;
if (alcf->require_user == NULL) {
alcf->require_user = ngx_array_create(cf->pool, 4, sizeof(ngx_str_t));
if (alcf->require_user == NULL) { if (alcf->require_user == NULL) {
return NGX_CONF_ERROR; alcf->require_user = ngx_array_create(cf->pool, 4, sizeof(ngx_str_t));
if (alcf->require_user == NULL) {
return NGX_CONF_ERROR;
}
} }
}
if (alcf->require_group == NULL) { if (alcf->require_group == NULL) {
alcf->require_group = ngx_array_create(cf->pool, 4, sizeof(ngx_str_t)); alcf->require_group = ngx_array_create(cf->pool, 4, sizeof(ngx_str_t));
if (alcf->require_group == NULL) { if (alcf->require_group == NULL) {
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
} }
if (ngx_strcmp(value[1].data, "valid_user") == 0) {
alcf->require_valid_user=1;
}
if (ngx_strcmp(value[1].data, "user") == 0) { if (ngx_strcmp(value[1].data, "user") == 0) {
rule = ngx_array_push(alcf->require_user); rule = ngx_array_push(alcf->require_user);
if (rule == NULL) { if (rule == NULL) {
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
rule->data = value[2].data; rule->data = value[2].data;
rule->len = value[2].len; rule->len = value[2].len;
@ -256,7 +261,7 @@ ngx_http_auth_ldap_require(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) {
if (ngx_strcmp(value[1].data, "group") == 0) { if (ngx_strcmp(value[1].data, "group") == 0) {
rule = ngx_array_push(alcf->require_group); rule = ngx_array_push(alcf->require_group);
if (rule == NULL) { if (rule == NULL) {
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
rule->data = value[2].data; rule->data = value[2].data;
rule->len = value[2].len; rule->len = value[2].len;
@ -273,6 +278,7 @@ ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf) {
return NULL; return NULL;
} }
conf->satisfy_all = NGX_CONF_UNSET; conf->satisfy_all = NGX_CONF_UNSET;
conf->require_valid_user = NGX_CONF_UNSET;
conf->group_attribute_dn = NGX_CONF_UNSET; conf->group_attribute_dn = NGX_CONF_UNSET;
return conf; return conf;
} }
@ -291,6 +297,7 @@ ngx_http_auth_ldap_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child) {
ngx_conf_merge_str_value(conf->bind_dn_passwd, prev->bind_dn_passwd, ""); ngx_conf_merge_str_value(conf->bind_dn_passwd, prev->bind_dn_passwd, "");
ngx_conf_merge_str_value(conf->group_attribute, prev->group_attribute, "member"); ngx_conf_merge_str_value(conf->group_attribute, prev->group_attribute, "member");
ngx_conf_merge_value(conf->require_valid_user, prev->require_valid_user,0);
ngx_conf_merge_value(conf->satisfy_all, prev->satisfy_all,0); ngx_conf_merge_value(conf->satisfy_all, prev->satisfy_all,0);
ngx_conf_merge_value(conf->group_attribute_dn, prev->group_attribute_dn,1); ngx_conf_merge_value(conf->group_attribute_dn, prev->group_attribute_dn,1);
@ -380,9 +387,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
LDAPURLDesc *ludpp = conf->ludpp; LDAPURLDesc *ludpp = conf->ludpp;
int version = LDAP_VERSION3; int version = LDAP_VERSION3;
struct berval bvalue; struct berval bvalue;
struct timeval timeOut = { struct timeval timeOut = {10, 0};
10,
0 };
int reqcert = LDAP_OPT_X_TLS_ALLOW; int reqcert = LDAP_OPT_X_TLS_ALLOW;
int rc; int rc;
@ -410,7 +415,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert); rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);
if (rc != LDAP_OPT_SUCCESS) { if (rc != LDAP_OPT_SUCCESS) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: unable to set require cert option: %s", ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: unable to set require cert option: %s",
ldap_err2string(rc)); ldap_err2string(rc));
return NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_INTERNAL_SERVER_ERROR;
} }
@ -422,9 +427,9 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
rc = ldap_initialize(&ld, (const char*)conf->url.data); rc = ldap_initialize(&ld, (const char*)conf->url.data);
if (rc != LDAP_SUCCESS) { if (rc != LDAP_SUCCESS) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: Session initializing failed: %d, %s, (%s)", ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: Session initializing failed: %d, %s, (%s)",
rc, ldap_err2string(rc), (const char*)conf->url.data); rc, ldap_err2string(rc), (const char*)conf->url.data);
return NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_INTERNAL_SERVER_ERROR;
} }
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: Session initialized", NULL); ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: Session initialized", NULL);
@ -432,7 +437,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
rc = ldap_simple_bind_s(ld, (const char *) conf->bind_dn.data, (const char *) conf->bind_dn_passwd.data); rc = ldap_simple_bind_s(ld, (const char *) conf->bind_dn.data, (const char *) conf->bind_dn_passwd.data);
if (rc != LDAP_SUCCESS) { if (rc != LDAP_SUCCESS) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_simple_bind_s error: %d, %s", rc, ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_simple_bind_s error: %d, %s", rc,
ldap_err2string(rc)); ldap_err2string(rc));
ldap_unbind_s(ld); ldap_unbind_s(ld);
return NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_INTERNAL_SERVER_ERROR;
} }
@ -440,7 +445,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
/// Create filter for search users by uid /// Create filter for search users by uid
filter = ngx_pcalloc(r->pool, ngx_strlen(ludpp->lud_filter)+ ngx_strlen("(&(=))") filter = ngx_pcalloc(r->pool, ngx_strlen(ludpp->lud_filter)+ ngx_strlen("(&(=))")
+ ngx_strlen(ludpp->lud_attrs[0]) + uinfo->username.len +1); + ngx_strlen(ludpp->lud_attrs[0]) + uinfo->username.len +1);
p = ngx_sprintf(filter, "(&%s(%s=%s))", ludpp->lud_filter,ludpp->lud_attrs[0], uinfo->username.data); p = ngx_sprintf(filter, "(&%s(%s=%s))", ludpp->lud_filter,ludpp->lud_attrs[0], uinfo->username.data);
*p = 0; *p = 0;
@ -452,7 +457,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
if (rc != LDAP_SUCCESS) { if (rc != LDAP_SUCCESS) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_search_ext_s: %d, %s", rc, ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_search_ext_s: %d, %s", rc,
ldap_err2string(rc)); ldap_err2string(rc));
ldap_msgfree(searchResult); ldap_msgfree(searchResult);
ldap_unbind_s(ld); ldap_unbind_s(ld);
return NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_INTERNAL_SERVER_ERROR;
@ -467,20 +472,20 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
value = conf->require_user->elts; value = conf->require_user->elts;
for (i = 0; i < conf->require_user->nelts; i++) { for (i = 0; i < conf->require_user->nelts; i++) {
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: compare with: %s", ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: compare with: %s",
value[i].data); value[i].data);
if (ngx_strncmp(value[i].data, dn, value[i].len) == 0) { if (ngx_strncmp(value[i].data, dn, value[i].len) == 0) {
pass = 1; pass = 1;
if (conf->satisfy_all == 0) { if (conf->satisfy_all == 0) {
break; break;
} }
} else { } else {
if (conf->satisfy_all == 1) { if (conf->satisfy_all == 1) {
ldap_memfree(dn); ldap_memfree(dn);
ldap_msgfree(searchResult); ldap_msgfree(searchResult);
ldap_unbind_s(ld); ldap_unbind_s(ld);
return ngx_http_auth_ldap_set_realm(r, &conf->realm); return ngx_http_auth_ldap_set_realm(r, &conf->realm);
} }
} }
} }
/// Check require group /// Check require group
@ -496,11 +501,11 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
value = conf->require_group->elts; value = conf->require_group->elts;
for (i = 0; i < conf->require_group->nelts; i++) { for (i = 0; i < conf->require_group->nelts; i++) {
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: compare with: %s", ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: compare with: %s",
value[i].data); value[i].data);
rc = ldap_compare_ext_s(ld, (const char*) value[i].data, rc = ldap_compare_ext_s(ld, (const char*) value[i].data,
(const char*) conf->group_attribute.data, (const char*) conf->group_attribute.data,
&bvalue, NULL, NULL); &bvalue, NULL, NULL);
if (rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE) { if (rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_search_ext_s: %d, %s", rc, ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_search_ext_s: %d, %s", rc,
@ -524,16 +529,22 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
} }
} }
if (pass == 1) { ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: result DN1 %d", conf->require_valid_user);
if (pass == 1 || (conf->require_valid_user == 1)) {
/// Bind user to the server /// Bind user to the server
rc = ldap_simple_bind_s(ld, dn, (const char *) uinfo->password.data); rc = ldap_simple_bind_s(ld, dn, (const char *) uinfo->password.data);
if (rc != LDAP_SUCCESS) { if (rc != LDAP_SUCCESS) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
"LDAP: ldap_simple_bind_s error: %d, %s", rc, ldap_err2string(rc)); "LDAP: ldap_simple_bind_s error: %d, %s", rc, ldap_err2string(rc));
pass = 0; pass = 0;
} else
{
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"LDAP: User bind successful", NULL);
pass = 1;
} }
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: User bind successful", NULL);
} }
} }
ldap_memfree(dn); ldap_memfree(dn);
} }

Write Preview
Loading…
Cancel
Save