mainnika/nginx-auth-ldap
1
0
Fork 0
mirror of https://github.com/mainnika/nginx-auth-ldap.git synced 2026-06-13 02:13:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

Security fix: auth_ldap_require

Browse Source
This commit is contained in:
Valery Komarov
2011-05-17 11:55:46 +04:00
parent 624172c978
commit 56f958df32
1 changed files with 61 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ngx_http_auth_ldap_module.c
+14 -7
View File
@@ -394,7 +394,9 @@ static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http
ngx_uint_t i; ngx_uint_t i;
ngx_str_t *value; ngx_str_t *value;
ngx_ldap_userinfo *uinfo; ngx_ldap_userinfo *uinfo;
ngx_uint_t pass = 0;
ngx_flag_t pass = NGX_CONF_UNSET;
char *dn; char *dn;
u_char *p, *filter; u_char *p, *filter;
@@ -449,7 +451,6 @@ static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http
+ 1); + 1);
p = ngx_sprintf(filter, "(&%s(%s=%s))", ludpp->lud_filter, ludpp->lud_attrs[0], uinfo->username.data); p = ngx_sprintf(filter, "(&%s(%s=%s))", ludpp->lud_filter, ludpp->lud_attrs[0], uinfo->username.data);
*p = 0; *p = 0;
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: filter %s", (const char*) filter); ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: filter %s", (const char*) filter);
/// Search the directory /// Search the directory
@@ -469,6 +470,7 @@ static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: result DN %s", dn); ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: result DN %s", dn);
/// Check require user /// Check require user
if (conf->require_user != NULL) {
value = conf->require_user->elts; value = conf->require_user->elts;
for (i = 0; i < conf->require_user->nelts; i++) { for (i = 0; i < conf->require_user->nelts; i++) {
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: compare with: %s", value[i].data); ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: compare with: %s", value[i].data);
@@ -486,8 +488,10 @@ static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http
} }
} }
} }
}
/// Check require group /// Check require group
if (conf->require_group != NULL) {
if (conf->group_attribute_dn == 1) { if (conf->group_attribute_dn == 1) {
bvalue.bv_val = dn; bvalue.bv_val = dn;
bvalue.bv_len = ngx_strlen(dn); bvalue.bv_len = ngx_strlen(dn);
@@ -524,9 +528,10 @@ static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http
} }
} }
} }
}
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: result DN1 %d", conf->require_valid_user); /// Check valid user
if (pass == 1 || (conf->require_valid_user == 1)) { if ( pass != 0 || (conf->require_valid_user == 1 && conf->satisfy_all == 0 && pass == 0)) {
/// Bind user to the server /// Bind user to the server
rc = ldap_simple_bind_s(ld, dn, (const char *) uinfo->password.data); rc = ldap_simple_bind_s(ld, dn, (const char *) uinfo->password.data);
if (rc != LDAP_SUCCESS) { if (rc != LDAP_SUCCESS) {
@@ -535,6 +540,7 @@ static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http
pass = 0; pass = 0;
} else { } else {
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: User bind successful", NULL); ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: User bind successful", NULL);
if (conf->require_valid_user == 1)
pass = 1; pass = 1;
} }
} }
@@ -546,10 +552,11 @@ static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http
ldap_msgfree(searchResult); ldap_msgfree(searchResult);
ldap_unbind_s(ld); ldap_unbind_s(ld);
if (pass == 0) { if (pass == 1) {
return ngx_http_auth_ldap_set_realm(r, &conf->realm);
}
return NGX_OK; return NGX_OK;
}
return ngx_http_auth_ldap_set_realm(r, &conf->realm);
} }
static ngx_int_t ngx_http_auth_ldap_set_realm(ngx_http_request_t *r, ngx_str_t *realm) { static ngx_int_t ngx_http_auth_ldap_set_realm(ngx_http_request_t *r, ngx_str_t *realm) {