|
|
|
@ -394,7 +394,9 @@ static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http |
|
|
|
ngx_uint_t i; |
|
|
|
ngx_uint_t i; |
|
|
|
ngx_str_t *value; |
|
|
|
ngx_str_t *value; |
|
|
|
ngx_ldap_userinfo *uinfo; |
|
|
|
ngx_ldap_userinfo *uinfo; |
|
|
|
ngx_uint_t pass = 0; |
|
|
|
|
|
|
|
|
|
|
|
ngx_flag_t pass = NGX_CONF_UNSET; |
|
|
|
|
|
|
|
|
|
|
|
char *dn; |
|
|
|
char *dn; |
|
|
|
u_char *p, *filter; |
|
|
|
u_char *p, *filter; |
|
|
|
|
|
|
|
|
|
|
|
@ -449,7 +451,6 @@ static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http |
|
|
|
+ 1); |
|
|
|
+ 1); |
|
|
|
p = ngx_sprintf(filter, "(&%s(%s=%s))", ludpp->lud_filter, ludpp->lud_attrs[0], uinfo->username.data); |
|
|
|
p = ngx_sprintf(filter, "(&%s(%s=%s))", ludpp->lud_filter, ludpp->lud_attrs[0], uinfo->username.data); |
|
|
|
*p = 0; |
|
|
|
*p = 0; |
|
|
|
|
|
|
|
|
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: filter %s", (const char*) filter); |
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: filter %s", (const char*) filter); |
|
|
|
|
|
|
|
|
|
|
|
/// Search the directory
|
|
|
|
/// Search the directory
|
|
|
|
@ -469,64 +470,68 @@ static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http |
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: result DN %s", dn); |
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: result DN %s", dn); |
|
|
|
|
|
|
|
|
|
|
|
/// Check require user
|
|
|
|
/// Check require user
|
|
|
|
value = conf->require_user->elts; |
|
|
|
if (conf->require_user != NULL) { |
|
|
|
for (i = 0; i < conf->require_user->nelts; i++) { |
|
|
|
value = conf->require_user->elts; |
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: compare with: %s", value[i].data); |
|
|
|
for (i = 0; i < conf->require_user->nelts; i++) { |
|
|
|
if (ngx_strncmp(value[i].data, dn, value[i].len) == 0) { |
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: compare with: %s", value[i].data); |
|
|
|
pass = 1; |
|
|
|
if (ngx_strncmp(value[i].data, dn, value[i].len) == 0) { |
|
|
|
if (conf->satisfy_all == 0) { |
|
|
|
pass = 1; |
|
|
|
break; |
|
|
|
if (conf->satisfy_all == 0) { |
|
|
|
} |
|
|
|
break; |
|
|
|
} else { |
|
|
|
} |
|
|
|
if (conf->satisfy_all == 1) { |
|
|
|
} else { |
|
|
|
ldap_memfree(dn); |
|
|
|
if (conf->satisfy_all == 1) { |
|
|
|
ldap_msgfree(searchResult); |
|
|
|
ldap_memfree(dn); |
|
|
|
ldap_unbind_s(ld); |
|
|
|
ldap_msgfree(searchResult); |
|
|
|
return ngx_http_auth_ldap_set_realm(r, &conf->realm); |
|
|
|
ldap_unbind_s(ld); |
|
|
|
|
|
|
|
return ngx_http_auth_ldap_set_realm(r, &conf->realm); |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
/// Check require group
|
|
|
|
/// Check require group
|
|
|
|
if (conf->group_attribute_dn == 1) { |
|
|
|
if (conf->require_group != NULL) { |
|
|
|
bvalue.bv_val = dn; |
|
|
|
if (conf->group_attribute_dn == 1) { |
|
|
|
bvalue.bv_len = ngx_strlen(dn); |
|
|
|
bvalue.bv_val = dn; |
|
|
|
} else { |
|
|
|
bvalue.bv_len = ngx_strlen(dn); |
|
|
|
bvalue.bv_val = (char*) uinfo->username.data; |
|
|
|
} else { |
|
|
|
bvalue.bv_len = uinfo->username.len; |
|
|
|
bvalue.bv_val = (char*) uinfo->username.data; |
|
|
|
} |
|
|
|
bvalue.bv_len = uinfo->username.len; |
|
|
|
|
|
|
|
} |
|
|
|
value = conf->require_group->elts; |
|
|
|
|
|
|
|
for (i = 0; i < conf->require_group->nelts; i++) { |
|
|
|
|
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: compare with: %s", value[i].data); |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
rc = ldap_compare_ext_s(ld, (const char*) value[i].data, (const char*) conf->group_attribute.data, |
|
|
|
value = conf->require_group->elts; |
|
|
|
&bvalue, NULL, NULL); |
|
|
|
for (i = 0; i < conf->require_group->nelts; i++) { |
|
|
|
|
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: compare with: %s", value[i].data); |
|
|
|
|
|
|
|
|
|
|
|
if (rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE) { |
|
|
|
rc = ldap_compare_ext_s(ld, (const char*) value[i].data, (const char*) conf->group_attribute.data, |
|
|
|
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_search_ext_s: %d, %s", rc, |
|
|
|
&bvalue, NULL, NULL); |
|
|
|
ldap_err2string(rc)); |
|
|
|
|
|
|
|
ldap_memfree(dn); |
|
|
|
|
|
|
|
ldap_msgfree(searchResult); |
|
|
|
|
|
|
|
ldap_unbind_s(ld); |
|
|
|
|
|
|
|
return NGX_HTTP_INTERNAL_SERVER_ERROR; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if (rc == LDAP_COMPARE_TRUE) { |
|
|
|
if (rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE) { |
|
|
|
pass = 1; |
|
|
|
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_search_ext_s: %d, %s", rc, |
|
|
|
if (conf->satisfy_all == 0) { |
|
|
|
ldap_err2string(rc)); |
|
|
|
break; |
|
|
|
ldap_memfree(dn); |
|
|
|
|
|
|
|
ldap_msgfree(searchResult); |
|
|
|
|
|
|
|
ldap_unbind_s(ld); |
|
|
|
|
|
|
|
return NGX_HTTP_INTERNAL_SERVER_ERROR; |
|
|
|
} |
|
|
|
} |
|
|
|
} else { |
|
|
|
|
|
|
|
if (conf->satisfy_all == 1) { |
|
|
|
if (rc == LDAP_COMPARE_TRUE) { |
|
|
|
pass = 0; |
|
|
|
pass = 1; |
|
|
|
break; |
|
|
|
if (conf->satisfy_all == 0) { |
|
|
|
|
|
|
|
break; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
} else { |
|
|
|
|
|
|
|
if (conf->satisfy_all == 1) { |
|
|
|
|
|
|
|
pass = 0; |
|
|
|
|
|
|
|
break; |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: result DN1 %d", conf->require_valid_user); |
|
|
|
/// Check valid user
|
|
|
|
if (pass == 1 || (conf->require_valid_user == 1)) { |
|
|
|
if ( pass != 0 || (conf->require_valid_user == 1 && conf->satisfy_all == 0 && pass == 0)) { |
|
|
|
/// Bind user to the server
|
|
|
|
/// Bind user to the server
|
|
|
|
rc = ldap_simple_bind_s(ld, dn, (const char *) uinfo->password.data); |
|
|
|
rc = ldap_simple_bind_s(ld, dn, (const char *) uinfo->password.data); |
|
|
|
if (rc != LDAP_SUCCESS) { |
|
|
|
if (rc != LDAP_SUCCESS) { |
|
|
|
@ -535,7 +540,8 @@ static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http |
|
|
|
pass = 0; |
|
|
|
pass = 0; |
|
|
|
} else { |
|
|
|
} else { |
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: User bind successful", NULL); |
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: User bind successful", NULL); |
|
|
|
pass = 1; |
|
|
|
if (conf->require_valid_user == 1) |
|
|
|
|
|
|
|
pass = 1; |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
@ -546,10 +552,11 @@ static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http |
|
|
|
ldap_msgfree(searchResult); |
|
|
|
ldap_msgfree(searchResult); |
|
|
|
ldap_unbind_s(ld); |
|
|
|
ldap_unbind_s(ld); |
|
|
|
|
|
|
|
|
|
|
|
if (pass == 0) { |
|
|
|
if (pass == 1) { |
|
|
|
return ngx_http_auth_ldap_set_realm(r, &conf->realm); |
|
|
|
return NGX_OK; |
|
|
|
} |
|
|
|
} |
|
|
|
return NGX_OK; |
|
|
|
|
|
|
|
|
|
|
|
return ngx_http_auth_ldap_set_realm(r, &conf->realm); |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
static ngx_int_t ngx_http_auth_ldap_set_realm(ngx_http_request_t *r, ngx_str_t *realm) { |
|
|
|
static ngx_int_t ngx_http_auth_ldap_set_realm(ngx_http_request_t *r, ngx_str_t *realm) { |
|
|
|
|
Valery Komarov
14 years ago