|
|
@ -46,8 +46,8 @@ static void * ngx_http_auth_basic_create_loc_conf(ngx_conf_t *); |
|
|
|
static char * ngx_http_auth_ldap_merge_loc_conf(ngx_conf_t *, void *, void *); |
|
|
|
static char * ngx_http_auth_ldap_merge_loc_conf(ngx_conf_t *, void *, void *); |
|
|
|
static ngx_int_t ngx_http_auth_ldap_set_realm(ngx_http_request_t *r, ngx_str_t *realm); |
|
|
|
static ngx_int_t ngx_http_auth_ldap_set_realm(ngx_http_request_t *r, ngx_str_t *realm); |
|
|
|
static ngx_ldap_userinfo* ngx_http_auth_ldap_get_user_info(ngx_http_request_t *); |
|
|
|
static ngx_ldap_userinfo* ngx_http_auth_ldap_get_user_info(ngx_http_request_t *); |
|
|
|
static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *, ngx_http_auth_ldap_ctx_t *, |
|
|
|
static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *, ngx_http_auth_ldap_ctx_t *, ngx_str_t *, |
|
|
|
ngx_str_t *, ngx_http_auth_ldap_loc_conf_t *); |
|
|
|
ngx_http_auth_ldap_loc_conf_t *); |
|
|
|
static char * ngx_http_auth_ldap(ngx_conf_t *cf, void *post, void *data); |
|
|
|
static char * ngx_http_auth_ldap(ngx_conf_t *cf, void *post, void *data); |
|
|
|
static ngx_conf_post_handler_pt ngx_http_auth_ldap_p = ngx_http_auth_ldap; |
|
|
|
static ngx_conf_post_handler_pt ngx_http_auth_ldap_p = ngx_http_auth_ldap; |
|
|
|
|
|
|
|
|
|
|
@ -123,8 +123,7 @@ static ngx_http_module_t ngx_http_auth_ldap_module_ctx = { |
|
|
|
}; |
|
|
|
}; |
|
|
|
|
|
|
|
|
|
|
|
ngx_module_t ngx_http_auth_ldap_module = { |
|
|
|
ngx_module_t ngx_http_auth_ldap_module = { |
|
|
|
NGX_MODULE_V1, |
|
|
|
NGX_MODULE_V1, &ngx_http_auth_ldap_module_ctx, /* module context */ |
|
|
|
&ngx_http_auth_ldap_module_ctx, /* module context */ |
|
|
|
|
|
|
|
ngx_http_auth_ldap_commands, /* module directives */ |
|
|
|
ngx_http_auth_ldap_commands, /* module directives */ |
|
|
|
NGX_HTTP_MODULE, /* module type */ |
|
|
|
NGX_HTTP_MODULE, /* module type */ |
|
|
|
NULL, /* init master */ |
|
|
|
NULL, /* init master */ |
|
|
@ -134,7 +133,8 @@ ngx_module_t ngx_http_auth_ldap_module = { |
|
|
|
NULL, /* exit thread */ |
|
|
|
NULL, /* exit thread */ |
|
|
|
NULL, /* exit process */ |
|
|
|
NULL, /* exit process */ |
|
|
|
NULL, /* exit master */ |
|
|
|
NULL, /* exit master */ |
|
|
|
NGX_MODULE_V1_PADDING }; |
|
|
|
NGX_MODULE_V1_PADDING /**/ |
|
|
|
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
|
|
static char * |
|
|
|
static char * |
|
|
|
ngx_http_auth_ldap_url(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { |
|
|
|
ngx_http_auth_ldap_url(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { |
|
|
@ -195,10 +195,10 @@ ngx_http_auth_ldap_url(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { |
|
|
|
return NGX_CONF_ERROR; |
|
|
|
return NGX_CONF_ERROR; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
alcf->url.len=ngx_strlen(alcf->ludpp->lud_scheme) + ngx_strlen(alcf->ludpp->lud_host)+11; // 11 = len("://:/") + len("65535") + len("\0")
|
|
|
|
alcf->url.len = ngx_strlen(alcf->ludpp->lud_scheme) + ngx_strlen(alcf->ludpp->lud_host) + 11; // 11 = len("://:/") + len("65535") + len("\0")
|
|
|
|
alcf->url.data = ngx_pcalloc(cf->pool, alcf->url.len); |
|
|
|
alcf->url.data = ngx_pcalloc(cf->pool, alcf->url.len); |
|
|
|
p=ngx_sprintf(alcf->url.data, "%s://%s:%d/", (const char*)alcf->ludpp->lud_scheme, |
|
|
|
p = ngx_sprintf(alcf->url.data, "%s://%s:%d/", (const char*) alcf->ludpp->lud_scheme, |
|
|
|
(const char*)alcf->ludpp->lud_host, alcf->ludpp->lud_port); |
|
|
|
(const char*) alcf->ludpp->lud_host, alcf->ludpp->lud_port); |
|
|
|
*p = 0; |
|
|
|
*p = 0; |
|
|
|
|
|
|
|
|
|
|
|
return NGX_CONF_OK; |
|
|
|
return NGX_CONF_OK; |
|
|
@ -246,7 +246,7 @@ ngx_http_auth_ldap_require(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
if (ngx_strcmp(value[1].data, "valid_user") == 0) { |
|
|
|
if (ngx_strcmp(value[1].data, "valid_user") == 0) { |
|
|
|
alcf->require_valid_user=1; |
|
|
|
alcf->require_valid_user = 1; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
if (ngx_strcmp(value[1].data, "user") == 0) { |
|
|
|
if (ngx_strcmp(value[1].data, "user") == 0) { |
|
|
@ -297,9 +297,9 @@ ngx_http_auth_ldap_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child) { |
|
|
|
ngx_conf_merge_str_value(conf->bind_dn_passwd, prev->bind_dn_passwd, ""); |
|
|
|
ngx_conf_merge_str_value(conf->bind_dn_passwd, prev->bind_dn_passwd, ""); |
|
|
|
ngx_conf_merge_str_value(conf->group_attribute, prev->group_attribute, "member"); |
|
|
|
ngx_conf_merge_str_value(conf->group_attribute, prev->group_attribute, "member"); |
|
|
|
|
|
|
|
|
|
|
|
ngx_conf_merge_value(conf->require_valid_user, prev->require_valid_user,0); |
|
|
|
ngx_conf_merge_value(conf->require_valid_user, prev->require_valid_user, 0); |
|
|
|
ngx_conf_merge_value(conf->satisfy_all, prev->satisfy_all,0); |
|
|
|
ngx_conf_merge_value(conf->satisfy_all, prev->satisfy_all, 0); |
|
|
|
ngx_conf_merge_value(conf->group_attribute_dn, prev->group_attribute_dn,1); |
|
|
|
ngx_conf_merge_value(conf->group_attribute_dn, prev->group_attribute_dn, 1); |
|
|
|
|
|
|
|
|
|
|
|
if (conf->require_user == NULL) { |
|
|
|
if (conf->require_user == NULL) { |
|
|
|
conf->require_user = prev->require_user; |
|
|
|
conf->require_user = prev->require_user; |
|
|
@ -316,8 +316,7 @@ ngx_http_auth_ldap_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child) { |
|
|
|
return NGX_CONF_OK; |
|
|
|
return NGX_CONF_OK; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
static ngx_int_t |
|
|
|
static ngx_int_t ngx_http_auth_ldap_handler(ngx_http_request_t *r) { |
|
|
|
ngx_http_auth_ldap_handler(ngx_http_request_t *r) { |
|
|
|
|
|
|
|
int rc; |
|
|
|
int rc; |
|
|
|
ngx_http_auth_ldap_ctx_t *ctx; |
|
|
|
ngx_http_auth_ldap_ctx_t *ctx; |
|
|
|
ngx_http_auth_ldap_loc_conf_t *alcf; |
|
|
|
ngx_http_auth_ldap_loc_conf_t *alcf; |
|
|
@ -363,6 +362,7 @@ ngx_http_auth_ldap_get_user_info(ngx_http_request_t *r) { |
|
|
|
break; |
|
|
|
break; |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
uname_buf = ngx_palloc(r->pool, len + 1); |
|
|
|
uname_buf = ngx_palloc(r->pool, len + 1); |
|
|
|
if (uname_buf == NULL) { |
|
|
|
if (uname_buf == NULL) { |
|
|
|
return NULL; |
|
|
|
return NULL; |
|
|
@ -378,8 +378,7 @@ ngx_http_auth_ldap_get_user_info(ngx_http_request_t *r) { |
|
|
|
return uinfo; |
|
|
|
return uinfo; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
static ngx_int_t |
|
|
|
static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx, |
|
|
|
ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx, |
|
|
|
|
|
|
|
ngx_str_t *passwd, ngx_http_auth_ldap_loc_conf_t *conf) { |
|
|
|
ngx_str_t *passwd, ngx_http_auth_ldap_loc_conf_t *conf) { |
|
|
|
|
|
|
|
|
|
|
|
LDAP *ld; |
|
|
|
LDAP *ld; |
|
|
@ -387,7 +386,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t |
|
|
|
LDAPURLDesc *ludpp = conf->ludpp; |
|
|
|
LDAPURLDesc *ludpp = conf->ludpp; |
|
|
|
int version = LDAP_VERSION3; |
|
|
|
int version = LDAP_VERSION3; |
|
|
|
struct berval bvalue; |
|
|
|
struct berval bvalue; |
|
|
|
struct timeval timeOut = {10, 0}; |
|
|
|
struct timeval timeOut = { 10, 0 }; |
|
|
|
int reqcert = LDAP_OPT_X_TLS_ALLOW; |
|
|
|
int reqcert = LDAP_OPT_X_TLS_ALLOW; |
|
|
|
|
|
|
|
|
|
|
|
int rc; |
|
|
|
int rc; |
|
|
@ -425,10 +424,10 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t |
|
|
|
|
|
|
|
|
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: URL: %s", conf->url.data); |
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: URL: %s", conf->url.data); |
|
|
|
|
|
|
|
|
|
|
|
rc = ldap_initialize(&ld, (const char*)conf->url.data); |
|
|
|
rc = ldap_initialize(&ld, (const char*) conf->url.data); |
|
|
|
if (rc != LDAP_SUCCESS) { |
|
|
|
if (rc != LDAP_SUCCESS) { |
|
|
|
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: Session initializing failed: %d, %s, (%s)", |
|
|
|
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: Session initializing failed: %d, %s, (%s)", rc, |
|
|
|
rc, ldap_err2string(rc), (const char*)conf->url.data); |
|
|
|
ldap_err2string(rc), (const char*) conf->url.data); |
|
|
|
return NGX_HTTP_INTERNAL_SERVER_ERROR; |
|
|
|
return NGX_HTTP_INTERNAL_SERVER_ERROR; |
|
|
|
} |
|
|
|
} |
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: Session initialized", NULL); |
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: Session initialized", NULL); |
|
|
@ -444,20 +443,21 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t |
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: Bind successful", NULL); |
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: Bind successful", NULL); |
|
|
|
|
|
|
|
|
|
|
|
/// Create filter for search users by uid
|
|
|
|
/// Create filter for search users by uid
|
|
|
|
filter = ngx_pcalloc(r->pool, ngx_strlen(ludpp->lud_filter)+ ngx_strlen("(&(=))") |
|
|
|
filter = ngx_pcalloc( |
|
|
|
+ ngx_strlen(ludpp->lud_attrs[0]) + uinfo->username.len +1); |
|
|
|
r->pool, |
|
|
|
p = ngx_sprintf(filter, "(&%s(%s=%s))", ludpp->lud_filter,ludpp->lud_attrs[0], uinfo->username.data); |
|
|
|
ngx_strlen(ludpp->lud_filter) + ngx_strlen("(&(=))") + ngx_strlen(ludpp->lud_attrs[0]) + uinfo->username.len |
|
|
|
|
|
|
|
+ 1); |
|
|
|
|
|
|
|
p = ngx_sprintf(filter, "(&%s(%s=%s))", ludpp->lud_filter, ludpp->lud_attrs[0], uinfo->username.data); |
|
|
|
*p = 0; |
|
|
|
*p = 0; |
|
|
|
|
|
|
|
|
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: filter %s", (const char*) filter); |
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: filter %s", (const char*) filter); |
|
|
|
|
|
|
|
|
|
|
|
/// Search the directory
|
|
|
|
/// Search the directory
|
|
|
|
rc = ldap_search_ext_s(ld, ludpp->lud_dn, ludpp->lud_scope, (const char*) filter, NULL, 0, |
|
|
|
rc = ldap_search_ext_s(ld, ludpp->lud_dn, ludpp->lud_scope, (const char*) filter, NULL, 0, NULL, NULL, &timeOut, 0, |
|
|
|
NULL, NULL, &timeOut, 0, &searchResult); |
|
|
|
&searchResult); |
|
|
|
|
|
|
|
|
|
|
|
if (rc != LDAP_SUCCESS) { |
|
|
|
if (rc != LDAP_SUCCESS) { |
|
|
|
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_search_ext_s: %d, %s", rc, |
|
|
|
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_search_ext_s: %d, %s", rc, ldap_err2string(rc)); |
|
|
|
ldap_err2string(rc)); |
|
|
|
|
|
|
|
ldap_msgfree(searchResult); |
|
|
|
ldap_msgfree(searchResult); |
|
|
|
ldap_unbind_s(ld); |
|
|
|
ldap_unbind_s(ld); |
|
|
|
return NGX_HTTP_INTERNAL_SERVER_ERROR; |
|
|
|
return NGX_HTTP_INTERNAL_SERVER_ERROR; |
|
|
@ -471,8 +471,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t |
|
|
|
/// Check require user
|
|
|
|
/// Check require user
|
|
|
|
value = conf->require_user->elts; |
|
|
|
value = conf->require_user->elts; |
|
|
|
for (i = 0; i < conf->require_user->nelts; i++) { |
|
|
|
for (i = 0; i < conf->require_user->nelts; i++) { |
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: compare with: %s", |
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: compare with: %s", value[i].data); |
|
|
|
value[i].data); |
|
|
|
|
|
|
|
if (ngx_strncmp(value[i].data, dn, value[i].len) == 0) { |
|
|
|
if (ngx_strncmp(value[i].data, dn, value[i].len) == 0) { |
|
|
|
pass = 1; |
|
|
|
pass = 1; |
|
|
|
if (conf->satisfy_all == 0) { |
|
|
|
if (conf->satisfy_all == 0) { |
|
|
@ -489,8 +488,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
/// Check require group
|
|
|
|
/// Check require group
|
|
|
|
if (conf->group_attribute_dn == 1) |
|
|
|
if (conf->group_attribute_dn == 1) { |
|
|
|
{ |
|
|
|
|
|
|
|
bvalue.bv_val = dn; |
|
|
|
bvalue.bv_val = dn; |
|
|
|
bvalue.bv_len = ngx_strlen(dn); |
|
|
|
bvalue.bv_len = ngx_strlen(dn); |
|
|
|
} else { |
|
|
|
} else { |
|
|
@ -500,11 +498,9 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t |
|
|
|
|
|
|
|
|
|
|
|
value = conf->require_group->elts; |
|
|
|
value = conf->require_group->elts; |
|
|
|
for (i = 0; i < conf->require_group->nelts; i++) { |
|
|
|
for (i = 0; i < conf->require_group->nelts; i++) { |
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: compare with: %s", |
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: compare with: %s", value[i].data); |
|
|
|
value[i].data); |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
rc = ldap_compare_ext_s(ld, (const char*) value[i].data, |
|
|
|
rc = ldap_compare_ext_s(ld, (const char*) value[i].data, (const char*) conf->group_attribute.data, |
|
|
|
(const char*) conf->group_attribute.data, |
|
|
|
|
|
|
|
&bvalue, NULL, NULL); |
|
|
|
&bvalue, NULL, NULL); |
|
|
|
|
|
|
|
|
|
|
|
if (rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE) { |
|
|
|
if (rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE) { |
|
|
@ -534,13 +530,11 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t |
|
|
|
/// Bind user to the server
|
|
|
|
/// Bind user to the server
|
|
|
|
rc = ldap_simple_bind_s(ld, dn, (const char *) uinfo->password.data); |
|
|
|
rc = ldap_simple_bind_s(ld, dn, (const char *) uinfo->password.data); |
|
|
|
if (rc != LDAP_SUCCESS) { |
|
|
|
if (rc != LDAP_SUCCESS) { |
|
|
|
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, |
|
|
|
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_simple_bind_s error: %d, %s", rc, |
|
|
|
"LDAP: ldap_simple_bind_s error: %d, %s", rc, ldap_err2string(rc)); |
|
|
|
ldap_err2string(rc)); |
|
|
|
pass = 0; |
|
|
|
pass = 0; |
|
|
|
} else |
|
|
|
} else { |
|
|
|
{ |
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: User bind successful", NULL); |
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, |
|
|
|
|
|
|
|
"LDAP: User bind successful", NULL); |
|
|
|
|
|
|
|
pass = 1; |
|
|
|
pass = 1; |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
@ -558,8 +552,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t |
|
|
|
return NGX_OK; |
|
|
|
return NGX_OK; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
static ngx_int_t |
|
|
|
static ngx_int_t ngx_http_auth_ldap_set_realm(ngx_http_request_t *r, ngx_str_t *realm) { |
|
|
|
ngx_http_auth_ldap_set_realm(ngx_http_request_t *r, ngx_str_t *realm) { |
|
|
|
|
|
|
|
r->headers_out.www_authenticate = ngx_list_push(&r->headers_out.headers); |
|
|
|
r->headers_out.www_authenticate = ngx_list_push(&r->headers_out.headers); |
|
|
|
if (r->headers_out.www_authenticate == NULL) { |
|
|
|
if (r->headers_out.www_authenticate == NULL) { |
|
|
|
return NGX_HTTP_INTERNAL_SERVER_ERROR; |
|
|
|
return NGX_HTTP_INTERNAL_SERVER_ERROR; |
|
|
@ -604,8 +597,7 @@ ngx_http_auth_ldap(ngx_conf_t *cf, void *post, void *data) { |
|
|
|
return NGX_CONF_OK; |
|
|
|
return NGX_CONF_OK; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
static ngx_int_t |
|
|
|
static ngx_int_t ngx_http_auth_ldap_init(ngx_conf_t *cf) { |
|
|
|
ngx_http_auth_ldap_init(ngx_conf_t *cf) { |
|
|
|
|
|
|
|
ngx_http_handler_pt *h; |
|
|
|
ngx_http_handler_pt *h; |
|
|
|
ngx_http_core_main_conf_t *cmcf; |
|
|
|
ngx_http_core_main_conf_t *cmcf; |
|
|
|
|
|
|
|
|
|
|
|