Source format

main
Valery Komarov 14 years ago
parent 4e1ad9585e
commit 624172c978
  1. 82
      ngx_http_auth_ldap_module.c

@ -46,8 +46,8 @@ static void * ngx_http_auth_basic_create_loc_conf(ngx_conf_t *);
static char * ngx_http_auth_ldap_merge_loc_conf(ngx_conf_t *, void *, void *); static char * ngx_http_auth_ldap_merge_loc_conf(ngx_conf_t *, void *, void *);
static ngx_int_t ngx_http_auth_ldap_set_realm(ngx_http_request_t *r, ngx_str_t *realm); static ngx_int_t ngx_http_auth_ldap_set_realm(ngx_http_request_t *r, ngx_str_t *realm);
static ngx_ldap_userinfo* ngx_http_auth_ldap_get_user_info(ngx_http_request_t *); static ngx_ldap_userinfo* ngx_http_auth_ldap_get_user_info(ngx_http_request_t *);
static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *, ngx_http_auth_ldap_ctx_t *, static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *, ngx_http_auth_ldap_ctx_t *, ngx_str_t *,
ngx_str_t *, ngx_http_auth_ldap_loc_conf_t *); ngx_http_auth_ldap_loc_conf_t *);
static char * ngx_http_auth_ldap(ngx_conf_t *cf, void *post, void *data); static char * ngx_http_auth_ldap(ngx_conf_t *cf, void *post, void *data);
static ngx_conf_post_handler_pt ngx_http_auth_ldap_p = ngx_http_auth_ldap; static ngx_conf_post_handler_pt ngx_http_auth_ldap_p = ngx_http_auth_ldap;
@ -123,8 +123,7 @@ static ngx_http_module_t ngx_http_auth_ldap_module_ctx = {
}; };
ngx_module_t ngx_http_auth_ldap_module = { ngx_module_t ngx_http_auth_ldap_module = {
NGX_MODULE_V1, NGX_MODULE_V1, &ngx_http_auth_ldap_module_ctx, /* module context */
&ngx_http_auth_ldap_module_ctx, /* module context */
ngx_http_auth_ldap_commands, /* module directives */ ngx_http_auth_ldap_commands, /* module directives */
NGX_HTTP_MODULE, /* module type */ NGX_HTTP_MODULE, /* module type */
NULL, /* init master */ NULL, /* init master */
@ -134,7 +133,8 @@ ngx_module_t ngx_http_auth_ldap_module = {
NULL, /* exit thread */ NULL, /* exit thread */
NULL, /* exit process */ NULL, /* exit process */
NULL, /* exit master */ NULL, /* exit master */
NGX_MODULE_V1_PADDING }; NGX_MODULE_V1_PADDING /**/
};
static char * static char *
ngx_http_auth_ldap_url(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { ngx_http_auth_ldap_url(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) {
@ -195,10 +195,10 @@ ngx_http_auth_ldap_url(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) {
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
alcf->url.len=ngx_strlen(alcf->ludpp->lud_scheme) + ngx_strlen(alcf->ludpp->lud_host)+11; // 11 = len("://:/") + len("65535") + len("\0") alcf->url.len = ngx_strlen(alcf->ludpp->lud_scheme) + ngx_strlen(alcf->ludpp->lud_host) + 11; // 11 = len("://:/") + len("65535") + len("\0")
alcf->url.data = ngx_pcalloc(cf->pool, alcf->url.len); alcf->url.data = ngx_pcalloc(cf->pool, alcf->url.len);
p=ngx_sprintf(alcf->url.data, "%s://%s:%d/", (const char*)alcf->ludpp->lud_scheme, p = ngx_sprintf(alcf->url.data, "%s://%s:%d/", (const char*) alcf->ludpp->lud_scheme,
(const char*)alcf->ludpp->lud_host, alcf->ludpp->lud_port); (const char*) alcf->ludpp->lud_host, alcf->ludpp->lud_port);
*p = 0; *p = 0;
return NGX_CONF_OK; return NGX_CONF_OK;
@ -246,7 +246,7 @@ ngx_http_auth_ldap_require(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) {
} }
if (ngx_strcmp(value[1].data, "valid_user") == 0) { if (ngx_strcmp(value[1].data, "valid_user") == 0) {
alcf->require_valid_user=1; alcf->require_valid_user = 1;
} }
if (ngx_strcmp(value[1].data, "user") == 0) { if (ngx_strcmp(value[1].data, "user") == 0) {
@ -297,9 +297,9 @@ ngx_http_auth_ldap_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child) {
ngx_conf_merge_str_value(conf->bind_dn_passwd, prev->bind_dn_passwd, ""); ngx_conf_merge_str_value(conf->bind_dn_passwd, prev->bind_dn_passwd, "");
ngx_conf_merge_str_value(conf->group_attribute, prev->group_attribute, "member"); ngx_conf_merge_str_value(conf->group_attribute, prev->group_attribute, "member");
ngx_conf_merge_value(conf->require_valid_user, prev->require_valid_user,0); ngx_conf_merge_value(conf->require_valid_user, prev->require_valid_user, 0);
ngx_conf_merge_value(conf->satisfy_all, prev->satisfy_all,0); ngx_conf_merge_value(conf->satisfy_all, prev->satisfy_all, 0);
ngx_conf_merge_value(conf->group_attribute_dn, prev->group_attribute_dn,1); ngx_conf_merge_value(conf->group_attribute_dn, prev->group_attribute_dn, 1);
if (conf->require_user == NULL) { if (conf->require_user == NULL) {
conf->require_user = prev->require_user; conf->require_user = prev->require_user;
@ -316,8 +316,7 @@ ngx_http_auth_ldap_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child) {
return NGX_CONF_OK; return NGX_CONF_OK;
} }
static ngx_int_t static ngx_int_t ngx_http_auth_ldap_handler(ngx_http_request_t *r) {
ngx_http_auth_ldap_handler(ngx_http_request_t *r) {
int rc; int rc;
ngx_http_auth_ldap_ctx_t *ctx; ngx_http_auth_ldap_ctx_t *ctx;
ngx_http_auth_ldap_loc_conf_t *alcf; ngx_http_auth_ldap_loc_conf_t *alcf;
@ -363,6 +362,7 @@ ngx_http_auth_ldap_get_user_info(ngx_http_request_t *r) {
break; break;
} }
} }
uname_buf = ngx_palloc(r->pool, len + 1); uname_buf = ngx_palloc(r->pool, len + 1);
if (uname_buf == NULL) { if (uname_buf == NULL) {
return NULL; return NULL;
@ -378,8 +378,7 @@ ngx_http_auth_ldap_get_user_info(ngx_http_request_t *r) {
return uinfo; return uinfo;
} }
static ngx_int_t static ngx_int_t ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx,
ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *ctx,
ngx_str_t *passwd, ngx_http_auth_ldap_loc_conf_t *conf) { ngx_str_t *passwd, ngx_http_auth_ldap_loc_conf_t *conf) {
LDAP *ld; LDAP *ld;
@ -387,7 +386,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
LDAPURLDesc *ludpp = conf->ludpp; LDAPURLDesc *ludpp = conf->ludpp;
int version = LDAP_VERSION3; int version = LDAP_VERSION3;
struct berval bvalue; struct berval bvalue;
struct timeval timeOut = {10, 0}; struct timeval timeOut = { 10, 0 };
int reqcert = LDAP_OPT_X_TLS_ALLOW; int reqcert = LDAP_OPT_X_TLS_ALLOW;
int rc; int rc;
@ -425,10 +424,10 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: URL: %s", conf->url.data); ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: URL: %s", conf->url.data);
rc = ldap_initialize(&ld, (const char*)conf->url.data); rc = ldap_initialize(&ld, (const char*) conf->url.data);
if (rc != LDAP_SUCCESS) { if (rc != LDAP_SUCCESS) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: Session initializing failed: %d, %s, (%s)", ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: Session initializing failed: %d, %s, (%s)", rc,
rc, ldap_err2string(rc), (const char*)conf->url.data); ldap_err2string(rc), (const char*) conf->url.data);
return NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_INTERNAL_SERVER_ERROR;
} }
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: Session initialized", NULL); ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: Session initialized", NULL);
@ -444,20 +443,21 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: Bind successful", NULL); ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: Bind successful", NULL);
/// Create filter for search users by uid /// Create filter for search users by uid
filter = ngx_pcalloc(r->pool, ngx_strlen(ludpp->lud_filter)+ ngx_strlen("(&(=))") filter = ngx_pcalloc(
+ ngx_strlen(ludpp->lud_attrs[0]) + uinfo->username.len +1); r->pool,
p = ngx_sprintf(filter, "(&%s(%s=%s))", ludpp->lud_filter,ludpp->lud_attrs[0], uinfo->username.data); ngx_strlen(ludpp->lud_filter) + ngx_strlen("(&(=))") + ngx_strlen(ludpp->lud_attrs[0]) + uinfo->username.len
+ 1);
p = ngx_sprintf(filter, "(&%s(%s=%s))", ludpp->lud_filter, ludpp->lud_attrs[0], uinfo->username.data);
*p = 0; *p = 0;
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: filter %s", (const char*) filter); ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: filter %s", (const char*) filter);
/// Search the directory /// Search the directory
rc = ldap_search_ext_s(ld, ludpp->lud_dn, ludpp->lud_scope, (const char*) filter, NULL, 0, rc = ldap_search_ext_s(ld, ludpp->lud_dn, ludpp->lud_scope, (const char*) filter, NULL, 0, NULL, NULL, &timeOut, 0,
NULL, NULL, &timeOut, 0, &searchResult); &searchResult);
if (rc != LDAP_SUCCESS) { if (rc != LDAP_SUCCESS) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_search_ext_s: %d, %s", rc, ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_search_ext_s: %d, %s", rc, ldap_err2string(rc));
ldap_err2string(rc));
ldap_msgfree(searchResult); ldap_msgfree(searchResult);
ldap_unbind_s(ld); ldap_unbind_s(ld);
return NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_INTERNAL_SERVER_ERROR;
@ -471,8 +471,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
/// Check require user /// Check require user
value = conf->require_user->elts; value = conf->require_user->elts;
for (i = 0; i < conf->require_user->nelts; i++) { for (i = 0; i < conf->require_user->nelts; i++) {
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: compare with: %s", ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: compare with: %s", value[i].data);
value[i].data);
if (ngx_strncmp(value[i].data, dn, value[i].len) == 0) { if (ngx_strncmp(value[i].data, dn, value[i].len) == 0) {
pass = 1; pass = 1;
if (conf->satisfy_all == 0) { if (conf->satisfy_all == 0) {
@ -489,8 +488,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
} }
/// Check require group /// Check require group
if (conf->group_attribute_dn == 1) if (conf->group_attribute_dn == 1) {
{
bvalue.bv_val = dn; bvalue.bv_val = dn;
bvalue.bv_len = ngx_strlen(dn); bvalue.bv_len = ngx_strlen(dn);
} else { } else {
@ -500,11 +498,9 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
value = conf->require_group->elts; value = conf->require_group->elts;
for (i = 0; i < conf->require_group->nelts; i++) { for (i = 0; i < conf->require_group->nelts; i++) {
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: compare with: %s", ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: compare with: %s", value[i].data);
value[i].data);
rc = ldap_compare_ext_s(ld, (const char*) value[i].data, rc = ldap_compare_ext_s(ld, (const char*) value[i].data, (const char*) conf->group_attribute.data,
(const char*) conf->group_attribute.data,
&bvalue, NULL, NULL); &bvalue, NULL, NULL);
if (rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE) { if (rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE) {
@ -534,13 +530,11 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
/// Bind user to the server /// Bind user to the server
rc = ldap_simple_bind_s(ld, dn, (const char *) uinfo->password.data); rc = ldap_simple_bind_s(ld, dn, (const char *) uinfo->password.data);
if (rc != LDAP_SUCCESS) { if (rc != LDAP_SUCCESS) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "LDAP: ldap_simple_bind_s error: %d, %s", rc,
"LDAP: ldap_simple_bind_s error: %d, %s", rc, ldap_err2string(rc)); ldap_err2string(rc));
pass = 0; pass = 0;
} else } else {
{ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "LDAP: User bind successful", NULL);
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"LDAP: User bind successful", NULL);
pass = 1; pass = 1;
} }
} }
@ -558,8 +552,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
return NGX_OK; return NGX_OK;
} }
static ngx_int_t static ngx_int_t ngx_http_auth_ldap_set_realm(ngx_http_request_t *r, ngx_str_t *realm) {
ngx_http_auth_ldap_set_realm(ngx_http_request_t *r, ngx_str_t *realm) {
r->headers_out.www_authenticate = ngx_list_push(&r->headers_out.headers); r->headers_out.www_authenticate = ngx_list_push(&r->headers_out.headers);
if (r->headers_out.www_authenticate == NULL) { if (r->headers_out.www_authenticate == NULL) {
return NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_INTERNAL_SERVER_ERROR;
@ -604,8 +597,7 @@ ngx_http_auth_ldap(ngx_conf_t *cf, void *post, void *data) {
return NGX_CONF_OK; return NGX_CONF_OK;
} }
static ngx_int_t static ngx_int_t ngx_http_auth_ldap_init(ngx_conf_t *cf) {
ngx_http_auth_ldap_init(ngx_conf_t *cf) {
ngx_http_handler_pt *h; ngx_http_handler_pt *h;
ngx_http_core_main_conf_t *cmcf; ngx_http_core_main_conf_t *cmcf;

Loading…
Cancel
Save