Initialize count on line 806. Prevents compilation errors.
```
nginx-auth-ldap/ngx_http_auth_ldap_module.c:815:26: error: variable 'count' may be uninitialized when used here [-Werror,-Wconditional-uninitialized]
cache->num_buckets = count;
^~~~~
nginx-auth-ldap/ngx_http_auth_ldap_module.c:793:27: note: initialize the variable 'count' to silence this warning
ngx_uint_t want, count, i;
^
= 0
```
Enable configure timeouts for LDAP connections and queries
on ldap_server section.
Example config:
ldap_server myldap {
url ldap://myldap.org/CN=users,CN=accounts,DC=myorg?uid?sub?(objectClass=person);
connections 10;
connect_timeout 30s;
reconnect_timeout 5s;
bind_timeout 15s;
request_timeout 20s;
require valid_user;
}
When timeout settings are not defined, the previous hardcoded values are used as
default : 5s (bind), 10s (connect, reconnect, request).
This fixes issue #40. User passwords should *always* be checked during authentication (except when a user fails to satisfy given requirements). Previously, the PHASE_CHECK_BIND step of authentication would not check passwords in any LDAP configuration where ``require valid_user`` was not specified (eg using ``require user`` or ``require group``).
Sometimes the authentication handler got called again just after the
search operation has been started, immediately failing because nothing
has been found yet. Added an extra safety check for these cases.
A connection is opened using nginx framework and then fed to OpenLDAP using
ldap_init_fd() call with custom SockBuf IO handlers. When some credentials
need to be validated, ngx_http_auth_ldap_authenticate() is called multiple
times, returning NGX_AGAIN each time the process is waiting for the LDAP
server to reply.
(Note: This only an initial implementation and as such, it is of course
very buggy and limited. Further work is needed to make it useful.)
A configured number of cached (server,username,password) entries is held
for a configured amount of time to avoid repeated authentications for
each of several requests quickly following each other.
The configuration can now contain a directive like this
require valid_user cn=$remote_user,dc=example,dc=com
which will result in the bind as the respective user to be the
only command sent to the server, skipping the search request.
The core fills both decoded user name and password into r->headers_in.user
or r->headers_in.passwd, respectively, when ngx_http_auth_basic_user() is
called. Maybe it did not work like this before, but there is definitely no
need to handle the decoding ourselves now (nginx 1.4.1).
- Renamed ngx_ldap_server to ngx_http_auth_ldap_server_t.
- Used NGX_CONF_ANY instead of many NGX_CONF_TAKExxxx for the configuration
option taking any number of arguments.
Victor Hahn
rascal-hats
Victor Hahn Castell
Petrovich
Jakub Podeszwik
Jean-Baptiste Quenot
Donald Huang
cryptogopher
Luca Milanesio
Andrii Moiseiev
Patrik Weiskircher
Patrik Weiskircher
Tomáš Golembiovský
David Beitey
Prune
Robert Nelson
Tomáš Golembiovský
Jiri Hruska
Pavel Brylov
Valery
Jan Marc Hoffmann
harveyzh