author | Stefan Fritsch <sf@apache.org> | 2010-07-14 21:59:31 +0200 |
committer | Stefan Fritsch <sf@apache.org> | 2010-07-14 21:59:31 +0200 |
commit | f14218c7ad848377d62b7c24240832b67794eafd (patch) | |
tree | 6d7554660d4505da1c356991121b9c5ef0aeaf3f /modules/aaa/mod_authnz_ldap.c | |
parent | Allow for modules to keep track of worker slot (diff) | |
The approach for allowing authorization by user or IP introduced in r956387,
etc. causes problems because the authentication module calls
note_*_auth_failure if authentication fails. This is inappropriate if access is
later allowed because of the IP.
So, instead of calling the auth_checker hook even if authentication failed, we
introduce a new access_checker_ex hook that runs between the access_checker and
the check_user_id hooks. If an access_checker_ex function returns OK, the
request will be allowed without authentication.
To make use of this, change mod_authz_core to walk the require blocks in the
access_checker_ex phase and deny/allow the request if the authz result does not
depend on an authenticated user. To distinguish a real AUTHZ_DENIED from an
authz provider from an authz provider needing an authenticated user, the latter
must return the new AUTHZ_DENIED_NO_USER code.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@964156 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules/aaa/mod_authnz_ldap.c')
-rw-r--r-- | modules/aaa/mod_authnz_ldap.c | 54 |
1 files changed, 20 insertions, 34 deletions
diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index 2444e4b454..1966556ea5 100644
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -616,6 +616,10 @@ static authz_status ldapuser_check_authorization(request_rec *r,
     char filtbuf[FILTER_LENGTH];
     const char *dn = NULL;
 
+    if (!r->user) {
+        return AUTHZ_DENIED_NO_USER;
+    }
+
     if (!sec->have_ldap_url) {
         return AUTHZ_DENIED;
     }
@@ -638,12 +642,6 @@ static authz_status ldapuser_check_authorization(request_rec *r,
      * and populated with the userid and DN of the account in LDAP
      */
 
-    /* Check that we have a userid to start with */
-    if (!r->user) {
-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-            "access to %s failed, reason: no authenticated user", r->uri);
-        return AUTHZ_DENIED;
-    }
 
     if (!strlen(r->user)) {
         ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
@@ -755,6 +753,10 @@ static authz_status ldapgroup_check_authorization(request_rec *r,
     struct mod_auth_ldap_groupattr_entry_t *ent;
     int i;
 
+    if (!r->user) {
+        return AUTHZ_DENIED_NO_USER;
+    }
+
     if (!sec->have_ldap_url) {
         return AUTHZ_DENIED;
     }
@@ -813,13 +815,6 @@ static authz_status ldapgroup_check_authorization(request_rec *r,
      * and populated with the userid and DN of the account in LDAP
      */
 
-    /* Check that we have a userid to start with */
-    if (!r->user) {
-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-            "access to %s failed, reason: no authenticated user", r->uri);
-        return AUTHZ_DENIED;
-    }
-
     if (!strlen(r->user)) {
         ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
             "ldap authorize: Userid is blank, AuthType=%s",
@@ -971,6 +966,10 @@ static authz_status ldapdn_check_authorization(request_rec *r,
     char filtbuf[FILTER_LENGTH];
     const char *dn = NULL;
 
+    if (!r->user) {
+        return AUTHZ_DENIED_NO_USER;
+    }
+
     if (!sec->have_ldap_url) {
         return AUTHZ_DENIED;
     }
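Review bot: The new `!r->user` guard in ldapuser_check_authorization returns AUTHZ_DENIED_NO_USER before the `!sec->have_ldap_url` check, so a section with no AuthLDAPURL configured would (as far as the description of the access_checker_ex phase goes) first request credentials and only deny once a user has been authenticated; since the configuration check does not depend on r->user, placing `if (!sec->have_ldap_url) { return AUTHZ_DENIED; }` ahead of the user check would deny such a misconfiguration without prompting. The same ordering appears in the ldapgroup, ldapdn, ldapattribute and ldapfilter hunks. The early return also replaces a logged APLOG_ERR with a silent status whose meaning differs from a denial, which is worth a comment for the next maintainer, e.g. `/* No user yet (access_checker_ex phase): ask for authentication rather than denying. */`. ldapuser_check_authorization begins before and continues after this hunk.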
@@ -993,13 +992,6 @@ static authz_status ldapdn_check_authorization(request_rec *r,
      * and populated with the userid and DN of the account in LDAP
      */
 
-    /* Check that we have a userid to start with */
-    if (!r->user) {
-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-            "access to %s failed, reason: no authenticated user", r->uri);
-        return AUTHZ_DENIED;
-    }
-
     if (!strlen(r->user)) {
         ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
             "ldap authorize: Userid is blank, AuthType=%s",
@@ -1083,6 +1075,10 @@ static authz_status ldapattribute_check_authorization(request_rec *r,
     char filtbuf[FILTER_LENGTH];
     const char *dn = NULL;
 
+    if (!r->user) {
+        return AUTHZ_DENIED_NO_USER;
+    }
+
     if (!sec->have_ldap_url) {
         return AUTHZ_DENIED;
     }
@@ -1105,13 +1101,6 @@ static authz_status ldapattribute_check_authorization(request_rec *r,
      * and populated with the userid and DN of the account in LDAP
      */
 
-    /* Check that we have a userid to start with */
-    if (!r->user) {
-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-            "access to %s failed, reason: no authenticated user", r->uri);
-        return AUTHZ_DENIED;
-    }
-
     if (!strlen(r->user)) {
         ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
             "ldap authorize: Userid is blank, AuthType=%s",
@@ -1199,6 +1188,10 @@ static authz_status ldapfilter_check_authorization(request_rec *r,
     char filtbuf[FILTER_LENGTH];
     const char *dn = NULL;
 
+    if (!r->user) {
+        return AUTHZ_DENIED_NO_USER;
+    }
+
     if (!sec->have_ldap_url) {
         return AUTHZ_DENIED;
     }
@@ -1221,13 +1214,6 @@ static authz_status ldapfilter_check_authorization(request_rec *r,
      * and populated with the userid and DN of the account in LDAP
      */
 
-    /* Check that we have a userid to start with */
-    if (!r->user) {
-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-            "access to %s failed, reason: no authenticated user", r->uri);
-        return AUTHZ_DENIED;
-    }
-
     if (!strlen(r->user)) {
         ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
             "ldap authorize: Userid is blank, AuthType=%s",