--- src/http_auth.c.orig	2008-11-06 12:50:26.000000000 +0000
+++ src/http_auth.c	2008-11-07 14:05:26.000000000 +0000
@@ -295,7 +295,7 @@
 	return ret;
 }
 
-static int http_auth_match_rules(server *srv, mod_auth_plugin_data *p, const char *url, const char *username, const char *group, const char *host) {
+static int http_auth_match_rules(server *srv, mod_auth_plugin_data *p, const char *url, const char *username, const char *group, const char *host, char *dn) {
 	const char *r = NULL, *rules = NULL;
 	size_t i;
 	int username_len;
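Review bot: The new `dn` parameter is declared `char *dn` while every other string parameter on this signature is `const char *`. The only use visible in the patch passes it to `buffer_append_string`, so `const char *dn` would state that the function does not modify or take ownership of the DN. The function body continues outside this hunk.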
@@ -400,7 +400,68 @@
 			}
 		} else if (k_len == 5) {
 			if (0 == strncmp(k, "group", k_len)) {
-				log_error_write(srv, __FILE__, __LINE__, "s", "group ... (not implemented)");
+				if(p->conf.auth_backend == AUTH_BACKEND_LDAP && dn != NULL) { 
+					/* lookup ldap group membership */	
+#ifdef USE_LDAP
+					LDAP *ldap = NULL;
+					LDAPMessage *lm = NULL;
+					char *attrs[] = { LDAP_NO_ATTRS, NULL };
+					
+					/* dn has been passed as char-pointer.. */
+					if(NULL != (ldap = ldap_init(p->conf.auth_ldap_hostname->ptr, LDAP_PORT))) {
+						/* init ok, set version */
+						int ret = LDAP_VERSION3;
+						if(LDAP_OPT_SUCCESS == (ret = ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &ret))) {
+							/* set version ok .. contine with stuff */
+							if(p->conf.auth_ldap_starttls == 1 && LDAP_SUCCESS != (ret = ldap_start_tls_s(ldap, NULL, NULL))) {
+								log_error_write(srv, __FILE__, __LINE__, "ss", "ldap startTLS failed:", ldap_err2string(ret));
+								(void)ldap_unbind_s(ldap);
+								return -1;
+							} /* we should be ok to bind here, starttls breaks http_auth_basic_check if fails */
+							if(LDAP_SUCCESS == (ret = ldap_simple_bind_s(ldap, p->conf.auth_ldap_binddn->used ? p->conf.auth_ldap_binddn->ptr : NULL, p->conf.auth_ldap_binddn->used ? p->conf.auth_ldap_bindpw->ptr : NULL))) {
+								/* build groupfilter */
+								buffer *groupFilter = buffer_init_string("(&(objectClass=groupOfNames)(member=");
+								(void)buffer_append_string(groupFilter, dn);
+								(void)buffer_append_string(groupFilter, "))");
+
+								/* extract groupdn from require */
+								buffer *groupDN = buffer_init();
+								(void)buffer_copy_string_len(groupDN, v, (size_t)v_len);
+					
+								/* CHECK GROUP MEMBERSHIP - NEED TO EXTRACT groupDN from auth.require.. */
+								if(LDAP_SUCCESS == ldap_search_s(ldap, groupDN->ptr, LDAP_SCOPE_SUBTREE, groupFilter->ptr, attrs, 0, &lm)) {
+									if( ldap_count_entries(ldap, lm) > 0 ) {
+										(void)buffer_free(groupDN);
+										(void)buffer_free(groupFilter);
+										(void)ldap_msgfree(lm);
+										(void)ldap_unbind_s(ldap);
+										return 0;
+									} else {
+										(void)buffer_free(groupDN);
+										(void)buffer_free(groupFilter);
+										(void)ldap_msgfree(lm);
+										(void)ldap_unbind_s(ldap);
+									}
+								} else {
+										(void)buffer_free(groupDN);
+										(void)buffer_free(groupFilter);
+										(void)ldap_msgfree(lm);
+										(void)ldap_unbind_s(ldap);
+								}
+							} else {
+								log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
+								(void)ldap_unbind_s(ldap);
+							}
+						} else {
+							log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
+							(void)ldap_unbind_s(ldap);
+						}
+					} else {
+						/* group set, but not auth.backend = "ldap" */
+						log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", strerror(errno));
+					}
+#endif
+				} else { log_error_write(srv, __FILE__, __LINE__, "s", "group ... (not implemented)"); }
 			} else {
 				log_error_write(srv, __FILE__, __LINE__, "ss", "unknown key", k);
 				return -1;
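Review bot: `dn` is appended to the search filter at `buffer_append_string(groupFilter, dn)` without RFC 4515 escaping, so a DN containing `(`, `)`, `*` or `\` changes the structure of the `(member=...)` term and the membership test can match or fail incorrectly. Escape those bytes as `\28`, `\29`, `\2a` and `\5c` before appending, as in the fence below. Apart from the startTLS failure, every error branch (init, set_option, bind, search) only logs or cleans up and then falls through, so whether an LDAP outage denies the request depends on code after this hunk; an explicit `return -1;` on those branches would make the rule fail closed. With `USE_LDAP` undefined the LDAP branch compiles to an empty block and the rule is passed over without a log line. `http_auth_match_rules` begins and ends outside this hunk.

```c
/* build groupfilter */
buffer *groupFilter = buffer_init_string("(&(objectClass=groupOfNames)(member=");
const char *c;

/* RFC 4515: escape filter metacharacters in the DN before embedding it */
for (c = dn; *c != '\0'; c++) {
	char esc[4];

	if (*c == '*' || *c == '(' || *c == ')' || *c == '\\') {
		snprintf(esc, sizeof(esc), "\\%02x", (unsigned char)*c);
	} else {
		esc[0] = *c;
		esc[1] = '\0';
	}
	(void)buffer_append_string(groupFilter, esc);
}
(void)buffer_append_string(groupFilter, "))");
/* … unchanged: groupDN extraction, ldap_search_s and cleanup … */
```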
@@ -598,7 +659,7 @@
  * @param pw       password-string from the client
  */
 
-static int http_auth_basic_password_compare(server *srv, mod_auth_plugin_data *p, array *req, buffer *username, buffer *realm, buffer *password, const char *pw) {
+static int http_auth_basic_password_compare(server *srv, mod_auth_plugin_data *p, array *req, buffer *username, buffer *realm, buffer *password, const char *pw, char **dn) {
 	UNUSED(srv);
 	UNUSED(req);
 
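Review bot: The new `dn` out-parameter is missing from the `@param` list above `http_auth_basic_password_compare`, and nothing states who owns the string it returns. Suggested line after `@param pw`: ` * @param dn       out: DN of the matched user, set by the LDAP backend; caller releases it with ldap_memfree()`. As far as the hunks show, only the LDAP path writes it, so the comment should also say that other backends leave it unchanged if that holds for the rest of the body, which is outside this hunk.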
@@ -699,7 +760,6 @@
 #ifdef USE_LDAP
 		LDAP *ldap = NULL;
 		LDAPMessage *lm, *first;
-		char *dn;
 		int ret;
 		char *attrs[] = { LDAP_NO_ATTRS, NULL };
 		size_t i;
@@ -774,7 +834,7 @@
 			return -1;
 		}
 
-		if (NULL == (dn = ldap_get_dn(p->conf.ldap, first))) {
+		if (NULL == (*dn = ldap_get_dn(p->conf.ldap, first))) {
 			log_error_write(srv, __FILE__, __LINE__, "s", "ldap: ldap_get_dn failed");
 
 			ldap_msgfree(lm);
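Review bot: The string returned by `ldap_get_dn()` is now stored through `*dn` and outlives this function, but none of the hunks adds an `ldap_memfree()` for it. In `http_auth_basic_check` the exit paths visible after the password compare and after `http_auth_match_rules` free `username` and `password` only, so unless the DN is released in code outside the hunks, each LDAP login leaks it, including failed ones where the later bind fails. Release it in the caller on every exit, e.g. `if (dn) ldap_memfree(dn);` under `#ifdef USE_LDAP`. `*dn` is also written without checking that `dn` itself is non-NULL.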
@@ -819,7 +879,7 @@
  		}
 
 
-		if (LDAP_SUCCESS != (ret = ldap_simple_bind_s(ldap, dn, pw))) {
+		if (LDAP_SUCCESS != (ret = ldap_simple_bind_s(ldap, *dn, pw))) {
 			log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
 
 			ldap_unbind_s(ldap);
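Review bot: `ldap_simple_bind_s(ldap, *dn, pw)` is the only credential check on this path, and a simple bind with a DN and a zero-length password is an unauthenticated bind under RFC 4513 that many servers answer with success. No empty-password check is visible in this hunk; confirm that one exists earlier in the function. If it does not, reject `pw[0] == '\0'` before the bind and release the handle the same way this failure path does. This matters more with this patch, because a successful bind now also feeds the group authorization decision.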
@@ -840,7 +900,8 @@
 
 int http_auth_basic_check(server *srv, connection *con, mod_auth_plugin_data *p, array *req, buffer *url, const char *realm_str) {
 	buffer *username, *password;
-	char *pw;
+	char *dn = NULL; //for checking ldap-group membership in http_auth_match_rules (set by http_auth_basic_compare)
+	char *pw = NULL;
 
 	data_string *realm;
 
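Review bot: The comment on the new `dn` declaration names `http_auth_basic_compare`, but the function that sets it in this patch is `http_auth_basic_password_compare`. It also uses `//` where the surrounding code uses `/* */`. Suggested: `char *dn = NULL; /* user DN set by http_auth_basic_password_compare() on the LDAP path; read by http_auth_match_rules() for group rules */`.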
@@ -879,7 +940,7 @@
 	}
 
 	/* password doesn't match */
-	if (http_auth_basic_password_compare(srv, p, req, username, realm->value, password, pw)) {
+	if (http_auth_basic_password_compare(srv, p, req, username, realm->value, password, pw, &dn)) {
 		log_error_write(srv, __FILE__, __LINE__, "sbbss", "password doesn't match for ", con->uri.path, username, ", IP:", inet_ntop_cache_get_ip(srv, &(con->dst_addr)));
 
 		buffer_free(username);
@@ -889,7 +950,7 @@
 	}
 
 	/* value is our allow-rules */
-	if (http_auth_match_rules(srv, p, url->ptr, username->ptr, NULL, NULL)) {
+	if (http_auth_match_rules(srv, p, url->ptr, username->ptr, NULL, NULL, dn)) {
 		buffer_free(username);
 		buffer_free(password);
 
@@ -1155,7 +1216,7 @@
 	}
 
 	/* value is our allow-rules */
-	if (http_auth_match_rules(srv, p, url->ptr, username, NULL, NULL)) {
+	if (http_auth_match_rules(srv, p, url->ptr, username, NULL, NULL, NULL)) {
 		buffer_free(b);
 
 		log_error_write(srv, __FILE__, __LINE__, "s",
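Review bot: This caller passes `NULL` for `dn`, so a `group=` rule evaluated here reaches the branch that only logs `group ... (not implemented)` even when the backend is LDAP. The basic-auth caller performs the lookup for the same rule, so the same `auth.require` entry behaves differently depending on which check runs. What happens after that log line is outside the hunks, so confirm that the rule denies the request rather than being skipped. A comment at the call such as `/* no DN available on this path: group rules are not evaluated */` would document the gap. The enclosing function is not named in this hunk.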
