VladPolskiy/apache-http-server
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-06 11:06:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Incorporate the ap_ldap incomplete API, as there is no interest or effort

Browse Source 
at APR to make this a complete abstraction, and it was voted 'off the island'
with APR 2.0.  This will allow httpd 2.3 to build against either apr-2.0
or apr+util 1.x.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1129808 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
William A. Rowe Jr
2011-05-31 17:10:11 +00:00
parent e66d41d2d1
commit 37770675d7
23 changed files with 3459 additions and 139 deletions
Download Patch File Download Diff File Expand all files Collapse all files

170
modules/ldap/util_ldap.c
View File

@ -38,17 +38,8 @@
#include <unistd.h>
#endif
#if !APR_HAS_LDAP
#error mod_ldap requires APR-util to have LDAP support built in
#endif
/* Default define for ldap functions that need a SIZELIMIT but
* do not have the define
* XXX This should be removed once a supporting #define is
* released through APR-Util.
*/
#ifndef APR_LDAP_SIZELIMIT
#define APR_LDAP_SIZELIMIT -1
#if !AP_HAS_LDAP
#error mod_ldap requires httpd to detect LDAP support
#endif
#ifdef LDAP_OPT_DEBUG_LEVEL
@ -181,7 +172,7 @@ static apr_status_t uldap_connection_unbind(void *param)
/* forget the rebind info for this conn */
if (ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) {
apr_ldap_rebind_remove(ldc->ldap);
ap_ldap_rebind_remove(ldc->ldap);
apr_pool_clear(ldc->rebind_pool);
}
}
@ -251,7 +242,7 @@ static int uldap_connection_init(request_rec *r,
{
int rc = 0, ldap_option = 0;
int version = LDAP_VERSION3;
apr_ldap_err_t *result = NULL;
ap_ldap_err_t *result = NULL;
#ifdef LDAP_OPT_NETWORK_TIMEOUT
struct timeval connectionTimeout = {10,0}; /* 10 second connection timeout */
#endif
@ -265,10 +256,10 @@ static int uldap_connection_init(request_rec *r,
* some hosts with ports and some without. All hosts which do not
* specify a port will use the default port.
*/
apr_ldap_init(r->pool, &(ldc->ldap),
ap_ldap_init(r->pool, &(ldc->ldap),
ldc->host,
APR_LDAP_SSL == ldc->secure ? LDAPS_PORT : LDAP_PORT,
APR_LDAP_NONE,
AP_LDAP_SSL == ldc->secure ? LDAPS_PORT : LDAP_PORT,
AP_LDAP_NONE,
&(result));
if (NULL == result) {
@ -300,7 +291,7 @@ static int uldap_connection_init(request_rec *r,
if (ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) {
/* Now that we have an ldap struct, add it to the referral list for rebinds. */
rc = apr_ldap_rebind_add(ldc->rebind_pool, ldc->ldap, ldc->binddn, ldc->bindpw);
rc = ap_ldap_rebind_add(ldc->rebind_pool, ldc->ldap, ldc->binddn, ldc->bindpw);
if (rc != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_ERR, rc, r->server,
"LDAP: Unable to add rebind cross reference entry. Out of memory?");
@ -315,7 +306,7 @@ static int uldap_connection_init(request_rec *r,
/* set client certificates */
if (!apr_is_empty_array(ldc->client_certs)) {
apr_ldap_set_option(r->pool, ldc->ldap, APR_LDAP_OPT_TLS_CERT,
ap_ldap_set_option(r->pool, ldc->ldap, AP_LDAP_OPT_TLS_CERT,
ldc->client_certs, &(result));
if (LDAP_SUCCESS != result->rc) {
uldap_connection_unbind( ldc );
@ -325,9 +316,9 @@ static int uldap_connection_init(request_rec *r,
}
/* switch on SSL/TLS */
if (APR_LDAP_NONE != ldc->secure) {
apr_ldap_set_option(r->pool, ldc->ldap,
APR_LDAP_OPT_TLS, &ldc->secure, &(result));
if (AP_LDAP_NONE != ldc->secure) {
ap_ldap_set_option(r->pool, ldc->ldap,
AP_LDAP_OPT_TLS, &ldc->secure, &(result));
if (LDAP_SUCCESS != result->rc) {
uldap_connection_unbind( ldc );
ldc->reason = result->reason;
@ -344,8 +335,8 @@ static int uldap_connection_init(request_rec *r,
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"LDAP: Setting referrals to %s.",
((ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) ? "On" : "Off"));
apr_ldap_set_option(r->pool, ldc->ldap,
APR_LDAP_OPT_REFERRALS,
ap_ldap_set_option(r->pool, ldc->ldap,
AP_LDAP_OPT_REFERRALS,
(void *)((ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) ?
LDAP_OPT_ON : LDAP_OPT_OFF),
&(result));
@ -365,8 +356,8 @@ static int uldap_connection_init(request_rec *r,
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"Setting referral hop limit to %d.",
ldc->ReferralHopLimit);
apr_ldap_set_option(r->pool, ldc->ldap,
APR_LDAP_OPT_REFHOPLIMIT,
ap_ldap_set_option(r->pool, ldc->ldap,
AP_LDAP_OPT_REFHOPLIMIT,
(void *)&ldc->ReferralHopLimit,
&(result));
if (result->rc != LDAP_SUCCESS) {
@ -382,31 +373,8 @@ static int uldap_connection_init(request_rec *r,
}
}
/*XXX All of the #ifdef's need to be removed once apr-util 1.2 is released */
#ifdef APR_LDAP_OPT_VERIFY_CERT
apr_ldap_set_option(r->pool, ldc->ldap, APR_LDAP_OPT_VERIFY_CERT,
ap_ldap_set_option(r->pool, ldc->ldap, AP_LDAP_OPT_VERIFY_CERT,
&(st->verify_svr_cert), &(result));
#else
#if defined(LDAPSSL_VERIFY_SERVER)
if (st->verify_svr_cert) {
result->rc = ldapssl_set_verify_mode(LDAPSSL_VERIFY_SERVER);
}
else {
result->rc = ldapssl_set_verify_mode(LDAPSSL_VERIFY_NONE);
}
#elif defined(LDAP_OPT_X_TLS_REQUIRE_CERT)
/* This is not a per-connection setting so just pass NULL for the
Ldap connection handle */
if (st->verify_svr_cert) {
int i = LDAP_OPT_X_TLS_DEMAND;
result->rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &i);
}
else {
int i = LDAP_OPT_X_TLS_NEVER;
result->rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &i);
}
#endif
#endif
#ifdef LDAP_OPT_NETWORK_TIMEOUT
if (st->connectionTimeout > 0) {
@ -414,7 +382,7 @@ static int uldap_connection_init(request_rec *r,
}
if (st->connectionTimeout >= 0) {
rc = apr_ldap_set_option(r->pool, ldc->ldap, LDAP_OPT_NETWORK_TIMEOUT,
rc = ap_ldap_set_option(r->pool, ldc->ldap, LDAP_OPT_NETWORK_TIMEOUT,
(void *)&connectionTimeout, &(result));
if (APR_SUCCESS != rc) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
@ -433,7 +401,7 @@ static int uldap_connection_init(request_rec *r,
* XXX: ldap_result() with a timeout.
*/
if (st->opTimeout) {
rc = apr_ldap_set_option(r->pool, ldc->ldap, LDAP_OPT_TIMEOUT,
rc = ap_ldap_set_option(r->pool, ldc->ldap, LDAP_OPT_TIMEOUT,
st->opTimeout, &(result));
if (APR_SUCCESS != rc) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
@ -588,7 +556,7 @@ static int compare_client_certs(apr_array_header_t *srcs,
apr_array_header_t *dests)
{
int i = 0;
struct apr_ldap_opt_tls_cert_t *src, *dest;
struct ap_ldap_opt_tls_cert_t *src, *dest;
/* arrays both NULL? if so, then equal */
if (srcs == NULL && dests == NULL) {
@ -601,8 +569,8 @@ static int compare_client_certs(apr_array_header_t *srcs,
}
/* run an actual comparison */
src = (struct apr_ldap_opt_tls_cert_t *)srcs->elts;
dest = (struct apr_ldap_opt_tls_cert_t *)dests->elts;
src = (struct ap_ldap_opt_tls_cert_t *)srcs->elts;
dest = (struct ap_ldap_opt_tls_cert_t *)dests->elts;
for (i = 0; i < srcs->nelts; i++) {
if ((strcmp(src[i].path, dest[i].path)) ||
(src[i].type != dest[i].type) ||
@ -649,7 +617,7 @@ static util_ldap_connection_t *
apr_thread_mutex_lock(st->mutex);
#endif
if (secure < APR_LDAP_NONE) {
if (secure < AP_LDAP_NONE) {
secureflag = st->secure;
}
@ -763,7 +731,7 @@ static util_ldap_connection_t *
l->ReferralHopLimit = dc->ReferralHopLimit;
/* The security mode after parsing the URL will always be either
* APR_LDAP_NONE (ldap://) or APR_LDAP_SSL (ldaps://).
* AP_LDAP_NONE (ldap://) or AP_LDAP_SSL (ldaps://).
* If the security setting is NONE, override it to the security
* setting optionally supplied by the admin using LDAPTrustedMode
*/
@ -885,7 +853,7 @@ start_over:
/* search for reqdn */
result = ldap_search_ext_s(ldc->ldap, (char *)reqdn, LDAP_SCOPE_BASE,
"(objectclass=*)", NULL, 1,
NULL, NULL, st->opTimeout, APR_LDAP_SIZELIMIT, &res);
NULL, NULL, st->opTimeout, AP_LDAP_SIZELIMIT, &res);
if (AP_LDAP_IS_SERVER_DOWN(result))
{
ldc->reason = "DN Comparison ldap_search_ext_s() "
@ -1144,7 +1112,7 @@ start_over:
/* try to do the search */
result = ldap_search_ext_s(ldc->ldap, (char *)dn, LDAP_SCOPE_BASE,
(char *)"cn=*", subgroupAttrs, 0,
NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &sga_res);
NULL, NULL, NULL, AP_LDAP_SIZELIMIT, &sga_res);
if (AP_LDAP_IS_SERVER_DOWN(result)) {
ldc->reason = "ldap_search_ext_s() for subgroups failed with server"
" down";
@ -1615,7 +1583,7 @@ start_over:
result = ldap_search_ext_s(ldc->ldap,
(char *)basedn, scope,
(char *)filter, attrs, 0,
NULL, NULL, st->opTimeout, APR_LDAP_SIZELIMIT, &res);
NULL, NULL, st->opTimeout, AP_LDAP_SIZELIMIT, &res);
if (AP_LDAP_IS_SERVER_DOWN(result))
{
ldc->reason = "ldap_search_ext_s() for user failed with server down";
@ -1866,7 +1834,7 @@ start_over:
result = ldap_search_ext_s(ldc->ldap,
(char *)basedn, scope,
(char *)filter, attrs, 0,
NULL, NULL, st->opTimeout, APR_LDAP_SIZELIMIT, &res);
NULL, NULL, st->opTimeout, AP_LDAP_SIZELIMIT, &res);
if (AP_LDAP_IS_SERVER_DOWN(result))
{
ldc->reason = "ldap_search_ext_s() for user failed with server down";
@ -2136,72 +2104,72 @@ static const char *util_ldap_set_opcache_entries(cmd_parms *cmd, void *dummy,
* CA_DER, CA_BASE64, CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64,
* CERT_KEY3_DB, CERT_NICKNAME, KEY_DER, KEY_BASE64
*
* If no matches are found, APR_LDAP_CA_TYPE_UNKNOWN is returned.
* If no matches are found, AP_LDAP_CA_TYPE_UNKNOWN is returned.
*/
static int util_ldap_parse_cert_type(const char *type)
{
/* Authority file in binary DER format */
if (0 == strcasecmp("CA_DER", type)) {
return APR_LDAP_CA_TYPE_DER;
return AP_LDAP_CA_TYPE_DER;
}
/* Authority file in Base64 format */
else if (0 == strcasecmp("CA_BASE64", type)) {
return APR_LDAP_CA_TYPE_BASE64;
return AP_LDAP_CA_TYPE_BASE64;
}
/* Netscape certificate database file/directory */
else if (0 == strcasecmp("CA_CERT7_DB", type)) {
return APR_LDAP_CA_TYPE_CERT7_DB;
return AP_LDAP_CA_TYPE_CERT7_DB;
}
/* Netscape secmod file/directory */
else if (0 == strcasecmp("CA_SECMOD", type)) {
return APR_LDAP_CA_TYPE_SECMOD;
return AP_LDAP_CA_TYPE_SECMOD;
}
/* Client cert file in DER format */
else if (0 == strcasecmp("CERT_DER", type)) {
return APR_LDAP_CERT_TYPE_DER;
return AP_LDAP_CERT_TYPE_DER;
}
/* Client cert file in Base64 format */
else if (0 == strcasecmp("CERT_BASE64", type)) {
return APR_LDAP_CERT_TYPE_BASE64;
return AP_LDAP_CERT_TYPE_BASE64;
}
/* Client cert file in PKCS#12 format */
else if (0 == strcasecmp("CERT_PFX", type)) {
return APR_LDAP_CERT_TYPE_PFX;
return AP_LDAP_CERT_TYPE_PFX;
}
/* Netscape client cert database file/directory */
else if (0 == strcasecmp("CERT_KEY3_DB", type)) {
return APR_LDAP_CERT_TYPE_KEY3_DB;
return AP_LDAP_CERT_TYPE_KEY3_DB;
}
/* Netscape client cert nickname */
else if (0 == strcasecmp("CERT_NICKNAME", type)) {
return APR_LDAP_CERT_TYPE_NICKNAME;
return AP_LDAP_CERT_TYPE_NICKNAME;
}
/* Client cert key file in DER format */
else if (0 == strcasecmp("KEY_DER", type)) {
return APR_LDAP_KEY_TYPE_DER;
return AP_LDAP_KEY_TYPE_DER;
}
/* Client cert key file in Base64 format */
else if (0 == strcasecmp("KEY_BASE64", type)) {
return APR_LDAP_KEY_TYPE_BASE64;
return AP_LDAP_KEY_TYPE_BASE64;
}
/* Client cert key file in PKCS#12 format */
else if (0 == strcasecmp("KEY_PFX", type)) {
return APR_LDAP_KEY_TYPE_PFX;
return AP_LDAP_KEY_TYPE_PFX;
}
else {
return APR_LDAP_CA_TYPE_UNKNOWN;
return AP_LDAP_CA_TYPE_UNKNOWN;
}
}
@ -2230,7 +2198,7 @@ static const char *util_ldap_set_trusted_global_cert(cmd_parms *cmd,
apr_finfo_t finfo;
apr_status_t rv;
int cert_type = 0;
apr_ldap_opt_tls_cert_t *cert;
ap_ldap_opt_tls_cert_t *cert;
if (err != NULL) {
return err;
@ -2239,7 +2207,7 @@ static const char *util_ldap_set_trusted_global_cert(cmd_parms *cmd,
/* handle the certificate type */
if (type) {
cert_type = util_ldap_parse_cert_type(type);
if (APR_LDAP_CA_TYPE_UNKNOWN == cert_type) {
if (AP_LDAP_CA_TYPE_UNKNOWN == cert_type) {
return apr_psprintf(cmd->pool, "The certificate type %s is "
"not recognised. It should be one "
"of CA_DER, CA_BASE64, CA_CERT7_DB, "
@ -2257,14 +2225,14 @@ static const char *util_ldap_set_trusted_global_cert(cmd_parms *cmd,
file, type);
/* add the certificate to the global array */
cert = (apr_ldap_opt_tls_cert_t *)apr_array_push(st->global_certs);
cert = (ap_ldap_opt_tls_cert_t *)apr_array_push(st->global_certs);
cert->type = cert_type;
cert->path = file;
cert->password = password;
/* if file is a file or path, fix the path */
if (cert_type != APR_LDAP_CA_TYPE_UNKNOWN &&
cert_type != APR_LDAP_CERT_TYPE_NICKNAME) {
if (cert_type != AP_LDAP_CA_TYPE_UNKNOWN &&
cert_type != AP_LDAP_CERT_TYPE_NICKNAME) {
cert->path = ap_server_root_relative(cmd->pool, file);
if (cert->path &&
@ -2301,12 +2269,12 @@ static const char *util_ldap_set_trusted_client_cert(cmd_parms *cmd,
apr_finfo_t finfo;
apr_status_t rv;
int cert_type = 0;
apr_ldap_opt_tls_cert_t *cert;
ap_ldap_opt_tls_cert_t *cert;
/* handle the certificate type */
if (type) {
cert_type = util_ldap_parse_cert_type(type);
if (APR_LDAP_CA_TYPE_UNKNOWN == cert_type) {
if (AP_LDAP_CA_TYPE_UNKNOWN == cert_type) {
return apr_psprintf(cmd->pool, "The certificate type \"%s\" is "
"not recognised. It should be one "
"of CA_DER, CA_BASE64, "
@ -2315,10 +2283,10 @@ static const char *util_ldap_set_trusted_client_cert(cmd_parms *cmd,
"KEY_DER, KEY_BASE64, KEY_PFX",
type);
}
else if ( APR_LDAP_CA_TYPE_CERT7_DB == cert_type ||
APR_LDAP_CA_TYPE_SECMOD == cert_type ||
APR_LDAP_CERT_TYPE_PFX == cert_type ||
APR_LDAP_CERT_TYPE_KEY3_DB == cert_type) {
else if ( AP_LDAP_CA_TYPE_CERT7_DB == cert_type ||
AP_LDAP_CA_TYPE_SECMOD == cert_type ||
AP_LDAP_CERT_TYPE_PFX == cert_type ||
AP_LDAP_CERT_TYPE_KEY3_DB == cert_type) {
return apr_psprintf(cmd->pool, "The certificate type \"%s\" is "
"only valid within a "
"LDAPTrustedGlobalCert directive. "
@ -2337,14 +2305,14 @@ static const char *util_ldap_set_trusted_client_cert(cmd_parms *cmd,
file, type);
/* add the certificate to the client array */
cert = (apr_ldap_opt_tls_cert_t *)apr_array_push(dc->client_certs);
cert = (ap_ldap_opt_tls_cert_t *)apr_array_push(dc->client_certs);
cert->type = cert_type;
cert->path = file;
cert->password = password;
/* if file is a file or path, fix the path */
if (cert_type != APR_LDAP_CA_TYPE_UNKNOWN &&
cert_type != APR_LDAP_CERT_TYPE_NICKNAME) {
if (cert_type != AP_LDAP_CA_TYPE_UNKNOWN &&
cert_type != AP_LDAP_CERT_TYPE_NICKNAME) {
cert->path = ap_server_root_relative(cmd->pool, file);
if (cert->path &&
@ -2384,14 +2352,14 @@ static const char *util_ldap_set_trusted_mode(cmd_parms *cmd, void *dummy,
mode);
if (0 == strcasecmp("NONE", mode)) {
st->secure = APR_LDAP_NONE;
st->secure = AP_LDAP_NONE;
}
else if (0 == strcasecmp("SSL", mode)) {
st->secure = APR_LDAP_SSL;
st->secure = AP_LDAP_SSL;
}
else if ( (0 == strcasecmp("TLS", mode))
|| (0 == strcasecmp("STARTTLS", mode))) {
st->secure = APR_LDAP_STARTTLS;
st->secure = AP_LDAP_STARTTLS;
}
else {
return "Invalid LDAPTrustedMode setting: must be one of NONE, "
@ -2515,7 +2483,7 @@ static void *util_ldap_create_dir_config(apr_pool_t *p, char *d) {
(util_ldap_config_t *) apr_pcalloc(p,sizeof(util_ldap_config_t));
/* defaults are AP_LDAP_CHASEREFERRALS_ON and AP_LDAP_DEFAULT_HOPLIMIT */
dc->client_certs = apr_array_make(p, 10, sizeof(apr_ldap_opt_tls_cert_t));
dc->client_certs = apr_array_make(p, 10, sizeof(ap_ldap_opt_tls_cert_t));
dc->ChaseReferrals = AP_LDAP_CHASEREFERRALS_ON;
dc->ReferralHopLimit = AP_LDAP_HOPLIMIT_UNSET;
@ -2614,8 +2582,8 @@ static void *util_ldap_create_config(apr_pool_t *p, server_rec *s)
st->compare_cache_size = 1024;
st->connections = NULL;
st->ssl_supported = 0;
st->global_certs = apr_array_make(p, 10, sizeof(apr_ldap_opt_tls_cert_t));
st->secure = APR_LDAP_NONE;
st->global_certs = apr_array_make(p, 10, sizeof(ap_ldap_opt_tls_cert_t));
st->secure = AP_LDAP_NONE;
st->secure_set = 0;
st->connectionTimeout = 10;
st->opTimeout = apr_pcalloc(p, sizeof(struct timeval));
@ -2687,7 +2655,7 @@ static apr_status_t util_ldap_cleanup_module(void *data)
s->module_config, &ldap_module);
if (st->ssl_supported) {
apr_ldap_ssl_deinit();
ap_ldap_ssl_deinit();
}
return APR_SUCCESS;
@ -2719,7 +2687,7 @@ static int util_ldap_post_config(apr_pool_t *p, apr_pool_t *plog,
ap_get_module_config(s->module_config,
&ldap_module);
apr_ldap_err_t *result_err = NULL;
ap_ldap_err_t *result_err = NULL;
int rc;
/* util_ldap_post_config() will be called twice. Don't bother
@ -2792,8 +2760,8 @@ static int util_ldap_post_config(apr_pool_t *p, apr_pool_t *plog,
/* log the LDAP SDK used
*/
{
apr_ldap_err_t *result = NULL;
apr_ldap_info(p, &(result));
ap_ldap_err_t *result = NULL;
ap_ldap_info(p, &(result));
if (result != NULL) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "%s", result->reason);
}
@ -2808,12 +2776,12 @@ static int util_ldap_post_config(apr_pool_t *p, apr_pool_t *plog,
* If SSL is not supported it is not necessarily an error, as the
* application may not want to use it.
*/
rc = apr_ldap_ssl_init(p,
rc = ap_ldap_ssl_init(p,
NULL,
0,
&(result_err));
if (APR_SUCCESS == rc) {
rc = apr_ldap_set_option(ptemp, NULL, APR_LDAP_OPT_TLS_CERT,
rc = ap_ldap_set_option(ptemp, NULL, AP_LDAP_OPT_TLS_CERT,
(void *)st->global_certs, &(result_err));
}
@ -2831,7 +2799,7 @@ static int util_ldap_post_config(apr_pool_t *p, apr_pool_t *plog,
}
/* Initialize the rebind callback's cross reference list. */
apr_ldap_rebind_init (p);
ap_ldap_rebind_init (p);
#ifdef AP_LDAP_OPT_DEBUG
if (st->debug_level > 0) {