[mod_auth] ldap filter subst user for multiple '$' (fixes #1508)
ldap filter supports substitution of multiple '$', each replaced with the username. x-ref: "auth.backend.ldap.filter: only one/first "$" replaced with Username" https://redmine.lighttpd.net/issues/1508
This commit is contained in:
parent
a401c9469a
commit
59c753bf9f
|
@ -18,9 +18,6 @@
|
|||
typedef struct {
|
||||
LDAP *ldap;
|
||||
|
||||
buffer *ldap_filter_pre;
|
||||
buffer *ldap_filter_post;
|
||||
|
||||
buffer *auth_ldap_hostname;
|
||||
buffer *auth_ldap_basedn;
|
||||
buffer *auth_ldap_binddn;
|
||||
|
@ -77,9 +74,6 @@ FREE_FUNC(mod_authn_ldap_free) {
|
|||
buffer_free(s->auth_ldap_filter);
|
||||
buffer_free(s->auth_ldap_cafile);
|
||||
|
||||
buffer_free(s->ldap_filter_pre);
|
||||
buffer_free(s->ldap_filter_post);
|
||||
|
||||
if (NULL != s->ldap) ldap_unbind_ext_s(s->ldap, NULL, NULL);
|
||||
free(s);
|
||||
}
|
||||
|
@ -121,8 +115,6 @@ config_values_t cv[] = {
|
|||
s->auth_ldap_filter = buffer_init();
|
||||
s->auth_ldap_cafile = buffer_init();
|
||||
s->auth_ldap_starttls = 0;
|
||||
s->ldap_filter_pre = buffer_init();
|
||||
s->ldap_filter_post = buffer_init();
|
||||
s->ldap = NULL;
|
||||
|
||||
cv[0].destination = s->auth_ldap_hostname;
|
||||
|
@ -141,18 +133,11 @@ config_values_t cv[] = {
|
|||
}
|
||||
|
||||
if (!buffer_string_is_empty(s->auth_ldap_filter)) {
|
||||
char *dollar;
|
||||
|
||||
/* parse filter */
|
||||
|
||||
if (NULL == (dollar = strchr(s->auth_ldap_filter->ptr, '$'))) {
|
||||
if (NULL == strchr(s->auth_ldap_filter->ptr, '$')) {
|
||||
log_error_write(srv, __FILE__, __LINE__, "s", "ldap: auth.backend.ldap.filter is missing a replace-operator '$'");
|
||||
|
||||
return HANDLER_ERROR;
|
||||
}
|
||||
|
||||
buffer_copy_string_len(s->ldap_filter_pre, s->auth_ldap_filter->ptr, dollar - s->auth_ldap_filter->ptr);
|
||||
buffer_copy_string(s->ldap_filter_post, dollar+1);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -174,8 +159,6 @@ static int mod_authn_ldap_patch_connection(server *srv, connection *con, plugin_
|
|||
PATCH(auth_ldap_starttls);
|
||||
PATCH(auth_ldap_allow_empty_pw);
|
||||
p->anon_conf = s;
|
||||
PATCH(ldap_filter_pre);
|
||||
PATCH(ldap_filter_post);
|
||||
|
||||
/* skip the first, the global context */
|
||||
for (i = 1; i < srv->config_context->used; i++) {
|
||||
|
@ -196,8 +179,6 @@ static int mod_authn_ldap_patch_connection(server *srv, connection *con, plugin_
|
|||
PATCH(auth_ldap_basedn);
|
||||
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.filter"))) {
|
||||
PATCH(auth_ldap_filter);
|
||||
PATCH(ldap_filter_pre);
|
||||
PATCH(ldap_filter_post);
|
||||
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.ca-file"))) {
|
||||
PATCH(auth_ldap_cafile);
|
||||
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.starttls"))) {
|
||||
|
@ -439,9 +420,18 @@ static handler_t mod_authn_ldap_basic(server *srv, connection *con, void *p_d, c
|
|||
}
|
||||
|
||||
/* build filter to get DN for uid = username */
|
||||
buffer_copy_buffer(p->ldap_filter, p->conf.ldap_filter_pre);
|
||||
buffer_append_string_buffer(p->ldap_filter, username);
|
||||
buffer_append_string_buffer(p->ldap_filter, p->conf.ldap_filter_post);
|
||||
buffer_string_set_length(p->ldap_filter, 0);
|
||||
for (char *b = p->conf.auth_ldap_filter->ptr, *d; *b; b = d+1) {
|
||||
if (NULL != (d = strchr(b, '$'))) {
|
||||
buffer_append_string_len(p->ldap_filter, b, (size_t)(d - b));
|
||||
buffer_append_string_buffer(p->ldap_filter, username);
|
||||
} else {
|
||||
d = p->conf.auth_ldap_filter->ptr
|
||||
+ buffer_string_length(p->conf.auth_ldap_filter);
|
||||
buffer_append_string_len(p->ldap_filter, b, (size_t)(d - b));
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* auth against LDAP server */
|
||||
/* for now we stay synchronous */
|
||||
|
|
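Review bot: Each `buffer_append_string_buffer(p->ldap_filter, username)` in the new loop (hunk at -439/+420) splices the raw username into the LDAP search filter, and the hunk shows no RFC 4515 escaping of `\`, `*`, `(`, `)` or NUL; with several `$` now substituted the same unescaped value lands in several positions of the filter. mod_authn_ldap_basic starts outside the hunk, so a character whitelist on username may already exist earlier in the function — if it does, a comment at the top of the loop should say the substitution relies on it, e.g. `/* username was validated above (no filter metacharacters); no RFC 4515 escaping needed here */`; if it does not, the value should be escaped once into a scratch buffer before the loop and that buffer appended instead of username. The other hunks are configuration and cleanup changes and need nothing further.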