[mod_auth] ldap filter subst user for multiple '$' (fixes #1508)

ldap filter supports substitution of multiple '$', each with username

x-ref:
  "auth.backend.ldap.filter: only one/first "$" replaced with Username"
  https://redmine.lighttpd.net/issues/1508
Glenn Strauss 6 years ago
parent a401c9469a
commit 59c753bf9f
  1. 36
      src/mod_authn_ldap.c

@ -18,9 +18,6 @@
typedef struct {
LDAP *ldap;
buffer *ldap_filter_pre;
buffer *ldap_filter_post;
buffer *auth_ldap_hostname;
buffer *auth_ldap_basedn;
buffer *auth_ldap_binddn;
@ -77,9 +74,6 @@ FREE_FUNC(mod_authn_ldap_free) {
buffer_free(s->auth_ldap_filter);
buffer_free(s->auth_ldap_cafile);
buffer_free(s->ldap_filter_pre);
buffer_free(s->ldap_filter_post);
if (NULL != s->ldap) ldap_unbind_ext_s(s->ldap, NULL, NULL);
free(s);
}
@ -121,8 +115,6 @@ config_values_t cv[] = {
s->auth_ldap_filter = buffer_init();
s->auth_ldap_cafile = buffer_init();
s->auth_ldap_starttls = 0;
s->ldap_filter_pre = buffer_init();
s->ldap_filter_post = buffer_init();
s->ldap = NULL;
cv[0].destination = s->auth_ldap_hostname;
@ -141,18 +133,11 @@ config_values_t cv[] = {
}
if (!buffer_string_is_empty(s->auth_ldap_filter)) {
char *dollar;
/* parse filter */
if (NULL == (dollar = strchr(s->auth_ldap_filter->ptr, '$'))) {
if (NULL == strchr(s->auth_ldap_filter->ptr, '$')) {
log_error_write(srv, __FILE__, __LINE__, "s", "ldap: auth.backend.ldap.filter is missing a replace-operator '$'");
return HANDLER_ERROR;
}
buffer_copy_string_len(s->ldap_filter_pre, s->auth_ldap_filter->ptr, dollar - s->auth_ldap_filter->ptr);
buffer_copy_string(s->ldap_filter_post, dollar+1);
}
}
@ -174,8 +159,6 @@ static int mod_authn_ldap_patch_connection(server *srv, connection *con, plugin_
PATCH(auth_ldap_starttls);
PATCH(auth_ldap_allow_empty_pw);
p->anon_conf = s;
PATCH(ldap_filter_pre);
PATCH(ldap_filter_post);
/* skip the first, the global context */
for (i = 1; i < srv->config_context->used; i++) {
@ -196,8 +179,6 @@ static int mod_authn_ldap_patch_connection(server *srv, connection *con, plugin_
PATCH(auth_ldap_basedn);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.filter"))) {
PATCH(auth_ldap_filter);
PATCH(ldap_filter_pre);
PATCH(ldap_filter_post);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.ca-file"))) {
PATCH(auth_ldap_cafile);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.starttls"))) {
@ -439,9 +420,18 @@ static handler_t mod_authn_ldap_basic(server *srv, connection *con, void *p_d, c
}
/* build filter to get DN for uid = username */
buffer_copy_buffer(p->ldap_filter, p->conf.ldap_filter_pre);
buffer_append_string_buffer(p->ldap_filter, username);
buffer_append_string_buffer(p->ldap_filter, p->conf.ldap_filter_post);
buffer_string_set_length(p->ldap_filter, 0);
for (char *b = p->conf.auth_ldap_filter->ptr, *d; *b; b = d+1) {
if (NULL != (d = strchr(b, '$'))) {
buffer_append_string_len(p->ldap_filter, b, (size_t)(d - b));
buffer_append_string_buffer(p->ldap_filter, username);
} else {
d = p->conf.auth_ldap_filter->ptr
+ buffer_string_length(p->conf.auth_ldap_filter);
buffer_append_string_len(p->ldap_filter, b, (size_t)(d - b));
break;
}
}
/* auth against LDAP server */
/* for now we stay synchronous */
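Review bot: The new substitution loop at `buffer_append_string_buffer(p->ldap_filter, username);` copies the client-supplied username into the LDAP search filter verbatim, once per `$`, and nothing in this hunk escapes RFC 4515 filter metacharacters (`*`, `(`, `)`, `\`, NUL); unless the code before `/* build filter to get DN for uid = username */` (outside the hunk) rejects or escapes those characters, a crafted username can change the structure of the filter rather than just the matched value. I would make that dependency explicit with a comment on the substitution line, e.g. `/* username must already be validated or escaped for RFC 4515 filter metachars before it is spliced in here */`, so the check and this loop cannot drift apart. Separately, the else branch reaches the terminator through pointer arithmetic on `buffer_string_length()`, but `b` is already NUL-terminated at that point, so `buffer_append_string(p->ldap_filter, b); break;` expresses the same thing more directly. It is also worth confirming that `p->conf.auth_ldap_filter->ptr` cannot be NULL when this runs: the `$` check in the `-141,18 +133,11` hunk only executes when the filter is non-empty, and `*b` in the loop condition would dereference a NULL pointer if an empty filter ever reached this path. The enclosing function mod_authn_ldap_basic starts and continues outside the hunk.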
