andersk / mod-vhost-ldap.git / blame
| Commit | Line | Data |
|---|---|---|
| 7f9875bb OS |
1 | /* ============================================================ |
| 2 | * Copyright (c) 2003-2004, Ondrej Sury | |
| 3 | * All rights reserved. | |
| 4 | * | |
| 5 | * Licensed under the Apache License, Version 2.0 (the "License"); | |
| 6 | * you may not use this file except in compliance with the License. | |
| 7 | * You may obtain a copy of the License at | |
| 8 | * | |
| 9 | * http://www.apache.org/licenses/LICENSE-2.0 | |
| 10 | * | |
| 11 | * Unless required by applicable law or agreed to in writing, software | |
| 12 | * distributed under the License is distributed on an "AS IS" BASIS, | |
| 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| 14 | * See the License for the specific language governing permissions and | |
| 15 | * limitations under the License. | |
| 16 | * | |
| 17 | */ | |
| 18 | ||
| 19 | /* | |
| 20 | * mod_vhost_ldap.c --- read virtual host config from LDAP directory | |
| 21 | */ | |
| 22 | ||
| 9ee2dda1 | 23 | #define CORE_PRIVATE |
| 9ee2dda1 | 24 | |
| 7f9875bb OS |
25 | #include <unistd.h> |
| 26 | ||
| 27 | #include "httpd.h" | |
| 28 | #include "http_config.h" | |
| 29 | #include "http_core.h" | |
| 30 | #include "http_log.h" | |
| 31 | #include "http_request.h" | |
| 32 | #include "apr_ldap.h" | |
| 33 | #include "apr_strings.h" | |
| 34 | #include "apr_reslist.h" | |
| 35 | #include "util_ldap.h" | |
| 36 | ||
| 37 | #ifndef APU_HAS_LDAP | |
| 38 | #error mod_vhost_ldap requires APR-util to have LDAP support built in | |
| 39 | #endif | |
| 40 | ||
| 41 | #if !defined(WIN32) && !defined(OS2) && !defined(BEOS) && !defined(NETWARE) | |
| 42 | #define HAVE_UNIX_SUEXEC | |
| 43 | #endif | |
| 44 | ||
| 45 | #ifdef HAVE_UNIX_SUEXEC | |
| 46 | #include "unixd.h" /* Contains the suexec_identity hook used on Unix */ | |
| 47 | #endif | |
| 48 | ||
| d129bb81 OS |
49 | #define MIN_UID 100 |
| 50 | #define MIN_GID 100 | |
| 7f9875bb OS |
51 | |
| 52 | module AP_MODULE_DECLARE_DATA vhost_ldap_module; | |
| 53 | ||
| 8196fae3 OS |
54 | typedef enum { |
| 55 | MVL_UNSET, MVL_DISABLED, MVL_ENABLED | |
| 56 | } mod_vhost_ldap_status_e; | |
| 57 | ||
| 7f9875bb | 58 | typedef struct mod_vhost_ldap_config_t { |
| 8196fae3 | 59 | mod_vhost_ldap_status_e enabled; /* Is vhost_ldap enabled? */ |
| 7f9875bb OS |
60 | |
| 61 | /* These parameters are all derived from the VhostLDAPURL directive */ | |
| 62 | char *url; /* String representation of LDAP URL */ | |
| 63 | ||
| 64 | char *host; /* Name of the LDAP server (or space separated list) */ | |
| 65 | int port; /* Port of the LDAP server */ | |
| 66 | char *basedn; /* Base DN to do all searches from */ | |
| 67 | int scope; /* Scope of the search */ | |
| 68 | char *filter; /* Filter to further limit the search */ | |
| 69 | deref_options deref; /* how to handle alias dereferening */ | |
| 70 | ||
| 71 | char *binddn; /* DN to bind to server (can be NULL) */ | |
| 72 | char *bindpw; /* Password to bind to server (can be NULL) */ | |
| 73 | ||
| 8196fae3 | 74 | int have_deref; /* Set if we have found an Deref option */ |
| 7f9875bb OS |
75 | int have_ldap_url; /* Set if we have found an LDAP url */ |
| 76 | ||
| 77 | int secure; /* True if SSL connections are requested */ | |
| 6056cddb OS |
78 | |
| 79 | char *fallback; /* Fallback virtual host */ | |
| 80 | ||
| 7f9875bb OS |
81 | } mod_vhost_ldap_config_t; |
| 82 | ||
| 83 | typedef struct mod_vhost_ldap_request_t { | |
| 84 | char *dn; /* The saved dn from a successful search */ | |
| 85 | char *name; /* ServerName */ | |
| 86 | char *admin; /* ServerAdmin */ | |
| 87 | char *docroot; /* DocumentRoot */ | |
| 9ee2dda1 | 88 | char *cgiroot; /* ScriptAlias */ |
| 7f9875bb OS |
89 | char *uid; /* Suexec Uid */ |
| 90 | char *gid; /* Suexec Gid */ | |
| 91 | } mod_vhost_ldap_request_t; | |
| 92 | ||
| 93 | char *attributes[] = | |
| 6f705808 | 94 | { "apacheServerName", "apacheDocumentRoot", "apacheScriptAlias", "apacheSuexecUid", "apacheSuexecGid", "apacheServerAdmin", 0 }; |
| 7f9875bb OS |
95 | |
| 96 | static int mod_vhost_ldap_post_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s) | |
| 97 | { | |
| 98 | /* make sure that mod_ldap (util_ldap) is loaded */ | |
| 99 | if (ap_find_linked_module("util_ldap.c") == NULL) { | |
| 100 | ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, s, | |
| 101 | "Module mod_ldap missing. Mod_ldap (aka. util_ldap) " | |
| 102 | "must be loaded in order for mod_vhost_ldap to function properly"); | |
| 103 | return HTTP_INTERNAL_SERVER_ERROR; | |
| 104 | ||
| 105 | } | |
| 106 | ||
| 9ee2dda1 | 107 | ap_add_version_component(p, MOD_VHOST_LDAP_VERSION); |
| 7f9875bb OS |
108 | |
| 109 | return OK; | |
| 110 | } | |
| 111 | ||
| 112 | static void * | |
| 113 | mod_vhost_ldap_create_server_config (apr_pool_t *p, server_rec *s) | |
| 114 | { | |
| 8196fae3 | 115 | mod_vhost_ldap_config_t *conf = |
| 7f9875bb OS |
116 | (mod_vhost_ldap_config_t *)apr_pcalloc(p, sizeof (mod_vhost_ldap_config_t)); |
| 117 | ||
| 8196fae3 OS |
118 | conf->enabled = MVL_UNSET; |
| 119 | conf->have_ldap_url = 0; | |
| 120 | conf->have_deref = 0; | |
| 121 | conf->binddn = NULL; | |
| 122 | conf->bindpw = NULL; | |
| 123 | conf->deref = always; | |
| 6056cddb | 124 | conf->fallback = NULL; |
| 8196fae3 OS |
125 | |
| 126 | return conf; | |
| 127 | } | |
| 128 | ||
| 129 | static void * | |
| 130 | mod_vhost_ldap_merge_server_config(apr_pool_t *p, void *parentv, void *childv) | |
| 131 | { | |
| 132 | mod_vhost_ldap_config_t *parent = (mod_vhost_ldap_config_t *) parentv; | |
| 133 | mod_vhost_ldap_config_t *child = (mod_vhost_ldap_config_t *) childv; | |
| 134 | mod_vhost_ldap_config_t *conf = | |
| 135 | (mod_vhost_ldap_config_t *)apr_pcalloc(p, sizeof(mod_vhost_ldap_config_t)); | |
| 7f9875bb | 136 | |
| 8196fae3 OS |
137 | if (child->enabled == MVL_UNSET) { |
| 138 | conf->enabled = parent->enabled; | |
| 139 | } else { | |
| 140 | conf->enabled = child->enabled; | |
| 141 | } | |
| 7f9875bb | 142 | |
| 8196fae3 OS |
143 | if (child->have_ldap_url) { |
| 144 | conf->have_ldap_url = child->have_ldap_url; | |
| 145 | conf->url = child->url; | |
| 146 | conf->host = child->host; | |
| 147 | conf->port = child->port; | |
| 148 | conf->basedn = child->basedn; | |
| 149 | conf->scope = child->scope; | |
| 150 | conf->filter = child->filter; | |
| 151 | conf->secure = child->secure; | |
| 152 | } else { | |
| 153 | conf->have_ldap_url = parent->have_ldap_url; | |
| 154 | conf->url = parent->url; | |
| 155 | conf->host = parent->host; | |
| 156 | conf->port = parent->port; | |
| 157 | conf->basedn = parent->basedn; | |
| 158 | conf->scope = parent->scope; | |
| 159 | conf->filter = parent->filter; | |
| 160 | conf->secure = parent->secure; | |
| 161 | } | |
| 162 | if (child->have_deref) { | |
| 163 | conf->have_deref = child->have_deref; | |
| 164 | conf->deref = child->deref; | |
| 165 | } else { | |
| 166 | conf->have_deref = parent->have_deref; | |
| 167 | conf->deref = parent->deref; | |
| 168 | } | |
| 169 | ||
| 170 | conf->binddn = (child->binddn ? child->binddn : parent->binddn); | |
| 171 | conf->bindpw = (child->bindpw ? child->bindpw : parent->bindpw); | |
| 172 | ||
| 6056cddb OS |
173 | conf->fallback = (child->fallback ? child->fallback : parent->fallback); |
| 174 | ||
| 8196fae3 | 175 | return conf; |
| 7f9875bb OS |
176 | } |
| 177 | ||
| 178 | /* | |
| 179 | * Use the ldap url parsing routines to break up the ldap url into | |
| 180 | * host and port. | |
| 181 | */ | |
| 182 | static const char *mod_vhost_ldap_parse_url(cmd_parms *cmd, | |
| 183 | void *dummy, | |
| 184 | const char *url) | |
| 185 | { | |
| 186 | int result; | |
| 187 | apr_ldap_url_desc_t *urld; | |
| 188 | ||
| 8196fae3 | 189 | mod_vhost_ldap_config_t *conf = |
| 7f9875bb OS |
190 | (mod_vhost_ldap_config_t *)ap_get_module_config(cmd->server->module_config, |
| 191 | &vhost_ldap_module); | |
| 192 | ||
| 193 | ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, | |
| 194 | cmd->server, "[mod_vhost_ldap.c] url parse: `%s'", | |
| 195 | url); | |
| 196 | ||
| 197 | result = apr_ldap_url_parse(url, &(urld)); | |
| 198 | if (result != LDAP_SUCCESS) { | |
| 199 | switch (result) { | |
| 200 | case LDAP_URL_ERR_NOTLDAP: | |
| 201 | return "LDAP URL does not begin with ldap://"; | |
| 202 | case LDAP_URL_ERR_NODN: | |
| 203 | return "LDAP URL does not have a DN"; | |
| 204 | case LDAP_URL_ERR_BADSCOPE: | |
| 205 | return "LDAP URL has an invalid scope"; | |
| 206 | case LDAP_URL_ERR_MEM: | |
| 207 | return "Out of memory parsing LDAP URL"; | |
| 208 | default: | |
| 209 | return "Could not parse LDAP URL"; | |
| 210 | } | |
| 211 | } | |
| 8196fae3 | 212 | conf->url = apr_pstrdup(cmd->pool, url); |
| 7f9875bb OS |
213 | |
| 214 | ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, | |
| 215 | cmd->server, "[mod_vhost_ldap.c] url parse: Host: %s", urld->lud_host); | |
| 216 | ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, | |
| 217 | cmd->server, "[mod_vhost_ldap.c] url parse: Port: %d", urld->lud_port); | |
| 218 | ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, | |
| 219 | cmd->server, "[mod_vhost_ldap.c] url parse: DN: %s", urld->lud_dn); | |
| 220 | ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, | |
| 221 | cmd->server, "[mod_vhost_ldap.c] url parse: attrib: %s", urld->lud_attrs? urld->lud_attrs[0] : "(null)"); | |
| 222 | ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, | |
| 223 | cmd->server, "[mod_vhost_ldap.c] url parse: scope: %s", | |
| 224 | (urld->lud_scope == LDAP_SCOPE_SUBTREE? "subtree" : | |
| 225 | urld->lud_scope == LDAP_SCOPE_BASE? "base" : | |
| 226 | urld->lud_scope == LDAP_SCOPE_ONELEVEL? "onelevel" : "unknown")); | |
| 227 | ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, | |
| 228 | cmd->server, "[mod_vhost_ldap.c] url parse: filter: %s", urld->lud_filter); | |
| 229 | ||
| 230 | /* Set all the values, or at least some sane defaults */ | |
| 8196fae3 OS |
231 | if (conf->host) { |
| 232 | char *p = apr_palloc(cmd->pool, strlen(conf->host) + strlen(urld->lud_host) + 2); | |
| 7f9875bb OS |
233 | strcpy(p, urld->lud_host); |
| 234 | strcat(p, " "); | |
| 8196fae3 OS |
235 | strcat(p, conf->host); |
| 236 | conf->host = p; | |
| 7f9875bb OS |
237 | } |
| 238 | else { | |
| 8196fae3 | 239 | conf->host = urld->lud_host? apr_pstrdup(cmd->pool, urld->lud_host) : "localhost"; |
| 7f9875bb | 240 | } |
| 8196fae3 | 241 | conf->basedn = urld->lud_dn? apr_pstrdup(cmd->pool, urld->lud_dn) : ""; |
| 7f9875bb | 242 | |
| 8196fae3 | 243 | conf->scope = urld->lud_scope == LDAP_SCOPE_ONELEVEL ? |
| 7f9875bb OS |
244 | LDAP_SCOPE_ONELEVEL : LDAP_SCOPE_SUBTREE; |
| 245 | ||
| 246 | if (urld->lud_filter) { | |
| 247 | if (urld->lud_filter[0] == '(') { | |
| 248 | /* | |
| 249 | * Get rid of the surrounding parens; later on when generating the | |
| 250 | * filter, they'll be put back. | |
| 251 | */ | |
| 8196fae3 OS |
252 | conf->filter = apr_pstrdup(cmd->pool, urld->lud_filter+1); |
| 253 | conf->filter[strlen(conf->filter)-1] = '\0'; | |
| 7f9875bb OS |
254 | } |
| 255 | else { | |
| 8196fae3 | 256 | conf->filter = apr_pstrdup(cmd->pool, urld->lud_filter); |
| 7f9875bb OS |
257 | } |
| 258 | } | |
| 259 | else { | |
| 8196fae3 | 260 | conf->filter = "objectClass=apacheConfig"; |
| 7f9875bb OS |
261 | } |
| 262 | ||
| 263 | /* "ldaps" indicates secure ldap connections desired | |
| 264 | */ | |
| 265 | if (strncasecmp(url, "ldaps", 5) == 0) | |
| 266 | { | |
| 8196fae3 OS |
267 | conf->secure = 1; |
| 268 | conf->port = urld->lud_port? urld->lud_port : LDAPS_PORT; | |
| 7f9875bb OS |
269 | ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, |
| 270 | "LDAP: vhost_ldap using SSL connections"); | |
| 271 | } | |
| 272 | else | |
| 273 | { | |
| 8196fae3 OS |
274 | conf->secure = 0; |
| 275 | conf->port = urld->lud_port? urld->lud_port : LDAP_PORT; | |
| fb323462 | 276 | ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, |
| 7f9875bb OS |
277 | "LDAP: vhost_ldap not using SSL connections"); |
| 278 | } | |
| 279 | ||
| 8196fae3 | 280 | conf->have_ldap_url = 1; |
| 7f9875bb OS |
281 | apr_ldap_free_urldesc(urld); |
| 282 | return NULL; | |
| 283 | } | |
| 284 | ||
| 285 | static const char *mod_vhost_ldap_set_enabled(cmd_parms *cmd, void *dummy, int enabled) | |
| 286 | { | |
| 8196fae3 | 287 | mod_vhost_ldap_config_t *conf = |
| 7f9875bb | 288 | (mod_vhost_ldap_config_t *)ap_get_module_config(cmd->server->module_config, |
| 6056cddb | 289 | &vhost_ldap_module); |
| 7f9875bb | 290 | |
| 8196fae3 OS |
291 | conf->enabled = (enabled) ? MVL_ENABLED : MVL_DISABLED; |
| 292 | ||
| 7f9875bb OS |
293 | return NULL; |
| 294 | } | |
| 295 | ||
| 296 | static const char *mod_vhost_ldap_set_binddn(cmd_parms *cmd, void *dummy, const char *binddn) | |
| 297 | { | |
| 8196fae3 | 298 | mod_vhost_ldap_config_t *conf = |
| 7f9875bb | 299 | (mod_vhost_ldap_config_t *)ap_get_module_config(cmd->server->module_config, |
| 6056cddb | 300 | &vhost_ldap_module); |
| 7f9875bb | 301 | |
| 8196fae3 | 302 | conf->binddn = apr_pstrdup(cmd->pool, binddn); |
| 7f9875bb OS |
303 | return NULL; |
| 304 | } | |
| 305 | ||
| 306 | static const char *mod_vhost_ldap_set_bindpw(cmd_parms *cmd, void *dummy, const char *bindpw) | |
| 307 | { | |
| 8196fae3 | 308 | mod_vhost_ldap_config_t *conf = |
| 7f9875bb | 309 | (mod_vhost_ldap_config_t *)ap_get_module_config(cmd->server->module_config, |
| 6056cddb | 310 | &vhost_ldap_module); |
| 7f9875bb | 311 | |
| 8196fae3 | 312 | conf->bindpw = apr_pstrdup(cmd->pool, bindpw); |
| 7f9875bb OS |
313 | return NULL; |
| 314 | } | |
| 315 | ||
| 316 | static const char *mod_vhost_ldap_set_deref(cmd_parms *cmd, void *dummy, const char *deref) | |
| 317 | { | |
| 8196fae3 | 318 | mod_vhost_ldap_config_t *conf = |
| 7f9875bb OS |
319 | (mod_vhost_ldap_config_t *)ap_get_module_config (cmd->server->module_config, |
| 320 | &vhost_ldap_module); | |
| 321 | ||
| 322 | if (strcmp(deref, "never") == 0 || strcasecmp(deref, "off") == 0) { | |
| 8196fae3 OS |
323 | conf->deref = never; |
| 324 | conf->have_deref = 1; | |
| 7f9875bb OS |
325 | } |
| 326 | else if (strcmp(deref, "searching") == 0) { | |
| 8196fae3 OS |
327 | conf->deref = searching; |
| 328 | conf->have_deref = 1; | |
| 7f9875bb OS |
329 | } |
| 330 | else if (strcmp(deref, "finding") == 0) { | |
| 8196fae3 OS |
331 | conf->deref = finding; |
| 332 | conf->have_deref = 1; | |
| 7f9875bb OS |
333 | } |
| 334 | else if (strcmp(deref, "always") == 0 || strcasecmp(deref, "on") == 0) { | |
| 8196fae3 OS |
335 | conf->deref = always; |
| 336 | conf->have_deref = 1; | |
| 7f9875bb OS |
337 | } |
| 338 | else { | |
| 339 | return "Unrecognized value for VhostLDAPAliasDereference directive"; | |
| 340 | } | |
| 341 | return NULL; | |
| 342 | } | |
| 343 | ||
| 6056cddb OS |
344 | static const char *mod_vhost_ldap_set_fallback(cmd_parms *cmd, void *dummy, const char *fallback) |
| 345 | { | |
| 346 | mod_vhost_ldap_config_t *conf = | |
| 347 | (mod_vhost_ldap_config_t *)ap_get_module_config(cmd->server->module_config, | |
| 348 | &vhost_ldap_module); | |
| 349 | ||
| 350 | conf->fallback = apr_pstrdup(cmd->pool, fallback); | |
| 351 | return NULL; | |
| 352 | } | |
| 353 | ||
| 7f9875bb OS |
354 | command_rec mod_vhost_ldap_cmds[] = { |
| 355 | AP_INIT_TAKE1("VhostLDAPURL", mod_vhost_ldap_parse_url, NULL, RSRC_CONF, | |
| a940f969 | 356 | "URL to define LDAP connection. This should be an RFC 2255 compliant\n" |
| 7f9875bb OS |
357 | "URL of the form ldap://host[:port]/basedn[?attrib[?scope[?filter]]].\n" |
| 358 | "<ul>\n" | |
| 359 | "<li>Host is the name of the LDAP server. Use a space separated list of hosts \n" | |
| 360 | "to specify redundant servers.\n" | |
| 361 | "<li>Port is optional, and specifies the port to connect to.\n" | |
| 362 | "<li>basedn specifies the base DN to start searches from\n" | |
| 363 | "</ul>\n"), | |
| 364 | ||
| 365 | AP_INIT_TAKE1 ("VhostLDAPBindDN", mod_vhost_ldap_set_binddn, NULL, RSRC_CONF, | |
| 366 | "DN to use to bind to LDAP server. If not provided, will do an anonymous bind."), | |
| 367 | ||
| 368 | AP_INIT_TAKE1("VhostLDAPBindPassword", mod_vhost_ldap_set_bindpw, NULL, RSRC_CONF, | |
| 369 | "Password to use to bind to LDAP server. If not provided, will do an anonymous bind."), | |
| 370 | ||
| 371 | AP_INIT_FLAG("VhostLDAPEnabled", mod_vhost_ldap_set_enabled, NULL, RSRC_CONF, | |
| 372 | "Set to off to disable vhost_ldap, even if it's been enabled in a higher tree"), | |
| 373 | ||
| 374 | AP_INIT_TAKE1("VhostLDAPDereferenceAliases", mod_vhost_ldap_set_deref, NULL, RSRC_CONF, | |
| a940f969 | 375 | "Determines how aliases are handled during a search. Can be one of the" |
| 7f9875bb OS |
376 | "values \"never\", \"searching\", \"finding\", or \"always\". " |
| 377 | "Defaults to always."), | |
| 378 | ||
| 6056cddb OS |
379 | AP_INIT_TAKE1("VhostLDAPFallback", mod_vhost_ldap_set_fallback, NULL, RSRC_CONF, |
| 380 | "Set default virtual host which will be used when requested hostname" | |
| 381 | "is not found in LDAP database. This option can be used to display" | |
| 382 | "\"virtual host not found\" type of page."), | |
| 383 | ||
| 7f9875bb OS |
384 | {NULL} |
| 385 | }; | |
| 386 | ||
| 387 | #define FILTER_LENGTH MAX_STRING_LEN | |
| b5043ccb | 388 | static int mod_vhost_ldap_translate_name(request_rec *r) |
| 7f9875bb | 389 | { |
| b5043ccb OS |
390 | request_rec *top = (r->main)?r->main:r; |
| 391 | mod_vhost_ldap_request_t *reqc; | |
| 7f9875bb OS |
392 | apr_table_t *e; |
| 393 | int failures = 0; | |
| 394 | const char **vals = NULL; | |
| 395 | char filtbuf[FILTER_LENGTH]; | |
| 8196fae3 | 396 | mod_vhost_ldap_config_t *conf = |
| 7f9875bb | 397 | (mod_vhost_ldap_config_t *)ap_get_module_config(r->server->module_config, &vhost_ldap_module); |
| 9ee2dda1 OS |
398 | core_server_config * core = |
| 399 | (core_server_config *) ap_get_module_config(r->server->module_config, &core_module); | |
| 7f9875bb OS |
400 | util_ldap_connection_t *ldc = NULL; |
| 401 | int result = 0; | |
| 402 | const char *dn = NULL; | |
| 403 | char *cgi; | |
| 6056cddb OS |
404 | const char *hostname = NULL; |
| 405 | int is_fallback = 0; | |
| 7f9875bb | 406 | |
| b5043ccb | 407 | reqc = |
| 7f9875bb | 408 | (mod_vhost_ldap_request_t *)apr_pcalloc(r->pool, sizeof(mod_vhost_ldap_request_t)); |
| b5043ccb OS |
409 | |
| 410 | ap_set_module_config(r->request_config, &vhost_ldap_module, reqc); | |
| 7f9875bb | 411 | |
| 8196fae3 OS |
412 | // mod_vhost_ldap is disabled or we don't have LDAP Url |
| 413 | if ((conf->enabled != MVL_ENABLED)||(!conf->have_ldap_url)) { | |
| 7f9875bb OS |
414 | return DECLINED; |
| 415 | } | |
| 416 | ||
| 417 | start_over: | |
| 418 | ||
| 8196fae3 OS |
419 | if (conf->host) { |
| 420 | ldc = util_ldap_connection_find(r, conf->host, conf->port, | |
| 421 | conf->binddn, conf->bindpw, conf->deref, | |
| 422 | conf->secure); | |
| 7f9875bb OS |
423 | } |
| 424 | else { | |
| 425 | ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r, | |
| fb323462 | 426 | "[mod_vhost_ldap.c] translate: no conf->host - weird...?"); |
| 7f9875bb OS |
427 | return DECLINED; |
| 428 | } | |
| 429 | ||
| 6056cddb OS |
430 | hostname = r->hostname; |
| 431 | ||
| 432 | fallback: | |
| 433 | ||
| fb323462 | 434 | ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, |
| 6f705808 | 435 | "[mod_vhost_ldap.c]: translating %s", r->uri); |
| 7f9875bb | 436 | |
| 6056cddb | 437 | apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(|(apacheServerName=%s)(apacheServerAlias=%s)))", conf->filter, hostname, hostname); |
| 7f9875bb | 438 | |
| 8196fae3 | 439 | result = util_ldap_cache_getuserdn(r, ldc, conf->url, conf->basedn, conf->scope, |
| 7f9875bb OS |
440 | attributes, filtbuf, &dn, &vals); |
| 441 | ||
| 442 | util_ldap_connection_close(ldc); | |
| 443 | ||
| 444 | /* sanity check - if server is down, retry it up to 5 times */ | |
| 445 | if (result == LDAP_SERVER_DOWN) { | |
| 446 | if (failures++ <= 5) { | |
| 447 | goto start_over; | |
| 448 | } | |
| 449 | } | |
| 450 | ||
| 6056cddb OS |
451 | if ((result == LDAP_NO_SUCH_OBJECT)) { |
| 452 | if (conf->fallback && (is_fallback++ <= 0)) { | |
| 453 | ap_log_rerror(APLOG_MARK, APLOG_NOTICE|APLOG_NOERRNO, 0, r, | |
| 454 | "[mod_vhost_ldap.c] translate: " | |
| 455 | "virtual host %s not found, trying fallback %s", | |
| 456 | hostname, conf->fallback); | |
| 457 | hostname = conf->fallback; | |
| 458 | goto fallback; | |
| 459 | } | |
| 460 | ||
| 461 | ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r, | |
| 462 | "[mod_vhost_ldap.c] translate: " | |
| 463 | "virtual host %s not found", | |
| 464 | hostname); | |
| 465 | ||
| 466 | return DECLINED; | |
| 467 | } | |
| 468 | ||
| 7f9875bb OS |
469 | /* handle bind failure */ |
| 470 | if (result != LDAP_SUCCESS) { | |
| cbd5c5f5 | 471 | ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r, |
| 7f9875bb | 472 | "[mod_vhost_ldap.c] translate: " |
| 6056cddb OS |
473 | "translate failed; virtual host %s; URI %s [%s]", |
| 474 | hostname, r->uri, ldap_err2string(result)); | |
| 7f9875bb OS |
475 | return DECLINED; |
| 476 | } | |
| 477 | ||
| 478 | /* mark the user and DN */ | |
| b5043ccb | 479 | reqc->dn = apr_pstrdup(r->pool, dn); |
| 7f9875bb OS |
480 | |
| 481 | /* Optimize */ | |
| 482 | if (vals) { | |
| 483 | int i = 0; | |
| 484 | while (attributes[i]) { | |
| 485 | ||
| 486 | if (strcasecmp (attributes[i], "apacheServerName") == 0) { | |
| b5043ccb | 487 | reqc->name = apr_pstrdup (r->pool, vals[i]); |
| 7f9875bb OS |
488 | } |
| 489 | else if (strcasecmp (attributes[i], "apacheServerAdmin") == 0) { | |
| b5043ccb | 490 | reqc->admin = apr_pstrdup (r->pool, vals[i]); |
| 7f9875bb OS |
491 | } |
| 492 | else if (strcasecmp (attributes[i], "apacheDocumentRoot") == 0) { | |
| b5043ccb | 493 | reqc->docroot = apr_pstrdup (r->pool, vals[i]); |
| 7f9875bb OS |
494 | } |
| 495 | else if (strcasecmp (attributes[i], "apacheScriptAlias") == 0) { | |
| b5043ccb | 496 | reqc->cgiroot = apr_pstrdup (r->pool, vals[i]); |
| 7f9875bb OS |
497 | } |
| 498 | else if (strcasecmp (attributes[i], "apacheSuexecUid") == 0) { | |
| b5043ccb | 499 | reqc->uid = apr_pstrdup(r->pool, vals[i]); |
| 7f9875bb OS |
500 | } |
| 501 | else if (strcasecmp (attributes[i], "apacheSuexecGid") == 0) { | |
| b5043ccb | 502 | reqc->gid = apr_pstrdup(r->pool, vals[i]); |
| 7f9875bb OS |
503 | } |
| 504 | i++; | |
| 505 | } | |
| 506 | } | |
| 507 | ||
| 6f705808 OS |
508 | ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, |
| 509 | "[mod_vhost_ldap.c]: loaded from ldap: " | |
| 510 | "apacheServerName: %s, " | |
| 511 | "apacheServerAdmin: %s, " | |
| 512 | "apacheDocumentRoot: %s, " | |
| 513 | "apacheScriptAlias: %s, " | |
| 514 | "apacheSuexecUid: %s, " | |
| b5043ccb OS |
515 | "apacheSuexecGid: %s", |
| 516 | reqc->name, reqc->admin, reqc->docroot, reqc->cgiroot, reqc->uid, reqc->gid); | |
| 6f705808 | 517 | |
| b5043ccb | 518 | if ((reqc->name == NULL)||(reqc->docroot == NULL)) { |
| 7f9875bb OS |
519 | ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r, |
| 520 | "[mod_vhost_ldap.c] translate: " | |
| 521 | "translate failed; ServerName or DocumentRoot not defined"); | |
| 522 | return DECLINED; | |
| 523 | } | |
| 524 | ||
| 525 | cgi = NULL; | |
| 526 | ||
| b5043ccb | 527 | if (reqc->cgiroot) { |
| 6f705808 OS |
528 | cgi = strstr(r->uri, "cgi-bin/"); |
| 529 | if (cgi && (cgi != r->uri + strspn(r->uri, "/"))) { | |
| 7f9875bb OS |
530 | cgi = NULL; |
| 531 | } | |
| 9ee2dda1 | 532 | } |
| 9ee2dda1 | 533 | if (cgi) { |
| b5043ccb | 534 | r->filename = apr_pstrcat (r->pool, reqc->cgiroot, cgi + strlen("cgi-bin"), NULL); |
| 9ee2dda1 OS |
535 | r->handler = "cgi-script"; |
| 536 | apr_table_setn(r->notes, "alias-forced-type", r->handler); | |
| 6f705808 | 537 | } else if (r->uri[0] == '/') { |
| b5043ccb | 538 | r->filename = apr_pstrcat (r->pool, reqc->docroot, r->uri, NULL); |
| 9ee2dda1 | 539 | } else { |
| 6f705808 | 540 | return DECLINED; |
| 7f9875bb OS |
541 | } |
| 542 | ||
| b5043ccb | 543 | r->server->server_hostname = apr_pstrdup (top->pool, reqc->name); |
| 7f9875bb | 544 | |
| b5043ccb OS |
545 | if (reqc->admin) { |
| 546 | r->server->server_admin = apr_pstrdup (top->pool, reqc->admin); | |
| 7f9875bb OS |
547 | } |
| 548 | ||
| 549 | // set environment variables | |
| b5043ccb OS |
550 | e = top->subprocess_env; |
| 551 | apr_table_addn (e, "SERVER_ROOT", reqc->docroot); | |
| 7f9875bb | 552 | |
| b5043ccb | 553 | core->ap_document_root = apr_pstrdup(top->pool, reqc->docroot); |
| 9ee2dda1 | 554 | |
| 7f9875bb OS |
555 | ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, |
| 556 | "[mod_vhost_ldap.c]: translated to %s", r->filename); | |
| 557 | ||
| 558 | return OK; | |
| 559 | } | |
| 560 | ||
| 561 | #ifdef HAVE_UNIX_SUEXEC | |
| 562 | static ap_unix_identity_t *mod_vhost_ldap_get_suexec_id_doer(const request_rec * r) | |
| 563 | { | |
| 564 | ap_unix_identity_t *ugid = NULL; | |
| 8196fae3 | 565 | mod_vhost_ldap_config_t *conf = |
| 7f9875bb OS |
566 | (mod_vhost_ldap_config_t *)ap_get_module_config(r->server->module_config, |
| 567 | &vhost_ldap_module); | |
| 568 | mod_vhost_ldap_request_t *req = | |
| 569 | (mod_vhost_ldap_request_t *)ap_get_module_config(r->request_config, | |
| 570 | &vhost_ldap_module); | |
| 571 | ||
| 572 | uid_t uid = -1; | |
| 573 | gid_t gid = -1; | |
| 574 | ||
| 8196fae3 OS |
575 | // mod_vhost_ldap is disabled or we don't have LDAP Url |
| 576 | if ((conf->enabled != MVL_ENABLED)||(!conf->have_ldap_url)) { | |
| 7f9875bb OS |
577 | return NULL; |
| 578 | } | |
| 579 | ||
| 580 | if ((req == NULL)||(req->uid == NULL)||(req->gid == NULL)) { | |
| 581 | return NULL; | |
| 582 | } | |
| 583 | ||
| 584 | if ((ugid = apr_palloc(r->pool, sizeof(ap_unix_identity_t))) == NULL) { | |
| 585 | return NULL; | |
| 586 | } | |
| 587 | ||
| 588 | uid = (uid_t)atoll(req->uid); | |
| 589 | gid = (gid_t)atoll(req->gid); | |
| 590 | ||
| eea38f6d | 591 | if ((uid < MIN_UID)||(gid < MIN_GID)) { |
| 7f9875bb OS |
592 | return NULL; |
| 593 | } | |
| 594 | ||
| 595 | ugid->uid = uid; | |
| 596 | ugid->gid = gid; | |
| 597 | ugid->userdir = 0; | |
| 598 | ||
| 599 | return ugid; | |
| 600 | } | |
| 601 | #endif | |
| 602 | ||
| 603 | static void | |
| 604 | mod_vhost_ldap_register_hooks (apr_pool_t * p) | |
| 605 | { | |
| 606 | ap_hook_post_config(mod_vhost_ldap_post_config, NULL, NULL, APR_HOOK_MIDDLE); | |
| 607 | ap_hook_translate_name(mod_vhost_ldap_translate_name, NULL, NULL, APR_HOOK_MIDDLE); | |
| 608 | #ifdef HAVE_UNIX_SUEXEC | |
| 609 | ap_hook_get_suexec_identity(mod_vhost_ldap_get_suexec_id_doer, NULL, NULL, APR_HOOK_MIDDLE); | |
| 610 | #endif | |
| 611 | } | |
| 612 | ||
| 613 | module AP_MODULE_DECLARE_DATA vhost_ldap_module = { | |
| 614 | STANDARD20_MODULE_STUFF, | |
| 615 | NULL, | |
| 616 | NULL, | |
| 617 | mod_vhost_ldap_create_server_config, | |
| 8196fae3 | 618 | mod_vhost_ldap_merge_server_config, |
| 7f9875bb OS |
619 | mod_vhost_ldap_cmds, |
| 620 | mod_vhost_ldap_register_hooks, | |
| 621 | }; |