[mod-vhost-ldap.git] / mod_vhost_ldap.c

/* ============================================================
 * Copyright (c) 2003-2004, Ondrej Sury
 * All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 * 
 */

/*
 * mod_vhost_ldap.c --- read virtual host config from LDAP directory
 */

#define CORE_PRIVATE
#define MOD_VHOST_LDAP_VERSION "mod_vhost_ldap/0.2.2"

#include <unistd.h>

#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_request.h"
#include "apr_ldap.h"
#include "apr_strings.h"
#include "apr_reslist.h"
#include "util_ldap.h"

#ifndef APU_HAS_LDAP
#error mod_vhost_ldap requires APR-util to have LDAP support built in
#endif

#if !defined(WIN32) && !defined(OS2) && !defined(BEOS) && !defined(NETWARE)
#define HAVE_UNIX_SUEXEC
#endif

#ifdef HAVE_UNIX_SUEXEC
#include "unixd.h"              /* Contains the suexec_identity hook used on Unix */
#endif

#define MIN_UID 1000
#define MIN_GID 1000

module AP_MODULE_DECLARE_DATA vhost_ldap_module;

typedef struct mod_vhost_ldap_config_t {
    apr_pool_t *pool;			/* Pool that this config is allocated from */
#if APR_HAS_THREADS
    apr_thread_mutex_t *lock;           /* Lock for this config */
#endif
    int enabled;			/* Is vhost_ldap enabled? */

    /* These parameters are all derived from the VhostLDAPURL directive */
    char *url;				/* String representation of LDAP URL */

    char *host;				/* Name of the LDAP server (or space separated list) */
    int port;				/* Port of the LDAP server */
    char *basedn;			/* Base DN to do all searches from */
    int scope;				/* Scope of the search */
    char *filter;			/* Filter to further limit the search  */
    deref_options deref;		/* how to handle alias dereferening */

    char *binddn;			/* DN to bind to server (can be NULL) */
    char *bindpw;			/* Password to bind to server (can be NULL) */

    int have_ldap_url;			/* Set if we have found an LDAP url */

    int secure;				/* True if SSL connections are requested */
} mod_vhost_ldap_config_t;

typedef struct mod_vhost_ldap_request_t {
    char *dn;				/* The saved dn from a successful search */
    char *name;				/* ServerName */
    char *admin;			/* ServerAdmin */
    char *docroot;			/* DocumentRoot */
    char *cgiroot;			/* ScriptAlias */
    char *uid;				/* Suexec Uid */
    char *gid;				/* Suexec Gid */
} mod_vhost_ldap_request_t;

char *attributes[] =
  { "apacheServerName", "apacheServerAdmin", "apacheDocumentRoot", "apacheScriptAlias", "apacheSuexecUid", "apacheSuexecGid", 0 };

static int mod_vhost_ldap_post_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s)
{
    /* make sure that mod_ldap (util_ldap) is loaded */
    if (ap_find_linked_module("util_ldap.c") == NULL) {
        ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, s,
                     "Module mod_ldap missing. Mod_ldap (aka. util_ldap) "
                     "must be loaded in order for mod_vhost_ldap to function properly");
        return HTTP_INTERNAL_SERVER_ERROR;

    }

    ap_add_version_component(p, MOD_VHOST_LDAP_VERSION);

    return OK;
}

static void *
mod_vhost_ldap_create_server_config (apr_pool_t *p, server_rec *s)
{
    mod_vhost_ldap_config_t *cfg =
	(mod_vhost_ldap_config_t *)apr_pcalloc(p, sizeof (mod_vhost_ldap_config_t));

    cfg->pool = p;

#if APR_HAS_THREADS
    apr_thread_mutex_create(&cfg->lock, APR_THREAD_MUTEX_DEFAULT, p);
#endif

    cfg->enabled = 0;
    cfg->have_ldap_url = 0;
    cfg->url = "";
    cfg->host = NULL;
    cfg->binddn = NULL;
    cfg->bindpw = NULL;
    cfg->deref = always;
    cfg->secure = 0;

    return cfg;
}

/* 
 * Use the ldap url parsing routines to break up the ldap url into
 * host and port.
 */
static const char *mod_vhost_ldap_parse_url(cmd_parms *cmd, 
					    void *dummy,
					    const char *url)
{
    int result;
    apr_ldap_url_desc_t *urld;

    mod_vhost_ldap_config_t *cfg =
	(mod_vhost_ldap_config_t *)ap_get_module_config(cmd->server->module_config,
							&vhost_ldap_module);

    ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
	         cmd->server, "[mod_vhost_ldap.c] url parse: `%s'", 
	         url);

    result = apr_ldap_url_parse(url, &(urld));
    if (result != LDAP_SUCCESS) {
        switch (result) {
        case LDAP_URL_ERR_NOTLDAP:
            return "LDAP URL does not begin with ldap://";
        case LDAP_URL_ERR_NODN:
            return "LDAP URL does not have a DN";
        case LDAP_URL_ERR_BADSCOPE:
            return "LDAP URL has an invalid scope";
        case LDAP_URL_ERR_MEM:
            return "Out of memory parsing LDAP URL";
        default:
            return "Could not parse LDAP URL";
        }
    }
    cfg->url = apr_pstrdup(cmd->pool, url);

    ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
	         cmd->server, "[mod_vhost_ldap.c] url parse: Host: %s", urld->lud_host);
    ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
	         cmd->server, "[mod_vhost_ldap.c] url parse: Port: %d", urld->lud_port);
    ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
	         cmd->server, "[mod_vhost_ldap.c] url parse: DN: %s", urld->lud_dn);
    ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
	         cmd->server, "[mod_vhost_ldap.c] url parse: attrib: %s", urld->lud_attrs? urld->lud_attrs[0] : "(null)");
    ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
	         cmd->server, "[mod_vhost_ldap.c] url parse: scope: %s", 
	         (urld->lud_scope == LDAP_SCOPE_SUBTREE? "subtree" : 
		 urld->lud_scope == LDAP_SCOPE_BASE? "base" : 
		 urld->lud_scope == LDAP_SCOPE_ONELEVEL? "onelevel" : "unknown"));
    ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
	         cmd->server, "[mod_vhost_ldap.c] url parse: filter: %s", urld->lud_filter);

    /* Set all the values, or at least some sane defaults */
    if (cfg->host) {
        char *p = apr_palloc(cmd->pool, strlen(cfg->host) + strlen(urld->lud_host) + 2);
        strcpy(p, urld->lud_host);
        strcat(p, " ");
        strcat(p, cfg->host);
        cfg->host = p;
    }
    else {
        cfg->host = urld->lud_host? apr_pstrdup(cmd->pool, urld->lud_host) : "localhost";
    }
    cfg->basedn = urld->lud_dn? apr_pstrdup(cmd->pool, urld->lud_dn) : "";

    cfg->scope = urld->lud_scope == LDAP_SCOPE_ONELEVEL ?
        LDAP_SCOPE_ONELEVEL : LDAP_SCOPE_SUBTREE;

    if (urld->lud_filter) {
        if (urld->lud_filter[0] == '(') {
            /* 
	     * Get rid of the surrounding parens; later on when generating the
	     * filter, they'll be put back.
             */
            cfg->filter = apr_pstrdup(cmd->pool, urld->lud_filter+1);
            cfg->filter[strlen(cfg->filter)-1] = '\0';
        }
        else {
            cfg->filter = apr_pstrdup(cmd->pool, urld->lud_filter);
        }
    }
    else {
        cfg->filter = "objectClass=apacheConfig";
    }

      /* "ldaps" indicates secure ldap connections desired
      */
    if (strncasecmp(url, "ldaps", 5) == 0)
    {
        cfg->secure = 1;
        cfg->port = urld->lud_port? urld->lud_port : LDAPS_PORT;
        ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server,
                     "LDAP: vhost_ldap using SSL connections");
    }
    else
    {
        cfg->secure = 0;
        cfg->port = urld->lud_port? urld->lud_port : LDAP_PORT;
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, 
                     "LDAP: vhost_ldap not using SSL connections");
    }

    cfg->have_ldap_url = 1;
    apr_ldap_free_urldesc(urld);
    return NULL;
}

static const char *mod_vhost_ldap_set_enabled(cmd_parms *cmd, void *dummy, int enabled)
{
    mod_vhost_ldap_config_t *cfg =
	(mod_vhost_ldap_config_t *)ap_get_module_config(cmd->server->module_config,
							 &vhost_ldap_module);

    cfg->enabled = enabled;
    return NULL;
}

static const char *mod_vhost_ldap_set_binddn(cmd_parms *cmd, void *dummy, const char *binddn)
{
    mod_vhost_ldap_config_t *cfg =
	(mod_vhost_ldap_config_t *)ap_get_module_config(cmd->server->module_config,
							 &vhost_ldap_module);

    cfg->binddn = apr_pstrdup(cmd->pool, binddn);
    return NULL;
}

static const char *mod_vhost_ldap_set_bindpw(cmd_parms *cmd, void *dummy, const char *bindpw)
{
    mod_vhost_ldap_config_t *cfg =
	(mod_vhost_ldap_config_t *)ap_get_module_config(cmd->server->module_config,
							 &vhost_ldap_module);

    cfg->bindpw = apr_pstrdup(cmd->pool, bindpw);
    return NULL;
}

static const char *mod_vhost_ldap_set_deref(cmd_parms *cmd, void *dummy, const char *deref)
{
    mod_vhost_ldap_config_t *cfg = 
	(mod_vhost_ldap_config_t *)ap_get_module_config (cmd->server->module_config,
							 &vhost_ldap_module);

    if (strcmp(deref, "never") == 0 || strcasecmp(deref, "off") == 0) {
        cfg->deref = never;
    }
    else if (strcmp(deref, "searching") == 0) {
        cfg->deref = searching;
    }
    else if (strcmp(deref, "finding") == 0) {
        cfg->deref = finding;
    }
    else if (strcmp(deref, "always") == 0 || strcasecmp(deref, "on") == 0) {
        cfg->deref = always;
    }
    else {
        return "Unrecognized value for VhostLDAPAliasDereference directive";
    }
    return NULL;
}

command_rec mod_vhost_ldap_cmds[] = {
    AP_INIT_TAKE1("VhostLDAPURL", mod_vhost_ldap_parse_url, NULL, RSRC_CONF,
                  "URL to define LDAP connection. This should be an RFC 2255 compliant\n"
                  "URL of the form ldap://host[:port]/basedn[?attrib[?scope[?filter]]].\n"
                  "<ul>\n"
                  "<li>Host is the name of the LDAP server. Use a space separated list of hosts \n"
                  "to specify redundant servers.\n"
                  "<li>Port is optional, and specifies the port to connect to.\n"
                  "<li>basedn specifies the base DN to start searches from\n"
                  "</ul>\n"),

    AP_INIT_TAKE1 ("VhostLDAPBindDN", mod_vhost_ldap_set_binddn, NULL, RSRC_CONF,
		   "DN to use to bind to LDAP server. If not provided, will do an anonymous bind."),
    
    AP_INIT_TAKE1("VhostLDAPBindPassword", mod_vhost_ldap_set_bindpw, NULL, RSRC_CONF,
                  "Password to use to bind to LDAP server. If not provided, will do an anonymous bind."),

    AP_INIT_FLAG("VhostLDAPEnabled", mod_vhost_ldap_set_enabled, NULL, RSRC_CONF,
                 "Set to off to disable vhost_ldap, even if it's been enabled in a higher tree"),

    AP_INIT_TAKE1("VhostLDAPDereferenceAliases", mod_vhost_ldap_set_deref, NULL, RSRC_CONF,
                  "Determines how aliases are handled during a search. Can be one of the"
                  "values \"never\", \"searching\", \"finding\", or \"always\". "
                  "Defaults to always."),

    {NULL}
};

#define FILTER_LENGTH MAX_STRING_LEN
static int
mod_vhost_ldap_translate_name (request_rec * r)
{
    apr_table_t *e;
    int failures = 0;
    const char **vals = NULL;
    char filtbuf[FILTER_LENGTH];
    mod_vhost_ldap_config_t *cfg =
	(mod_vhost_ldap_config_t *)ap_get_module_config(r->server->module_config, &vhost_ldap_module);
    core_server_config * core =
	(core_server_config *) ap_get_module_config(r->server->module_config, &core_module);
    util_ldap_connection_t *ldc = NULL;
    int result = 0;
    const char *dn = NULL;
    char *cgi;

    mod_vhost_ldap_request_t *req =
	(mod_vhost_ldap_request_t *)apr_pcalloc(r->pool, sizeof(mod_vhost_ldap_request_t));
    ap_set_module_config(r->request_config, &vhost_ldap_module, req);

    if (!cfg->enabled) {
	return DECLINED;
    }

    if (!cfg->have_ldap_url) {
	return DECLINED;
    }

start_over:

    if (cfg->host) {
        ldc = util_ldap_connection_find(r, cfg->host, cfg->port,
					cfg->binddn, cfg->bindpw, cfg->deref,
					cfg->secure);
    }
    else {
        ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r, 
                      "[mod_vhost_ldap.c] translate: no sec->host - weird...?");
        return DECLINED;
    }

    ap_log_rerror (APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
		   "[mod_vhost_ldap.c]: translating %s", r->parsed_uri.path);

    apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(|(apacheServerName=%s)(apacheServerAlias=%s)))", cfg->filter, r->hostname, r->hostname);

    result = util_ldap_cache_getuserdn(r, ldc, cfg->url, cfg->basedn, cfg->scope,
				       attributes, filtbuf, &dn, &vals);

    util_ldap_connection_close(ldc);

    /* sanity check - if server is down, retry it up to 5 times */
    if (result == LDAP_SERVER_DOWN) {
        if (failures++ <= 5) {
            goto start_over;
        }
    }

    /* handle bind failure */
    if (result != LDAP_SUCCESS) {
        ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r, 
                      "[mod_vhost_ldap.c] translate: "
                      "translate failed; URI %s [%s][%s]",
		      r->parsed_uri.path, ldc->reason, ldap_err2string(result));
	return DECLINED;
    }

    /* mark the user and DN */
    req->dn = apr_pstrdup(r->pool, dn);

    /* Optimize */
    if (vals) {
	int i = 0;
	while (attributes[i]) {

	    if (strcasecmp (attributes[i], "apacheServerName") == 0) {
		req->name = apr_pstrdup (r->pool, vals[i]);
	    }
	    else if (strcasecmp (attributes[i], "apacheServerAdmin") == 0) {
		req->admin = apr_pstrdup (r->pool, vals[i]);
	    }
	    else if (strcasecmp (attributes[i], "apacheDocumentRoot") == 0) {
		req->docroot = apr_pstrdup (r->pool, vals[i]);
	    }
	    else if (strcasecmp (attributes[i], "apacheScriptAlias") == 0) {
		req->cgiroot = apr_pstrdup (r->pool, vals[i]);
	    }
	    else if (strcasecmp (attributes[i], "apacheSuexecUid") == 0) {
		req->uid = apr_pstrdup(r->pool, vals[i]);
	    }
	    else if (strcasecmp (attributes[i], "apacheSuexecGid") == 0) {
		req->gid = apr_pstrdup(r->pool, vals[i]);
	    }
	    i++;
	}
    }

    if ((req->name == NULL)||(req->docroot == NULL)) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r, 
                      "[mod_vhost_ldap.c] translate: "
                      "translate failed; ServerName or DocumentRoot not defined");
	return DECLINED;
    }

    cgi = NULL;
  
    if (req->cgiroot) {
	cgi = strstr(r->parsed_uri.path, "cgi-bin/");
	if (cgi && (cgi != r->uri + strspn(r->parsed_uri.path, "/"))) {
	    cgi = NULL;
	}
    }

    if (cgi) {
	r->filename =
	    apr_pstrcat (r->pool, req->cgiroot, cgi + strlen("cgi-bin"), NULL);
	r->handler = "cgi-script";
	apr_table_setn(r->notes, "alias-forced-type", r->handler);
    } else {
	r->filename =
	    apr_pstrcat (r->pool, req->docroot, r->parsed_uri.path, NULL);
    }

    r->server->server_hostname = apr_pstrdup (r->pool, req->name);

    if (req->admin) {
	r->server->server_admin = apr_pstrdup (r->pool, req->admin);
    }

    // set environment variables
    e = r->subprocess_env;
    apr_table_addn (e, "SERVER_ROOT", req->docroot);

    core->ap_document_root = apr_pstrdup(r->pool, req->docroot);

    ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
		  "[mod_vhost_ldap.c]: translated to %s", r->filename);

    return OK;
}

#ifdef HAVE_UNIX_SUEXEC
static ap_unix_identity_t *mod_vhost_ldap_get_suexec_id_doer(const request_rec * r)
{
  ap_unix_identity_t *ugid = NULL;
  mod_vhost_ldap_config_t *cfg = 
      (mod_vhost_ldap_config_t *)ap_get_module_config(r->server->module_config,
						      &vhost_ldap_module);
  mod_vhost_ldap_request_t *req =
      (mod_vhost_ldap_request_t *)ap_get_module_config(r->request_config,
						       &vhost_ldap_module);

  uid_t uid = -1;
  gid_t gid = -1;

  // mod_vhost_ldap is disabled
  if (!cfg->enabled) {
      return NULL;
  }

  if ((req == NULL)||(req->uid == NULL)||(req->gid == NULL)) {
      return NULL;
  }

  if ((ugid = apr_palloc(r->pool, sizeof(ap_unix_identity_t))) == NULL) {
      return NULL;
  }

  uid = (uid_t)atoll(req->uid);
  gid = (gid_t)atoll(req->gid);

  if ((uid < MIN_UID)||(gid < MIN_GID)) {
      return NULL;
  }

  ugid->uid = uid;
  ugid->gid = gid;
  ugid->userdir = 0;
  
  return ugid;
}
#endif

static void
mod_vhost_ldap_register_hooks (apr_pool_t * p)
{
    ap_hook_post_config(mod_vhost_ldap_post_config, NULL, NULL, APR_HOOK_MIDDLE);
    ap_hook_translate_name(mod_vhost_ldap_translate_name, NULL, NULL, APR_HOOK_MIDDLE);
#ifdef HAVE_UNIX_SUEXEC
    ap_hook_get_suexec_identity(mod_vhost_ldap_get_suexec_id_doer, NULL, NULL, APR_HOOK_MIDDLE);
#endif
}

module AP_MODULE_DECLARE_DATA vhost_ldap_module = {
  STANDARD20_MODULE_STUFF,
  NULL,
  NULL,
  mod_vhost_ldap_create_server_config,
  NULL,
  mod_vhost_ldap_cmds,
  mod_vhost_ldap_register_hooks,
};
Commit	Line	Data
7f9875bb OS	1	/* ============================================================
	2	* Copyright (c) 2003-2004, Ondrej Sury
	3	* All rights reserved.
	4	*
	5	* Licensed under the Apache License, Version 2.0 (the "License");
	6	* you may not use this file except in compliance with the License.
	7	* You may obtain a copy of the License at
	8	*
	9	* http://www.apache.org/licenses/LICENSE-2.0
	10	*
	11	* Unless required by applicable law or agreed to in writing, software
	12	* distributed under the License is distributed on an "AS IS" BASIS,
	13	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	14	* See the License for the specific language governing permissions and
	15	* limitations under the License.
	16	*
	17	*/
	18
	19	/*
	20	* mod_vhost_ldap.c --- read virtual host config from LDAP directory
	21	*/
	22
9ee2dda1	23	#define CORE_PRIVATE
53a6ea83	24	#define MOD_VHOST_LDAP_VERSION "mod_vhost_ldap/0.2.2"
9ee2dda1	25
7f9875bb OS	26	#include <unistd.h>
	27
	28	#include "httpd.h"
	29	#include "http_config.h"
	30	#include "http_core.h"
	31	#include "http_log.h"
	32	#include "http_request.h"
	33	#include "apr_ldap.h"
	34	#include "apr_strings.h"
	35	#include "apr_reslist.h"
	36	#include "util_ldap.h"
	37
	38	#ifndef APU_HAS_LDAP
	39	#error mod_vhost_ldap requires APR-util to have LDAP support built in
	40	#endif
	41
	42	#if !defined(WIN32) && !defined(OS2) && !defined(BEOS) && !defined(NETWARE)
	43	#define HAVE_UNIX_SUEXEC
	44	#endif
	45
	46	#ifdef HAVE_UNIX_SUEXEC
	47	#include "unixd.h" /* Contains the suexec_identity hook used on Unix */
	48	#endif
	49
	50	#define MIN_UID 1000
	51	#define MIN_GID 1000
	52
	53	module AP_MODULE_DECLARE_DATA vhost_ldap_module;
	54
	55	typedef struct mod_vhost_ldap_config_t {
	56	apr_pool_t pool; / Pool that this config is allocated from */
	57	#if APR_HAS_THREADS
	58	apr_thread_mutex_t lock; / Lock for this config */
	59	#endif
	60	int enabled; /* Is vhost_ldap enabled? */
	61
	62	/* These parameters are all derived from the VhostLDAPURL directive */
	63	char url; / String representation of LDAP URL */
	64
	65	char host; / Name of the LDAP server (or space separated list) */
	66	int port; /* Port of the LDAP server */
	67	char basedn; / Base DN to do all searches from */
	68	int scope; /* Scope of the search */
	69	char filter; / Filter to further limit the search */
	70	deref_options deref; /* how to handle alias dereferening */
	71
	72	char binddn; / DN to bind to server (can be NULL) */
	73	char bindpw; / Password to bind to server (can be NULL) */
	74
	75	int have_ldap_url; /* Set if we have found an LDAP url */
	76
	77	int secure; /* True if SSL connections are requested */
	78	} mod_vhost_ldap_config_t;
	79
	80	typedef struct mod_vhost_ldap_request_t {
	81	char dn; / The saved dn from a successful search */
	82	char name; / ServerName */
	83	char admin; / ServerAdmin */
	84	char docroot; / DocumentRoot */
9ee2dda1	85	char cgiroot; / ScriptAlias */
7f9875bb OS	86	char uid; / Suexec Uid */
	87	char gid; / Suexec Gid */
	88	} mod_vhost_ldap_request_t;
	89
	90	char *attributes[] =
	91	{ "apacheServerName", "apacheServerAdmin", "apacheDocumentRoot", "apacheScriptAlias", "apacheSuexecUid", "apacheSuexecGid", 0 };
	92
	93	static int mod_vhost_ldap_post_config(apr_pool_t p, apr_pool_t plog, apr_pool_t ptemp, server_rec s)
	94	{
	95	/* make sure that mod_ldap (util_ldap) is loaded */
	96	if (ap_find_linked_module("util_ldap.c") == NULL) {
	97	ap_log_error(APLOG_MARK, APLOG_ERR\|APLOG_NOERRNO, 0, s,
	98	"Module mod_ldap missing. Mod_ldap (aka. util_ldap) "
	99	"must be loaded in order for mod_vhost_ldap to function properly");
	100	return HTTP_INTERNAL_SERVER_ERROR;
	101
	102	}
	103
9ee2dda1	104	ap_add_version_component(p, MOD_VHOST_LDAP_VERSION);
7f9875bb OS	105
	106	return OK;
	107	}
	108
	109	static void *
	110	mod_vhost_ldap_create_server_config (apr_pool_t p, server_rec s)
	111	{
	112	mod_vhost_ldap_config_t *cfg =
	113	(mod_vhost_ldap_config_t *)apr_pcalloc(p, sizeof (mod_vhost_ldap_config_t));
	114
	115	cfg->pool = p;
	116
	117	#if APR_HAS_THREADS
	118	apr_thread_mutex_create(&cfg->lock, APR_THREAD_MUTEX_DEFAULT, p);
	119	#endif
	120
	121	cfg->enabled = 0;
	122	cfg->have_ldap_url = 0;
	123	cfg->url = "";
	124	cfg->host = NULL;
	125	cfg->binddn = NULL;
	126	cfg->bindpw = NULL;
	127	cfg->deref = always;
	128	cfg->secure = 0;
	129
	130	return cfg;
	131	}
	132
	133	/*
	134	* Use the ldap url parsing routines to break up the ldap url into
	135	* host and port.
	136	*/
	137	static const char mod_vhost_ldap_parse_url(cmd_parms cmd,
	138	void *dummy,
	139	const char *url)
	140	{
	141	int result;
	142	apr_ldap_url_desc_t *urld;
	143
	144	mod_vhost_ldap_config_t *cfg =
	145	(mod_vhost_ldap_config_t *)ap_get_module_config(cmd->server->module_config,
	146	&vhost_ldap_module);
	147
	148	ap_log_error(APLOG_MARK, APLOG_DEBUG\|APLOG_NOERRNO, 0,
	149	cmd->server, "[mod_vhost_ldap.c] url parse: `%s'",
	150	url);
	151
	152	result = apr_ldap_url_parse(url, &(urld));
	153	if (result != LDAP_SUCCESS) {
	154	switch (result) {
	155	case LDAP_URL_ERR_NOTLDAP:
	156	return "LDAP URL does not begin with ldap://";
	157	case LDAP_URL_ERR_NODN:
	158	return "LDAP URL does not have a DN";
	159	case LDAP_URL_ERR_BADSCOPE:
	160	return "LDAP URL has an invalid scope";
	161	case LDAP_URL_ERR_MEM:
	162	return "Out of memory parsing LDAP URL";
	163	default:
	164	return "Could not parse LDAP URL";
	165	}
	166	}
	167	cfg->url = apr_pstrdup(cmd->pool, url);
	168
169	ap_log_error(APLOG_MARK, APLOG_DEBUG\|APLOG_NOERRNO, 0,
170	cmd->server, "[mod_vhost_ldap.c] url parse: Host: %s", urld->lud_host);
171	ap_log_error(APLOG_MARK, APLOG_DEBUG\|APLOG_NOERRNO, 0,
172	cmd->server, "[mod_vhost_ldap.c] url parse: Port: %d", urld->lud_port);
173	ap_log_error(APLOG_MARK, APLOG_DEBUG\|APLOG_NOERRNO, 0,
174	cmd->server, "[mod_vhost_ldap.c] url parse: DN: %s", urld->lud_dn);
175	ap_log_error(APLOG_MARK, APLOG_DEBUG\|APLOG_NOERRNO, 0,
176	cmd->server, "[mod_vhost_ldap.c] url parse: attrib: %s", urld->lud_attrs? urld->lud_attrs[0] : "(null)");
177	ap_log_error(APLOG_MARK, APLOG_DEBUG\|APLOG_NOERRNO, 0,
178	cmd->server, "[mod_vhost_ldap.c] url parse: scope: %s",
179	(urld->lud_scope == LDAP_SCOPE_SUBTREE? "subtree" :
180	urld->lud_scope == LDAP_SCOPE_BASE? "base" :
181	urld->lud_scope == LDAP_SCOPE_ONELEVEL? "onelevel" : "unknown"));
182	ap_log_error(APLOG_MARK, APLOG_DEBUG\|APLOG_NOERRNO, 0,
183	cmd->server, "[mod_vhost_ldap.c] url parse: filter: %s", urld->lud_filter);
184
185	/* Set all the values, or at least some sane defaults */
186	if (cfg->host) {
187	char *p = apr_palloc(cmd->pool, strlen(cfg->host) + strlen(urld->lud_host) + 2);
188	strcpy(p, urld->lud_host);
189	strcat(p, " ");
190	strcat(p, cfg->host);
191	cfg->host = p;
192	}
193	else {
194	cfg->host = urld->lud_host? apr_pstrdup(cmd->pool, urld->lud_host) : "localhost";
195	}
196	cfg->basedn = urld->lud_dn? apr_pstrdup(cmd->pool, urld->lud_dn) : "";
197
198	cfg->scope = urld->lud_scope == LDAP_SCOPE_ONELEVEL ?
199	LDAP_SCOPE_ONELEVEL : LDAP_SCOPE_SUBTREE;
200
201	if (urld->lud_filter) {
202	if (urld->lud_filter[0] == '(') {
203	/*
204	* Get rid of the surrounding parens; later on when generating the
205	* filter, they'll be put back.
206	*/
207	cfg->filter = apr_pstrdup(cmd->pool, urld->lud_filter+1);
208	cfg->filter[strlen(cfg->filter)-1] = '\0';
209	}
210	else {
211	cfg->filter = apr_pstrdup(cmd->pool, urld->lud_filter);
212	}
213	}
214	else {
215	cfg->filter = "objectClass=apacheConfig";
216	}
217
218	/* "ldaps" indicates secure ldap connections desired
219	*/
220	if (strncasecmp(url, "ldaps", 5) == 0)
221	{
222	cfg->secure = 1;
223	cfg->port = urld->lud_port? urld->lud_port : LDAPS_PORT;
224	ap_log_error(APLOG_MARK, APLOG_DEBUG\|APLOG_NOERRNO, 0, cmd->server,
225	"LDAP: vhost_ldap using SSL connections");
226	}
227	else
228	{
229	cfg->secure = 0;
230	cfg->port = urld->lud_port? urld->lud_port : LDAP_PORT;
231	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
232	"LDAP: vhost_ldap not using SSL connections");
233	}
234
235	cfg->have_ldap_url = 1;
236	apr_ldap_free_urldesc(urld);
237	return NULL;
238	}
239
240	static const char mod_vhost_ldap_set_enabled(cmd_parms cmd, void *dummy, int enabled)
241	{
242	mod_vhost_ldap_config_t *cfg =
243	(mod_vhost_ldap_config_t *)ap_get_module_config(cmd->server->module_config,
244	&vhost_ldap_module);
245
246	cfg->enabled = enabled;
247	return NULL;
248	}
249
250	static const char mod_vhost_ldap_set_binddn(cmd_parms cmd, void dummy, const char binddn)
251	{
252	mod_vhost_ldap_config_t *cfg =
253	(mod_vhost_ldap_config_t *)ap_get_module_config(cmd->server->module_config,
254	&vhost_ldap_module);
255
256	cfg->binddn = apr_pstrdup(cmd->pool, binddn);
257	return NULL;
258	}
259
260	static const char mod_vhost_ldap_set_bindpw(cmd_parms cmd, void dummy, const char bindpw)
261	{
262	mod_vhost_ldap_config_t *cfg =
263	(mod_vhost_ldap_config_t *)ap_get_module_config(cmd->server->module_config,
264	&vhost_ldap_module);
265
266	cfg->bindpw = apr_pstrdup(cmd->pool, bindpw);
267	return NULL;
268	}
269
270	static const char mod_vhost_ldap_set_deref(cmd_parms cmd, void dummy, const char deref)
271	{
272	mod_vhost_ldap_config_t *cfg =
273	(mod_vhost_ldap_config_t *)ap_get_module_config (cmd->server->module_config,
274	&vhost_ldap_module);
275
276	if (strcmp(deref, "never") == 0 \|\| strcasecmp(deref, "off") == 0) {
277	cfg->deref = never;
278	}
279	else if (strcmp(deref, "searching") == 0) {
280	cfg->deref = searching;
281	}
282	else if (strcmp(deref, "finding") == 0) {
283	cfg->deref = finding;
284	}
285	else if (strcmp(deref, "always") == 0 \|\| strcasecmp(deref, "on") == 0) {
286	cfg->deref = always;
287	}
288	else {
289	return "Unrecognized value for VhostLDAPAliasDereference directive";
290	}
291	return NULL;
292	}
293
294	command_rec mod_vhost_ldap_cmds[] = {
295	AP_INIT_TAKE1("VhostLDAPURL", mod_vhost_ldap_parse_url, NULL, RSRC_CONF,
a940f969	296	"URL to define LDAP connection. This should be an RFC 2255 compliant\n"
7f9875bb OS	297	"URL of the form ldap://host[:port]/basedn[?attrib[?scope[?filter]]].\n"
	298	"<ul>\n"
	299	"<li>Host is the name of the LDAP server. Use a space separated list of hosts \n"
	300	"to specify redundant servers.\n"
	301	"<li>Port is optional, and specifies the port to connect to.\n"
	302	"<li>basedn specifies the base DN to start searches from\n"
	303	"</ul>\n"),
	304
	305	AP_INIT_TAKE1 ("VhostLDAPBindDN", mod_vhost_ldap_set_binddn, NULL, RSRC_CONF,
	306	"DN to use to bind to LDAP server. If not provided, will do an anonymous bind."),
	307
	308	AP_INIT_TAKE1("VhostLDAPBindPassword", mod_vhost_ldap_set_bindpw, NULL, RSRC_CONF,
	309	"Password to use to bind to LDAP server. If not provided, will do an anonymous bind."),
	310
	311	AP_INIT_FLAG("VhostLDAPEnabled", mod_vhost_ldap_set_enabled, NULL, RSRC_CONF,
	312	"Set to off to disable vhost_ldap, even if it's been enabled in a higher tree"),
	313
	314	AP_INIT_TAKE1("VhostLDAPDereferenceAliases", mod_vhost_ldap_set_deref, NULL, RSRC_CONF,
a940f969	315	"Determines how aliases are handled during a search. Can be one of the"
7f9875bb OS	316	"values \"never\", \"searching\", \"finding\", or \"always\". "
	317	"Defaults to always."),
	318
	319	{NULL}
	320	};
	321
	322	#define FILTER_LENGTH MAX_STRING_LEN
	323	static int
	324	mod_vhost_ldap_translate_name (request_rec * r)
	325	{
	326	apr_table_t *e;
	327	int failures = 0;
	328	const char **vals = NULL;
	329	char filtbuf[FILTER_LENGTH];
	330	mod_vhost_ldap_config_t *cfg =
	331	(mod_vhost_ldap_config_t *)ap_get_module_config(r->server->module_config, &vhost_ldap_module);
9ee2dda1 OS	332	core_server_config * core =
9ee2dda1 OS	333	(core_server_config *) ap_get_module_config(r->server->module_config, &core_module);
7f9875bb OS	334	util_ldap_connection_t *ldc = NULL;
	335	int result = 0;
	336	const char *dn = NULL;
	337	char *cgi;
	338
	339	mod_vhost_ldap_request_t *req =
	340	(mod_vhost_ldap_request_t *)apr_pcalloc(r->pool, sizeof(mod_vhost_ldap_request_t));
	341	ap_set_module_config(r->request_config, &vhost_ldap_module, req);
	342
	343	if (!cfg->enabled) {
	344	return DECLINED;
	345	}
	346
	347	if (!cfg->have_ldap_url) {
	348	return DECLINED;
	349	}
	350
	351	start_over:
	352
	353	if (cfg->host) {
	354	ldc = util_ldap_connection_find(r, cfg->host, cfg->port,
	355	cfg->binddn, cfg->bindpw, cfg->deref,
	356	cfg->secure);
	357	}
	358	else {
	359	ap_log_rerror(APLOG_MARK, APLOG_WARNING\|APLOG_NOERRNO, 0, r,
	360	"[mod_vhost_ldap.c] translate: no sec->host - weird...?");
	361	return DECLINED;
	362	}
	363
	364	ap_log_rerror (APLOG_MARK, APLOG_DEBUG\|APLOG_NOERRNO, 0, r,
	365	"[mod_vhost_ldap.c]: translating %s", r->parsed_uri.path);
	366
	367	apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(\|(apacheServerName=%s)(apacheServerAlias=%s)))", cfg->filter, r->hostname, r->hostname);
	368
	369	result = util_ldap_cache_getuserdn(r, ldc, cfg->url, cfg->basedn, cfg->scope,
	370	attributes, filtbuf, &dn, &vals);
	371
	372	util_ldap_connection_close(ldc);
	373
	374	/* sanity check - if server is down, retry it up to 5 times */
	375	if (result == LDAP_SERVER_DOWN) {
	376	if (failures++ <= 5) {
	377	goto start_over;
	378	}
	379	}
	380
	381	/* handle bind failure */
	382	if (result != LDAP_SUCCESS) {
	383	ap_log_rerror(APLOG_MARK, APLOG_WARNING\|APLOG_NOERRNO, 0, r,
	384	"[mod_vhost_ldap.c] translate: "
	385	"translate failed; URI %s [%s][%s]",
	386	r->parsed_uri.path, ldc->reason, ldap_err2string(result));
	387	return DECLINED;
	388	}
	389
	390	/* mark the user and DN */
	391	req->dn = apr_pstrdup(r->pool, dn);
	392
	393	/* Optimize */
	394	if (vals) {
	395	int i = 0;
	396	while (attributes[i]) {
	397
398	if (strcasecmp (attributes[i], "apacheServerName") == 0) {
399	req->name = apr_pstrdup (r->pool, vals[i]);
400	}
401	else if (strcasecmp (attributes[i], "apacheServerAdmin") == 0) {
402	req->admin = apr_pstrdup (r->pool, vals[i]);
403	}
404	else if (strcasecmp (attributes[i], "apacheDocumentRoot") == 0) {
405	req->docroot = apr_pstrdup (r->pool, vals[i]);
406	}
407	else if (strcasecmp (attributes[i], "apacheScriptAlias") == 0) {
408	req->cgiroot = apr_pstrdup (r->pool, vals[i]);
409	}
410	else if (strcasecmp (attributes[i], "apacheSuexecUid") == 0) {
411	req->uid = apr_pstrdup(r->pool, vals[i]);
412	}
413	else if (strcasecmp (attributes[i], "apacheSuexecGid") == 0) {
414	req->gid = apr_pstrdup(r->pool, vals[i]);
415	}
416	i++;
417	}
418	}
419
420	if ((req->name == NULL)\|\|(req->docroot == NULL)) {
421	ap_log_rerror(APLOG_MARK, APLOG_ERR\|APLOG_NOERRNO, 0, r,
422	"[mod_vhost_ldap.c] translate: "
423	"translate failed; ServerName or DocumentRoot not defined");
424	return DECLINED;
425	}
426
427	cgi = NULL;
428
429	if (req->cgiroot) {
430	cgi = strstr(r->parsed_uri.path, "cgi-bin/");
431	if (cgi && (cgi != r->uri + strspn(r->parsed_uri.path, "/"))) {
432	cgi = NULL;
433	}
9ee2dda1 OS	434	}
	435
	436	if (cgi) {
	437	r->filename =
	438	apr_pstrcat (r->pool, req->cgiroot, cgi + strlen("cgi-bin"), NULL);
	439	r->handler = "cgi-script";
	440	apr_table_setn(r->notes, "alias-forced-type", r->handler);
	441	} else {
	442	r->filename =
	443	apr_pstrcat (r->pool, req->docroot, r->parsed_uri.path, NULL);
7f9875bb OS	444	}
	445
	446	r->server->server_hostname = apr_pstrdup (r->pool, req->name);
	447
	448	if (req->admin) {
	449	r->server->server_admin = apr_pstrdup (r->pool, req->admin);
	450	}
	451
	452	// set environment variables
	453	e = r->subprocess_env;
	454	apr_table_addn (e, "SERVER_ROOT", req->docroot);
	455
9ee2dda1 OS	456	core->ap_document_root = apr_pstrdup(r->pool, req->docroot);
9ee2dda1 OS	457
7f9875bb OS	458	ap_log_rerror(APLOG_MARK, APLOG_DEBUG\|APLOG_NOERRNO, 0, r,
	459	"[mod_vhost_ldap.c]: translated to %s", r->filename);
	460
	461	return OK;
	462	}
	463
	464	#ifdef HAVE_UNIX_SUEXEC
	465	static ap_unix_identity_t mod_vhost_ldap_get_suexec_id_doer(const request_rec r)
	466	{
	467	ap_unix_identity_t *ugid = NULL;
	468	mod_vhost_ldap_config_t *cfg =
	469	(mod_vhost_ldap_config_t *)ap_get_module_config(r->server->module_config,
	470	&vhost_ldap_module);
	471	mod_vhost_ldap_request_t *req =
	472	(mod_vhost_ldap_request_t *)ap_get_module_config(r->request_config,
	473	&vhost_ldap_module);
	474
	475	uid_t uid = -1;
	476	gid_t gid = -1;
	477
	478	// mod_vhost_ldap is disabled
	479	if (!cfg->enabled) {
	480	return NULL;
	481	}
	482
	483	if ((req == NULL)\|\|(req->uid == NULL)\|\|(req->gid == NULL)) {
	484	return NULL;
	485	}
	486
	487	if ((ugid = apr_palloc(r->pool, sizeof(ap_unix_identity_t))) == NULL) {
	488	return NULL;
	489	}
	490
	491	uid = (uid_t)atoll(req->uid);
	492	gid = (gid_t)atoll(req->gid);
	493
eea38f6d	494	if ((uid < MIN_UID)\|\|(gid < MIN_GID)) {
7f9875bb OS	495	return NULL;
	496	}
	497
	498	ugid->uid = uid;
	499	ugid->gid = gid;
	500	ugid->userdir = 0;
	501
	502	return ugid;
	503	}
	504	#endif
	505
	506	static void
	507	mod_vhost_ldap_register_hooks (apr_pool_t * p)
	508	{
	509	ap_hook_post_config(mod_vhost_ldap_post_config, NULL, NULL, APR_HOOK_MIDDLE);
	510	ap_hook_translate_name(mod_vhost_ldap_translate_name, NULL, NULL, APR_HOOK_MIDDLE);
	511	#ifdef HAVE_UNIX_SUEXEC
	512	ap_hook_get_suexec_identity(mod_vhost_ldap_get_suexec_id_doer, NULL, NULL, APR_HOOK_MIDDLE);
	513	#endif
	514	}
	515
	516	module AP_MODULE_DECLARE_DATA vhost_ldap_module = {
	517	STANDARD20_MODULE_STUFF,
	518	NULL,
	519	NULL,
	520	mod_vhost_ldap_create_server_config,
	521	NULL,
	522	mod_vhost_ldap_cmds,
	523	mod_vhost_ldap_register_hooks,
	524	};