/* ============================================================ * Copyright (c) 2003-2006, Ondrej Sury, Piotr Wadas * All rights reserved. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * http://www.apache.org/licenses/LICENSE-2.0 * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * NOTE: only static members must be "used" to build, * so for time-to-time used routines we don't declare static * mod_vhost_ldap.c --- read virtual host config from LDAP directory * version 2.0 - included ldap-based basic auth & authz * remember to add "-lcrypt" in Makefile if there's a need to generate new password * for now not needed (validation only), this below is almost copy-paste from apache source, htpasswd.c */ #define CORE_PRIVATE #include "httpd.h" #include "http_config.h" #include "http_core.h" #include "http_log.h" #include "http_request.h" #include "apr_ldap.h" #include "apr_strings.h" #include "apr_tables.h" #include "apr_reslist.h" #include "util_ldap.h" #include "apr_md5.h" #include "apr_sha1.h" #include "unistd.h" #include "crypt.h" /* these are for checking unix crypt passwords */ #include #include #include #include /*this functions are not needed, as apr_password_validate includes it on its own */ /*void to64(char *s, unsigned long v, int n) { static unsigned char itoa64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; while (--n >= 0) { *s++ = itoa64[v&0x3f]; v >>= 6; } } char *htenc(const char *clearpasswd) { //this function creates password compatible with htpasswd char *res; char salt[9]; (void) srand((int) time((time_t *) NULL)); to64(&salt[0], rand(), 8); salt[8] = '\0'; res = crypt(clearpasswd, salt); return res; } */ /******************************************************************/ //this function creates salt for unix password crypt md5 /* char *crypt_make_salt (void) { struct timeval tv; static char result[40]; result[0] = '\0'; strcpy (result, "$1$"); // magic for the new MD5 crypt() gettimeofday (&tv, (struct timezone *) 0); strcat (result, l64a (tv.tv_usec)); strcat (result, l64a (tv.tv_sec + getpid () + clock ())); if (strlen (result) > 3 + 8) result[11] = '\0'; return result; } */ #ifndef APU_HAS_LDAP #fatal "mod_vhost_ldap requires APR util to have LDAP support built in" #endif #ifdef MD5_CRYPT_ENAB #undef MD5_CRYPT_ENAB #endif #define MD5_CRYPT_ENAB yes #include "unixd.h" /* Contains the suexec_identity hook used on Unix and needed for crypt() */ #define strtrue(s) (s && *s) /* do not accept empty "" strings */ #define MIN_UID 100 #define MIN_GID 100 #define FILTER_LENGTH MAX_STRING_LEN #define MSL MAX_STRING_LEN /******************************************************************/ //need this global due to apache API construction int mvhl_conf_enabled = 1; int mvhl_conf_binddn = 2; int mvhl_conf_bindpw = 3; int mvhl_conf_deref = 4; int mvhl_conf_wlcbasedn = 5; int mvhl_conf_wucbasedn = 6; int mvhl_conf_fallback = 7; int mvhl_conf_aliasbasedn = 8; int mvhl_alias_enabled = 9; int mvhl_loc_auth_enabled = 10; int mvhl_dir_auth_enabled = 11; /******************************************************************/ #define MVHL_ENABLED &mvhl_conf_enabled #define MVHL_BINDDN &mvhl_conf_binddn #define MVHL_BINDPW &mvhl_conf_bindpw #define MVHL_DEREF &mvhl_conf_deref #define MVHL_WLCBASEDN &mvhl_conf_wlcbasedn #define MVHL_WUCBASEDN &mvhl_conf_wucbasedn #define MVHL_FALLBACK &mvhl_conf_fallback #define MVHL_ALIASBASEDN &mvhl_conf_aliasbasedn #define MVHL_ALIASENABLED &mvhl_alias_enabled #define MVHL_LAUTHENABLED &mvhl_loc_auth_enabled #define MVHL_DAUTHENABLED &mvhl_dir_auth_enabled /******************************************************************/ typedef struct mvhl_config { int enabled; /* Is vhost_ldap enabled? */ char *url; /* String representation of LDAP URL */ char *host; /* Name of the LDAP server (or space separated list) */ char *fallback; /* Name of the fallback vhost to return not-found info */ int port; /* Port of the LDAP server */ char *basedn; /* Base DN to do all searches from */ int scope; /* Scope of the search */ char *filter; /* Filter to further limit the search */ deref_options deref; /* how to handle alias dereferening */ char *binddn; /* DN to bind to server (can be NULL) */ char *bindpw; /* Password to bind to server (can be NULL) xx */ int have_deref; /* Set if we have found an Deref option */ int have_ldap_url; /* Set if we have found an LDAP url */ char *wlcbasedn; /* Base DN to do all location config searches */ char *wucbasedn; /* Base DN to do all webuser config searches */ char *aliasesbasedn; /* Base DN to do all aliases config objects searches */ int secure; /* True if SSL connections are requested */ int alias_enabled; /* 0 - disabled, 1 - enabled */ int loc_auth_enabled; /* 0 - disabled, 1 - enabled */ int dir_auth_enabled; /* 0 - disabled, 1 - enabled */ } mvhl_config; /******************************************************************/ typedef struct mvhl_request { char *dn; /* The saved dn from a successful search */ char *name; /* apacheServerName */ char *admin; /* apacheServerAdmin */ char *docroot; /* apacheDocumentRoot */ char *uid; /* Suexec Uid */ char *gid; /* Suexec Gid */ int has_reqlines; /* we have require lines (1) or not (0) */ int has_aliaslines; /* we have aliases lines (1) or not (0) */ apr_array_header_t *serveralias; /* apacheServerAlias values */ apr_array_header_t *rqlocationlines; /* apacheExtConfigOptionsDn values */ apr_array_header_t *aliaseslines; /* apacheAliasesConfigOptionsDn values */ } mvhl_request; /******************************************************************/ typedef struct mvhl_extconfig_object { /* we use apr_array_header_t for multi-value attributed, * parsed later (yuck!) from ";" separated string */ char *extconfname; /* apacheExtConfigObjectName, single-value, syntax SUP cn */ apr_array_header_t *exturi; /* apacheExtConfigUri MULTI-value, uri for which this settings are here * should be used in combine with extconfig server name */ apr_array_header_t *extdir; int extconftype; /* apacheExtConfigRequireValidUser, single-value bool, * if TRUE then require valid-user, if FALSE userlist-type config */ apr_array_header_t *extservername; /* apacheExtConfigServerName" MULTI-value, */ apr_array_header_t *extusers; /* "apacheExtConfigUserDn" MULTI-value, syntax SUP DN */ } mvhl_extconfig_object; /******************************************************************/ typedef struct mvhl_aliasconf_object { char *aliasconfname; /* apacheAliasConfigObjectName, single value */ apr_array_header_t *aliassourceuri; /* apacheAliasConfigSourceUri */ char *aliastargetdir; /* apacheAliasConfigTargetDir */ apr_array_header_t *aliasconfservername; /* apacheAliasConfigServerName MULTI-value*/ } mvhl_aliasconf_object; /******************************************************************/ typedef struct mvhl_webuser { char *webusername; /* apacheExtConfigUserName, single-value */ apr_array_header_t *webuserpassword; /* userPassword, multi-value */ apr_array_header_t *webuserserver; /* apacheExtConfigUserServerName, server of this user, multi-value */ apr_array_header_t *webuserlocationuri; /* apacheExtConfigUserServerName, server of this user, multi-value */ apr_array_header_t *webuserdirectory; /* apacheExtConfigUserDirectoryName, server of this user, multi-value */ } mvhl_webuser;