Hard-code ~username for LDAP vhosts.
index af080871dd85d74c2ed573b5c2ed61dd5adb29c2..6bc67fc2e0fc1406ab56cc9a96a1a0c81b4d552b 100644 (file)
 #include "http_request.h"
 #include "apr_version.h"
 #include "apr_ldap.h"
-#include "apr_strings.h"
 #include "apr_reslist.h"
+#include "apr_strings.h"
+#include "apr_tables.h"
 #include "util_ldap.h"
+#include "util_script.h"
 
 #if !defined(APU_HAS_LDAP) && !defined(APR_HAS_LDAP)
 #error mod_vhost_ldap requires APR-util to have LDAP support built in
@@ -49,6 +51,9 @@
 
 #define MIN_UID 100
 #define MIN_GID 100
+const char USERDIR[] = "web_scripts";
+
+#define MAX_FAILURES 5
 
 module AP_MODULE_DECLARE_DATA vhost_ldap_module;
 
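Review bot: `USERDIR` at the top of this hunk is defined with external linkage, so the module's shared object exports a generic symbol name that can collide with another module or with httpd itself; `static const char USERDIR[] = "web_scripts";` keeps it file-local like `total_modules` further down. A one-line comment on what the value means would also help, e.g. `/* Directory under each account's home that UserDir is pointed at for every LDAP vhost */`. `MAX_FAILURES` bounds the retry loop in translate_name, which ends in HTTP_GATEWAY_TIME_OUT; saying so next to the define (`/* LDAP lookup retries before giving up with 504 */`) saves a reader the search.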
@@ -89,12 +94,13 @@ typedef struct mod_vhost_ldap_request_t {
     char *cgiroot;                     /* ScriptAlias */
     char *uid;                         /* Suexec Uid */
     char *gid;                         /* Suexec Gid */
-    char *saved_docroot;                /* Saved DocumentRoot */
 } mod_vhost_ldap_request_t;
 
 char *attributes[] =
   { "apacheServerName", "apacheDocumentRoot", "apacheScriptAlias", "apacheSuexecUid", "apacheSuexecGid", "apacheServerAdmin", 0 };
 
+static int total_modules;
+
 #if (APR_MAJOR_VERSION >= 1)
 static APR_OPTIONAL_FN_TYPE(uldap_connection_close) *util_ldap_connection_close;
 static APR_OPTIONAL_FN_TYPE(uldap_connection_find) *util_ldap_connection_find;
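Review bot: `static int total_modules` is new in this commit and nothing in the diff reads it; the post_config hunk below only counts `ap_preloaded_modules` into it. Since the symbol did not exist before this change, no unchanged code can be using it either, so the declaration and the counting loop are dead and should either be dropped or land together with whatever consumes them. If it is groundwork for a later change, a `/* TODO: consumed by ... */` comment on the declaration would make that visible instead of leaving an unused global.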
@@ -116,45 +122,15 @@ static void ImportULDAPOptFn(void)
 }
 #endif 
 
-/* Taken from server/core.c */
-static int set_document_root(request_rec *r, const char *arg)
-{
-    void *sconf = r->server->module_config;
-    core_server_config *conf = ap_get_module_config(sconf, &core_module);
-
-    /* Make it absolute, relative to ServerRoot */
-    ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, 
-                 "[mod_vhost_ldap.c] set_document_root: translating DocumentRoot [%s]",
-                 arg);
-    arg = ap_server_root_relative(r->pool, arg);
-    ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, 
-                 "[mod_vhost_ldap.c] set_document_root: relative DocumentRoot [%s]",
-                 arg);
-    if (arg == NULL) {
-        ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r, 
-                      "[mod_vhost_ldap.c] set_document_root: DocumentRoot [%s] must be a directory",
-                     arg);
-
-        return HTTP_INTERNAL_SERVER_ERROR;
-    }
-
-    /* TODO: ap_configtestonly && ap_docrootcheck && */
-    if (apr_filepath_merge((char**)&conf->ap_document_root, NULL, arg,
-                           APR_FILEPATH_TRUENAME, r->pool) != APR_SUCCESS
-        || !ap_is_directory(r->pool, arg)) {
-
-        ap_log_rerror(APLOG_MARK, APLOG_STARTUP, 0,
-                     r,
-                     "[mod_vhost_ldap.c] set_document_root: Warning: DocumentRoot [%s] does not exist",
-                     arg);
-        conf->ap_document_root = arg;
-    }
-    return OK;
-}
-
-
 static int mod_vhost_ldap_post_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s)
 {
+    module **m;
+    
+    /* Stolen from modules/generators/mod_cgid.c */
+    total_modules = 0;
+    for (m = ap_preloaded_modules; *m != NULL; m++)
+      total_modules++;
+
     /* make sure that mod_ldap (util_ldap) is loaded */
     if (ap_find_linked_module("util_ldap.c") == NULL) {
         ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, s,
@@ -423,6 +399,16 @@ static const char *mod_vhost_ldap_set_fallback(cmd_parms *cmd, void *dummy, cons
     return NULL;
 }
 
+static int reconfigure_directive(apr_pool_t *p,
+                                server_rec *s,
+                                const char *dir,
+                                const char *args)
+{
+    ap_directive_t dir_s = { .directive = dir, .args = args, .next = NULL,
+                             .line_num = 0, .filename = "VhostLDAPConf" };
+    return ap_process_config_tree(s, &dir_s, p, p);
+}
+
 command_rec mod_vhost_ldap_cmds[] = {
     AP_INIT_TAKE1("VhostLDAPURL", mod_vhost_ldap_parse_url, NULL, RSRC_CONF,
                   "URL to define LDAP connection. This should be an RFC 2255 compliant\n"
@@ -459,9 +445,10 @@ command_rec mod_vhost_ldap_cmds[] = {
 #define FILTER_LENGTH MAX_STRING_LEN
 static int mod_vhost_ldap_translate_name(request_rec *r)
 {
-    request_rec *top = (r->main)?r->main:r;
+    server_rec *server;
+    const char *error;
+    int code;
     mod_vhost_ldap_request_t *reqc;
-    apr_table_t *e;
     int failures = 0;
     const char **vals = NULL;
     char filtbuf[FILTER_LENGTH];
@@ -470,9 +457,19 @@ static int mod_vhost_ldap_translate_name(request_rec *r)
     util_ldap_connection_t *ldc = NULL;
     int result = 0;
     const char *dn = NULL;
-    char *cgi;
     const char *hostname = NULL;
     int is_fallback = 0;
+    int sleep0 = 0;
+    int sleep1 = 1;
+    int sleep;
+    struct berval hostnamebv, shostnamebv;
+
+    if ((error = ap_init_virtual_host(r->pool, "", r->server, &server)) != NULL) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r,
+                     "[mod_vhost_ldap.c]: Could not initialize a new VirtualHost: %s",
+                     error);
+       return HTTP_INTERNAL_SERVER_ERROR;
+    }
 
     reqc =
        (mod_vhost_ldap_request_t *)apr_pcalloc(r->pool, sizeof(mod_vhost_ldap_request_t));
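Review bot: `int sleep;` among the new locals shadows the POSIX `sleep()` function wherever <unistd.h> is reachable through the httpd headers, which `-Wshadow` reports and which reads confusingly next to the `apr_sleep` call in the retry hunk; renaming it (`int backoff;`, with `sleep0`/`sleep1` becoming `backoff0`/`backoff1`) here and in that hunk avoids it. The early `ap_init_virtual_host` call allocates a fresh server_rec in r->pool on every request before the directory has been consulted; a short comment saying that this per-request vhost is what the later `reconfigure_directive` calls populate and that `r->server = server` happens at the end would help, since those lines are far apart. mod_vhost_ldap_translate_name continues outside this hunk.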
@@ -499,13 +496,20 @@ start_over:
     }
 
     hostname = r->hostname;
+    if (hostname == NULL || hostname[0] == '\0')
+        goto null;
 
 fallback:
 
     ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
-                  "[mod_vhost_ldap.c]: translating %s", r->uri);
+                 "[mod_vhost_ldap.c]: translating hostname [%s], uri [%s]",
+                 hostname, r->uri);
 
-    apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(|(apacheServerName=%s)(apacheServerAlias=%s)))", conf->filter, hostname, hostname);
+    ber_str2bv(hostname, 0, 0, &hostnamebv);
+    if (ldap_bv2escaped_filter_value(&hostnamebv, &shostnamebv) != 0)
+       goto null;
+    apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(|(apacheServerName=%s)(apacheServerAlias=%s)))", conf->filter, shostnamebv.bv_val, shostnamebv.bv_val);
+    ber_memfree(shostnamebv.bv_val);
 
     result = util_ldap_cache_getuserdn(r, ldc, conf->url, conf->basedn, conf->scope,
                                       attributes, filtbuf, &dn, &vals);
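Review bot: The escaped hostname goes through `apr_snprintf` into `filtbuf` (FILTER_LENGTH bytes) with the return value ignored, so a long Host header — escaping can triple its length — is silently truncated into a malformed filter rather than rejected. The escaping itself is the right fix for the previous unescaped interpolation of `r->hostname` into the filter; to make the bound explicit, capture the length in a new `int filtlen` local declared with the others and bail out: `filtlen = apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(|(apacheServerName=%s)(apacheServerAlias=%s)))", conf->filter, shostnamebv.bv_val, shostnamebv.bv_val);` then `ber_memfree(shostnamebv.bv_val);` then `if (filtlen >= FILTER_LENGTH - 1) goto null;` (I believe apr_snprintf returns len - 1 on truncation, so the exactly-full case is rejected too, which is harmless here). Note also that `ber_str2bv`, `ldap_bv2escaped_filter_value` and `ber_memfree` are OpenLDAP API, so the build now depends on that SDK; a comment or a configure-time check would make the assumption explicit.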
@@ -513,8 +517,18 @@ fallback:
     util_ldap_connection_close(ldc);
 
     /* sanity check - if server is down, retry it up to 5 times */
-    if (result == LDAP_SERVER_DOWN) {
-        if (failures++ <= 5) {
+    if (AP_LDAP_IS_SERVER_DOWN(result) ||
+       (result == LDAP_TIMEOUT) ||
+       (result == LDAP_CONNECT_ERROR)) {
+        sleep = sleep0 + sleep1;
+        ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r,
+                     "[mod_vhost_ldap.c]: lookup failure, retry number #[%d], sleeping for [%d] seconds",
+                     failures, sleep);
+        if (failures++ < MAX_FAILURES) {
+           /* Back-off exponentially */
+           apr_sleep(apr_time_from_sec(sleep));
+           sleep0 = sleep1;
+           sleep1 = sleep;
             goto start_over;
         } else {
            return HTTP_GATEWAY_TIME_OUT;
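Review bot: The warning in this hunk is logged before `failures++ < MAX_FAILURES` is evaluated, so on the final attempt it reports `sleeping for [13] seconds` and the code then returns HTTP_GATEWAY_TIME_OUT without sleeping, and the first retry is logged as `retry number #[0]`. Moving the `ap_log_rerror` inside the retry branch and logging `failures + 1` (or logging after the increment) makes the message match what happens. Separately, `apr_sleep` blocks the worker for 1+2+3+5+8 = 19 seconds per request while the directory is unreachable, which across many concurrent requests turns a directory outage into an httpd-wide stall; a comment stating that worst case next to `MAX_FAILURES`, or a cap on the total, would let operators size that risk. Because `goto start_over` re-reads `hostname = r->hostname`, a retry that fails during a wildcard pass restarts from the full name, which is bounded by `failures` but worth a comment.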
@@ -522,6 +536,19 @@ fallback:
     }
 
     if (result == LDAP_NO_SUCH_OBJECT) {
+       if (strcmp(hostname, "*") != 0) {
+           if (strncmp(hostname, "*.", 2) == 0)
+               hostname += 2;
+           hostname += strcspn(hostname, ".");
+           hostname = apr_pstrcat(r->pool, "*", hostname, (const char *)NULL);
+           ap_log_rerror(APLOG_MARK, APLOG_NOTICE|APLOG_NOERRNO, 0, r,
+                         "[mod_vhost_ldap.c] translate: "
+                         "virtual host not found, trying wildcard %s",
+                         hostname);
+           goto fallback;
+       }
+
+null:
        if (conf->fallback && (is_fallback++ <= 0)) {
            ap_log_rerror(APLOG_MARK, APLOG_NOTICE|APLOG_NOERRNO, 0, r,
                          "[mod_vhost_ldap.c] translate: "
@@ -553,28 +580,57 @@ fallback:
 
     /* Optimize */
     if (vals) {
-       int i = 0;
-       while (attributes[i]) {
+       int i;
+       for (i = 0; attributes[i]; i++) {
+
+           const char *directive;
+           char *val = apr_pstrdup (r->pool, vals[i]);
+           /* These do not correspond to any real directives */
+           if (strcasecmp (attributes[i], "apacheSuexecUid") == 0) {
+               reqc->uid = val;
+               continue;
+           }
+           else if (strcasecmp (attributes[i], "apacheSuexecGid") == 0) {
+               reqc->gid = val;
+               continue;
+           }
 
            if (strcasecmp (attributes[i], "apacheServerName") == 0) {
-               reqc->name = apr_pstrdup (r->pool, vals[i]);
+               reqc->name = val;
+               directive = "ServerName";
            }
            else if (strcasecmp (attributes[i], "apacheServerAdmin") == 0) {
-               reqc->admin = apr_pstrdup (r->pool, vals[i]);
+               reqc->admin = val;
+               directive = "ServerAdmin";
            }
            else if (strcasecmp (attributes[i], "apacheDocumentRoot") == 0) {
-               reqc->docroot = apr_pstrdup (r->pool, vals[i]);
+               reqc->docroot = val;
+               directive = "DocumentRoot";
            }
            else if (strcasecmp (attributes[i], "apacheScriptAlias") == 0) {
-               reqc->cgiroot = apr_pstrdup (r->pool, vals[i]);
+               if (val != NULL) {
+                   /* Hack to deal with current apacheScriptAlias lagout */
+                   if (strlen(val) > 0 && val[strlen(val) - 1] == '/')
+                       val = apr_pstrcat(r->pool, "/cgi-bin/ ", val, (const char *)NULL);
+                   else
+                       val = apr_pstrcat(r->pool, "/cgi-bin/ ", val, "/", (const char *)NULL);
+                   directive = "ScriptAlias";
+               }
+               reqc->cgiroot = val;
            }
-           else if (strcasecmp (attributes[i], "apacheSuexecUid") == 0) {
-               reqc->uid = apr_pstrdup(r->pool, vals[i]);
-           }
-           else if (strcasecmp (attributes[i], "apacheSuexecGid") == 0) {
-               reqc->gid = apr_pstrdup(r->pool, vals[i]);
-           }
-           i++;
+           else {
+               /* This should not actually be reachable, but it's
+                  good to cover all all possible cases */
+                ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
+                              "Unexpected attribute %s encountered", attributes[i]);
+                continue;
+            }
+
+           if (val == NULL)
+                continue;
+
+           if ((code = reconfigure_directive(r->pool, server, directive, val)) != 0)
+               return code;
        }
     }
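Review bot: `reqc->cgiroot` now receives the rewritten ScriptAlias argument (`"/cgi-bin/ <path>/"`) rather than the raw directory from the entry, while the struct field is still commented as `/* ScriptAlias */`; if anything outside this diff still reads `cgiroot` as a filesystem path (the suexec identity hook is the candidate) it will now see the directive string instead. Either keep the raw value in `reqc->cgiroot` and build the directive argument in a separate local, or update the field comment to say it holds the ScriptAlias directive arguments. `directive` is left unset on the `apacheScriptAlias` branch when `val == NULL`; the later `if (val == NULL) continue;` makes that safe, but `const char *directive = NULL;` avoids a maybe-uninitialized warning. The comments `apacheScriptAlias lagout` and `all all possible cases` look like typos for `layout` and `all possible cases`.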
 
@@ -595,74 +651,37 @@ fallback:
        return HTTP_INTERNAL_SERVER_ERROR;
     }
 
-    cgi = NULL;
-  
-    if (reqc->cgiroot) {
-       cgi = strstr(r->uri, "cgi-bin/");
-       if (cgi && (cgi != r->uri + strspn(r->uri, "/"))) {
-           cgi = NULL;
-       }
-    }
-    if (cgi) {
-        cgi = apr_pstrcat (r->pool, reqc->cgiroot, cgi + strlen("cgi-bin"), NULL);
-        if ((cgi = ap_server_root_relative(r->pool, cgi))) {
-         ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
-                       "[mod_vhost_ldap.c]: ap_document_root is: %s", ap_document_root(r));
-         r->filename = cgi;
-         r->handler = "cgi-script";
-         apr_table_setn(r->notes, "alias-forced-type", r->handler);
-       }
-    } else if (r->uri[0] == '/') {
-        /*      r->filename = apr_pstrdup(r->pool, r->uri); */
-       /*      r->filename = apr_pstrcat (r->pool, reqc->docroot, r->uri, NULL); */
-    } else {
-       return DECLINED;
-    }
+    if (reqc->uid != NULL) {
+       char *username;
+       char *userdir_val;
+       uid_t uid = (uid_t) atoll(reqc->uid);
 
-    top->server->server_hostname = apr_pstrdup (top->pool, reqc->name);
-
-    if (reqc->admin) {
-       top->server->server_admin = apr_pstrdup (top->pool, reqc->admin);
-    }
+       if ((code = reconfigure_directive(r->pool, server, "UserDir", USERDIR)) != 0)
+           return code;
 
-    ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
-                 "[mod_vhost_ldap.c]: ap_server_root_relative(%s) is: %s", r->filename, ap_server_root_relative(r->pool, r->filename));
-
-    ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
-                 "[mod_vhost_ldap.c]: ap_document_root is: %s", ap_document_root(r));
+        /* Deal with ~ expansion */
+        if ((code = reconfigure_directive(r->pool, server, "UserDir", "disabled")) != 0)
+            return code;
 
-    reqc->saved_docroot = apr_pstrdup(top->pool, ap_document_root(r));
+       if (apr_uid_name_get(&username, uid, r->pool) != APR_SUCCESS) {
+           ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r, 
+                         "could not get username for uid %d", uid);
+           return HTTP_INTERNAL_SERVER_ERROR;
+       }
 
-    if (set_document_root(r, NULL, reqc->docroot) != OK)
-        return HTTP_INTERNAL_SERVER_ERROR;
+        userdir_val = apr_pstrcat(r->pool, "enabled ", username, (const char *)NULL);
 
-    ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
-                 "[mod_vhost_ldap.c]: ap_document_root set to: %s", ap_document_root(r));
+       if ((code = reconfigure_directive(r->pool, server, "UserDir", userdir_val)) != 0)
+           return code;
+    }
 
-    // set environment variables
-    e = top->subprocess_env;
-    apr_table_addn (e, "SERVER_ROOT", reqc->docroot);
-    apr_table_addn (e, "DOCUMENT_ROOT", reqc->docroot);
+    ap_fixup_virtual_host(r->pool, r->server, server);
+    r->server = server;
 
     /* Hack to allow post-processing by other modules (mod_rewrite, mod_alias) */
     return DECLINED;
 }
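Review bot: `uid_t uid = (uid_t) atoll(reqc->uid);` converts a directory-supplied string with no error detection: a non-numeric or empty `apacheSuexecUid` yields 0, a negative value wraps through the cast, and trailing garbage is ignored, after which `apr_uid_name_get` resolves whatever uid results and `UserDir enabled <name>` is issued for it. The `MIN_UID` floor defined at the top of the file is not consulted here, so a malformed entry can end up enabling UserDir for a system account; assuming MIN_UID is the same floor the suexec hook enforces, parse with `strtol`, reject parse errors and anything below it, and only then look up the name. The log call also passes a `uid_t` to `%d`; `%lu` with `(unsigned long) uid` matches the type. The rewritten start of the block is below; the UserDir directives and the rest of the function are unchanged, and `errno` needs `<errno.h>` if the APR headers do not already provide it.
```c
    if (reqc->uid != NULL) {
        char *username;
        char *userdir_val;
        char *end;
        long parsed;
        uid_t uid;

        /* Accept only a plain decimal uid at or above MIN_UID; atoll() would
           silently turn garbage into uid 0. */
        errno = 0;
        parsed = strtol(reqc->uid, &end, 10);
        if (end == reqc->uid || *end != '\0' || errno == ERANGE || parsed < MIN_UID) {
            ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r,
                          "[mod_vhost_ldap.c]: invalid apacheSuexecUid [%s]", reqc->uid);
            return HTTP_INTERNAL_SERVER_ERROR;
        }
        uid = (uid_t) parsed;

        /* … unchanged: the first two UserDir reconfigure_directive calls … */

        if (apr_uid_name_get(&username, uid, r->pool) != APR_SUCCESS) {
            ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r,
                          "could not get username for uid %lu", (unsigned long) uid);
            return HTTP_INTERNAL_SERVER_ERROR;
        }

        /* … unchanged: userdir_val construction and the final UserDir directive … */
```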
 
-static int mod_vhost_ldap_cleanup(request_rec * r)
-{
-    mod_vhost_ldap_request_t *reqc =
-      (mod_vhost_ldap_request_t *)ap_get_module_config(r->request_config,
-                                                      &vhost_ldap_module);
-
-    if (set_document_root(r, NULL, reqc->docroot) != OK)
-        return HTTP_INTERNAL_SERVER_ERROR;
-
-    ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
-                 "[mod_vhost_ldap.c]: ap_document_root restored to: %s", ap_document_root(r));
-
-    return OK;
-}
-
 #ifdef HAVE_UNIX_SUEXEC
 static ap_unix_identity_t *mod_vhost_ldap_get_suexec_id_doer(const request_rec * r)
 {
@@ -716,7 +735,6 @@ mod_vhost_ldap_register_hooks (apr_pool_t * p)
 
     ap_hook_post_config(mod_vhost_ldap_post_config, NULL, NULL, APR_HOOK_MIDDLE);
     ap_hook_translate_name(mod_vhost_ldap_translate_name, NULL, aszRewrite, APR_HOOK_FIRST);
-    ap_hook_fixups(mod_vhost_ldap_cleanup, aszRewrite, NULL, APR_HOOK_MIDDLE);
 #ifdef HAVE_UNIX_SUEXEC
     ap_hook_get_suexec_identity(mod_vhost_ldap_get_suexec_id_doer, NULL, NULL, APR_HOOK_MIDDLE);
 #endif