Changeset 1530
- Timestamp:
- 01/27/2007 02:31:14 PM (21 months ago)
- Location:
- trunk
- Files:
-
- 3 modified
-
doc/authentication.txt (modified) (1 diff)
-
src/http_auth.h (modified) (1 diff)
-
src/mod_auth.c (modified) (7 diffs)
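--- a/trunk/doc/authentication.txt
+++ b/trunk/doc/authentication.txt
@@ -169,4 +169,8 @@
 auth.backend.ldap.starttls = "enable"
 auth.backend.ldap.ca-file = "/etc/CAcertificate.pem"
+# if server performs client certificates validation we can
+# connect using user defined client certificates
+auth.backend.ldap.cert = "/etc/cert.pem"
+auth.backend.ldap.key = "/etc/req.pem"
 
 ## restrictions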
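--- a/trunk/src/http_auth.h
+++ b/trunk/src/http_auth.h
@@ -36,4 +36,6 @@
 buffer *auth_ldap_filter;
 buffer *auth_ldap_cafile;
+buffer *auth_ldap_cert;
+buffer *auth_ldap_key;
 unsigned short auth_ldap_starttls;
 unsigned short auth_ldap_allow_empty_pw;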
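Review bot: The two new fields at new lines 38–39 carry no comment saying what they hold, and nothing in this struct distinguishes a file path from a DN or filter string. A one-line comment on each would do, e.g. `buffer *auth_ldap_cert; /* auth.backend.ldap.cert: path of the TLS client certificate file */` and `buffer *auth_ldap_key; /* auth.backend.ldap.key: path of the matching private key file */`, which matches how mod_auth.c feeds them to LDAP_OPT_X_TLS_CERTFILE and LDAP_OPT_X_TLS_KEYFILE. The enclosing struct starts and ends outside the hunk.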
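--- a/trunk/src/mod_auth.c
+++ b/trunk/src/mod_auth.c
@@ -80,4 +80,6 @@
 buffer_free(s->auth_ldap_filter);
 buffer_free(s->auth_ldap_cafile);
+buffer_free(s->auth_ldap_cert);
+buffer_free(s->auth_ldap_key);
 
 #ifdef USE_LDAP
@@ -115,4 +117,6 @@
 PATCH_OPTION(auth_ldap_filter);
 PATCH_OPTION(auth_ldap_cafile);
+PATCH_OPTION(auth_ldap_cert);
+PATCH_OPTION(auth_ldap_key);
 PATCH_OPTION(auth_ldap_starttls);
 PATCH_OPTION(auth_ldap_allow_empty_pw);
@@ -162,4 +166,8 @@
 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.ca-file"))) {
 PATCH_OPTION(auth_ldap_cafile);
+} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.cert"))) {
+PATCH_OPTION(auth_ldap_cert);
+} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.key"))) {
+PATCH_OPTION(auth_ldap_key);
 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.starttls"))) {
 PATCH_OPTION(auth_ldap_starttls);
@@ -307,18 +315,20 @@
 config_values_t cv[] = {
 { "auth.backend", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 0 */
-{ "auth.backend.plain.groupfile", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
-{ "auth.backend.plain.userfile", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
-{ "auth.require", NULL, T_CONFIG_LOCAL, T_CONFIG_SCOPE_CONNECTION },
-{ "auth.backend.ldap.hostname", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
-{ "auth.backend.ldap.base-dn", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
-{ "auth.backend.ldap.filter", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
-{ "auth.backend.ldap.ca-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
-{ "auth.backend.ldap.starttls", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION },
-{ "auth.backend.ldap.bind-dn", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
-{ "auth.backend.ldap.bind-pw", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 10 */
-{ "auth.backend.ldap.allow-empty-pw", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION },
-{ "auth.backend.htdigest.userfile", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
-{ "auth.backend.htpasswd.userfile", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
-{ "auth.debug", NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_CONNECTION }, /* 13 */
+{ "auth.backend.plain.groupfile", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 1 */
+{ "auth.backend.plain.userfile", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 2 */
+{ "auth.require", NULL, T_CONFIG_LOCAL, T_CONFIG_SCOPE_CONNECTION }, /* 3 */
+{ "auth.backend.ldap.hostname", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 4 */
+{ "auth.backend.ldap.base-dn", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 5 */
+{ "auth.backend.ldap.filter", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 6 */
+{ "auth.backend.ldap.ca-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 7 */
+{ "auth.backend.ldap.cert", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 8 */
+{ "auth.backend.ldap.key", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 9 */
+{ "auth.backend.ldap.starttls", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 10 */
+{ "auth.backend.ldap.bind-dn", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 11 */
+{ "auth.backend.ldap.bind-pw", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 12 */
+{ "auth.backend.ldap.allow-empty-pw", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 13 */
+{ "auth.backend.htdigest.userfile", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 14 */
+{ "auth.backend.htpasswd.userfile", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 15 */
+{ "auth.debug", NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_CONNECTION }, /* 16 */
 { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
 };
@@ -345,4 +355,6 @@
 s->auth_ldap_filter = buffer_init();
 s->auth_ldap_cafile = buffer_init();
+s->auth_ldap_cert = buffer_init();
+s->auth_ldap_key = buffer_init();
 s->auth_ldap_starttls = 0;
 s->auth_debug = 0;
@@ -364,11 +376,13 @@
 cv[6].destination = s->auth_ldap_filter;
 cv[7].destination = s->auth_ldap_cafile;
-cv[8].destination = &(s->auth_ldap_starttls);
-cv[9].destination = s->auth_ldap_binddn;
-cv[10].destination = s->auth_ldap_bindpw;
-cv[11].destination = &(s->auth_ldap_allow_empty_pw);
-cv[12].destination = s->auth_htdigest_userfile;
-cv[13].destination = s->auth_htpasswd_userfile;
-cv[14].destination = &(s->auth_debug);
+cv[8].destination = s->auth_ldap_cert;
+cv[9].destination = s->auth_ldap_key;
+cv[10].destination = &(s->auth_ldap_starttls);
+cv[11].destination = s->auth_ldap_binddn;
+cv[12].destination = s->auth_ldap_bindpw;
+cv[13].destination = &(s->auth_ldap_allow_empty_pw);
+cv[14].destination = s->auth_htdigest_userfile;
+cv[15].destination = s->auth_htpasswd_userfile;
+cv[16].destination = &(s->auth_debug);
 
 p->config_storage[i] = s;
@@ -613,4 +627,24 @@
 }
 
+if (!buffer_is_empty(s->auth_ldap_cert)) {
+if (LDAP_OPT_SUCCESS != (ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE,
+s->auth_ldap_cert->ptr))) {
+log_error_write(srv, __FILE__, __LINE__, "ss",
+"Loading TLS certificate failed:", ldap_err2string(ret));
+
+return HANDLER_ERROR;
+}
+}
+
+if (!buffer_is_empty(s->auth_ldap_key)) {
+if (LDAP_OPT_SUCCESS != (ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE,
+s->auth_ldap_key->ptr))) {
+log_error_write(srv, __FILE__, __LINE__, "ss",
+"Loading TLS key certificate failed:", ldap_err2string(ret));
+
+return HANDLER_ERROR;
+}
+}
+
 if (LDAP_OPT_SUCCESS != (ret = ldap_start_tls_s(s->ldap, NULL, NULL))) {
 log_error_write(srv, __FILE__, __LINE__, "ss", "ldap startTLS failed:", ldap_err2string(ret));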
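Review bot: A configuration that sets only one of auth.backend.ldap.cert and auth.backend.ldap.key is accepted by the two new blocks at new lines 629–647, because each is guarded independently, so the mismatch would presumably surface only when the TLS handshake runs, as an opaque error from ldap_start_tls_s rather than a configuration-time one. Reject the half-configured pair before either ldap_set_option call, as in the excerpt below. Both calls also pass a NULL handle, so the paths become library-wide defaults rather than settings of s->ldap; the ca-file above appears to be handled the same way so this is pre-existing design, but a comment is warranted because with several config contexts the last one initialised wins. The message at new line 643 reads `"Loading TLS key certificate failed:"`; `"Loading TLS key failed:"` says what actually failed. The enclosing function starts and ends outside the hunk.
```c
/* … unchanged: ca-file handling … */

/* cert and key are only meaningful as a pair; refuse a half-configured pair at startup */
if ((!buffer_is_empty(s->auth_ldap_cert)) != (!buffer_is_empty(s->auth_ldap_key))) {
	log_error_write(srv, __FILE__, __LINE__, "s",
		"auth.backend.ldap.cert and auth.backend.ldap.key must both be set");
	return HANDLER_ERROR;
}

/* … unchanged: LDAP_OPT_X_TLS_CERTFILE / LDAP_OPT_X_TLS_KEYFILE blocks and ldap_start_tls_s … */
```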

