Changeset 253
- Timestamp:
- 04/05/2005 10:41:05 AM (3 years ago)
- Location:
- trunk
- Files:
-
- 4 modified
-
doc/authentification.txt (modified) (6 diffs)
-
src/http_auth.c (modified) (1 diff)
-
src/http_auth.h (modified) (1 diff)
-
src/mod_auth.c (modified) (7 diffs)
trunk/doc/authentification.txt
r226 r253 40 40 41 41 The Digest method only transfers a hashed value over the 42 network which is performes a lot of work to harden the42 network which performs a lot of work to harden the 43 43 authentification process in insecure networks. 44 44 … … 113 113 ```` 114 114 115 the ldap backend is basic ly performing the following steps115 the ldap backend is basically performing the following steps 116 116 to authenticate a user 117 117 … … 121 121 4. disconnect 122 122 123 if step 4 is performswithout any error the user is123 if all 4 steps are performed without any error the user is 124 124 authenticated 125 125 … … 153 153 auth.backend.ldap.base-dn = "dc=my-domain,dc=com" 154 154 auth.backend.ldap.filter = "(uid=$)" 155 # if enabled, startTLS needs a valid (base64-encoded) CA 156 # certificate 157 auth.backend.ldap.starttls = "enable" 158 auth.backend.ldap.cafile = "/etc/CAcertificate.pem" 155 159 156 160 ## restrictions … … 163 167 # ) 164 168 # 165 # <realm> is a string t hat is should bedisplay in the dialog169 # <realm> is a string to display in the dialog 166 170 # presented to the user and is also used for the 167 171 # digest-algorithm and has to match the realm in the … … 183 187 ) 184 188 185 Limit iations189 Limitations 186 190 ============ 187 191 188 192 - The implementation of digest method is currently not 189 completely co nforming to the standard as it is still allowing193 completely compliant with the standard as it still allows 190 194 a replay attack. 191 195 -
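--- a/trunk/src/http_auth.c
+++ b/trunk/src/http_auth.c
@@ -570,4 +570,14 @@
 	}
 
+	if (p->conf.auth_ldap_starttls == 1) {
+		if (LDAP_OPT_SUCCESS != (ret = ldap_start_tls_s(ldap, NULL, NULL))) {
+			log_error_write(srv, __FILE__, __LINE__, "ss", "ldap startTLS failed:", ldap_err2string(ret));
+
+			ldap_unbind_s(ldap);
+
+			return -1;
+		}
+	}
+
 
 	if (LDAP_SUCCESS != (ret = ldap_simple_bind_s(ldap, dn, pw))) {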
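Review bot: The StartTLS in this hunk is gated only on `p->conf.auth_ldap_starttls == 1`, whereas the startup path in mod_auth.c installs the CA file and test-runs StartTLS only when a ca-file is also configured, so a context with `starttls` enabled and no ca-file reaches this code and negotiates TLS whose peer verification rests entirely on the libldap defaults — and the `ldap_simple_bind_s(ldap, dn, pw)` that follows then sends the user's password over that connection. Either reject that configuration at startup or mirror the same condition here, and add a comment above the block such as `/* StartTLS must succeed before the bind below transmits the user's credentials; failure unbinds the handle and denies auth */`. The failure path (unbind, return -1) already fails closed, which is the right behaviour. The enclosing function starts before and continues after this hunk.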
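--- a/trunk/src/http_auth.h
+++ b/trunk/src/http_auth.h
@@ -29,4 +29,6 @@
 	buffer *auth_ldap_basedn;
 	buffer *auth_ldap_filter;
+	buffer *auth_ldap_cafile;
+	unsigned short auth_ldap_starttls;
 
 	unsigned short auth_debug;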
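--- a/trunk/src/mod_auth.c
+++ b/trunk/src/mod_auth.c
@@ -71,4 +71,5 @@
 			buffer_free(s->auth_ldap_basedn);
 			buffer_free(s->auth_ldap_filter);
+			buffer_free(s->auth_ldap_cafile);
 
 #ifdef USE_LDAP
@@ -134,4 +135,8 @@
 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.filter"))) {
 				PATCH(auth_ldap_filter);
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.ca-file"))) {
+				PATCH(auth_ldap_cafile);
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.starttls"))) {
+				PATCH(auth_ldap_starttls);
 			}
 		}
@@ -156,4 +161,6 @@
 	PATCH(auth_ldap_basedn);
 	PATCH(auth_ldap_filter);
+	PATCH(auth_ldap_cafile);
+	PATCH(auth_ldap_starttls);
 #ifdef USE_LDAP
 	PATCH(ldap);
@@ -300,7 +307,9 @@
 		{ "auth.backend.ldap.base-dn", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
 		{ "auth.backend.ldap.filter", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
+		{ "auth.backend.ldap.ca-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
+		{ "auth.backend.ldap.starttls", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION },
 		{ "auth.backend.htdigest.userfile", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
 		{ "auth.backend.htpasswd.userfile", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
-		{ "auth.debug", NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_CONNECTION }, /* 9*/
+		{ "auth.debug", NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_CONNECTION }, /* 11 */
 		{ NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
 	};
@@ -324,4 +333,6 @@
 		s->auth_ldap_basedn = buffer_init();
 		s->auth_ldap_filter = buffer_init();
+		s->auth_ldap_cafile = buffer_init();
+		s->auth_ldap_starttls = 0;
 		s->auth_debug = 0;
 
@@ -341,7 +352,9 @@
 		cv[5].destination = s->auth_ldap_basedn;
 		cv[6].destination = s->auth_ldap_filter;
-		cv[7].destination = s->auth_htdigest_userfile;
-		cv[8].destination = s->auth_htpasswd_userfile;
-		cv[9].destination = &(s->auth_debug);
+		cv[7].destination = s->auth_ldap_cafile;
+		cv[8].destination = &(s->auth_ldap_starttls);
+		cv[9].destination = s->auth_htdigest_userfile;
+		cv[10].destination = s->auth_htpasswd_userfile;
+		cv[11].destination = &(s->auth_debug);
 
 		p->config_storage[i] = s;
@@ -535,6 +548,20 @@
 			if (LDAP_OPT_SUCCESS != (ret = ldap_set_option(s->ldap, LDAP_OPT_PROTOCOL_VERSION, &ret))) {
 				log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
-
-				return HANDLER_ERROR;
+
+				return HANDLER_ERROR;
+			}
+
+			if (s->auth_ldap_starttls && !buffer_is_empty(s->auth_ldap_cafile) ) {
+				if (LDAP_OPT_SUCCESS != (ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, s->auth_ldap_cafile->ptr))) {
+					log_error_write(srv, __FILE__, __LINE__, "ss", "Loading CA certificate failed:", ldap_err2string(ret));
+
+					return HANDLER_ERROR;
+				}
+
+				if (LDAP_OPT_SUCCESS != (ret = ldap_start_tls_s(s->ldap, NULL, NULL))) {
+					log_error_write(srv, __FILE__, __LINE__, "ss", "ldap startTLS failed:", ldap_err2string(ret));
+
+					return HANDLER_ERROR;
+				}
 			}
 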
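Review bot: `ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ...)` in the last hunk sets a library-global default rather than a per-handle one, and it runs inside the per-context loop, so when several contexts carry different `auth.backend.ldap.ca-file` values the last one processed silently overrides the others for every connection — including the per-request handle opened in http_auth.c; a comment such as `/* NULL handle: this CA file becomes the process-wide default for all libldap connections */` would spare the next reader that surprise. The guard `s->auth_ldap_starttls && !buffer_is_empty(s->auth_ldap_cafile)` also means `starttls` enabled without a ca-file is accepted silently here, so a misconfigured context gets no startup error while http_auth.c still runs StartTLS for it; consider `if (s->auth_ldap_starttls && buffer_is_empty(s->auth_ldap_cafile)) { log_error_write(srv, __FILE__, __LINE__, "s", "auth.backend.ldap.starttls requires auth.backend.ldap.ca-file"); return HANDLER_ERROR; }` ahead of this block. Nothing in the hunk sets `LDAP_OPT_X_TLS_REQUIRE_CERT`, so whether a server certificate that does not chain to the configured CA actually aborts StartTLS depends on the library's own default — worth verifying or setting explicitly. The new HANDLER_ERROR returns leave `s->ldap` without an unbind, matching the existing protocol-version branch, so that is at most a startup-time leak.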

