1 | /* ============================================================ |
---|
2 | * Copyright (c) 2003-2004, Ondrej Sury |
---|
3 | * All rights reserved. |
---|
4 | * |
---|
5 | * Licensed under the Apache License, Version 2.0 (the "License"); |
---|
6 | * you may not use this file except in compliance with the License. |
---|
7 | * You may obtain a copy of the License at |
---|
8 | * |
---|
9 | * http://www.apache.org/licenses/LICENSE-2.0 |
---|
10 | * |
---|
11 | * Unless required by applicable law or agreed to in writing, software |
---|
12 | * distributed under the License is distributed on an "AS IS" BASIS, |
---|
13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
---|
14 | * See the License for the specific language governing permissions and |
---|
15 | * limitations under the License. |
---|
16 | * |
---|
17 | */ |
---|
18 | |
---|
19 | /* |
---|
20 | * mod_vhost_ldap.c --- read virtual host config from LDAP directory |
---|
21 | */ |
---|
22 | |
---|
23 | #define CORE_PRIVATE |
---|
24 | |
---|
25 | #include <unistd.h> |
---|
26 | |
---|
27 | #include "httpd.h" |
---|
28 | #include "http_config.h" |
---|
29 | #include "http_core.h" |
---|
30 | #include "http_log.h" |
---|
31 | #include "http_request.h" |
---|
32 | #include "apr_version.h" |
---|
33 | #include "apr_ldap.h" |
---|
34 | #include "apr_reslist.h" |
---|
35 | #include "apr_strings.h" |
---|
36 | #include "apr_tables.h" |
---|
37 | #include "util_ldap.h" |
---|
38 | #include "util_script.h" |
---|
39 | |
---|
40 | #if !defined(APU_HAS_LDAP) && !defined(APR_HAS_LDAP) |
---|
41 | #error mod_vhost_ldap requires APR-util to have LDAP support built in |
---|
42 | #endif |
---|
43 | |
---|
44 | #if !defined(WIN32) && !defined(OS2) && !defined(BEOS) && !defined(NETWARE) |
---|
45 | #define HAVE_UNIX_SUEXEC |
---|
46 | #endif |
---|
47 | |
---|
48 | #ifdef HAVE_UNIX_SUEXEC |
---|
49 | #include "unixd.h" /* Contains the suexec_identity hook used on Unix */ |
---|
50 | #endif |
---|
51 | |
---|
52 | #define MIN_UID 100 |
---|
53 | #define MIN_GID 100 |
---|
54 | const char USERDIR[] = "web_scripts"; |
---|
55 | |
---|
56 | #define MAX_FAILURES 5 |
---|
57 | |
---|
58 | module AP_MODULE_DECLARE_DATA vhost_ldap_module; |
---|
59 | |
---|
60 | typedef enum { |
---|
61 | MVL_UNSET, MVL_DISABLED, MVL_ENABLED |
---|
62 | } mod_vhost_ldap_status_e; |
---|
63 | |
---|
64 | typedef struct mod_vhost_ldap_config_t { |
---|
65 | mod_vhost_ldap_status_e enabled; /* Is vhost_ldap enabled? */ |
---|
66 | |
---|
67 | /* These parameters are all derived from the VhostLDAPURL directive */ |
---|
68 | char *url; /* String representation of LDAP URL */ |
---|
69 | |
---|
70 | char *host; /* Name of the LDAP server (or space separated list) */ |
---|
71 | int port; /* Port of the LDAP server */ |
---|
72 | char *basedn; /* Base DN to do all searches from */ |
---|
73 | int scope; /* Scope of the search */ |
---|
74 | char *filter; /* Filter to further limit the search */ |
---|
75 | deref_options deref; /* how to handle alias dereferening */ |
---|
76 | |
---|
77 | char *binddn; /* DN to bind to server (can be NULL) */ |
---|
78 | char *bindpw; /* Password to bind to server (can be NULL) */ |
---|
79 | |
---|
80 | int have_deref; /* Set if we have found an Deref option */ |
---|
81 | int have_ldap_url; /* Set if we have found an LDAP url */ |
---|
82 | |
---|
83 | int secure; /* True if SSL connections are requested */ |
---|
84 | |
---|
85 | char *fallback; /* Fallback virtual host */ |
---|
86 | |
---|
87 | } mod_vhost_ldap_config_t; |
---|
88 | |
---|
89 | typedef struct mod_vhost_ldap_request_t { |
---|
90 | char *dn; /* The saved dn from a successful search */ |
---|
91 | char *name; /* ServerName */ |
---|
92 | char *admin; /* ServerAdmin */ |
---|
93 | char *docroot; /* DocumentRoot */ |
---|
94 | char *cgiroot; /* ScriptAlias */ |
---|
95 | char *uid; /* Suexec Uid */ |
---|
96 | char *gid; /* Suexec Gid */ |
---|
97 | } mod_vhost_ldap_request_t; |
---|
98 | |
---|
99 | char *attributes[] = |
---|
100 | { "apacheServerName", "apacheDocumentRoot", "apacheScriptAlias", "apacheSuexecUid", "apacheSuexecGid", "apacheServerAdmin", 0 }; |
---|
101 | |
---|
102 | static int total_modules; |
---|
103 | |
---|
104 | #if (APR_MAJOR_VERSION >= 1) |
---|
105 | static APR_OPTIONAL_FN_TYPE(uldap_connection_close) *util_ldap_connection_close; |
---|
106 | static APR_OPTIONAL_FN_TYPE(uldap_connection_find) *util_ldap_connection_find; |
---|
107 | static APR_OPTIONAL_FN_TYPE(uldap_cache_comparedn) *util_ldap_cache_comparedn; |
---|
108 | static APR_OPTIONAL_FN_TYPE(uldap_cache_compare) *util_ldap_cache_compare; |
---|
109 | static APR_OPTIONAL_FN_TYPE(uldap_cache_checkuserid) *util_ldap_cache_checkuserid; |
---|
110 | static APR_OPTIONAL_FN_TYPE(uldap_cache_getuserdn) *util_ldap_cache_getuserdn; |
---|
111 | static APR_OPTIONAL_FN_TYPE(uldap_ssl_supported) *util_ldap_ssl_supported; |
---|
112 | |
---|
113 | static void ImportULDAPOptFn(void) |
---|
114 | { |
---|
115 | util_ldap_connection_close = APR_RETRIEVE_OPTIONAL_FN(uldap_connection_close); |
---|
116 | util_ldap_connection_find = APR_RETRIEVE_OPTIONAL_FN(uldap_connection_find); |
---|
117 | util_ldap_cache_comparedn = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_comparedn); |
---|
118 | util_ldap_cache_compare = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_compare); |
---|
119 | util_ldap_cache_checkuserid = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_checkuserid); |
---|
120 | util_ldap_cache_getuserdn = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_getuserdn); |
---|
121 | util_ldap_ssl_supported = APR_RETRIEVE_OPTIONAL_FN(uldap_ssl_supported); |
---|
122 | } |
---|
123 | #endif |
---|
124 | |
---|
125 | static int mod_vhost_ldap_post_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s) |
---|
126 | { |
---|
127 | module **m; |
---|
128 | |
---|
129 | /* Stolen from modules/generators/mod_cgid.c */ |
---|
130 | total_modules = 0; |
---|
131 | for (m = ap_preloaded_modules; *m != NULL; m++) |
---|
132 | total_modules++; |
---|
133 | |
---|
134 | /* make sure that mod_ldap (util_ldap) is loaded */ |
---|
135 | if (ap_find_linked_module("util_ldap.c") == NULL) { |
---|
136 | ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, s, |
---|
137 | "Module mod_ldap missing. Mod_ldap (aka. util_ldap) " |
---|
138 | "must be loaded in order for mod_vhost_ldap to function properly"); |
---|
139 | return HTTP_INTERNAL_SERVER_ERROR; |
---|
140 | |
---|
141 | } |
---|
142 | |
---|
143 | ap_add_version_component(p, MOD_VHOST_LDAP_VERSION); |
---|
144 | |
---|
145 | return OK; |
---|
146 | } |
---|
147 | |
---|
148 | static void * |
---|
149 | mod_vhost_ldap_create_server_config (apr_pool_t *p, server_rec *s) |
---|
150 | { |
---|
151 | mod_vhost_ldap_config_t *conf = |
---|
152 | (mod_vhost_ldap_config_t *)apr_pcalloc(p, sizeof (mod_vhost_ldap_config_t)); |
---|
153 | |
---|
154 | conf->enabled = MVL_UNSET; |
---|
155 | conf->have_ldap_url = 0; |
---|
156 | conf->have_deref = 0; |
---|
157 | conf->binddn = NULL; |
---|
158 | conf->bindpw = NULL; |
---|
159 | conf->deref = always; |
---|
160 | conf->fallback = NULL; |
---|
161 | |
---|
162 | return conf; |
---|
163 | } |
---|
164 | |
---|
165 | static void * |
---|
166 | mod_vhost_ldap_merge_server_config(apr_pool_t *p, void *parentv, void *childv) |
---|
167 | { |
---|
168 | mod_vhost_ldap_config_t *parent = (mod_vhost_ldap_config_t *) parentv; |
---|
169 | mod_vhost_ldap_config_t *child = (mod_vhost_ldap_config_t *) childv; |
---|
170 | mod_vhost_ldap_config_t *conf = |
---|
171 | (mod_vhost_ldap_config_t *)apr_pcalloc(p, sizeof(mod_vhost_ldap_config_t)); |
---|
172 | |
---|
173 | if (child->enabled == MVL_UNSET) { |
---|
174 | conf->enabled = parent->enabled; |
---|
175 | } else { |
---|
176 | conf->enabled = child->enabled; |
---|
177 | } |
---|
178 | |
---|
179 | if (child->have_ldap_url) { |
---|
180 | conf->have_ldap_url = child->have_ldap_url; |
---|
181 | conf->url = child->url; |
---|
182 | conf->host = child->host; |
---|
183 | conf->port = child->port; |
---|
184 | conf->basedn = child->basedn; |
---|
185 | conf->scope = child->scope; |
---|
186 | conf->filter = child->filter; |
---|
187 | conf->secure = child->secure; |
---|
188 | } else { |
---|
189 | conf->have_ldap_url = parent->have_ldap_url; |
---|
190 | conf->url = parent->url; |
---|
191 | conf->host = parent->host; |
---|
192 | conf->port = parent->port; |
---|
193 | conf->basedn = parent->basedn; |
---|
194 | conf->scope = parent->scope; |
---|
195 | conf->filter = parent->filter; |
---|
196 | conf->secure = parent->secure; |
---|
197 | } |
---|
198 | if (child->have_deref) { |
---|
199 | conf->have_deref = child->have_deref; |
---|
200 | conf->deref = child->deref; |
---|
201 | } else { |
---|
202 | conf->have_deref = parent->have_deref; |
---|
203 | conf->deref = parent->deref; |
---|
204 | } |
---|
205 | |
---|
206 | conf->binddn = (child->binddn ? child->binddn : parent->binddn); |
---|
207 | conf->bindpw = (child->bindpw ? child->bindpw : parent->bindpw); |
---|
208 | |
---|
209 | conf->fallback = (child->fallback ? child->fallback : parent->fallback); |
---|
210 | |
---|
211 | return conf; |
---|
212 | } |
---|
213 | |
---|
214 | /* |
---|
215 | * Use the ldap url parsing routines to break up the ldap url into |
---|
216 | * host and port. |
---|
217 | */ |
---|
218 | static const char *mod_vhost_ldap_parse_url(cmd_parms *cmd, |
---|
219 | void *dummy, |
---|
220 | const char *url) |
---|
221 | { |
---|
222 | int result; |
---|
223 | apr_ldap_url_desc_t *urld; |
---|
224 | #if (APR_MAJOR_VERSION >= 1) |
---|
225 | apr_ldap_err_t *result_err; |
---|
226 | #endif |
---|
227 | |
---|
228 | mod_vhost_ldap_config_t *conf = |
---|
229 | (mod_vhost_ldap_config_t *)ap_get_module_config(cmd->server->module_config, |
---|
230 | &vhost_ldap_module); |
---|
231 | |
---|
232 | ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, |
---|
233 | cmd->server, "[mod_vhost_ldap.c] url parse: `%s'", |
---|
234 | url); |
---|
235 | |
---|
236 | #if (APR_MAJOR_VERSION >= 1) /* for apache >= 2.2 */ |
---|
237 | result = apr_ldap_url_parse(cmd->pool, url, &(urld), &(result_err)); |
---|
238 | if (result != LDAP_SUCCESS) { |
---|
239 | return result_err->reason; |
---|
240 | } |
---|
241 | #else |
---|
242 | result = apr_ldap_url_parse(url, &(urld)); |
---|
243 | if (result != LDAP_SUCCESS) { |
---|
244 | switch (result) { |
---|
245 | case LDAP_URL_ERR_NOTLDAP: |
---|
246 | return "LDAP URL does not begin with ldap://"; |
---|
247 | case LDAP_URL_ERR_NODN: |
---|
248 | return "LDAP URL does not have a DN"; |
---|
249 | case LDAP_URL_ERR_BADSCOPE: |
---|
250 | return "LDAP URL has an invalid scope"; |
---|
251 | case LDAP_URL_ERR_MEM: |
---|
252 | return "Out of memory parsing LDAP URL"; |
---|
253 | default: |
---|
254 | return "Could not parse LDAP URL"; |
---|
255 | } |
---|
256 | } |
---|
257 | #endif |
---|
258 | conf->url = apr_pstrdup(cmd->pool, url); |
---|
259 | |
---|
260 | ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, |
---|
261 | cmd->server, "[mod_vhost_ldap.c] url parse: Host: %s", urld->lud_host); |
---|
262 | ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, |
---|
263 | cmd->server, "[mod_vhost_ldap.c] url parse: Port: %d", urld->lud_port); |
---|
264 | ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, |
---|
265 | cmd->server, "[mod_vhost_ldap.c] url parse: DN: %s", urld->lud_dn); |
---|
266 | ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, |
---|
267 | cmd->server, "[mod_vhost_ldap.c] url parse: attrib: %s", urld->lud_attrs? urld->lud_attrs[0] : "(null)"); |
---|
268 | ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, |
---|
269 | cmd->server, "[mod_vhost_ldap.c] url parse: scope: %s", |
---|
270 | (urld->lud_scope == LDAP_SCOPE_SUBTREE? "subtree" : |
---|
271 | urld->lud_scope == LDAP_SCOPE_BASE? "base" : |
---|
272 | urld->lud_scope == LDAP_SCOPE_ONELEVEL? "onelevel" : "unknown")); |
---|
273 | ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, |
---|
274 | cmd->server, "[mod_vhost_ldap.c] url parse: filter: %s", urld->lud_filter); |
---|
275 | |
---|
276 | /* Set all the values, or at least some sane defaults */ |
---|
277 | if (conf->host) { |
---|
278 | char *p = apr_palloc(cmd->pool, strlen(conf->host) + strlen(urld->lud_host) + 2); |
---|
279 | strcpy(p, urld->lud_host); |
---|
280 | strcat(p, " "); |
---|
281 | strcat(p, conf->host); |
---|
282 | conf->host = p; |
---|
283 | } |
---|
284 | else { |
---|
285 | conf->host = urld->lud_host? apr_pstrdup(cmd->pool, urld->lud_host) : "localhost"; |
---|
286 | } |
---|
287 | conf->basedn = urld->lud_dn? apr_pstrdup(cmd->pool, urld->lud_dn) : ""; |
---|
288 | |
---|
289 | conf->scope = urld->lud_scope == LDAP_SCOPE_ONELEVEL ? |
---|
290 | LDAP_SCOPE_ONELEVEL : LDAP_SCOPE_SUBTREE; |
---|
291 | |
---|
292 | if (urld->lud_filter) { |
---|
293 | if (urld->lud_filter[0] == '(') { |
---|
294 | /* |
---|
295 | * Get rid of the surrounding parens; later on when generating the |
---|
296 | * filter, they'll be put back. |
---|
297 | */ |
---|
298 | conf->filter = apr_pstrdup(cmd->pool, urld->lud_filter+1); |
---|
299 | conf->filter[strlen(conf->filter)-1] = '\0'; |
---|
300 | } |
---|
301 | else { |
---|
302 | conf->filter = apr_pstrdup(cmd->pool, urld->lud_filter); |
---|
303 | } |
---|
304 | } |
---|
305 | else { |
---|
306 | conf->filter = "objectClass=apacheConfig"; |
---|
307 | } |
---|
308 | |
---|
309 | /* "ldaps" indicates secure ldap connections desired |
---|
310 | */ |
---|
311 | if (strncasecmp(url, "ldaps", 5) == 0) |
---|
312 | { |
---|
313 | conf->secure = 1; |
---|
314 | conf->port = urld->lud_port? urld->lud_port : LDAPS_PORT; |
---|
315 | ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, |
---|
316 | "LDAP: vhost_ldap using SSL connections"); |
---|
317 | } |
---|
318 | else |
---|
319 | { |
---|
320 | conf->secure = 0; |
---|
321 | conf->port = urld->lud_port? urld->lud_port : LDAP_PORT; |
---|
322 | ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, |
---|
323 | "LDAP: vhost_ldap not using SSL connections"); |
---|
324 | } |
---|
325 | |
---|
326 | conf->have_ldap_url = 1; |
---|
327 | #if (APR_MAJOR_VERSION < 1) /* free only required for older apr */ |
---|
328 | apr_ldap_free_urldesc(urld); |
---|
329 | #endif |
---|
330 | return NULL; |
---|
331 | } |
---|
332 | |
---|
333 | static const char *mod_vhost_ldap_set_enabled(cmd_parms *cmd, void *dummy, int enabled) |
---|
334 | { |
---|
335 | mod_vhost_ldap_config_t *conf = |
---|
336 | (mod_vhost_ldap_config_t *)ap_get_module_config(cmd->server->module_config, |
---|
337 | &vhost_ldap_module); |
---|
338 | |
---|
339 | conf->enabled = (enabled) ? MVL_ENABLED : MVL_DISABLED; |
---|
340 | |
---|
341 | return NULL; |
---|
342 | } |
---|
343 | |
---|
344 | static const char *mod_vhost_ldap_set_binddn(cmd_parms *cmd, void *dummy, const char *binddn) |
---|
345 | { |
---|
346 | mod_vhost_ldap_config_t *conf = |
---|
347 | (mod_vhost_ldap_config_t *)ap_get_module_config(cmd->server->module_config, |
---|
348 | &vhost_ldap_module); |
---|
349 | |
---|
350 | conf->binddn = apr_pstrdup(cmd->pool, binddn); |
---|
351 | return NULL; |
---|
352 | } |
---|
353 | |
---|
354 | static const char *mod_vhost_ldap_set_bindpw(cmd_parms *cmd, void *dummy, const char *bindpw) |
---|
355 | { |
---|
356 | mod_vhost_ldap_config_t *conf = |
---|
357 | (mod_vhost_ldap_config_t *)ap_get_module_config(cmd->server->module_config, |
---|
358 | &vhost_ldap_module); |
---|
359 | |
---|
360 | conf->bindpw = apr_pstrdup(cmd->pool, bindpw); |
---|
361 | return NULL; |
---|
362 | } |
---|
363 | |
---|
364 | static const char *mod_vhost_ldap_set_deref(cmd_parms *cmd, void *dummy, const char *deref) |
---|
365 | { |
---|
366 | mod_vhost_ldap_config_t *conf = |
---|
367 | (mod_vhost_ldap_config_t *)ap_get_module_config (cmd->server->module_config, |
---|
368 | &vhost_ldap_module); |
---|
369 | |
---|
370 | if (strcmp(deref, "never") == 0 || strcasecmp(deref, "off") == 0) { |
---|
371 | conf->deref = never; |
---|
372 | conf->have_deref = 1; |
---|
373 | } |
---|
374 | else if (strcmp(deref, "searching") == 0) { |
---|
375 | conf->deref = searching; |
---|
376 | conf->have_deref = 1; |
---|
377 | } |
---|
378 | else if (strcmp(deref, "finding") == 0) { |
---|
379 | conf->deref = finding; |
---|
380 | conf->have_deref = 1; |
---|
381 | } |
---|
382 | else if (strcmp(deref, "always") == 0 || strcasecmp(deref, "on") == 0) { |
---|
383 | conf->deref = always; |
---|
384 | conf->have_deref = 1; |
---|
385 | } |
---|
386 | else { |
---|
387 | return "Unrecognized value for VhostLDAPAliasDereference directive"; |
---|
388 | } |
---|
389 | return NULL; |
---|
390 | } |
---|
391 | |
---|
392 | static const char *mod_vhost_ldap_set_fallback(cmd_parms *cmd, void *dummy, const char *fallback) |
---|
393 | { |
---|
394 | mod_vhost_ldap_config_t *conf = |
---|
395 | (mod_vhost_ldap_config_t *)ap_get_module_config(cmd->server->module_config, |
---|
396 | &vhost_ldap_module); |
---|
397 | |
---|
398 | conf->fallback = apr_pstrdup(cmd->pool, fallback); |
---|
399 | return NULL; |
---|
400 | } |
---|
401 | |
---|
402 | static int reconfigure_directive(apr_pool_t *p, |
---|
403 | server_rec *s, |
---|
404 | const char *dir, |
---|
405 | const char *args) |
---|
406 | { |
---|
407 | ap_directive_t dir_s = { .directive = dir, .args = args, .next = NULL, |
---|
408 | .line_num = 0, .filename = "VhostLDAPConf" }; |
---|
409 | return ap_process_config_tree(s, &dir_s, p, p); |
---|
410 | } |
---|
411 | |
---|
412 | command_rec mod_vhost_ldap_cmds[] = { |
---|
413 | AP_INIT_TAKE1("VhostLDAPURL", mod_vhost_ldap_parse_url, NULL, RSRC_CONF, |
---|
414 | "URL to define LDAP connection. This should be an RFC 2255 compliant\n" |
---|
415 | "URL of the form ldap://host[:port]/basedn[?attrib[?scope[?filter]]].\n" |
---|
416 | "<ul>\n" |
---|
417 | "<li>Host is the name of the LDAP server. Use a space separated list of hosts \n" |
---|
418 | "to specify redundant servers.\n" |
---|
419 | "<li>Port is optional, and specifies the port to connect to.\n" |
---|
420 | "<li>basedn specifies the base DN to start searches from\n" |
---|
421 | "</ul>\n"), |
---|
422 | |
---|
423 | AP_INIT_TAKE1 ("VhostLDAPBindDN", mod_vhost_ldap_set_binddn, NULL, RSRC_CONF, |
---|
424 | "DN to use to bind to LDAP server. If not provided, will do an anonymous bind."), |
---|
425 | |
---|
426 | AP_INIT_TAKE1("VhostLDAPBindPassword", mod_vhost_ldap_set_bindpw, NULL, RSRC_CONF, |
---|
427 | "Password to use to bind to LDAP server. If not provided, will do an anonymous bind."), |
---|
428 | |
---|
429 | AP_INIT_FLAG("VhostLDAPEnabled", mod_vhost_ldap_set_enabled, NULL, RSRC_CONF, |
---|
430 | "Set to off to disable vhost_ldap, even if it's been enabled in a higher tree"), |
---|
431 | |
---|
432 | AP_INIT_TAKE1("VhostLDAPDereferenceAliases", mod_vhost_ldap_set_deref, NULL, RSRC_CONF, |
---|
433 | "Determines how aliases are handled during a search. Can be one of the" |
---|
434 | "values \"never\", \"searching\", \"finding\", or \"always\". " |
---|
435 | "Defaults to always."), |
---|
436 | |
---|
437 | AP_INIT_TAKE1("VhostLDAPFallback", mod_vhost_ldap_set_fallback, NULL, RSRC_CONF, |
---|
438 | "Set default virtual host which will be used when requested hostname" |
---|
439 | "is not found in LDAP database. This option can be used to display" |
---|
440 | "\"virtual host not found\" type of page."), |
---|
441 | |
---|
442 | {NULL} |
---|
443 | }; |
---|
444 | |
---|
445 | #define FILTER_LENGTH MAX_STRING_LEN |
---|
446 | static int mod_vhost_ldap_translate_name(request_rec *r) |
---|
447 | { |
---|
448 | server_rec *server; |
---|
449 | const char *error; |
---|
450 | int code; |
---|
451 | mod_vhost_ldap_request_t *reqc; |
---|
452 | int failures = 0; |
---|
453 | const char **vals = NULL; |
---|
454 | char filtbuf[FILTER_LENGTH]; |
---|
455 | mod_vhost_ldap_config_t *conf = |
---|
456 | (mod_vhost_ldap_config_t *)ap_get_module_config(r->server->module_config, &vhost_ldap_module); |
---|
457 | util_ldap_connection_t *ldc = NULL; |
---|
458 | int result = 0; |
---|
459 | const char *dn = NULL; |
---|
460 | const char *hostname = NULL; |
---|
461 | int is_fallback = 0; |
---|
462 | int sleep0 = 0; |
---|
463 | int sleep1 = 1; |
---|
464 | int sleep; |
---|
465 | struct berval hostnamebv, shostnamebv; |
---|
466 | |
---|
467 | if ((error = ap_init_virtual_host(r->pool, "", r->server, &server)) != NULL) { |
---|
468 | ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r, |
---|
469 | "[mod_vhost_ldap.c]: Could not initialize a new VirtualHost: %s", |
---|
470 | error); |
---|
471 | return HTTP_INTERNAL_SERVER_ERROR; |
---|
472 | } |
---|
473 | |
---|
474 | reqc = |
---|
475 | (mod_vhost_ldap_request_t *)apr_pcalloc(r->pool, sizeof(mod_vhost_ldap_request_t)); |
---|
476 | memset(reqc, 0, sizeof(mod_vhost_ldap_request_t)); |
---|
477 | |
---|
478 | ap_set_module_config(r->request_config, &vhost_ldap_module, reqc); |
---|
479 | |
---|
480 | // mod_vhost_ldap is disabled or we don't have LDAP Url |
---|
481 | if ((conf->enabled != MVL_ENABLED)||(!conf->have_ldap_url)) { |
---|
482 | return DECLINED; |
---|
483 | } |
---|
484 | |
---|
485 | start_over: |
---|
486 | |
---|
487 | if (conf->host) { |
---|
488 | ldc = util_ldap_connection_find(r, conf->host, conf->port, |
---|
489 | conf->binddn, conf->bindpw, conf->deref, |
---|
490 | conf->secure); |
---|
491 | } |
---|
492 | else { |
---|
493 | ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r, |
---|
494 | "[mod_vhost_ldap.c] translate: no conf->host - weird...?"); |
---|
495 | return HTTP_INTERNAL_SERVER_ERROR; |
---|
496 | } |
---|
497 | |
---|
498 | hostname = r->hostname; |
---|
499 | if (hostname == NULL || hostname[0] == '\0') |
---|
500 | goto null; |
---|
501 | |
---|
502 | fallback: |
---|
503 | |
---|
504 | ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, |
---|
505 | "[mod_vhost_ldap.c]: translating hostname [%s], uri [%s]", |
---|
506 | hostname, r->uri); |
---|
507 | |
---|
508 | ber_str2bv(hostname, 0, 0, &hostnamebv); |
---|
509 | if (ldap_bv2escaped_filter_value(&hostnamebv, &shostnamebv) != 0) |
---|
510 | goto null; |
---|
511 | apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(|(apacheServerName=%s)(apacheServerAlias=%s)))", conf->filter, shostnamebv.bv_val, shostnamebv.bv_val); |
---|
512 | ber_memfree(shostnamebv.bv_val); |
---|
513 | |
---|
514 | result = util_ldap_cache_getuserdn(r, ldc, conf->url, conf->basedn, conf->scope, |
---|
515 | attributes, filtbuf, &dn, &vals); |
---|
516 | |
---|
517 | util_ldap_connection_close(ldc); |
---|
518 | |
---|
519 | /* sanity check - if server is down, retry it up to 5 times */ |
---|
520 | if (AP_LDAP_IS_SERVER_DOWN(result) || |
---|
521 | (result == LDAP_TIMEOUT) || |
---|
522 | (result == LDAP_CONNECT_ERROR)) { |
---|
523 | sleep = sleep0 + sleep1; |
---|
524 | ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r, |
---|
525 | "[mod_vhost_ldap.c]: lookup failure, retry number #[%d], sleeping for [%d] seconds", |
---|
526 | failures, sleep); |
---|
527 | if (failures++ < MAX_FAILURES) { |
---|
528 | /* Back-off exponentially */ |
---|
529 | apr_sleep(apr_time_from_sec(sleep)); |
---|
530 | sleep0 = sleep1; |
---|
531 | sleep1 = sleep; |
---|
532 | goto start_over; |
---|
533 | } else { |
---|
534 | return HTTP_GATEWAY_TIME_OUT; |
---|
535 | } |
---|
536 | } |
---|
537 | |
---|
538 | if (result == LDAP_NO_SUCH_OBJECT) { |
---|
539 | if (strcmp(hostname, "*") != 0) { |
---|
540 | if (strncmp(hostname, "*.", 2) == 0) |
---|
541 | hostname += 2; |
---|
542 | hostname += strcspn(hostname, "."); |
---|
543 | hostname = apr_pstrcat(r->pool, "*", hostname, (const char *)NULL); |
---|
544 | ap_log_rerror(APLOG_MARK, APLOG_NOTICE|APLOG_NOERRNO, 0, r, |
---|
545 | "[mod_vhost_ldap.c] translate: " |
---|
546 | "virtual host not found, trying wildcard %s", |
---|
547 | hostname); |
---|
548 | goto fallback; |
---|
549 | } |
---|
550 | |
---|
551 | null: |
---|
552 | if (conf->fallback && (is_fallback++ <= 0)) { |
---|
553 | ap_log_rerror(APLOG_MARK, APLOG_NOTICE|APLOG_NOERRNO, 0, r, |
---|
554 | "[mod_vhost_ldap.c] translate: " |
---|
555 | "virtual host %s not found, trying fallback %s", |
---|
556 | hostname, conf->fallback); |
---|
557 | hostname = conf->fallback; |
---|
558 | goto fallback; |
---|
559 | } |
---|
560 | |
---|
561 | ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r, |
---|
562 | "[mod_vhost_ldap.c] translate: " |
---|
563 | "virtual host %s not found", |
---|
564 | hostname); |
---|
565 | |
---|
566 | return HTTP_BAD_REQUEST; |
---|
567 | } |
---|
568 | |
---|
569 | /* handle bind failure */ |
---|
570 | if (result != LDAP_SUCCESS) { |
---|
571 | ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r, |
---|
572 | "[mod_vhost_ldap.c] translate: " |
---|
573 | "translate failed; virtual host %s; URI %s [%s]", |
---|
574 | hostname, r->uri, ldap_err2string(result)); |
---|
575 | return HTTP_INTERNAL_SERVER_ERROR; |
---|
576 | } |
---|
577 | |
---|
578 | /* mark the user and DN */ |
---|
579 | reqc->dn = apr_pstrdup(r->pool, dn); |
---|
580 | |
---|
581 | /* Optimize */ |
---|
582 | if (vals) { |
---|
583 | int i; |
---|
584 | for (i = 0; attributes[i]; i++) { |
---|
585 | |
---|
586 | const char *directive; |
---|
587 | char *val = apr_pstrdup (r->pool, vals[i]); |
---|
588 | /* These do not correspond to any real directives */ |
---|
589 | if (strcasecmp (attributes[i], "apacheSuexecUid") == 0) { |
---|
590 | reqc->uid = val; |
---|
591 | continue; |
---|
592 | } |
---|
593 | else if (strcasecmp (attributes[i], "apacheSuexecGid") == 0) { |
---|
594 | reqc->gid = val; |
---|
595 | continue; |
---|
596 | } |
---|
597 | |
---|
598 | if (strcasecmp (attributes[i], "apacheServerName") == 0) { |
---|
599 | reqc->name = val; |
---|
600 | directive = "ServerName"; |
---|
601 | } |
---|
602 | else if (strcasecmp (attributes[i], "apacheServerAdmin") == 0) { |
---|
603 | reqc->admin = val; |
---|
604 | directive = "ServerAdmin"; |
---|
605 | } |
---|
606 | else if (strcasecmp (attributes[i], "apacheDocumentRoot") == 0) { |
---|
607 | reqc->docroot = val; |
---|
608 | directive = "DocumentRoot"; |
---|
609 | } |
---|
610 | else if (strcasecmp (attributes[i], "apacheScriptAlias") == 0) { |
---|
611 | if (val != NULL) { |
---|
612 | /* Hack to deal with current apacheScriptAlias lagout */ |
---|
613 | if (strlen(val) > 0 && val[strlen(val) - 1] == '/') |
---|
614 | val = apr_pstrcat(r->pool, "/cgi-bin/ ", val, (const char *)NULL); |
---|
615 | else |
---|
616 | val = apr_pstrcat(r->pool, "/cgi-bin/ ", val, "/", (const char *)NULL); |
---|
617 | directive = "ScriptAlias"; |
---|
618 | } |
---|
619 | reqc->cgiroot = val; |
---|
620 | } |
---|
621 | else { |
---|
622 | /* This should not actually be reachable, but it's |
---|
623 | good to cover all all possible cases */ |
---|
624 | ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, |
---|
625 | "Unexpected attribute %s encountered", attributes[i]); |
---|
626 | continue; |
---|
627 | } |
---|
628 | |
---|
629 | if (val == NULL) |
---|
630 | continue; |
---|
631 | |
---|
632 | if ((code = reconfigure_directive(r->pool, server, directive, val)) != 0) |
---|
633 | return code; |
---|
634 | } |
---|
635 | } |
---|
636 | |
---|
637 | ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, |
---|
638 | "[mod_vhost_ldap.c]: loaded from ldap: " |
---|
639 | "apacheServerName: %s, " |
---|
640 | "apacheServerAdmin: %s, " |
---|
641 | "apacheDocumentRoot: %s, " |
---|
642 | "apacheScriptAlias: %s, " |
---|
643 | "apacheSuexecUid: %s, " |
---|
644 | "apacheSuexecGid: %s", |
---|
645 | reqc->name, reqc->admin, reqc->docroot, reqc->cgiroot, reqc->uid, reqc->gid); |
---|
646 | |
---|
647 | if ((reqc->name == NULL)||(reqc->docroot == NULL)) { |
---|
648 | ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r, |
---|
649 | "[mod_vhost_ldap.c] translate: " |
---|
650 | "translate failed; ServerName or DocumentRoot not defined"); |
---|
651 | return HTTP_INTERNAL_SERVER_ERROR; |
---|
652 | } |
---|
653 | |
---|
654 | if (reqc->uid != NULL) { |
---|
655 | char *username; |
---|
656 | char *userdir_val; |
---|
657 | uid_t uid = (uid_t) atoll(reqc->uid); |
---|
658 | |
---|
659 | if ((code = reconfigure_directive(r->pool, server, "UserDir", USERDIR)) != 0) |
---|
660 | return code; |
---|
661 | |
---|
662 | /* Deal with ~ expansion */ |
---|
663 | if ((code = reconfigure_directive(r->pool, server, "UserDir", "disabled")) != 0) |
---|
664 | return code; |
---|
665 | |
---|
666 | if (apr_uid_name_get(&username, uid, r->pool) != APR_SUCCESS) { |
---|
667 | ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r, |
---|
668 | "could not get username for uid %d", uid); |
---|
669 | return HTTP_INTERNAL_SERVER_ERROR; |
---|
670 | } |
---|
671 | |
---|
672 | userdir_val = apr_pstrcat(r->pool, "enabled ", username, (const char *)NULL); |
---|
673 | |
---|
674 | if ((code = reconfigure_directive(r->pool, server, "UserDir", userdir_val)) != 0) |
---|
675 | return code; |
---|
676 | } |
---|
677 | |
---|
678 | ap_fixup_virtual_host(r->pool, r->server, server); |
---|
679 | r->server = server; |
---|
680 | |
---|
681 | /* Hack to allow post-processing by other modules (mod_rewrite, mod_alias) */ |
---|
682 | return DECLINED; |
---|
683 | } |
---|
684 | |
---|
685 | #ifdef HAVE_UNIX_SUEXEC |
---|
686 | static ap_unix_identity_t *mod_vhost_ldap_get_suexec_id_doer(const request_rec * r) |
---|
687 | { |
---|
688 | ap_unix_identity_t *ugid = NULL; |
---|
689 | mod_vhost_ldap_config_t *conf = |
---|
690 | (mod_vhost_ldap_config_t *)ap_get_module_config(r->server->module_config, |
---|
691 | &vhost_ldap_module); |
---|
692 | mod_vhost_ldap_request_t *req = |
---|
693 | (mod_vhost_ldap_request_t *)ap_get_module_config(r->request_config, |
---|
694 | &vhost_ldap_module); |
---|
695 | |
---|
696 | uid_t uid = -1; |
---|
697 | gid_t gid = -1; |
---|
698 | |
---|
699 | // mod_vhost_ldap is disabled or we don't have LDAP Url |
---|
700 | if ((conf->enabled != MVL_ENABLED)||(!conf->have_ldap_url)) { |
---|
701 | return NULL; |
---|
702 | } |
---|
703 | |
---|
704 | if ((req == NULL)||(req->uid == NULL)||(req->gid == NULL)) { |
---|
705 | return NULL; |
---|
706 | } |
---|
707 | |
---|
708 | if ((ugid = apr_palloc(r->pool, sizeof(ap_unix_identity_t))) == NULL) { |
---|
709 | return NULL; |
---|
710 | } |
---|
711 | |
---|
712 | uid = (uid_t)atoll(req->uid); |
---|
713 | gid = (gid_t)atoll(req->gid); |
---|
714 | |
---|
715 | if ((uid < MIN_UID)||(gid < MIN_GID)) { |
---|
716 | return NULL; |
---|
717 | } |
---|
718 | |
---|
719 | ugid->uid = uid; |
---|
720 | ugid->gid = gid; |
---|
721 | ugid->userdir = 0; |
---|
722 | |
---|
723 | return ugid; |
---|
724 | } |
---|
725 | #endif |
---|
726 | |
---|
727 | static void |
---|
728 | mod_vhost_ldap_register_hooks (apr_pool_t * p) |
---|
729 | { |
---|
730 | |
---|
731 | /* |
---|
732 | * Run before mod_rewrite |
---|
733 | */ |
---|
734 | static const char * const aszRewrite[]={ "mod_rewrite.c", NULL }; |
---|
735 | |
---|
736 | ap_hook_post_config(mod_vhost_ldap_post_config, NULL, NULL, APR_HOOK_MIDDLE); |
---|
737 | ap_hook_translate_name(mod_vhost_ldap_translate_name, NULL, aszRewrite, APR_HOOK_FIRST); |
---|
738 | #ifdef HAVE_UNIX_SUEXEC |
---|
739 | ap_hook_get_suexec_identity(mod_vhost_ldap_get_suexec_id_doer, NULL, NULL, APR_HOOK_MIDDLE); |
---|
740 | #endif |
---|
741 | #if (APR_MAJOR_VERSION >= 1) |
---|
742 | ap_hook_optional_fn_retrieve(ImportULDAPOptFn,NULL,NULL,APR_HOOK_MIDDLE); |
---|
743 | #endif |
---|
744 | } |
---|
745 | |
---|
746 | module AP_MODULE_DECLARE_DATA vhost_ldap_module = { |
---|
747 | STANDARD20_MODULE_STUFF, |
---|
748 | NULL, |
---|
749 | NULL, |
---|
750 | mod_vhost_ldap_create_server_config, |
---|
751 | mod_vhost_ldap_merge_server_config, |
---|
752 | mod_vhost_ldap_cmds, |
---|
753 | mod_vhost_ldap_register_hooks, |
---|
754 | }; |
---|