$r->log->debug("check_group: Setting quoted $member");
} elsif ($member =~ /^[^=]+=([^,]+),/) {
$member = $1;
$r->log->debug("check_group: Examining escaped $member");
$member =~ s/\\(.)/$1/g;
$r->log->debug("check_group: Setting escaped $member");
}
$r->log->debug("check_group: Member now $member");
my ($result, $child_group) = check_group($r, $ld, $basedn, $groupattrtype,
$memberattrtype, $userinfo,
"\"$member\"", $nestedattrtype,
$nested_groups, $requirement,
$recursion_depth + 1);
if ($recursion_depth != 1 && $result == OK) {
$r->log->debug("Recursion of $recursion_depth; returning OK");
return (OK, $group);
} elsif ($result == OK) {
if ($requirement == 1) {
$r->log->debug("Requirement inAGroup; returning");
return (OK, "\"$group\"");
} elsif ($foundgroups eq '') {
$r->log->debug("Requirement inManyGroups or inAllGroups; appending");
$foundgroups = "\"$group\"";
} else {
$r->log->debug("Requirement inManyGroups or inAllGroups; appending");
$foundgroups .= " \"$group\"";
}
next;
}
}
$r->log->debug("Requirement inAllGroups failed; returning"),
return AUTH_REQUIRED if $requirement == 3 &&
!($entry->exists($nestedattrtype));
}
# This case happens when inManyGroups is required
$r->log->debug("inManyGroups success"),
return(OK, $foundgroups) if $foundgroups ne '';
# We've fallen through without finding the user in the group
$r->log_reason("Could not find $userinfo in $groups", $r->uri);
return AUTH_REQUIRED;
}
###############################################################################
###############################################################################
# handler: hook into Apache/mod_perl API
###############################################################################
###############################################################################
sub handler {
my $r = shift;
return OK unless $r->is_initial_req; # only the first internal request
my $requires = $r->requires;
return OK unless $requires;
my $username = $r->connection->user;
# The required patch was not introduced in 1.26. It is no longer
# promised to be included in any timeframe. Commenting out.
# if ($mod_perl::VERSION < 1.26) {
# I shouldn't need to use the below lines as this module
# should never be called if there was a cache hit. Since
# set_handlers() doesn't work properly until 1.26 (according
# to Doug MacEachern) I have to work around it by cobbling
# together cheat sheets for the previous and subsequent
# handlers in this phase. I get the willies about the
# security implications in a general environment where you
# might be using someone else's handlers upstream or
# downstream...
my $group_sent = $r->subprocess_env("REMOTE_GROUP") ||
$r->headers_in->{'REMOTE_GROUP'};
my $cache_result = $r->notes('AuthzCache');
if ($group_sent && $cache_result eq 'hit') {
$r->log->debug("handler: upstream cache hit for ",
"user=$username, group=$group_sent");
return OK;
# }
}
# Clear for paranoid security precautions
$r->subprocess_env(REMOTE_GROUP => undef);
undef($r->headers_in->{'REMOTE_GROUP'});
my $basedn = $r->dir_config('AuthzBaseDN');
my $groupattrtype = $r->dir_config('AuthzGroupAttrType') || 'cn';
my $authzldapserver = $r->dir_config('AuthzLDAPServer') || "localhost";
my $authzldapport = $r->dir_config('AuthzLDAPPort') || 389;
my $authenldapserver = $r->dir_config('AuthenLDAPServer') ||
$r->dir_config('AuthzLDAPServer') || "localhost";
my $authenldapport = $r->dir_config('AuthenLDAPPort') ||
$r->dir_config('AuthzLDAPPort') || 389;
my $memberattrtype = $r->dir_config('AuthzMemberAttrType') || 'member';
my $memberattrvalue = $r->dir_config('AuthzMemberAttrValue') || 'cn';
my $nestedattrtype = $r->dir_config('AuthzNestedAttrType') || 'member';
my $nested_groups = $r->dir_config('AuthzNestedGroups');
my $requirement = $r->dir_config('AuthzRequire') || 'inAGroup';
my $uidattrtype = $r->dir_config('AuthzUidAttrType') || 'uid';
my $userbasedn = $r->dir_config('AuthenBaseDN');
$requirement = REQUIRE_OPTS->{lc($requirement)} || 1;
$r->log->debug(join ", ", "AuthzBaseDN=$basedn",
"GroupAttrType=$groupattrtype",
"LDAPServer=$authzldapserver",
"MemberAttrType=$memberattrtype",
"MemberAttrValue=$memberattrvalue",
"NestedAttrType=$nestedattrtype",
"NestedGroups=$nested_groups",
"Requirement=$requirement",
"UserBaseDN=$userbasedn");
for my $req (@$requires) {
my ($require, $rest) = split /\s+/, $req->{requirement}, 2;
if ($require eq "user") { return OK
if grep $username eq $_, split /\s+/, $rest}
elsif ($require eq "valid-user") { return OK }
elsif ($require eq 'group') {
my $ld = undef;
# Connect to the server