svn commit: lorikeet r57 - in trunk/mod_ntlm_winbind: .

abartlet at samba.org abartlet at samba.org
Tue Sep 14 02:22:31 GMT 2004


Author: abartlet
Date: 2004-09-14 02:22:30 +0000 (Tue, 14 Sep 2004)
New Revision: 57

WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=lorikeet&path=/trunk/mod_ntlm_winbind&rev=57&nolog=1

Log:
Try to re-use the helper, when possible.  This avoids the load of a
fork()/exec() for every incoming authentication.

Andrew Bartlett

Modified:
   trunk/mod_ntlm_winbind/mod_ntlm_winbind.c


Changeset:
Modified: trunk/mod_ntlm_winbind/mod_ntlm_winbind.c
===================================================================
--- trunk/mod_ntlm_winbind/mod_ntlm_winbind.c	2004-09-09 10:44:16 UTC (rev 56)
+++ trunk/mod_ntlm_winbind/mod_ntlm_winbind.c	2004-09-14 02:22:30 UTC (rev 57)
@@ -101,15 +101,21 @@
 /* A structure to hold per-connection information about authentications
    that are in progress. */
 
-typedef struct ntlm_connection_struct {
+struct ntlm_connection {
     int sent_challenge;
     char *user;
     int auth_ok;
     int helper_pid;
     BUFF *out_to_helper, *in_from_helper;
     ap_pool *pool;
-} ntlm_connection_rec;
+};
 
+struct ntlm_authenticated {
+    char *user;
+    int auth_ok;
+    ap_pool *pool;
+}; 
+
 struct ntlm_child_stuff {
     request_rec *r;
     char *argv0;
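Review bot: The comment above `struct ntlm_connection` still says "per-connection information", but with this change the struct is allocated from a parentless pool (`ap_make_sub_pool(NULL)` further down in the diff) precisely so the helper survives across connections, and the new `struct ntlm_authenticated` carries no comment at all even though the lifetime split between the two is the whole point of the commit. I would replace the existing comment with `/* Per-child state for the long-lived ntlm_auth helper; reused across connections. */` and add `/* Per-connection outcome of the NTLM handshake; lives in a sub-pool of the connection pool. */` above `struct ntlm_authenticated`. The `auth_ok` (and possibly `sent_challenge`) fields left in `struct ntlm_connection` are not written anywhere in this diff and may now be vestigial; worth checking the rest of the file. `struct ntlm_child_stuff` continues past the end of the hunk.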
@@ -129,8 +135,10 @@
    because we are only ever processing one authentication request per
    apache daemon. */
 
-static ntlm_connection_rec *ntlm_connection;
+static struct ntlm_connection *ntlm_connection;
 
+static struct ntlm_authenticated *ntlm_authenticated;
+
 /* Extra apache configuration directives defined for this module */
 
 static const command_rec ntlm_winbind_cmds[] = {
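Review bot: The new `ntlm_authenticated` global has no comment saying what owns and resets it; the justification above (one request per apache daemon) covers the helper pointer, but a reader also needs to know that this one is cleared by `cleanup_ntlm_authenticated` when the connection sub-pool it is registered on is cleared, so it is NULL between connections. Suggested: `/* Outcome of the handshake on the current connection; set on the first request of a connection, NULLed again by cleanup_ntlm_authenticated when the connection pool is cleared. */`. The comment block above is cut off at the start of the hunk.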
@@ -179,7 +187,7 @@
 /* Authorisation has failed - we set some headers so the client can
    get the hint and prompt for a password from the user. */
 
-static void 
+static int
 note_ntlm_auth_failure(request_rec * r)
 {
     ntlm_config_rec *crec
@@ -206,19 +214,37 @@
                       r->proxyreq ? "Proxy-Authenticate" : "WWW-Authenticate",
                       line);
     }
+
+    if (ntlm_authenticated) {
+        ap_destroy_pool(ntlm_authenticated->pool);
+    }
+    return HTTP_UNAUTHORIZED;
 }
+    
 
 /* Dispose of a connection */
 
 static void 
 cleanup_ntlm_connection(void *ntlm_conn_v)
 {
-    ntlm_connection_rec **ntlm_conn = ntlm_conn_v;
+    struct ntlm_connection **ntlm_conn = ntlm_conn_v;
     ap_bclose((*ntlm_conn)->out_to_helper);
     ap_bclose((*ntlm_conn)->in_from_helper);
-    *ntlm_conn = NULL;
+
+    /* references the global */
+    ntlm_connection = NULL;
 }
 
+/* Dispose of a connected user */
+
+static void 
+cleanup_ntlm_authenticated(void *ntlm_conn_v)
+{
+    struct ntlm_authenticated **ntlm_auth = ntlm_conn_v;
+    /* references the global */
+    ntlm_authenticated = NULL;
+}
+
 const char *
 get_ntlm_header(request_rec * r, ntlm_config_rec * crec)
 {
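Review bot: `cleanup_ntlm_authenticated` declares `ntlm_auth` from its argument and then never uses it, which draws an unused-variable warning; either drop the declaration or assign through it, e.g. `struct ntlm_authenticated **ntlm_auth = ntlm_conn_v; *ntlm_auth = NULL;` (equivalent here because the cleanup is registered with `&ntlm_authenticated`). The comment "Dispose of a connection" above `cleanup_ntlm_connection` is now misleading, since that pool belongs to the helper and is no longer tied to a connection; `/* Dispose of the helper process and its pipes */` would be accurate. It is also worth confirming that `ap_bclose` on the pipe BUFFs reaps `helper_pid`, because nothing visible here does and a dead helper would otherwise linger until the apache child exits.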
@@ -394,12 +420,11 @@
     
     if (ntlm_connection == NULL) {
         struct ntlm_child_stuff cld;
-        ap_pool *pool = ap_make_sub_pool(r->connection->pool);
+        ap_pool *pool = ap_make_sub_pool(NULL);
         
         ntlm_connection = ap_pcalloc(pool,
-                                     sizeof(ntlm_connection_rec));
+                                     sizeof(struct ntlm_connection));
         ntlm_connection->pool = pool;
-        ntlm_connection->auth_ok = 0;
         ntlm_connection->helper_pid = 0;
   
         ap_register_cleanup(pool, &ntlm_connection, cleanup_ntlm_connection,
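Review bot: `ap_make_sub_pool(NULL)` is doing the real work of this commit — a parentless pool is what lets the helper outlive the connection — but nothing says so, and a later reader could easily "fix" it back to `r->connection->pool`. A comment on that line such as `/* No parent: the helper is reused across connections and is torn down only by the explicit ap_destroy_pool() calls on the failure paths. */` would prevent that. One consequence worth stating is that the helper is now shared by every client this apache child serves, so any per-client state must live in `ntlm_authenticated`, never here. The enclosing function starts before and ends after this hunk.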
@@ -418,18 +443,21 @@
                           "couldn't spawn child ntlm helper process: %s", cld.argv0);
             return HTTP_INTERNAL_SERVER_ERROR;
         }
+    }
+
+    if (ntlm_authenticated == NULL) {
+        ap_pool *pool = ap_make_sub_pool(r->connection->pool);
         
+        ntlm_authenticated = ap_pcalloc(pool,
+                                        sizeof(ntlm_authenticated));
+  
+        ap_register_cleanup(pool, &ntlm_authenticated, cleanup_ntlm_authenticated,
+                            ap_null_cleanup);
+
+        ntlm_authenticated->pool = pool;
+        ntlm_authenticated->auth_ok = 0;
+        ntlm_authenticated->user = NULL;
         message_type = "YR";
-    } else if (ntlm_connection->auth_ok && ntlm_connection->user) {
-        ap_log_rerror(APLOG_MARK, NTLM_DEBUG, r, 
-                      "silent reauthentication");            
-        
-        /* silently accept login with same credentials */
-        r->connection->user = ap_pstrdup(r->connection->pool,
-                                         ntlm_connection->user);
-        r->connection->ap_auth_type = ap_pstrdup(r->connection->pool,
-                                                 NTLM_AUTH_NAME);
-        return OK;
     } else {
         message_type = "KK";
     }
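Review bot: The allocation at `ntlm_authenticated = ap_pcalloc(pool, sizeof(ntlm_authenticated))` is sized by the pointer variable, not by the struct: `sizeof(ntlm_authenticated)` is the size of a `struct ntlm_authenticated *`, while the struct holds a `char *`, an `int` and an `ap_pool *`, so the stores to `->pool`, `->auth_ok` and `->user` a few lines later (and the later `->user` assignment in the AF branch) write past the end of the allocation into whatever the pool hands out next. It should read `ntlm_authenticated = ap_pcalloc(pool, sizeof(struct ntlm_authenticated));` (or `sizeof(*ntlm_authenticated)`), matching the `sizeof(struct ntlm_connection)` fix made for the other struct in this same diff. Since `ap_pcalloc` zero-fills, the explicit `auth_ok = 0` and `user = NULL` assignments are redundant and could be dropped. The enclosing function starts before and ends after this hunk.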
@@ -439,9 +467,7 @@
     if ((ntlmssp = get_ntlm_header(r, crec)) == NULL) {
         ap_log_rerror(APLOG_MARK, NTLM_DEBUG, r, 
                       "client did not return NTLM authenticaiton header");            
-        note_ntlm_auth_failure(r);
-        ap_destroy_pool(ntlm_connection->pool);
-        return HTTP_UNAUTHORIZED;
+        return note_ntlm_auth_failure(r);
     }
     
     /* Pipe to helper */
@@ -452,7 +478,8 @@
         ap_log_rerror(APLOG_MARK, NTLM_DEBUG, r, 
                       "failed to write NTLMSSP string to helper - wrote %d bytes", bytes_written);            
         ap_destroy_pool(ntlm_connection->pool);
-        return HTTP_UNAUTHORIZED;
+        ap_destroy_pool(ntlm_authenticated->pool);
+        return HTTP_INTERNAL_SERVER_ERROR;
     }
 
     ap_bflush(ntlm_connection->out_to_helper);
@@ -462,17 +489,20 @@
         ap_log_rerror(APLOG_MARK, NTLM_DEBUG, r, 
                       "early EOF from helper");            
         ap_destroy_pool(ntlm_connection->pool);
-        return HTTP_UNAUTHORIZED;
+        ap_destroy_pool(ntlm_authenticated->pool);
+        return HTTP_INTERNAL_SERVER_ERROR;
     } else if (bytes_read == -1) {
         ap_log_rerror(APLOG_MARK, NTLM_DEBUG, r, 
                       "helper dies!");            
         ap_destroy_pool(ntlm_connection->pool);
-        return HTTP_UNAUTHORIZED;
+        ap_destroy_pool(ntlm_authenticated->pool);
+        return HTTP_INTERNAL_SERVER_ERROR;
     } else if (bytes_read < 2) {
         ap_log_rerror(APLOG_MARK, NTLM_DEBUG, r, 
                       "failed to read NTLMSSP string from helper - only got %d bytes", bytes_read);            
         ap_destroy_pool(ntlm_connection->pool);
-        return HTTP_UNAUTHORIZED;
+        ap_destroy_pool(ntlm_authenticated->pool);
+        return HTTP_INTERNAL_SERVER_ERROR;
     }
     
     newline = strchr(argsbuffer, '\n');
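Review bot: The three error branches in this hunk, and the same pattern in the write-failure and unparseable-callback hunks, repeat an identical teardown — destroy the helper pool, destroy the per-connection pool, return `HTTP_INTERNAL_SERVER_ERROR` — which is easy to get out of sync, as the parse-failure branch just below already shows by returning a different status. I would fold the teardown into one static helper and call it from each branch. Order matters: destroying `ntlm_connection->pool` first runs `cleanup_ntlm_connection`, which NULLs the global, so the helper must not touch `ntlm_connection` afterwards. The enclosing function starts before and ends after this hunk.
```c
/* Helper I/O failed: tear down the helper (it is respawned on the next
 * request) and the per-connection state, and report a server error.
 * Destroying the helper pool runs cleanup_ntlm_connection, which NULLs
 * the global, so ntlm_connection must not be touched afterwards. */
static int
ntlm_helper_failure(void)
{
    ap_destroy_pool(ntlm_connection->pool);
    ap_destroy_pool(ntlm_authenticated->pool);
    return HTTP_INTERNAL_SERVER_ERROR;
}

/* … unchanged: ap_bgets from helper … */
    if (bytes_read == 0) {
        ap_log_rerror(APLOG_MARK, NTLM_DEBUG, r, "early EOF from helper");
        return ntlm_helper_failure();
    }
/* … unchanged: bytes_read == -1 and bytes_read < 2 branches, same pattern … */
```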
@@ -488,6 +518,7 @@
         ap_log_rerror(APLOG_MARK, NTLM_DEBUG, r, 
                       "failed to parse response from helper");            
         ap_destroy_pool(ntlm_connection->pool);
+        ap_destroy_pool(ntlm_authenticated->pool);
         return HTTP_UNAUTHORIZED;
     }
     childarg++;
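Review bot: The parse-failure branch still returns `HTTP_UNAUTHORIZED` after tearing down both pools, while every other helper-protocol failure in this changeset now returns `HTTP_INTERNAL_SERVER_ERROR`; a response the module cannot parse is a helper problem, not a credential problem, and because the 401 is sent without going through `note_ntlm_auth_failure` the client receives no `WWW-Authenticate` challenge it could act on. Change it to `return HTTP_INTERNAL_SERVER_ERROR;` for consistency with the surrounding branches. The enclosing function starts before and ends after this hunk.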
@@ -501,23 +532,17 @@
     /* if NA, not authenticated */
 
     if (strncmp(argsbuffer, "NA ", 3) == 0) {
-        note_ntlm_auth_failure(r);
         ap_log_rerror(APLOG_MARK, NTLM_DEBUG, r, 
                       "user not authenticated: %s", childarg);            
-        ap_destroy_pool(ntlm_connection->pool);
-        return HTTP_UNAUTHORIZED;
+        return note_ntlm_auth_failure(r);
     }
     
     /* if AF, record username */
     if (strncmp(argsbuffer, "AF ", 3) == 0) {
-        ntlm_connection->auth_ok = 1;
-        
-        ntlm_connection->user = ap_pstrdup(ntlm_connection->pool,
-                                         childarg);
-        r->connection->user = ap_pstrdup(r->connection->pool,
-                                         childarg);
-        r->connection->ap_auth_type = ap_pstrdup(r->connection->pool,
-                                                 NTLM_AUTH_NAME);
+        ntlm_authenticated->user = ap_pstrdup(ntlm_authenticated->pool,
+                                              childarg);
+        r->connection->user = ntlm_authenticated->user;
+        r->connection->ap_auth_type = NTLM_AUTH_NAME;
         return OK;
     }
     
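Review bot: The `AF` branch never marks the connection as authenticated: the removed `ntlm_connection->auth_ok = 1` has no replacement, and `ntlm_authenticated->auth_ok` is only ever written as 0 at its initialisation earlier in this function, so the "trust the authentication on an existing connection" check later in the file that reads it can never succeed and every keep-alive request will redo the full handshake through the helper. Add `ntlm_authenticated->auth_ok = 1;` next to the `user` assignment. I would also reject an empty `childarg` before storing it, since an `AF ` line with nothing after it would otherwise pass a blank principal through to `r->connection->user`; whether the helper can emit that should be confirmed against ntlm_auth's output format. The enclosing function starts before this hunk.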
@@ -525,9 +550,9 @@
     
     ap_log_rerror(APLOG_MARK, NTLM_DEBUG, r, 
                   "could not parse NTLM helper callback: %s", argsbuffer);            
-
     ap_destroy_pool(ntlm_connection->pool);
-    return HTTP_BAD_REQUEST;
+    ap_destroy_pool(ntlm_authenticated->pool);
+    return HTTP_INTERNAL_SERVER_ERROR;
 }
 
 /* Called to create a configuration structure for each <Directory> section
@@ -636,9 +661,10 @@
 
     /* Trust the authentication on an existing connection */
 
-    if (ntlm_connection && ntlm_connection->auth_ok) {
-        r->connection->user = ntlm_connection->user;
-        r->connection->ap_auth_type = "NTLM";
+    if (ntlm_authenticated && ntlm_authenticated->auth_ok) {
+        /* silently accept login with same credentials */
+        r->connection->user = ntlm_authenticated->user;
+        r->connection->ap_auth_type = NTLM_AUTH_NAME;
         return OK;
     }
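Review bot: The short-circuit on `ntlm_authenticated->auth_ok` has no guard on `ntlm_authenticated->user`, so if the flag is ever set without a user having been stored the request is granted with a NULL `r->connection->user`; I would tighten it to `if (ntlm_authenticated && ntlm_authenticated->auth_ok && ntlm_authenticated->user) {`. Note that nothing in this changeset sets `auth_ok` to 1 (the `AF` branch stores only `user`), so as committed this branch is dead, presumably by oversight. The per-connection binding itself looks right: the struct lives in a sub-pool of `r->connection->pool`, so the trusted state cannot outlive the TCP connection that was actually authenticated, which is the property NTLM connection-level auth depends on. The enclosing function starts before and ends after this hunk.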
 


