svn commit: lorikeet r72 - in trunk/mod_ntlm_winbind: .
abartlet at samba.org
abartlet at samba.org
Sat Sep 25 01:58:27 GMT 2004
Author: abartlet
Date: 2004-09-25 01:58:26 +0000 (Sat, 25 Sep 2004)
New Revision: 72
WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=lorikeet&path=/trunk/mod_ntlm_winbind&rev=72&nolog=1
Log:
Clean out the (unused) groups code from mod_ntlm_winbindd, and a few
fixes for 'Negotiate' support.
Andrew Bartlett
Modified:
trunk/mod_ntlm_winbind/mod_ntlm_winbind.c
Changeset:
Modified: trunk/mod_ntlm_winbind/mod_ntlm_winbind.c
===================================================================
--- trunk/mod_ntlm_winbind/mod_ntlm_winbind.c 2004-09-25 01:01:46 UTC (rev 71)
+++ trunk/mod_ntlm_winbind/mod_ntlm_winbind.c 2004-09-25 01:58:26 UTC (rev 72)
@@ -94,9 +94,6 @@
unsigned int ntlm_basic_on;
char *ntlm_basic_realm;
unsigned int authoritative;
- char *ntlm_auth_dompwfile;
- char *ntlm_auth_domgrfile;
- char *ntlm_auth_localpwfile;
char *ntlm_auth_helper;
char *negotiate_ntlm_auth_helper;
} ntlm_config_rec;
@@ -190,16 +187,6 @@
(void *) XtOffsetOf(ntlm_config_rec, negotiate_ntlm_auth_helper), OR_AUTHCFG,
TAKE1, "location and arguments to the Samba ntlm_auth utility"},
- /* Authorisation commands */
-
- { "NTLMAuthDomUserFile", ap_set_string_slot,
- (void *) XtOffsetOf(ntlm_config_rec, ntlm_auth_dompwfile), OR_AUTHCFG,
- TAKE1, "file containing list of authorised domain users"},
-
- { "NTLMAuthDomGroupFile", ap_set_string_slot,
- (void *) XtOffsetOf(ntlm_config_rec, ntlm_auth_domgrfile), OR_AUTHCFG,
- TAKE1, "file containing list of authorised domain groups"},
-
/* Basic Authentcation transport for non-IE browsers */
{ "NTLMBasicAuth", ap_set_flag_slot,
@@ -317,72 +304,6 @@
{
}
-/* Return true if the user is in the list of authorised users */
-
-static int
-user_in_auth_users(request_rec *r, ntlm_config_rec *crec, char *user)
-{
- configfile_t *f;
- char line[MAX_STRING_LEN];
- int result = 0;
-
- if (!crec->ntlm_auth_dompwfile)
- return 0;
-
- if (!(f = ap_pcfg_openfile(r->pool, crec->ntlm_auth_dompwfile))) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, r, "opening %s",
- crec->ntlm_auth_dompwfile);
- return 0;
- }
-
- while (!(ap_cfg_getline(line, MAX_STRING_LEN, f))) {
- if ((line[0] == '#') || (!line[0]))
- continue;
-
- if (strcmp(user, line) == 0) {
- result = 1;
- goto done;
- }
- }
-
- done:
- ap_cfg_closefile(f);
- return result;
-}
-
-/* Return true if a group is in the list of authorised groups */
-
-static int
-group_in_auth_groups(request_rec *r, ntlm_config_rec *crec, char *group)
-{
- configfile_t *f;
- char line[MAX_STRING_LEN];
- int result = 0;
-
- if (!crec->ntlm_auth_domgrfile)
- return 0;
-
- if (!(f = ap_pcfg_openfile(r->pool, crec->ntlm_auth_domgrfile))) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, r, "opening %s",
- crec->ntlm_auth_domgrfile);
- return 0;
- }
-
- while (!(ap_cfg_getline(line, MAX_STRING_LEN, f))) {
- if ((line[0] == '#') || (!line[0]))
- continue;
-
- if (strcmp(group, line) == 0) {
- result = 1;
- goto done;
- }
- }
-
- done:
- ap_cfg_closefile(f);
- return result;
-}
-
static int helper_child(void *child_stuff, child_info *pinfo)
{
struct ntlm_child_stuff *cld = (struct ntlm_child_stuff *) child_stuff;
@@ -720,16 +641,8 @@
const char *auth_line = ap_table_get(r->headers_in,
r->proxyreq ? "Proxy-Authorization"
: "Authorization");
+ const char *auth_line2;
- /* Don't authenticate if not enabled. Return declined so another
- apache authentication module can give it a go. */
-
- if (!crec->ntlm_on) {
- ap_log_rerror(APLOG_MARK, NTLM_DEBUG, r,
- "NTLM authentication is not enabled");
- return DECLINED;
- }
-
/* Trust the authentication on an existing connection */
if (connected_user_authenticated && connected_user_authenticated->user) {
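Review bot: Dropping the early `!crec->ntlm_on` return means the "trust the authentication on an existing connection" branch that follows is now reached in locations where neither scheme is enabled; crec appears to be per-directory configuration (the removed auth_checker fetched it from r->per_dir_config) while connected_user_authenticated is connection state, so a keep-alive connection authenticated under one location would be trusted in another location whose config has this module switched off. The per-scheme `ntlm_on`/`negotiate_on` checks added later in this function only guard a fresh Authorization header, not the cached-user path. A combined guard in place of the removed one, `if (!crec->ntlm_on && !crec->negotiate_on) return DECLINED;`, would keep a Negotiate-only configuration working without widening the trust. check_user_id begins before this hunk, so how connected_user_authenticated is populated is not visible here.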
@@ -750,13 +663,27 @@
/* If basic authentication is requested and enabled, try to
authenticate the user with basic */
+ auth_line2 = auth_line;
if (crec->ntlm_basic_on
- && strcasecmp(ap_getword(r->pool, &auth_line, ' '), "Basic") == 0)
+ && strcasecmp(ap_getword(r->pool, &auth_line2, ' '), "Basic") == 0)
return authenticate_basic_user(r, crec, auth_line);
+ /* Process a 'Negotiate' SPNEGO over http message */
+ auth_line2 = auth_line;
+ if (strcasecmp(ap_getword(r->pool, &auth_line2, ' '), NEGOTIATE_AUTH_NAME) == 0) {
+ if (!crec->negotiate_on) {
+ ap_log_rerror(APLOG_MARK, NTLM_DEBUG, r,
+ "Negotiate authentication is not enabled");
+ return DECLINED;
+ } else {
+ return process_msg(r, crec, NEGOTIATE_AUTH_NAME);
+ }
+ }
+
/* Process a NTLM over http message */
- if (strcasecmp(ap_getword(r->pool, &auth_line, ' '), NTLM_AUTH_NAME) == 0) {
+ auth_line2 = auth_line;
+ if (strcasecmp(ap_getword(r->pool, &auth_line2, ' '), NTLM_AUTH_NAME) == 0) {
if (!crec->ntlm_on) {
ap_log_rerror(APLOG_MARK, NTLM_DEBUG, r,
"NTLM authentication is not enabled");
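Review bot: `authenticate_basic_user(r, crec, auth_line)` now receives the header value with the scheme word still in front, because the `ap_getword` in the condition advances `auth_line2` rather than `auth_line`; before this change the call was made with the pointer already advanced past "Basic ". Unless authenticate_basic_user strips the scheme itself (its body is outside this hunk), the call should pass the advanced copy: `return authenticate_basic_user(r, crec, auth_line2);`. The copy-then-getword pattern is now repeated three times; tokenising once before the chain, `const char *scheme = ap_getword(r->pool, &auth_line2, ' ');`, and comparing `scheme` in each branch would avoid re-parsing the header and make the fall-through order explicit. It is also worth confirming that auth_line has been NULL-checked before the first ap_getword, since ap_table_get returns NULL when the header is absent; that check, if present, is outside the hunk.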
@@ -764,46 +691,13 @@
} else {
return process_msg(r, crec, NTLM_AUTH_NAME);
}
- } else if (strcasecmp(ap_getword(r->pool, &auth_line, ' '), NEGOTIATE_AUTH_NAME) == 0) {
- if (!crec->negotiate_on) {
- ap_log_rerror(APLOG_MARK, NTLM_DEBUG, r,
- "NTLM authentication is not enabled");
- return DECLINED;
- } else {
- return process_msg(r, crec, NEGOTIATE_AUTH_NAME);
- }
- } else {
- return note_auth_failure(r, NULL);
}
-}
-/* Check user authorised for a particular location. */
-
-static int
-auth_checker(request_rec * r)
-{
- ntlm_config_rec *crec =
- (ntlm_config_rec *) ap_get_module_config(r->per_dir_config,
- &ntlm_winbind_module);
- const char *auth_line = ap_table_get(r->headers_in,
- r->proxyreq ? "Proxy-Authorization"
- : "Authorization");
-
- /* Short cuts */
-
- if (!crec->ntlm_on)
- return DECLINED;
-
- if (!auth_line) {
- note_auth_failure(r, NULL);
- return AUTH_REQUIRED;
+ if (connected_user_authenticated) {
+ ap_destroy_pool(connected_user_authenticated->pool);
}
- /* TODO: What we should really do here is perform the authorisation
- check here against 'require user' and 'require group' instead of
- performing the check in the authentication section. */
-
- return OK;
+ return DECLINED;
}
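Review bot: After `ap_destroy_pool(connected_user_authenticated->pool)` the pointer connected_user_authenticated is left dangling if, as the pool it carries suggests, the record itself is allocated from that pool; the next request on the same connection then dereferences it in the `connected_user_authenticated->user` check earlier in check_user_id. Clearing it right after the destroy, `connected_user_authenticated = NULL;`, removes the stale reference whatever the allocation strategy turns out to be. The new tail also replaces the `note_auth_failure(r, NULL)` challenge for an unrecognised scheme with a bare DECLINED, so a client sending an unsupported scheme to a location where this module is the only authenticator no longer gets a WWW-Authenticate response; confirm that is intended. Removing auth_checker (and the NULL in the dispatch table below) leaves `require` directives unhandled by this module, and as far as I recall Apache 1.3 treats an all-declined auth_checker phase as a configuration error rather than granting access, which is the safe failure but may surprise users of the removed directives.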
/* Dispatch list for API hooks */
@@ -819,7 +713,7 @@
NULL, /* [#8] MIME-typed-dispatched handlers */
NULL, /* [#1] URI to filename translation */
check_user_id, /* [#4] validate user id from request */
- auth_checker, /* [#5] check if the user is ok _here_ */
+ NULL, /* [#5] check if the user is ok _here_ */
NULL, /* [#3] check access by host address */
NULL, /* [#6] determine MIME type */
NULL, /* [#7] pre-run fixups */