svn commit: lorikeet r72 - in trunk/mod_ntlm_winbind: .

abartlet at samba.org abartlet at samba.org
Sat Sep 25 01:58:27 GMT 2004


Author: abartlet
Date: 2004-09-25 01:58:26 +0000 (Sat, 25 Sep 2004)
New Revision: 72

WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=lorikeet&path=/trunk/mod_ntlm_winbind&rev=72&nolog=1

Log:
Clean out the (unused) user/group file authorisation code from mod_ntlm_winbind, and a few
fixes for 'Negotiate' support.

Andrew Bartlett

Modified:
   trunk/mod_ntlm_winbind/mod_ntlm_winbind.c


Changeset:
Modified: trunk/mod_ntlm_winbind/mod_ntlm_winbind.c
===================================================================
--- trunk/mod_ntlm_winbind/mod_ntlm_winbind.c	2004-09-25 01:01:46 UTC (rev 71)
+++ trunk/mod_ntlm_winbind/mod_ntlm_winbind.c	2004-09-25 01:58:26 UTC (rev 72)
@@ -94,9 +94,6 @@
     unsigned int ntlm_basic_on;
     char *ntlm_basic_realm;
     unsigned int authoritative;
-    char *ntlm_auth_dompwfile;
-    char *ntlm_auth_domgrfile;
-    char *ntlm_auth_localpwfile;
     char *ntlm_auth_helper;
     char *negotiate_ntlm_auth_helper;
 } ntlm_config_rec;
@@ -190,16 +187,6 @@
       (void *) XtOffsetOf(ntlm_config_rec, negotiate_ntlm_auth_helper), OR_AUTHCFG, 
       TAKE1, "location and arguments to the Samba ntlm_auth utility"},
 
-    /* Authorisation commands */
-
-    { "NTLMAuthDomUserFile", ap_set_string_slot,
-      (void *) XtOffsetOf(ntlm_config_rec, ntlm_auth_dompwfile), OR_AUTHCFG, 
-      TAKE1, "file containing list of authorised domain users"},
-
-    { "NTLMAuthDomGroupFile", ap_set_string_slot,
-      (void *) XtOffsetOf(ntlm_config_rec, ntlm_auth_domgrfile), OR_AUTHCFG, 
-      TAKE1, "file containing list of authorised domain groups"},
-
     /* Basic Authentcation transport for non-IE browsers */
 
     { "NTLMBasicAuth", ap_set_flag_slot,
@@ -317,72 +304,6 @@
 {
 }
 
-/* Return true if the user is in the list of authorised users */
-
-static int
-user_in_auth_users(request_rec *r, ntlm_config_rec *crec, char *user)
-{
-    configfile_t *f;
-    char line[MAX_STRING_LEN];
-    int result = 0;
-
-    if (!crec->ntlm_auth_dompwfile)
-        return 0;
-
-    if (!(f = ap_pcfg_openfile(r->pool, crec->ntlm_auth_dompwfile))) {
-	ap_log_rerror(APLOG_MARK, APLOG_ERR, r, "opening %s", 
-                      crec->ntlm_auth_dompwfile);
-	return 0;
-    }
-
-    while (!(ap_cfg_getline(line, MAX_STRING_LEN, f))) {
-	if ((line[0] == '#') || (!line[0]))
-	    continue;
-
-	if (strcmp(user, line) == 0) {
-            result = 1;
-            goto done;
-	}
-    }
-
- done:
-    ap_cfg_closefile(f);
-    return result;
-}
-
-/* Return true if a group is in the list of authorised groups */
-
-static int
-group_in_auth_groups(request_rec *r, ntlm_config_rec *crec, char *group)
-{
-    configfile_t *f;
-    char line[MAX_STRING_LEN];
-    int result = 0;
-
-    if (!crec->ntlm_auth_domgrfile)
-        return 0;
-
-    if (!(f = ap_pcfg_openfile(r->pool, crec->ntlm_auth_domgrfile))) {
-	ap_log_rerror(APLOG_MARK, APLOG_ERR, r, "opening %s", 
-                      crec->ntlm_auth_domgrfile);
-	return 0;
-    }
-
-    while (!(ap_cfg_getline(line, MAX_STRING_LEN, f))) {
-	if ((line[0] == '#') || (!line[0]))
-	    continue;
-
-	if (strcmp(group, line) == 0) {
-            result = 1;
-            goto done;
-	}
-    }
-
- done:
-    ap_cfg_closefile(f);
-    return result;
-}
-
 static int helper_child(void *child_stuff, child_info *pinfo)
 {
     struct ntlm_child_stuff *cld = (struct ntlm_child_stuff *) child_stuff;
@@ -720,16 +641,8 @@
     const char *auth_line = ap_table_get(r->headers_in,
                                          r->proxyreq ? "Proxy-Authorization"
                                          : "Authorization");
+    const char *auth_line2;
 
-    /* Don't authenticate if not enabled.  Return declined so another
-       apache authentication module can give it a go. */
-
-    if (!crec->ntlm_on) {
-        ap_log_rerror(APLOG_MARK, NTLM_DEBUG, r, 
-                      "NTLM authentication is not enabled");
-        return DECLINED;
-    }
-
     /* Trust the authentication on an existing connection */
 
     if (connected_user_authenticated && connected_user_authenticated->user) {
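Review bot: With the early `if (!crec->ntlm_on) return DECLINED;` removed, the existing-connection trust check `if (connected_user_authenticated && connected_user_authenticated->user)` now runs even for a location where neither NTLM nor Negotiate is enabled; its body lies outside the hunk, so if it returns OK a user authenticated earlier on a keep-alive connection would pass through a directory that has both mechanisms switched off. Consider gating the reuse on the per-directory config, e.g. `if ((crec->ntlm_on || crec->negotiate_on) && connected_user_authenticated && connected_user_authenticated->user)`. check_user_id begins before this hunk and continues past it.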
@@ -750,13 +663,27 @@
     /* If basic authentication is requested and enabled, try to
        authenticate the user with basic */
 
+    auth_line2 = auth_line;
     if (crec->ntlm_basic_on
-        && strcasecmp(ap_getword(r->pool, &auth_line, ' '), "Basic") == 0)
+        && strcasecmp(ap_getword(r->pool, &auth_line2, ' '), "Basic") == 0)
         return authenticate_basic_user(r, crec, auth_line);
 
+    /* Process a 'Negotiate' SPNEGO over http message */
+    auth_line2 = auth_line;
+    if (strcasecmp(ap_getword(r->pool, &auth_line2, ' '), NEGOTIATE_AUTH_NAME) == 0) {
+        if (!crec->negotiate_on) {
+            ap_log_rerror(APLOG_MARK, NTLM_DEBUG, r, 
+                          "Negotiate authentication is not enabled");
+            return DECLINED;
+        } else {
+            return process_msg(r, crec, NEGOTIATE_AUTH_NAME);
+        }
+    }
+
     /* Process a NTLM over http message */
 
-    if (strcasecmp(ap_getword(r->pool, &auth_line, ' '), NTLM_AUTH_NAME) == 0) {
+    auth_line2 = auth_line;
+    if (strcasecmp(ap_getword(r->pool, &auth_line2, ' '), NTLM_AUTH_NAME) == 0) {
         if (!crec->ntlm_on) {
             ap_log_rerror(APLOG_MARK, NTLM_DEBUG, r, 
                           "NTLM authentication is not enabled");
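Review bot: The Basic branch still passes `auth_line` to `authenticate_basic_user` while the scheme word is now consumed from the copy `auth_line2`, so the callee receives the whole `Basic <credentials>` text instead of the credentials that followed the scheme word before this change; unless authenticate_basic_user strips the scheme itself (not visible here), Basic fallback is broken. The fix is `return authenticate_basic_user(r, crec, auth_line2);`. Also, `ap_getword` dereferences `*line`, so each of these three calls relies on a `!auth_line` check in the lines between this hunk and the previous one, which I cannot see; worth confirming that check survived the rewrite. check_user_id starts before this hunk and continues after it.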
@@ -764,46 +691,13 @@
         } else {
             return process_msg(r, crec, NTLM_AUTH_NAME);
         }
-    } else if (strcasecmp(ap_getword(r->pool, &auth_line, ' '), NEGOTIATE_AUTH_NAME) == 0) {
-        if (!crec->negotiate_on) {
-            ap_log_rerror(APLOG_MARK, NTLM_DEBUG, r, 
-                          "NTLM authentication is not enabled");
-            return DECLINED;
-        } else {
-            return process_msg(r, crec, NEGOTIATE_AUTH_NAME);
-        }
-    } else {
-        return note_auth_failure(r, NULL);
     }
-}
 
-/* Check user authorised for a particular location. */
-
-static int 
-auth_checker(request_rec * r)
-{
-    ntlm_config_rec *crec =
-    (ntlm_config_rec *) ap_get_module_config(r->per_dir_config,
-                                             &ntlm_winbind_module);
-    const char *auth_line = ap_table_get(r->headers_in,
-                                         r->proxyreq ? "Proxy-Authorization"
-                                         : "Authorization");
-
-    /* Short cuts */
-
-    if (!crec->ntlm_on)
-        return DECLINED;
-
-    if (!auth_line) {
-        note_auth_failure(r, NULL);
-        return AUTH_REQUIRED;
+    if (connected_user_authenticated) {
+        ap_destroy_pool(connected_user_authenticated->pool);
     }
 
-    /* TODO: What we should really do here is perform the authorisation
-       check here against 'require user' and 'require group' instead of
-       performing the check in the authentication section. */
-
-    return OK;
+    return DECLINED;
 }
 
 /* Dispatch list for API hooks */
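Review bot: `ap_destroy_pool(connected_user_authenticated->pool)` on the new fall-through path leaves `connected_user_authenticated` itself unchanged; if that struct was allocated from the pool it owns (its allocation is not in this hunk), the next request on the same connection reaches `connected_user_authenticated->user` through freed memory. Add `connected_user_authenticated = NULL;` immediately after the destroy so the trust check cannot see a stale record. Separately, a request whose Authorization header carries a scheme other than Basic, NTLM or Negotiate used to get `note_auth_failure(r, NULL)` and now reaches `return DECLINED;`, so whether the client still receives a WWW-Authenticate challenge now depends on another module claiming the request. check_user_id begins before this hunk.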
@@ -819,7 +713,7 @@
     NULL,                    /* [#8] MIME-typed-dispatched handlers */
     NULL,                    /* [#1] URI to filename translation    */
     check_user_id,           /* [#4] validate user id from request  */
-    auth_checker,            /* [#5] check if the user is ok _here_ */
+    NULL,                    /* [#5] check if the user is ok _here_ */
     NULL,                    /* [#3] check access by host address   */
     NULL,                    /* [#6] determine MIME type            */
     NULL,                    /* [#7] pre-run fixups                 */


