17 handler_t
auth_ldap_init(server
*srv
, mod_auth_plugin_config
*s
);
21 * the basic and digest auth framework
32 INIT_FUNC(mod_auth_init
) {
33 mod_auth_plugin_data
*p
;
35 p
= calloc(1, sizeof(*p
));
37 p
->tmp_buf
= buffer_init();
39 p
->auth_user
= buffer_init();
41 p
->ldap_filter
= buffer_init();
47 FREE_FUNC(mod_auth_free
) {
48 mod_auth_plugin_data
*p
= p_d
;
52 if (!p
) return HANDLER_GO_ON
;
54 buffer_free(p
->tmp_buf
);
55 buffer_free(p
->auth_user
);
57 buffer_free(p
->ldap_filter
);
60 if (p
->config_storage
) {
62 for (i
= 0; i
< srv
->config_context
->used
; i
++) {
63 mod_auth_plugin_config
*s
= p
->config_storage
[i
];
65 if (NULL
== s
) continue;
67 array_free(s
->auth_require
);
68 buffer_free(s
->auth_plain_groupfile
);
69 buffer_free(s
->auth_plain_userfile
);
70 buffer_free(s
->auth_htdigest_userfile
);
71 buffer_free(s
->auth_htpasswd_userfile
);
72 buffer_free(s
->auth_backend_conf
);
74 buffer_free(s
->auth_ldap_hostname
);
75 buffer_free(s
->auth_ldap_basedn
);
76 buffer_free(s
->auth_ldap_binddn
);
77 buffer_free(s
->auth_ldap_bindpw
);
78 buffer_free(s
->auth_ldap_filter
);
79 buffer_free(s
->auth_ldap_cafile
);
82 buffer_free(s
->ldap_filter_pre
);
83 buffer_free(s
->ldap_filter_post
);
85 if (s
->ldap
) ldap_unbind_s(s
->ldap
);
90 free(p
->config_storage
);
100 static int mod_auth_patch_connection(server
*srv
, connection
*con
, mod_auth_plugin_data
*p
) {
102 mod_auth_plugin_config
*s
= p
->config_storage
[0];
105 PATCH(auth_plain_groupfile
);
106 PATCH(auth_plain_userfile
);
107 PATCH(auth_htdigest_userfile
);
108 PATCH(auth_htpasswd_userfile
);
111 PATCH(auth_ldap_hostname
);
112 PATCH(auth_ldap_basedn
);
113 PATCH(auth_ldap_binddn
);
114 PATCH(auth_ldap_bindpw
);
115 PATCH(auth_ldap_filter
);
116 PATCH(auth_ldap_cafile
);
117 PATCH(auth_ldap_starttls
);
118 PATCH(auth_ldap_allow_empty_pw
);
121 PATCH(ldap_filter_pre
);
122 PATCH(ldap_filter_post
);
125 /* skip the first, the global context */
126 for (i
= 1; i
< srv
->config_context
->used
; i
++) {
127 data_config
*dc
= (data_config
*)srv
->config_context
->data
[i
];
128 s
= p
->config_storage
[i
];
130 /* condition didn't match */
131 if (!config_check_cond(srv
, con
, dc
)) continue;
134 for (j
= 0; j
< dc
->value
->used
; j
++) {
135 data_unset
*du
= dc
->value
->data
[j
];
137 if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("auth.backend"))) {
139 } else if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("auth.backend.plain.groupfile"))) {
140 PATCH(auth_plain_groupfile
);
141 } else if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("auth.backend.plain.userfile"))) {
142 PATCH(auth_plain_userfile
);
143 } else if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("auth.backend.htdigest.userfile"))) {
144 PATCH(auth_htdigest_userfile
);
145 } else if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("auth.backend.htpasswd.userfile"))) {
146 PATCH(auth_htpasswd_userfile
);
147 } else if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("auth.require"))) {
149 } else if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("auth.debug"))) {
151 } else if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("auth.backend.ldap.hostname"))) {
152 PATCH(auth_ldap_hostname
);
156 } else if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("auth.backend.ldap.base-dn"))) {
157 PATCH(auth_ldap_basedn
);
158 } else if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("auth.backend.ldap.filter"))) {
159 PATCH(auth_ldap_filter
);
161 PATCH(ldap_filter_pre
);
162 PATCH(ldap_filter_post
);
164 } else if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("auth.backend.ldap.ca-file"))) {
165 PATCH(auth_ldap_cafile
);
166 } else if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("auth.backend.ldap.starttls"))) {
167 PATCH(auth_ldap_starttls
);
168 } else if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("auth.backend.ldap.bind-dn"))) {
169 PATCH(auth_ldap_binddn
);
170 } else if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("auth.backend.ldap.bind-pw"))) {
171 PATCH(auth_ldap_bindpw
);
172 } else if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("auth.backend.ldap.allow-empty-pw"))) {
173 PATCH(auth_ldap_allow_empty_pw
);
182 static handler_t
mod_auth_uri_handler(server
*srv
, connection
*con
, void *p_d
) {
184 int auth_required
= 0, auth_satisfied
= 0;
185 char *http_authorization
= NULL
;
186 const char *auth_type
= NULL
;
188 mod_auth_plugin_data
*p
= p_d
;
190 data_string
*req_method
;
192 /* select the right config */
193 mod_auth_patch_connection(srv
, con
, p
);
195 if (p
->conf
.auth_require
== NULL
) return HANDLER_GO_ON
;
202 /* do we have to ask for auth ? */
207 /* search auth-directives for path */
208 for (k
= 0; k
< p
->conf
.auth_require
->used
; k
++) {
209 buffer
*require
= p
->conf
.auth_require
->data
[k
]->key
;
211 if (buffer_is_empty(require
)) continue;
212 if (buffer_string_length(con
->uri
.path
) < buffer_string_length(require
)) continue;
214 /* if we have a case-insensitive FS we have to lower-case the URI here too */
216 if (con
->conf
.force_lowercase_filenames
) {
217 if (0 == strncasecmp(con
->uri
.path
->ptr
, require
->ptr
, buffer_string_length(require
))) {
222 if (0 == strncmp(con
->uri
.path
->ptr
, require
->ptr
, buffer_string_length(require
))) {
229 /* nothing to do for us */
230 if (auth_required
== 0) return HANDLER_GO_ON
;
232 req
= ((data_array
*)(p
->conf
.auth_require
->data
[k
]))->value
;
233 req_method
= (data_string
*)array_get_element(req
, "method");
235 if (0 == strcmp(req_method
->value
->ptr
, "extern")) {
236 /* require REMOTE_USER to be already set */
237 if (NULL
== (ds
= (data_string
*)array_get_element(con
->environment
, "REMOTE_USER"))) {
238 con
->http_status
= 401;
240 return HANDLER_FINISHED
;
241 } else if (http_auth_match_rules(srv
, req
, ds
->value
->ptr
, NULL
, NULL
)) {
242 log_error_write(srv
, __FILE__
, __LINE__
, "s", "rules didn't match");
243 con
->http_status
= 401;
245 return HANDLER_FINISHED
;
247 return HANDLER_GO_ON
;
251 /* try to get Authorization-header */
253 if (NULL
!= (ds
= (data_string
*)array_get_element(con
->request
.headers
, "Authorization")) && !buffer_is_empty(ds
->value
)) {
256 http_authorization
= ds
->value
->ptr
;
258 /* parse auth-header */
259 if (NULL
!= (auth_realm
= strchr(http_authorization
, ' '))) {
260 int auth_type_len
= auth_realm
- http_authorization
;
262 if ((auth_type_len
== 5) &&
263 (0 == strncasecmp(http_authorization
, "Basic", auth_type_len
))) {
266 if (0 == strcmp(req_method
->value
->ptr
, "basic")) {
267 auth_satisfied
= http_auth_basic_check(srv
, con
, p
, req
, auth_realm
+1);
269 } else if ((auth_type_len
== 6) &&
270 (0 == strncasecmp(http_authorization
, "Digest", auth_type_len
))) {
271 auth_type
= "Digest";
272 if (0 == strcmp(req_method
->value
->ptr
, "digest")) {
273 if (-1 == (auth_satisfied
= http_auth_digest_check(srv
, con
, p
, req
, auth_realm
+1))) {
274 con
->http_status
= 400;
277 /* a field was missing */
279 return HANDLER_FINISHED
;
283 log_error_write(srv
, __FILE__
, __LINE__
, "ss",
284 "unknown authentication type:",
290 if (!auth_satisfied
) {
291 data_string
*method
, *realm
;
292 method
= (data_string
*)array_get_element(req
, "method");
293 realm
= (data_string
*)array_get_element(req
, "realm");
295 con
->http_status
= 401;
298 if (0 == strcmp(method
->value
->ptr
, "basic")) {
299 buffer_copy_string_len(p
->tmp_buf
, CONST_STR_LEN("Basic realm=\""));
300 buffer_append_string_buffer(p
->tmp_buf
, realm
->value
);
301 buffer_append_string_len(p
->tmp_buf
, CONST_STR_LEN("\", charset=\"UTF-8\""));
303 response_header_insert(srv
, con
, CONST_STR_LEN("WWW-Authenticate"), CONST_BUF_LEN(p
->tmp_buf
));
304 } else if (0 == strcmp(method
->value
->ptr
, "digest")) {
306 http_auth_digest_generate_nonce(srv
, p
, srv
->tmp_buf
, &hh
);
308 buffer_copy_string_len(p
->tmp_buf
, CONST_STR_LEN("Digest realm=\""));
309 buffer_append_string_buffer(p
->tmp_buf
, realm
->value
);
310 buffer_append_string_len(p
->tmp_buf
, CONST_STR_LEN("\", charset=\"UTF-8\", nonce=\""));
311 buffer_append_string(p
->tmp_buf
, hh
);
312 buffer_append_string_len(p
->tmp_buf
, CONST_STR_LEN("\", qop=\"auth\""));
314 response_header_insert(srv
, con
, CONST_STR_LEN("WWW-Authenticate"), CONST_BUF_LEN(p
->tmp_buf
));
318 return HANDLER_FINISHED
;
320 /* the REMOTE_USER header */
322 if (NULL
== (ds
= (data_string
*)array_get_element(con
->environment
, "REMOTE_USER"))) {
323 if (NULL
== (ds
= (data_string
*)array_get_unused_element(con
->environment
, TYPE_STRING
))) {
324 ds
= data_string_init();
326 buffer_copy_string(ds
->key
, "REMOTE_USER");
327 array_insert_unique(con
->environment
, (data_unset
*)ds
);
329 buffer_copy_buffer(ds
->value
, p
->auth_user
);
331 /* AUTH_TYPE environment */
333 if (NULL
== (ds
= (data_string
*)array_get_element(con
->environment
, "AUTH_TYPE"))) {
334 if (NULL
== (ds
= (data_string
*)array_get_unused_element(con
->environment
, TYPE_STRING
))) {
335 ds
= data_string_init();
337 buffer_copy_string(ds
->key
, "AUTH_TYPE");
338 array_insert_unique(con
->environment
, (data_unset
*)ds
);
340 buffer_copy_string(ds
->value
, auth_type
);
343 return HANDLER_GO_ON
;
346 SETDEFAULTS_FUNC(mod_auth_set_defaults
) {
347 mod_auth_plugin_data
*p
= p_d
;
350 config_values_t cv
[] = {
351 { "auth.backend", NULL
, T_CONFIG_STRING
, T_CONFIG_SCOPE_CONNECTION
}, /* 0 */
352 { "auth.backend.plain.groupfile", NULL
, T_CONFIG_STRING
, T_CONFIG_SCOPE_CONNECTION
}, /* 1 */
353 { "auth.backend.plain.userfile", NULL
, T_CONFIG_STRING
, T_CONFIG_SCOPE_CONNECTION
}, /* 2 */
354 { "auth.require", NULL
, T_CONFIG_LOCAL
, T_CONFIG_SCOPE_CONNECTION
}, /* 3 */
355 { "auth.backend.ldap.hostname", NULL
, T_CONFIG_STRING
, T_CONFIG_SCOPE_CONNECTION
}, /* 4 */
356 { "auth.backend.ldap.base-dn", NULL
, T_CONFIG_STRING
, T_CONFIG_SCOPE_CONNECTION
}, /* 5 */
357 { "auth.backend.ldap.filter", NULL
, T_CONFIG_STRING
, T_CONFIG_SCOPE_CONNECTION
}, /* 6 */
358 { "auth.backend.ldap.ca-file", NULL
, T_CONFIG_STRING
, T_CONFIG_SCOPE_CONNECTION
}, /* 7 */
359 { "auth.backend.ldap.starttls", NULL
, T_CONFIG_BOOLEAN
, T_CONFIG_SCOPE_CONNECTION
}, /* 8 */
360 { "auth.backend.ldap.bind-dn", NULL
, T_CONFIG_STRING
, T_CONFIG_SCOPE_CONNECTION
}, /* 9 */
361 { "auth.backend.ldap.bind-pw", NULL
, T_CONFIG_STRING
, T_CONFIG_SCOPE_CONNECTION
}, /* 10 */
362 { "auth.backend.ldap.allow-empty-pw", NULL
, T_CONFIG_BOOLEAN
, T_CONFIG_SCOPE_CONNECTION
}, /* 11 */
363 { "auth.backend.htdigest.userfile", NULL
, T_CONFIG_STRING
, T_CONFIG_SCOPE_CONNECTION
}, /* 12 */
364 { "auth.backend.htpasswd.userfile", NULL
, T_CONFIG_STRING
, T_CONFIG_SCOPE_CONNECTION
}, /* 13 */
365 { "auth.debug", NULL
, T_CONFIG_SHORT
, T_CONFIG_SCOPE_CONNECTION
}, /* 14 */
366 { NULL
, NULL
, T_CONFIG_UNSET
, T_CONFIG_SCOPE_UNSET
}
369 p
->config_storage
= calloc(1, srv
->config_context
->used
* sizeof(mod_auth_plugin_config
*));
371 for (i
= 0; i
< srv
->config_context
->used
; i
++) {
372 data_config
const* config
= (data_config
const*)srv
->config_context
->data
[i
];
373 mod_auth_plugin_config
*s
;
377 s
= calloc(1, sizeof(mod_auth_plugin_config
));
378 s
->auth_plain_groupfile
= buffer_init();
379 s
->auth_plain_userfile
= buffer_init();
380 s
->auth_htdigest_userfile
= buffer_init();
381 s
->auth_htpasswd_userfile
= buffer_init();
382 s
->auth_backend_conf
= buffer_init();
384 s
->auth_ldap_hostname
= buffer_init();
385 s
->auth_ldap_basedn
= buffer_init();
386 s
->auth_ldap_binddn
= buffer_init();
387 s
->auth_ldap_bindpw
= buffer_init();
388 s
->auth_ldap_filter
= buffer_init();
389 s
->auth_ldap_cafile
= buffer_init();
390 s
->auth_ldap_starttls
= 0;
393 s
->auth_require
= array_init();
396 s
->ldap_filter_pre
= buffer_init();
397 s
->ldap_filter_post
= buffer_init();
401 cv
[0].destination
= s
->auth_backend_conf
;
402 cv
[1].destination
= s
->auth_plain_groupfile
;
403 cv
[2].destination
= s
->auth_plain_userfile
;
404 cv
[3].destination
= s
->auth_require
;
405 cv
[4].destination
= s
->auth_ldap_hostname
;
406 cv
[5].destination
= s
->auth_ldap_basedn
;
407 cv
[6].destination
= s
->auth_ldap_filter
;
408 cv
[7].destination
= s
->auth_ldap_cafile
;
409 cv
[8].destination
= &(s
->auth_ldap_starttls
);
410 cv
[9].destination
= s
->auth_ldap_binddn
;
411 cv
[10].destination
= s
->auth_ldap_bindpw
;
412 cv
[11].destination
= &(s
->auth_ldap_allow_empty_pw
);
413 cv
[12].destination
= s
->auth_htdigest_userfile
;
414 cv
[13].destination
= s
->auth_htpasswd_userfile
;
415 cv
[14].destination
= &(s
->auth_debug
);
417 p
->config_storage
[i
] = s
;
419 if (0 != config_insert_values_global(srv
, config
->value
, cv
, i
== 0 ? T_CONFIG_SCOPE_SERVER
: T_CONFIG_SCOPE_CONNECTION
)) {
420 return HANDLER_ERROR
;
423 if (!buffer_string_is_empty(s
->auth_backend_conf
)) {
424 if (0 == strcmp(s
->auth_backend_conf
->ptr
, "htpasswd")) {
425 s
->auth_backend
= AUTH_BACKEND_HTPASSWD
;
426 } else if (0 == strcmp(s
->auth_backend_conf
->ptr
, "htdigest")) {
427 s
->auth_backend
= AUTH_BACKEND_HTDIGEST
;
428 } else if (0 == strcmp(s
->auth_backend_conf
->ptr
, "plain")) {
429 s
->auth_backend
= AUTH_BACKEND_PLAIN
;
430 } else if (0 == strcmp(s
->auth_backend_conf
->ptr
, "ldap")) {
431 s
->auth_backend
= AUTH_BACKEND_LDAP
;
433 log_error_write(srv
, __FILE__
, __LINE__
, "sb", "auth.backend not supported:", s
->auth_backend_conf
);
435 return HANDLER_ERROR
;
440 if (!buffer_string_is_empty(s
->auth_ldap_filter
)) {
445 if (NULL
== (dollar
= strchr(s
->auth_ldap_filter
->ptr
, '$'))) {
446 log_error_write(srv
, __FILE__
, __LINE__
, "s", "ldap: auth.backend.ldap.filter is missing a replace-operator '$'");
448 return HANDLER_ERROR
;
451 buffer_copy_string_len(s
->ldap_filter_pre
, s
->auth_ldap_filter
->ptr
, dollar
- s
->auth_ldap_filter
->ptr
);
452 buffer_copy_string(s
->ldap_filter_post
, dollar
+1);
456 /* no auth.require for this section */
457 if (NULL
== (da
= (data_array
*)array_get_element(config
->value
, "auth.require"))) continue;
459 if (da
->type
!= TYPE_ARRAY
) continue;
461 for (n
= 0; n
< da
->value
->used
; n
++) {
463 data_array
*da_file
= (data_array
*)da
->value
->data
[n
];
464 const char *method
, *realm
, *require
;
466 if (da
->value
->data
[n
]->type
!= TYPE_ARRAY
) {
467 log_error_write(srv
, __FILE__
, __LINE__
, "ss",
468 "auth.require should contain an array as in:",
469 "auth.require = ( \"...\" => ( ..., ...) )");
471 return HANDLER_ERROR
;
474 method
= realm
= require
= NULL
;
476 for (m
= 0; m
< da_file
->value
->used
; m
++) {
477 if (da_file
->value
->data
[m
]->type
== TYPE_STRING
) {
478 if (0 == strcmp(da_file
->value
->data
[m
]->key
->ptr
, "method")) {
479 method
= ((data_string
*)(da_file
->value
->data
[m
]))->value
->ptr
;
480 } else if (0 == strcmp(da_file
->value
->data
[m
]->key
->ptr
, "realm")) {
481 realm
= ((data_string
*)(da_file
->value
->data
[m
]))->value
->ptr
;
482 } else if (0 == strcmp(da_file
->value
->data
[m
]->key
->ptr
, "require")) {
483 require
= ((data_string
*)(da_file
->value
->data
[m
]))->value
->ptr
;
485 log_error_write(srv
, __FILE__
, __LINE__
, "ssbs",
486 "the field is unknown in:",
487 "auth.require = ( \"...\" => ( ..., -> \"",
488 da_file
->value
->data
[m
]->key
,
489 "\" <- => \"...\" ) )");
491 return HANDLER_ERROR
;
494 log_error_write(srv
, __FILE__
, __LINE__
, "ssbs",
495 "a string was expected for:",
496 "auth.require = ( \"...\" => ( ..., -> \"",
497 da_file
->value
->data
[m
]->key
,
498 "\" <- => \"...\" ) )");
500 return HANDLER_ERROR
;
504 if (method
== NULL
) {
505 log_error_write(srv
, __FILE__
, __LINE__
, "ss",
506 "the method field is missing in:",
507 "auth.require = ( \"...\" => ( ..., \"method\" => \"...\" ) )");
508 return HANDLER_ERROR
;
510 if (0 != strcmp(method
, "basic") &&
511 0 != strcmp(method
, "digest") &&
512 0 != strcmp(method
, "extern")) {
513 log_error_write(srv
, __FILE__
, __LINE__
, "ss",
514 "method has to be either \"basic\", \"digest\" or \"extern\" in",
515 "auth.require = ( \"...\" => ( ..., \"method\" => \"...\") )");
516 return HANDLER_ERROR
;
521 log_error_write(srv
, __FILE__
, __LINE__
, "ss",
522 "the realm field is missing in:",
523 "auth.require = ( \"...\" => ( ..., \"realm\" => \"...\" ) )");
524 return HANDLER_ERROR
;
527 if (require
== NULL
) {
528 log_error_write(srv
, __FILE__
, __LINE__
, "ss",
529 "the require field is missing in:",
530 "auth.require = ( \"...\" => ( ..., \"require\" => \"...\" ) )");
531 return HANDLER_ERROR
;
534 if (method
&& realm
&& require
) {
538 a
= data_array_init();
539 buffer_copy_buffer(a
->key
, da_file
->key
);
541 ds
= data_string_init();
543 buffer_copy_string_len(ds
->key
, CONST_STR_LEN("method"));
544 buffer_copy_string(ds
->value
, method
);
546 array_insert_unique(a
->value
, (data_unset
*)ds
);
548 ds
= data_string_init();
550 buffer_copy_string_len(ds
->key
, CONST_STR_LEN("realm"));
551 buffer_copy_string(ds
->value
, realm
);
553 array_insert_unique(a
->value
, (data_unset
*)ds
);
555 ds
= data_string_init();
557 buffer_copy_string_len(ds
->key
, CONST_STR_LEN("require"));
558 buffer_copy_string(ds
->value
, require
);
560 array_insert_unique(a
->value
, (data_unset
*)ds
);
562 array_insert_unique(s
->auth_require
, (data_unset
*)a
);
566 switch(s
->auth_backend
) {
567 case AUTH_BACKEND_LDAP
: {
568 handler_t ret
= auth_ldap_init(srv
, s
);
569 if (ret
== HANDLER_ERROR
)
578 return HANDLER_GO_ON
;
581 handler_t
auth_ldap_init(server
*srv
, mod_auth_plugin_config
*s
) {
585 if (s
->auth_ldap_basedn
->used
== 0) {
586 log_error_write(srv
, __FILE__
, __LINE__
, "s", "ldap: auth.backend.ldap.base-dn has to be set");
588 return HANDLER_ERROR
;
592 if (!buffer_string_is_empty(s
->auth_ldap_hostname
)) {
593 /* free old context */
594 if (NULL
!= s
->ldap
) ldap_unbind_s(s
->ldap
);
596 if (NULL
== (s
->ldap
= ldap_init(s
->auth_ldap_hostname
->ptr
, LDAP_PORT
))) {
597 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "ldap ...", strerror(errno
));
599 return HANDLER_ERROR
;
603 if (LDAP_OPT_SUCCESS
!= (ret
= ldap_set_option(s
->ldap
, LDAP_OPT_PROTOCOL_VERSION
, &ret
))) {
604 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "ldap:", ldap_err2string(ret
));
606 return HANDLER_ERROR
;
609 if (s
->auth_ldap_starttls
) {
610 /* if no CA file is given, it is ok, as we will use encryption
611 * if the server requires a CAfile it will tell us */
612 if (!buffer_string_is_empty(s
->auth_ldap_cafile
)) {
613 if (LDAP_OPT_SUCCESS
!= (ret
= ldap_set_option(NULL
, LDAP_OPT_X_TLS_CACERTFILE
,
614 s
->auth_ldap_cafile
->ptr
))) {
615 log_error_write(srv
, __FILE__
, __LINE__
, "ss",
616 "Loading CA certificate failed:", ldap_err2string(ret
));
618 return HANDLER_ERROR
;
622 if (LDAP_OPT_SUCCESS
!= (ret
= ldap_start_tls_s(s
->ldap
, NULL
, NULL
))) {
623 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "ldap startTLS failed:", ldap_err2string(ret
));
625 return HANDLER_ERROR
;
631 if (!buffer_string_is_empty(s
->auth_ldap_binddn
)) {
632 if (LDAP_SUCCESS
!= (ret
= ldap_simple_bind_s(s
->ldap
, s
->auth_ldap_binddn
->ptr
, s
->auth_ldap_bindpw
->ptr
))) {
633 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "ldap:", ldap_err2string(ret
));
635 return HANDLER_ERROR
;
638 if (LDAP_SUCCESS
!= (ret
= ldap_simple_bind_s(s
->ldap
, NULL
, NULL
))) {
639 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "ldap:", ldap_err2string(ret
));
641 return HANDLER_ERROR
;
645 return HANDLER_GO_ON
;
648 log_error_write(srv
, __FILE__
, __LINE__
, "s", "no ldap support available");
649 return HANDLER_ERROR
;
653 int mod_auth_plugin_init(plugin
*p
);
654 int mod_auth_plugin_init(plugin
*p
) {
655 p
->version
= LIGHTTPD_VERSION_ID
;
656 p
->name
= buffer_init_string("auth");
657 p
->init
= mod_auth_init
;
658 p
->set_defaults
= mod_auth_set_defaults
;
659 p
->handle_uri_clean
= mod_auth_uri_handler
;
660 p
->cleanup
= mod_auth_free
;