authorJan Pazdziora <jpazdziora@redhat.com>2015-04-24 13:34:18 +0200
committerJan Pazdziora <jpazdziora@redhat.com>2015-05-04 14:16:17 +0200
commitabd1ee22aabe2a7cbe8b719544499485e7037bb4 (patch)
treebc98d01f2a7bcb8d4e59ccf6d522dad9bc1f88ea
parent2de8600b1118e3632eae41bcbeb9f0393178ab55 (diff)
Add support for replacement placeholders %s and %u.
-rw-r--r--README14
-rw-r--r--mod_authnz_pam.c37
2 files changed, 50 insertions, 1 deletions
diff --git a/README b/README
index 3f5d8e9..4e5d11e 100644
--- a/README
+++ b/README
@@ -80,6 +80,20 @@ FreeIPA server, the setting would be
AuthPAMExpiredRedirect https://<IPA-server>/ipa/ui/reset_password.html
+It is also possible to use placeholders in the URL that will be replaced
+with current location (for backreference) and username (to prefill)
+on the target page:
+
+ %s URL of the current page
+ %u The username that was used for the PAM authentication
+ %% The character % itself.
+
+For example for FreeIPA 4.1+, the value can actually be
+
+ https://<IPA-server>/ipa/ui/reset_password.html?url=%s
+
+SELinux:
+
On SELinux enabled systems, boolean allow_httpd_mod_auth_pam needs to
be enabled:
diff --git a/mod_authnz_pam.c b/mod_authnz_pam.c
index 0568fdf..3de486e 100644
--- a/mod_authnz_pam.c
+++ b/mod_authnz_pam.c
@@ -71,6 +71,41 @@ static int pam_authenticate_conv(int num_msg, const struct pam_message ** msg, s
return PAM_SUCCESS;
}
+static const char * format_location(request_rec * r, const char * url, const char *login) {
+ const char * out = "";
+ const char * p = url;
+ const char * append = NULL;
+ while (*p) {
+ if (*p == '%') {
+ if (*(p + 1) == '%') {
+ append = "%";
+ } else if (*(p + 1) == 's') {
+ append = ap_construct_url(r->pool, r->uri, r);
+ if (r->args) {
+ append = apr_pstrcat(r->pool, append, "?", r->args, NULL);
+ }
+ } else if (*(p + 1) == 'u') {
+ append = login;
+ }
+ }
+ if (append) {
+ char * prefix = "";
+ if (p != url) {
+ prefix = apr_pstrndup(r->pool, url, p - url);
+ }
+ out = apr_pstrcat(r->pool, out, prefix, ap_escape_urlencoded(r->pool, append), NULL);
+ p++;
+ url = p + 1;
+ append = NULL;
+ }
+ p++;
+ }
+ if (p != url) {
+ out = apr_pstrcat(r->pool, out, url, NULL);
+ }
+ return out;
+}
+
module AP_MODULE_DECLARE_DATA authnz_pam_module;
#define _REMOTE_USER_ENV_NAME "REMOTE_USER"
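Review bot: The `%s` expansion in format_location places request-derived data into the redirect target, and nothing in the function or the README says so. `r->uri` and `r->args` come from the request, and the hostname chosen by `ap_construct_url()` may also follow the client's Host header depending on the server's canonical-name configuration (inferred, the configuration is not visible here). The `ap_escape_urlencoded()` call on every substitution keeps that data from breaking out of the Location header value, but the page receiving `url=` still gets an address the client influenced and has to check it against its own allowed hosts before sending the user back. I would add a comment above the function, e.g. `/* %s and %u expand to request-derived values; they are URL-encoded here, the target page must still validate the back-reference */`, and repeat the caveat in the README paragraph on placeholders. Separately, `char * prefix = "";` points at a string literal and should be `const char * prefix = "";`.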
@@ -109,7 +144,7 @@ static authn_status pam_authenticate_with_login_password(request_rec * r, const
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
"mod_authnz_pam: PAM_NEW_AUTHTOK_REQD: redirect to [%s]",
conf->expired_redirect_url);
- apr_table_addn(r->headers_out, "Location", conf->expired_redirect_url);
+ apr_table_addn(r->headers_out, "Location", format_location(r, conf->expired_redirect_url, login));
return HTTP_TEMPORARY_REDIRECT;
}
}