author | David Kupka <dkupka@redhat.com> | 2017-03-02 11:09:41 +0000 |
---|---|---|
committer | Jan Pazdziora <jpazdziora@redhat.com> | 2017-03-22 10:38:25 +0100 |
commit | 2b4400d42f04bd5d7172598059d57f1fa1aeb8bf (patch) | |
tree | 9705e57a4d1828d93e57ca5fa8851bbd8d0a34ff | |
parent | 8ec9a634a1fa6e18570a0f2914cd18a585cb9206 (diff) | |
Add support for multiple users mapped to single certificate
-rw-r--r-- | README | 23 | ||||
-rw-r--r-- | mod_lookup_identity.c | 29 |
2 files changed, 49 insertions, 3 deletions
@@ -5,9 +5,17 @@ Apache module mod_lookup_identity
 Apache module to lookup user identifier and retrieve additional information about the authenticated user.
-The module supports lookup of the user identifier based on certificate
-via SSSD D-Bus call org.freedesktop.sssd.infopipe.Users.FindByCertificate,
-setting up the r->user request structure.
+The module supports lookup of the user identifier based on
+certificate via SSSD D-Bus call, setting up the r->user request
+structure.
+Method org.freedesktop.sssd.infopipe.Users.FindByNameAndCertificate
+is used by default and value of query string parameter configured
+with directive LookupCertmapHintParam is passed to SSSD together with
+certificate to allow mapping of single certificate to multiple user
+accounts.
+Setting NO_CERTIFICATE_MAPPING_SUPPORT at build time changes the
+module so it does not check the query string and calls SSSD D-Bus
+method org.freedesktop.sssd.infopipe.Users.FindByCertificate.
 It also allows retrieval of list of group names the user belongs to using org.freedesktop.sssd.infopipe.GetUserGroups call and any
@@ -294,6 +302,15 @@ The default behaviour can be changed with the following directives:
 Default: 5000 (== 5 s).
+ LookupUserByCertificateParamName
+
+ Name of parameter for HTTP request's query string. The value from
+ query string (if there is any) is then sent to SSSD together with
+ the certificate. This is useful when single certificate is
+ assigned to multiple user accounts.
+
+ By default, no parameter is parsed from query string.
+
 Please note that LookupUserGroups and LookupUserGroupsIter, as well as LookupUserAttr and LookupUserAttrIter for single attribute can be configured with the same note/environment variable name. For example,
diff --git a/mod_lookup_identity.c b/mod_lookup_identity.c
index 60845f0..00c16b5 100644
--- a/mod_lookup_identity.c
+++ b/mod_lookup_identity.c
@@ -27,6 +27,7 @@
 #include "http_log.h"
 #include "http_protocol.h"
 #include "http_request.h"
+#include "util_script.h"
 #include <pwd.h>
 #include <grp.h>
@@ -38,7 +39,11 @@
 #define DBUS_SSSD_IFACE_USERS "org.freedesktop.sssd.infopipe.Users"
 #define DBUS_SSSD_GET_USER_GROUPS_METHOD "GetUserGroups"
 #define DBUS_SSSD_GET_USER_ATTR_METHOD "GetUserAttr"
+#ifndef NO_CERTIFICATE_MAPPING_SUPPORT
+#define DBUS_SSSD_FIND_BY_CERTIFICATE "FindByNameAndCertificate"
+#else
 #define DBUS_SSSD_FIND_BY_CERTIFICATE "FindByCertificate"
+#endif
 #define DBUS_SSSD_DEST "org.freedesktop.sssd.infopipe"
 #define DBUS_SSSD_TIMEOUT 5000
 #define DBUS_PROPERTIES "org.freedesktop.DBus.Properties"
@@ -61,6 +66,9 @@ typedef struct lookup_identity_config {
 char * context;
 int output;
 char * output_gecos;
+#ifndef NO_CERTIFICATE_MAPPING_SUPPORT
+ char * arg_name;
+#endif
 #ifndef NO_USER_ATTR
 char * output_groups;
 char * output_groups_sep;
@@ -88,6 +96,18 @@ static int lookup_user_by_certificate(request_rec * r) {
 dbus_error_init(&error);
 DBusMessage * message = NULL;
 DBusMessage * reply = NULL;
+#ifndef NO_CERTIFICATE_MAPPING_SUPPORT
+ const char * username = "";
+ apr_table_t * arg_table = NULL;
+
+ if (cfg->arg_name) {
+ ap_args_to_table(r, &arg_table);
+ username = apr_table_get(arg_table, cfg->arg_name);
+ if (username == NULL) {
+ username = "";
+ }
+ }
+#endif
 DBusConnection * connection = dbus_bus_get(DBUS_BUS_SYSTEM, &error);
 if (! connection) {
@@ -106,6 +126,9 @@ static int lookup_user_by_certificate(request_rec * r) {
 }
 dbus_message_set_auto_start(message, TRUE);
 if (! dbus_message_append_args(message,
+#ifndef NO_CERTIFICATE_MAPPING_SUPPORT
+ DBUS_TYPE_STRING, &username,
+#endif
 DBUS_TYPE_STRING, &(r->user),
 DBUS_TYPE_INVALID)) {
 stage = apr_psprintf(r->pool, "dbus_message_append_args(%s)", r->user);
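Review bot: The query-string value fetched with `apr_table_get(arg_table, cfg->arg_name)` is client-chosen and is handed to SSSD without any validation, so which account a certificate resolves to is decided solely by the D-Bus method's own check that the named user is actually mapped to that certificate, and nothing in the code records that dependency. I would put `/* Untrusted hint from the query string: it only narrows the lookup, SSSD must still verify the name against the certificate. */` directly above the `ap_args_to_table(r, &arg_table);` call. When the parameter is absent an empty name is sent and the outcome then presumably depends on how many users SSSD has for the certificate, so an `ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, ...)` saying whether a hint was found would help an operator explain a refused login. lookup_user_by_certificate starts before this hunk, where cfg is presumably obtained, and continues after it.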
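Review bot: The failure message on the last line, `stage = apr_psprintf(r->pool, "dbus_message_append_args(%s)", r->user);`, names only r->user although the append can now also fail on `username`: as far as I recall libdbus refuses a DBUS_TYPE_STRING argument that is not valid UTF-8, and a percent-decoded query-string value supplied by the client can easily be one. Under the same `#ifndef NO_CERTIFICATE_MAPPING_SUPPORT` I would build the stage string as `apr_psprintf(r->pool, "dbus_message_append_args(%s, %s)", username, r->user)` so the log distinguishes a bad hint from a bad r->user value. The function continues past this hunk.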
@@ -692,6 +715,9 @@ static void * merge_dir_conf(apr_pool_t * pool, void * base_void, void * add_voi
 lookup_identity_config * cfg = (lookup_identity_config *) create_dir_conf(pool, add->context);
 cfg->output = (add->output == LOOKUP_IDENTITY_OUTPUT_DEFAULT) ? base->output : add->output;
 cfg->output_gecos = add->output_gecos ? add->output_gecos : base->output_gecos;
+#ifndef NO_CERTIFICATE_MAPPING_SUPPORT
+ cfg->arg_name = add->arg_name ? add->arg_name : base->arg_name;
+#endif
 #ifndef NO_USER_ATTR
 cfg->output_groups = add->output_groups ? add->output_groups : base->output_groups;
 cfg->output_groups_sep = add->output_groups_sep ? add->output_groups_sep : base->output_groups_sep;
@@ -732,6 +758,9 @@ static void * merge_dir_conf(apr_pool_t * pool, void * base_void, void * add_voi
 static const command_rec directives[] = {
 AP_INIT_TAKE1("LookupOutput", set_output, NULL, RSRC_CONF | ACCESS_CONF, "Specify where the lookup results should be stored (notes, variables, headers)"),
 AP_INIT_TAKE1("LookupUserGECOS", ap_set_string_slot, (void*)APR_OFFSETOF(lookup_identity_config, output_gecos), RSRC_CONF | ACCESS_CONF, "Name of the note/variable for the GECOS information"),
+#ifndef NO_CERTIFICATE_MAPPING_SUPPORT
+ AP_INIT_TAKE1("LookupUserByCertificateParamName", ap_set_string_slot, (void*)APR_OFFSETOF(lookup_identity_config, arg_name), RSRC_CONF | ACCESS_CONF, "Name of the argument/variable in query string used to pass username"),
+#endif
 #ifndef NO_USER_ATTR
 AP_INIT_TAKE12("LookupUserGroups", set_output_groups, NULL, RSRC_CONF | ACCESS_CONF, "Name of the note/variable for the group information"),
 AP_INIT_TAKE1("LookupUserGroupsIter", ap_set_string_slot, (void*)APR_OFFSETOF(lookup_identity_config, output_groups_iter), RSRC_CONF | ACCESS_CONF, "Name of the notes/variables for the group information"),
 |
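Review bot: `cfg->arg_name = add->arg_name ? add->arg_name : base->arg_name;` assumes both per-directory configs have the new field zero-initialised, and lookup_user_by_certificate relies on the same thing when it tests `if (cfg->arg_name)` to decide whether to parse the query string at all; create_dir_conf is outside this diff, so whether it allocates with apr_pcalloc (fine) or apr_palloc (then it needs an explicit `cfg->arg_name = NULL;`) should be confirmed before merging. The existing pointer fields follow the same pattern, so presumably it is apr_pcalloc, but the new field is the one that would otherwise become a garbage-pointer read in the request path. merge_dir_conf begins before this hunk and continues after it.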
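Review bot: The directive registered here is `LookupUserByCertificateParamName`, while the README paragraph added by the same commit says the parameter is configured `with directive LookupCertmapHintParam`, a name that does not appear in this table; httpd parses the table, so the README sentence is the one to correct. The help string `"Name of the argument/variable in query string used to pass username"` should also say that the value is client-supplied, e.g. `"Query-string parameter whose value is sent to SSSD as the user name hint (client-supplied; it only narrows the certificate lookup)"`. The directives[] array continues past this hunk.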