README


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220


Apache module mod_lookup_identity
=================================

Apache module to retrieve additional information about the
authenticated user.

It retrieves the GECOS information using the getpwnam call and stores
it in a note/environment variable (by default REMOTE_USER_GECOS).
It allows to get list of group names the user belongs using sssd dbus
org.freedesktop.sssd.infopipe.GetUserGroups call and any custom
attribute configured in /etc/sssd/sssd.conf using sssd dbus
org.freedesktop.sssd.infopipe.GetUserAttr call.

The sssd-dbus package needs to be installed and the ifp service
enabled in the [sssd] section of /etc/sssd/sssd.conf. Caching of
non-POSIX attributes need to be enabled in the [domain/*] section of
/etc/sssd/sssd.conf, configuration ldap_user_extra_attrs, and they
also need to be enabled in the [ifp] section using the user_attributes
configuration option.

Example of sssd.conf:

    [domain/example.com]
    ...
    ldap_user_extra_attrs = mail, telephoneNumber, givenname, sn

    [sssd]
    services = nss, pam, ssh, ifp

    [ifp]
    allowed_uids = apache, root
    user_attributes = +mail, +telephoneNumber, +givenname, +sn

The module itself needs to be loaded into Apache's configuration file
like /etc/httpd/conf/httpd.conf with directive like

    LoadModule lookup_identity_module modules/mod_lookup_identity.so

The default behaviour can be changed with the following directives:

    LookupOutput where_to_store_results

	Specifies if the lookups will be done at all and where the results
	of the lookup will be stored. Possible values are:

	    None: Disable the lookup altogether
	    Notes: Sets the Apache notes table only
	    Env: Sets environment variables only
	    All: Sets both (the default)

    LookupUserGECOS name

	Name of the note and/or environment variable for the GECOS
	value.

	Example: LookupUserGECOS REMOTE_USER_FULLNAME

	Default is REMOTE_USER_GECOS.

    LookupUserGroups name [separator]

	Name of the note and/or environment variable for the list of groups
	retrieved using the org.freedesktop.sssd.infopipe.GetUserGroups
	call, and optionally separator for multiple groups.

	If the separator is specified, it is used to concatenate
	multiple groups in single string value of the
	note/environment variable. If the separator is not specified,
	only one group is set.

	Example: if user alice is member of groups staff and student,
	option

	    LookupUserGroups REMOTE_USER_GROUPS :

	will set value of REMOTE_USER_GROUPS to staff:student. If the
	option is

	    LookupUserGroups REMOTE_USER_GROUPS

	the value will be either staff or student, depending on the
	order returned by the sssd dbus call (order not to be relied
	on).

	By default, groups are not retrieved.

    LookupUserGroupsIter name

	The number of groups the user is a member of (as returned by
	the org.freedesktop.sssd.infopipe.GetUserGroups call) will be
	stored in note/environment variable <name>_N and individual
	values in <name>_1 .. <name>_<<name>_N>. This allows for
	safe retrieval of groups without the separator clashing with
	the values.

	Example: if user alice is member of groups staff and student,
	option

	    LookupUserGroupsIter REMOTE_USER_GROUPS

	will set

	    REMOTE_USER_GROUPS_N=2
	    REMOTE_USER_GROUPS_1=staff
	    REMOTE_USER_GROUPS_2=student

	(or the values of REMOTE_USER_GROUPS_1 and REMOTE_USER_GROUPS_2
	will be flipped).

	If user is not a member of any group, the <name>_N value will
	be set to 0.

	By default, groups are not retrieved.

    LookupUserAttr the_attribute name [separator]

	Name of the attribute to be retrieved using the
	org.freedesktop.sssd.infopipe.GetUserAttr call and name of
	the note and/or environment variable where the value will
	be stored, and optionally separator for multivalued results.

	If the separator is specified, it is used to concatenate
	multiple values in single string value of the
	note/environment variable. If the separator is not specified,
	only one value is set.

	Example: LookupUserAttr mail REMOTE_USER_MAIL will retrieve
	one value from the mail attribute (from potentially
	multivalued attribute) and store them to note/environment
	variable REMOTE_USER_MAIL.

	LookupUserAttr mail REMOTE_USER_MAIL ", " will retrieve all
	the values and store them as coma-separated string.

	Multiple LookupUserAttr lines can be used to retrieve multiple
	attributes.

	By default, no user attributes are retrieved.

    LookupUserAttrIter the_attribute name

	The number of attribute values for the user (as returned by
	the org.freedesktop.sssd.infopipe.GetUserAttr call) will be
	stored in note/environment variable <name>_N and individual
	values in <name>_1 .. <name>_<<name>_N>. This allows for
	safe retrieval of multivalued attributes without the
	separator clashing with the values.

	Example: if user alice has multivalued custom attribute
	office_no with values M314 and P005,

	    LookupUserAttrIter office_no REMOTE_USER_OFFICE

	will cause the following notes/environment variables to be
	set:

	    REMOTE_USER_OFFICE_N=2
	    REMOTE_USER_OFFICE_1=M314
	    REMOTE_USER_OFFICE_2=P005

	Multiple LookupUserAttr lines can be used to retrieve multiple
	attributes.

	By default, no user attributes are retrieved.

    LookupDbusTimeout miliseconds

	Default: 5000 (== 5 s).

Please note that LookupUserGroups and LookupUserGroupsIter, as well as
LookupUserAttr and LookupUserAttrIter for single attribute can be
configured with the same note/environment variable name. For example,

    LookupUserGroups REMOTE_USER_GROUPS :
    LookupUserGroupsIter REMOTE_USER_GROUPS

can be set at the same time and for user with two groups, all the
following values will be set:

    REMOTE_USER_GROUPS=staff:student
    REMOTE_USER_GROUPS_N=2
    REMOTE_USER_GROUPS_1=staff
    REMOTE_USER_GROUPS_2=student

Building from sources
---------------------

When building from sources, command

    apxs -i -a -c $(pkg-config --cflags dbus-1) \
	mod_lookup_identity.c $(pkg-config --libs dbus-1) -Wall -pedantic

should build and install the module.

If the available version of sssd does not provide or is not configured
to provide the ifp dbus service, compile with

    apxs -DNO_USER_ATTR -i -a -c mod_lookup_identity.c -Wall -pedantic

In that case, the LookupUserAttr functionality will not be compiled
in and will not be available.

License
-------

Copyright 2013--2014 Jan Pazdziora

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.