1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
|
Apache module mod_lookup_identity
=================================
Apache module to retrieve additional information about the
authenticated user.
It retrieves the GECOS information using the getpwnam call and stores
it in a note/environment variable (by default REMOTE_USER_GECOS).
It allows to get list of group names the user belongs using sssd dbus
org.freedesktop.sssd.infopipe.GetUserGroups call and any custom
attribute configured in /etc/sssd/sssd.conf using sssd dbus
org.freedesktop.sssd.infopipe.GetUserAttr call.
The sssd-dbus package needs to be installed and the ifp service
enabled in the [sssd] section of /etc/sssd/sssd.conf. Caching of
non-POSIX attributes need to be enabled in the [domain/*] section of
/etc/sssd/sssd.conf, configuration ldap_user_extra_attrs, and they
also need to be enabled in the [ifp] section using the user_attributes
configuration option.
Example of sssd.conf:
[domain/example.com]
...
ldap_user_extra_attrs = mail, telephoneNumber, givenname, sn
[sssd]
services = nss, pam, ssh, ifp
[ifp]
allowed_uids = apache, root
user_attributes = +mail, +telephoneNumber, +givenname, +sn
The module itself needs to be loaded into Apache's configuration file
like /etc/httpd/conf/httpd.conf with directive like
LoadModule lookup_identity_module modules/mod_lookup_identity.so
The default behaviour can be changed with the following directives:
LookupOutput where_to_store_results
Specifies if the lookups will be done at all and where the results
of the lookup will be stored. Possible values are:
None: Disable the lookup altogether
Notes: Sets the Apache notes table only
Env: Sets environment variables only
All: Sets both (the default)
LookupUserGECOS name
Name of the note and/or environment variable for the GECOS
value.
Example: LookupUserGECOS REMOTE_USER_FULLNAME
Default is REMOTE_USER_GECOS.
LookupUserGroups name [separator]
Name of the note and/or environment variable for the list of groups
retrieved using the org.freedesktop.sssd.infopipe.GetUserGroups
call, and optionally separator for multiple groups.
If the separator is specified, it is used to concatenate
multiple groups in single string value of the
note/environment variable. If the separator is not specified,
only one group is set.
Example: if user alice is member of groups staff and student,
option
LookupUserGroups REMOTE_USER_GROUPS :
will set value of REMOTE_USER_GROUPS to staff:student. If the
option is
LookupUserGroups REMOTE_USER_GROUPS
the value will be either staff or student, depending on the
order returned by the sssd dbus call (order not to be relied
on).
By default, groups are not retrieved.
LookupUserGroupsIter name
The number of groups the user is a member of (as returned by
the org.freedesktop.sssd.infopipe.GetUserGroups call) will be
stored in note/environment variable <name>_N and individual
values in <name>_1 .. <name>_<<name>_N>. This allows for
safe retrieval of groups without the separator clashing with
the values.
Example: if user alice is member of groups staff and student,
option
LookupUserGroupsIter REMOTE_USER_GROUPS
will set
REMOTE_USER_GROUPS_N=2
REMOTE_USER_GROUPS_1=staff
REMOTE_USER_GROUPS_2=student
(or the values of REMOTE_USER_GROUPS_1 and REMOTE_USER_GROUPS_2
will be flipped).
If user is not a member of any group, the <name>_N value will
be set to 0.
By default, groups are not retrieved.
LookupUserAttr the_attribute name [separator]
Name of the attribute to be retrieved using the
org.freedesktop.sssd.infopipe.GetUserAttr call and name of
the note and/or environment variable where the value will
be stored, and optionally separator for multivalued results.
If the separator is specified, it is used to concatenate
multiple values in single string value of the
note/environment variable. If the separator is not specified,
only one value is set.
Example: LookupUserAttr mail REMOTE_USER_MAIL will retrieve
one value from the mail attribute (from potentially
multivalued attribute) and store them to note/environment
variable REMOTE_USER_MAIL.
LookupUserAttr mail REMOTE_USER_MAIL ", " will retrieve all
the values and store them as coma-separated string.
Multiple LookupUserAttr lines can be used to retrieve multiple
attributes.
By default, no user attributes are retrieved.
LookupUserAttrIter the_attribute name
The number of attribute values for the user (as returned by
the org.freedesktop.sssd.infopipe.GetUserAttr call) will be
stored in note/environment variable <name>_N and individual
values in <name>_1 .. <name>_<<name>_N>. This allows for
safe retrieval of multivalued attributes without the
separator clashing with the values.
Example: if user alice has multivalued custom attribute
office_no with values M314 and P005,
LookupUserAttrIter office_no REMOTE_USER_OFFICE
will cause the following notes/environment variables to be
set:
REMOTE_USER_OFFICE_N=2
REMOTE_USER_OFFICE_1=M314
REMOTE_USER_OFFICE_2=P005
Multiple LookupUserAttr lines can be used to retrieve multiple
attributes.
By default, no user attributes are retrieved.
LookupDbusTimeout miliseconds
Default: 5000 (== 5 s).
Please note that LookupUserGroups and LookupUserGroupsIter, as well as
LookupUserAttr and LookupUserAttrIter for single attribute can be
configured with the same note/environment variable name. For example,
LookupUserGroups REMOTE_USER_GROUPS :
LookupUserGroupsIter REMOTE_USER_GROUPS
can be set at the same time and for user with two groups, all the
following values will be set:
REMOTE_USER_GROUPS=staff:student
REMOTE_USER_GROUPS_N=2
REMOTE_USER_GROUPS_1=staff
REMOTE_USER_GROUPS_2=student
Building from sources
---------------------
When building from sources, command
apxs -i -a -c $(pkg-config --cflags dbus-1) \
mod_lookup_identity.c $(pkg-config --libs dbus-1) -Wall -pedantic
should build and install the module.
If the available version of sssd does not provide or is not configured
to provide the ifp dbus service, compile with
apxs -DNO_USER_ATTR -i -a -c mod_lookup_identity.c -Wall -pedantic
In that case, the LookupUserAttr functionality will not be compiled
in and will not be available.
License
-------
Copyright 2013--2014 Jan Pazdziora
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
|