auth_ldap
Maxim Dounin
mdounin at mdounin.ru
Tue Aug 19 10:55:24 MSD 2008
Hello!
On Tue, Aug 19, 2008 at 12:23:02AM +0200, Markus Teichmann wrote:
> as a new user to this list, I just want to contribute my little auth_ldap
> module. I hope you enjoy it. Here is an example conf file:
>
> http {
>     # LDAP URI
>     auth_ldap_uri "ldap://127.0.0.1";
>
>     server {
>         listen 80;
>         server_name localhost;
>
>         location / {
>             # Realm
>             auth_ldap "LDAP Request";
>             # Search Base
>             auth_ldap_dn "ou=People,dc=chaos,dc=jmt";
>             # The attribute to search for. Normally this is uid or cn
>             auth_ldap_attribute "uid";
>             # Activate the authentication
>             # require off; will disable the module.
>             require ldap-user;
>
>             root html;
>             index index.html index.htm;
>         }
>         ...
>
> Also I have some questions during this coding. First of all is there a
> place for third party modules?
http://wiki.codemongers.com/NginxModules
> And much more important for me: how does the async calling mechanism in
> nginx work? I've played around with NGX_AGAIN, but I didn't get the
> expected result. So all the ldap code is sync now. Would be nice to
> change this.
You should be able to return NGX_AGAIN from your handler and then
post write event on request socket to continue work (or even call
r->write_event_handler(r) or ngx_http_core_run_phases(r) directly,
not sure which method is preferred). See ngx_http_core_module.c
for details of how phases are handled.
Some minor notes about code:
1. You shouldn't use ngx_log_error_core() directly, use ngx_log_error()
instead. With ngx_log_error_core() it's impossible to control log
level from config.
2. This:
    ...
    /* compose filter */
    ngx_memzero(buf, NGX_HTTP_AUTH_BUF_SIZE);
    ngx_snprintf(buf, NGX_HTTP_AUTH_BUF_SIZE, "(%V=%V)",
                 &(conf->attribute), &(r->headers_in.user) );
    ...
is ugly and unsafe since result is used in libldap where null
terminated string expected. The ngx_snprintf does not terminate
strings with '\0' and doesn't preserve last character in buffer
for it. Use something like
    p = ngx_snprintf(buf, NGX_HTTP_AUTH_BUF_SIZE - 1, ...)
    *p = '\0';
instead. It's also a good idea to check somewhere if result
actually fits into buffer - since truncated filter will probably
make ldap unhappy. Alternatively you may consider just allocating
needed space from request pool - nginx pool allocator works really
fast and you don't need to free memory (it's automatically
freed upon request completion).
3. It doesn't compile here under FreeBSD 7.0 (gcc 4.2.1) with
OpenLDAP 2.4.11 (current stable version, just installed).
Warnings are treated as errors under nginx build, and your module
has many. Here is relevant part:
[cut here]
gcc -c -O -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter
-Wno-unused-function -Wunused-variable -Wunused-value -Werror -g
-I src/core -I src/event -I src/event/modules -I src/os/unix
-I /usr/local/include -I objs -I src/http -I src/http/modules
-I src/mail -o
objs/addon/ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.o
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c
cc1: warnings being treated as errors
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c: In
function 'ngx_http_auth_ldap_handler':
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:140:
warning: 'main' is usually a function
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:171:
warning: pointer targets in passing argument 2 of
'ldap_initialize' differ in signedness
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:193:
warning: pointer targets in passing argument 2 of
'ldap_search_ext_s' differ in signedness
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:193:
warning: pointer targets in passing argument 4 of
'ldap_search_ext_s' differ in signedness
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:207:
warning: implicit declaration of function 'ldap_simple_bind_s'
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:222:
warning: implicit declaration of function 'ldap_unbind'
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:142:
warning: unused variable 'p'
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c: In
function 'ngx_http_auth_ldap_merge_loc_conf':
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:281:
warning: unused variable 'result'
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c: In
function 'ngx_http_auth_ldap_uri':
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:344:
warning: pointer targets in passing argument 1 of
'ldap_is_ldap_url' differ in signedness
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c: In
function 'ngx_http_auth_ldap_init_module':
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:355:
warning: 'main' is usually a function
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:361:
warning: pointer targets in passing argument 2 of
'ldap_initialize' differ in signedness
*** Error code 1
[cut here]
Maxim Dounin
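
The termination and truncation points from note 2, as an added example that is not part of the original message or of the module. `str_t` and `fmt_filter` are constructed stand-ins for nginx's counted strings and for the `ngx_snprintf` behaviour described above (no '\0' written, end pointer returned), and `malloc` stands in for the request pool.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an nginx counted string: data is not NUL-terminated. */
typedef struct { size_t len; const char *data; } str_t;

/* Constructed stand-in for ngx_snprintf(buf, max, "(%V=%V)", ...): writes at
 * most max bytes, adds no '\0', returns a pointer past the last byte written. */
static char *fmt_filter(char *buf, size_t max, const str_t *attr, const str_t *user)
{
    const str_t parts[] = { {1, "("}, *attr, {1, "="}, *user, {1, ")"} };
    char *p = buf, *end = buf + max;
    for (size_t i = 0; i < sizeof(parts) / sizeof(parts[0]); i++) {
        size_t n = parts[i].len;
        if (n > (size_t)(end - p)) n = (size_t)(end - p);   /* silent truncation */
        memcpy(p, parts[i].data, n);
        p += n;
    }
    return p;
}

/* Fixed buffer: keep one byte for '\0' and refuse a filter that would not fit. */
int build_filter_fixed(char *buf, size_t size, const str_t *attr, const str_t *user)
{
    size_t need = attr->len + user->len + 3;        /* '(' '=' ')' */
    if (size == 0 || need > size - 1) return -1;    /* fail instead of truncating */
    char *p = fmt_filter(buf, size - 1, attr, user);
    *p = '\0';
    return 0;
}

/* Exact-size allocation; malloc stands in for the nginx request pool. */
char *build_filter_alloc(const str_t *attr, const str_t *user)
{
    size_t need = attr->len + user->len + 3;
    char *buf = malloc(need + 1);
    if (buf == NULL) return NULL;
    *fmt_filter(buf, need, attr, user) = '\0';
    return buf;
}

int main(void)
{
    str_t attr = {3, "uid"}, user = {5, "alice"};   /* constructed sample input */
    char small[8], ok[32];
    printf("small: %d\n", build_filter_fixed(small, sizeof small, &attr, &user));
    if (build_filter_fixed(ok, sizeof ok, &attr, &user) == 0) printf("ok: %s\n", ok);
    return 0;
}
```

A handler using the fixed-buffer variant should treat the -1 return as a request error rather than pass a shortened filter to libldap.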