auth_ldap

Igor Sysoev is at rambler-co.ru
Tue Aug 19 15:43:00 MSD 2008


On Tue, Aug 19, 2008 at 10:55:24AM +0400, Maxim Dounin wrote:

> On Tue, Aug 19, 2008 at 12:23:02AM +0200, Markus Teichmann wrote:
> 
> >as a new user to this list, I just want to contribute my little auth_ldap 
> >module. I hope you enjoy it. Here is an example conf file:
> >
> >http {
> >    # LDAP URI
> >    auth_ldap_uri "ldap://127.0.0.1";
> >
> >    server {
> >        listen       80;
> >        server_name  localhost;
> >
> >        location / {
> >	    # Realm
> >            auth_ldap "LDAP Request";
> >            # Search Base
> >            auth_ldap_dn "ou=People,dc=chaos,dc=jmt";
> >            # The Attribute searching for. Normally this is uid or cn
> >            auth_ldap_attribute "uid";
> >	    # Activate the authentication
> >	    # require off; will disable the module.
> >            require ldap-user;
> >
> >            root   html;
> >            index  index.html index.htm;
> >        }
> >...
> >
> >Also I have some questions during this coding. First of all is there a  
> >place for third party modules?
> 
> http://wiki.codemongers.com/NginxModules
> 
> >And much more important for me: how does the async calling mechanism in  
> >nginx work? I've played around with NGX_AGAIN, but I didn't get the  
> >expected result. So all the ldap code is sync now. Would be nice to  
> >change this.
> 
> You should be able to return NGX_AGAIN from your handler and then 
> post write event on request socket to continue work (or even call 
> r->write_event_handler(r) or ngx_http_core_run_phases(r) directly, 
> not sure which method is preferred).  See ngx_http_core_module.c 
> for details of how phases are handled.

Just a warning: it should work, but I have no module to prove this
functionality.

> Some minor notes about code:
> 
> 1. You shouldn't use ngx_log_error_core() directly, use ngx_log_error() 
> instead.  With ngx_log_error_core() it's impossible to control log 
> level from config.
> 
> 2. This:
> 
> ...
>     /* compose filer */
>     ngx_memzero(buf, NGX_HTTP_AUTH_BUF_SIZE);
>     ngx_snprintf(buf, NGX_HTTP_AUTH_BUF_SIZE, "(%V=%V)", 
> &(conf->attribute), &(r->headers_in.user) );
> ...
> 
> is ugly and unsafe since result is used in libldap where null 
> terminated string expected.  The ngx_snprintf does not terminate 
> strings with '\0' and doesn't preserve last character in buffer 
> for it.  Use something like
> 
>     p = ngx_snprintf(buf, NGX_HTTP_AUTH_BUF_SIZE - 1, ...)
>     *p = '\0';

ngx_snprintf has "%Z" for zero:

  "(%V=%V)%Z"

> instead.  It's also a good idea to check somewhere if result 
> actually fits into buffer - since truncated filter will probably 
> make ldap unhappy.  Alternatively you may consider just allocating 
> needed space from request pool - nginx pool allocator works really 
> fast and you don't need to free memory (it's automatically 
> freed upon request completion).
> 
> 3. It doesn't compile here under FreeBSD 7.0 (gcc 4.2.1) with 
> OpenLDAP 2.4.11 (current stable version, just installed).  
> Warnings are treated as errors under nginx build, and your module 
> has many.  Here is relevant part:
> 
> [cut here]
> 
> gcc -c -O -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter 
> -Wno-unused-function -Wunused-variable -Wunused-value -Werror -g  
> -I src/core  -I src/event  -I src/event/modules  -I src/os/unix  
> -I /usr/local/include  -I objs  -I src/http  -I src/http/modules  
> -I src/mail  -o 
> objs/addon/ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.o  
> ../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c
> cc1: warnings being treated as errors
> ../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c: In 
> function 'ngx_http_auth_ldap_handler':
> ../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:140: 
> warning: 'main' is usually a function
> ../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:171: 
> warning: pointer targets in passing argument 2 of 
> 'ldap_initialize' differ in signedness
> ../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:193: 
> warning: pointer targets in passing argument 2 of 
> 'ldap_search_ext_s' differ in signedness
> ../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:193: 
> warning: pointer targets in passing argument 4 of 
> 'ldap_search_ext_s' differ in signedness
> ../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:207: 
> warning: implicit declaration of function 'ldap_simple_bind_s'
> ../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:222: 
> warning: implicit declaration of function 'ldap_unbind'
> ../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:142: 
> warning: unused variable 'p'
> ../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c: In 
> function 'ngx_http_auth_ldap_merge_loc_conf':
> ../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:281: 
> warning: unused variable 'result'
> ../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c: In 
> function 'ngx_http_auth_ldap_uri':
> ../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:344: 
> warning: pointer targets in passing argument 1 of 
> 'ldap_is_ldap_url' differ in signedness
> ../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c: In 
> function 'ngx_http_auth_ldap_init_module':
> ../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:355: 
> warning: 'main' is usually a function
> ../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:361: 
> warning: pointer targets in passing argument 2 of 
> 'ldap_initialize' differ in signedness
> *** Error code 1
> 
> [cut here]
> 
> Maxim Dounin


-- 
Igor Sysoev
http://sysoev.ru/en/
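
The filter-composition advice in this thread (reserve room for the terminator, check that the result fits, or allocate exactly the needed space) as an added example; it is not part of the original messages or of the module's code. It is plain C: `str_t` stands in for nginx's `ngx_str_t`, `malloc` stands in for a request-pool allocation, and the function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for ngx_str_t: length-counted bytes, NOT NUL-terminated. */
typedef struct { size_t len; const unsigned char *data; } str_t;

/* Bytes needed for "(attr=user)" plus the '\0' that libldap expects. */
static size_t filter_size(const str_t *attr, const str_t *user)
{
    return attr->len + user->len + 4;   /* '(' '=' ')' '\0' */
}

/* Fixed-buffer variant: 0 on success, -1 (never a truncated filter) if it does not fit. */
static int build_filter(char *buf, size_t size, const str_t *attr, const str_t *user)
{
    char *p = buf;

    if (size == 0 || filter_size(attr, user) > size) {
        if (size) buf[0] = '\0';
        return -1;
    }
    *p++ = '(';
    memcpy(p, attr->data, attr->len); p += attr->len;
    *p++ = '=';
    memcpy(p, user->data, user->len); p += user->len;
    *p++ = ')';
    *p = '\0';                          /* explicit terminator */
    return 0;
}

/* Allocation variant: size the buffer from the inputs, so truncation cannot happen. */
static char *alloc_filter(const str_t *attr, const str_t *user)
{
    size_t n = filter_size(attr, user);
    char *buf = malloc(n);              /* assumption: a pool allocation in nginx */

    if (buf != NULL) build_filter(buf, n, attr, user);
    return buf;
}

int main(void)
{
    str_t attr = { 3, (const unsigned char *) "uid" };
    str_t user = { 5, (const unsigned char *) "alice:secret" }; /* constructed; only 5 bytes are the name */
    char small[8];
    char *f = alloc_filter(&attr, &user);
    printf("%d %s\n", build_filter(small, sizeof(small), &attr, &user), f ? f : "(alloc failed)");
    free(f); return 0;
}
```
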




