*) Add the ldap-search option to mod_authnz_ldap, allowing authorization

     to be based on arbitrary expressions that do not include the username.
     Make sure that when ldap searches are too long, we explicitly log the
     error.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1922957 13f79535-47bb-0310-9956-ffa450edef68

Author: jimjag

STATUS

@@ -157,25 +157,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  *) Add the ldap-search option to mod_authnz_ldap, allowing authorization
-     to be based on arbitrary expressions that do not include the username.
-     Make sure that when ldap searches are too long, we explicitly log the
-     error.
-     Trunk version of patch:
-        https://svn.apache.org/r1589993
-        https://svn.apache.org/r1591012
-        https://svn.apache.org/r1596108
-        https://svn.apache.org/r1745033
-        https://svn.apache.org/r1913958
-        https://svn.apache.org/r1913959
-        https://svn.apache.org/r1914091
-        https://svn.apache.org/r1914281
-     Backport version for 2.4.x of patch:
-        https://svn.apache.org/repos/asf/httpd/httpd/patches/2.4.x/httpd-2.4-httpd-2.4-ldap-search5.patch
-     +1: minfrin, covener, jim
-     rpluem says: https://svn.apache.org/repos/asf/httpd/httpd/patches/2.4.x/httpd-2.4-ldap-search5.patch returns 404
-       covener: fixed slightly diff URL above
-
   *) mod_proxy: Honor parameters of ProxyPassMatch workers with substitution
                 in the host name or port. PR 69233.
      trunk patch: https://svn.apache.org/r1912462

docs/manual/expr.xml

@@ -61,6 +61,7 @@
 <seealso><a href="mod/mod_authnz_ldap.html#reqdn">Require ldap-dn</a></seealso>
 <seealso><a href="mod/mod_authnz_ldap.html#reqattribute">Require ldap-attribute</a></seealso>
 <seealso><a href="mod/mod_authnz_ldap.html#reqfilter">Require ldap-filter</a></seealso>
+<seealso><a href="mod/mod_authnz_ldap.html#reqsearch">Require ldap-search</a></seealso>
 <seealso><a href="mod/mod_authz_dbd.html#reqgroup">Require dbd-group</a></seealso>
 <seealso><a href="mod/mod_authz_dbm.html#reqgroup">Require dbm-group</a></seealso>
 <seealso><a href="mod/mod_authz_groupfile.html#reqgroup">Require group</a></seealso>

docs/manual/mod/mod_authnz_ldap.xml

@@ -89,6 +89,7 @@ for HTTP Basic authentication.</description>
           <li><a href="#reqdn">Require ldap-dn</a></li>
           <li><a href="#reqattribute">Require ldap-attribute</a></li>
           <li><a href="#reqfilter">Require ldap-filter</a></li>
+          <li><a href="#reqsearch">Require ldap-search</a></li>
         </ul>
       </li>
 
@@ -234,6 +235,11 @@ in <module>mod_ldap</module> for details of the cache tunables.
       directive, and the search filter successfully finds a single user
       object that matches the dn of the authenticated user.</li>
 
+      <li>Grant access if there is a <a href="#reqsearch">
+      <code>Require ldap-search</code></a>
+      directive, and the search filter successfully returns a single
+      matching object with any distinguished name.</li>
+
       <li>otherwise, deny or decline access</li>
     </ul>
 
@@ -531,6 +537,28 @@ Require ldap-filter "&amp;(cell=*)(department=marketing)"
 
 </section>
 
+<section id="reqsearch"><title>Require ldap-search</title>
+
+    <p>The <code>Require ldap-search</code> directive allows the
+    administrator to grant access based on a generic LDAP search filter using an
+    <a href="../expr.html">expression</a>. If there is exactly one match to the search filter,
+    regardless of the distinguished name, access is granted.</p>
+
+    <p>The following directive would grant access to URLs that match the given objects in the
+    LDAP server:</p>
+
+<highlight language="config">
+&lt;LocationMatch ^/dav/(?<SITENAME>[^/]+)/&gt;
+Require ldap-search (cn=%{ldap:%{unescape:%{env:MATCH_SITENAME}} Website)
+&lt;/LocationMatch&gt;
+</highlight>
+
+    <p>Note: care must be taken to ensure that any expressions are properly escaped to guard
+    against LDAP injection. The <strong>ldap</strong> function can be used as per the example
+    above.</p>
+
+</section>
+
 </section>
 
 <section id="examples"><title>Examples</title>