backport r607766, r607841 from trunk for PR 39095
authorEric Covener <covener@apache.org>
Tue, 1 Jan 2008 22:29:45 +0000 (22:29 +0000)
committerEric Covener <covener@apache.org>
Tue, 1 Jan 2008 22:29:45 +0000 (22:29 +0000)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@607929 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
STATUS
include/util_ldap.h
modules/aaa/mod_authnz_ldap.c
modules/ldap/util_ldap.c

diff --git a/CHANGES b/CHANGES
index b9a54e75fa4e9c673a1a205fa8539bf784716c0a..bb60864dd8edb20f1cd58cb9afe404bbca7d60d2 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,11 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.2.7
 
+  *) mod_ldap: Try to establish a new backend LDAP connection when the
+     Microsoft LDAP client library returns LDAP_UNAVAILABLE, e.g. after the
+     LDAP server has closed the connection due to a timeout.
+     PR 39095 [Eric Covener]
+
   *) SECURITY: CVE-2007-6422 (cve.mitre.org)
      Prevent crash in balancer manager if invalid balancer name is passed
      as parameter. Reported by SecurityReason. [Ruediger Pluem]
diff --git a/STATUS b/STATUS
index 642c007e57b2ab56f398138453a3b004563f6230..836cf86cc9b8e5fb57679e3e228193ba1246a7f4 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -127,17 +127,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   *) mod_ldap: Try to establish a new backend LDAP connection when the
-      Microsoft LDAP client library returns LDAP_UNAVAILABLE, e.g. after the
-      LDAP server has closed the connection due to a timeout. 
-      PR 39095 [Eric Covener]
-        Trunk version of patch:
-          http://svn.apache.org/viewvc?view=rev&revision=607766
-          http://svn.apache.org/viewvc?rev=607841&view=rev
-        2.2.x
-          http://people.apache.org/~covener/2.2.x-ldap-server-down-with607841.diff
-      +1 covener, rpluem, wrowe
-
    * mod_status: Modified default refresh value to 10 secs so that its possible
                  to correct a typo in the URL.
       Trunk version of patch:
index f0dca264ac02d89626c2bbbbb3e3ce5d4e769770..75a9d70a5c07ee7f035d34ab7cb193784d30c3eb 100644 (file)
 #include "apr_time.h"
 #include "apr_ldap.h"
 
+#if APR_HAS_MICROSOFT_LDAPSDK
+#define AP_LDAP_IS_SERVER_DOWN(s)                ((s) == LDAP_SERVER_DOWN \
+                ||(s) == LDAP_UNAVAILABLE)
+#else
+#define AP_LDAP_IS_SERVER_DOWN(s)                ((s) == LDAP_SERVER_DOWN)
+#endif
+
 #if APR_HAS_SHARED_MEMORY
 #include "apr_rmm.h"
 #include "apr_shm.h"
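Review bot: AP_LDAP_IS_SERVER_DOWN is added without a comment, and its Microsoft SDK branch expands `(s)` twice, so an argument with side effects (an LDAP call placed directly inside the macro) would be issued twice. Every call site visible in this commit assigns the result to a variable first, so nothing misbehaves today, but the macro appears to live in a shared header (presumably include/util_ldap.h, going by the file list) where other modules can pick it up. I would add above the `#if`: `/* True when the result means the connection is unusable and must be reopened; the Microsoft SDK reports a server-closed idle connection as LDAP_UNAVAILABLE. Evaluates (s) more than once: pass a variable, not a call. */`.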
index 6f1de7b4b5fa1b3ec825fa8108a56b4c6395ec07..7fbff414feaf5ca559527d40970d8365d0528245 100644 (file)
@@ -401,7 +401,7 @@ start_over:
     util_ldap_connection_close(ldc);
 
     /* sanity check - if server is down, retry it up to 5 times */
-    if (result == LDAP_SERVER_DOWN) {
+    if (AP_LDAP_IS_SERVER_DOWN(result)) {
         if (failures++ <= 5) {
             goto start_over;
         }
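Review bot: The context comment promises a retry "up to 5 times", but `failures++ <= 5` takes the `goto start_over` for failures 0 through 5, which is six retries. The mismatch predates this change, but the change widens what counts as "down" on Microsoft SDK builds, so the real bound is worth stating correctly: either tighten to `if (failures++ < 5) {` or reword the comment to `/* if the server is down or unavailable, retry up to 6 times */`. Each retry is another round trip to the directory on the request path, so this bound is what limits per-request load against an LDAP server that is already struggling. The enclosing function starts and ends outside the hunk.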
index 2cce2348148a7d9c714d2f343cdc71364344fbda..aba9606b3465a9bc12f9a81a3056bd339b156886 100644 (file)
@@ -369,7 +369,7 @@ static int uldap_connection_open(request_rec *r,
         rc = ldap_simple_bind_s(ldc->ldap,
                                 (char *)ldc->binddn,
                                 (char *)ldc->bindpw);
-        if (LDAP_SERVER_DOWN != rc) {
+        if (!AP_LDAP_IS_SERVER_DOWN(rc)) {
             break;
         } else if (failures == 5) {
            /* attempt to init the connection once again */
@@ -671,10 +671,10 @@ start_over:
     }
 
     /* search for reqdn */
-    if ((result = ldap_search_ext_s(ldc->ldap, (char *)reqdn, LDAP_SCOPE_BASE,
-                                    "(objectclass=*)", NULL, 1,
-                                    NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res))
-            == LDAP_SERVER_DOWN)
+    result = ldap_search_ext_s(ldc->ldap, (char *)reqdn, LDAP_SCOPE_BASE,
+                               "(objectclass=*)", NULL, 1,
+                               NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res);
+    if (AP_LDAP_IS_SERVER_DOWN(result))
     {
         ldc->reason = "DN Comparison ldap_search_ext_s() "
                       "failed with server down";
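Review bot: `ldc->reason` still says "failed with server down" although this branch is now also taken for LDAP_UNAVAILABLE on Microsoft SDK builds; the same holds for the reason strings in the hunks at -808, -956, -1014 and -1204. If that string ends up in the error log (its consumer is outside these hunks), an operator triaging authentication failures cannot tell an idle-timeout reconnect from a real directory outage. I would reword the strings to something like `"failed with server down or unavailable"`, or record `ldap_err2string(result)` alongside the reason so the actual result code is preserved. The function bodies continue outside the hunks.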
@@ -808,11 +808,11 @@ start_over:
         return result;
     }
 
-    if ((result = ldap_compare_s(ldc->ldap,
-                                 (char *)dn,
-                                 (char *)attrib,
-                                 (char *)value))
-                                               == LDAP_SERVER_DOWN) {
+    result = ldap_compare_s(ldc->ldap,
+                            (char *)dn,
+                            (char *)attrib,
+                            (char *)value);
+    if (AP_LDAP_IS_SERVER_DOWN(result)) { 
         /* connection failed - try again */
         ldc->reason = "ldap_compare_s() failed with server down";
         uldap_connection_unbind(ldc);
@@ -956,11 +956,11 @@ start_over:
     }
 
     /* try do the search */
-    if ((result = ldap_search_ext_s(ldc->ldap,
-                                    (char *)basedn, scope,
-                                    (char *)filter, attrs, 0,
-                                    NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res))
-            == LDAP_SERVER_DOWN)
+    result = ldap_search_ext_s(ldc->ldap,
+                               (char *)basedn, scope,
+                               (char *)filter, attrs, 0,
+                               NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res);
+    if (AP_LDAP_IS_SERVER_DOWN(result))
     {
         ldc->reason = "ldap_search_ext_s() for user failed with server down";
         uldap_connection_unbind(ldc);
@@ -1014,9 +1014,10 @@ start_over:
      * fails, it means that the password is wrong (the dn obviously
      * exists, since we just retrieved it)
      */
-    if ((result = ldap_simple_bind_s(ldc->ldap,
-                                     (char *)*binddn,
-                                     (char *)bindpw)) == LDAP_SERVER_DOWN) {
+    result = ldap_simple_bind_s(ldc->ldap,
+                                (char *)*binddn,
+                                (char *)bindpw);
+    if (AP_LDAP_IS_SERVER_DOWN(result)) {
         ldc->reason = "ldap_simple_bind_s() to check user credentials "
                       "failed with server down";
         ldap_msgfree(res);
@@ -1204,11 +1205,11 @@ start_over:
     }
 
     /* try do the search */
-    if ((result = ldap_search_ext_s(ldc->ldap,
-                                    (char *)basedn, scope,
-                                    (char *)filter, attrs, 0,
-                                    NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res))
-            == LDAP_SERVER_DOWN)
+    result = ldap_search_ext_s(ldc->ldap,
+                               (char *)basedn, scope,
+                               (char *)filter, attrs, 0,
+                               NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res);
+    if (AP_LDAP_IS_SERVER_DOWN(result))
     {
         ldc->reason = "ldap_search_ext_s() for user failed with server down";
         uldap_connection_unbind(ldc);