-*- coding: utf-8 -*-
Changes with Apache 2.5.0
+ *) mod_authnz_ldap: Support primitive LDAP servers do not accept
+ filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special
+ filter "none" to be specified in AuthLDAPURL. [Eric Covener]
+
*) mod_file_cache: mod_file_cache should be able to serve files that
haven't had a Content-Type set via e.g. mod_mime. [Eric Covener]
will search for all objects in the tree. Filters are
limited to approximately 8000 characters (the definition of
<code>MAX_STRING_LEN</code> in the Apache source code). This
- should be more than sufficient for any application.</dd>
+ should be more than sufficient for any application. The word "none"
+ may be used to not use any filter, which may be required by some
+ primitive LDAP servers.</dd>
</dl>
<p>When doing searches, the attribute, filter and username passed
apr_size_t inbytes;
apr_size_t outbytes;
char *outbuf;
+ int nofilter = 0;
if (sent_user != NULL) {
user = apr_pstrdup (r->pool, sent_user);
* Create the first part of the filter, which consists of the
* config-supplied portions.
*/
- apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", filter, sec->attribute);
+
+ if ((nofilter = (filter && !strcasecmp(filter, "none")))) {
+ apr_snprintf(filtbuf, FILTER_LENGTH, "(%s=", sec->attribute);
+ }
+ else {
+ apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", filter, sec->attribute);
+ }
/*
* Now add the client-supplied username to the filter, ensuring that any
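Review bot: In the "none" branch the search filter becomes just `(attribute=username)`, so no config-supplied condition narrows which entries under the base DN can match, and the existing comment ("config-supplied portions") does not mention this. A comment over the new branch would make that visible, e.g. `/* "none": send only (attr=user); no configured filter restricts the entries that may match */`. The assignment inside the condition, `if ((nofilter = (filter && !strcasecmp(filter, "none"))))`, would read more plainly as `nofilter = (filter && !strcasecmp(filter, "none"));` followed by `if (nofilter) {`. The enclosing function starts and ends outside this hunk.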
* Append the closing parens of the filter, unless doing so would
* overrun the buffer.
*/
- if (q + 2 <= filtbuf_end)
- strcat(filtbuf, "))");
+
+ if (nofilter) {
+ if (q + 1 <= filtbuf_end)
+ strcat(filtbuf, ")");
+ }
+ else {
+ if (q + 2 <= filtbuf_end)
+ strcat(filtbuf, "))");
+ }
+
}
static void *create_authnz_ldap_dir_config(apr_pool_t *p, char *d)
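Review bot: The two new branches differ only in how many closing parentheses they append, and both inner `if` statements are unbraced inside braced blocks. One guarded append would cover both cases: `const char *tail = nofilter ? ")" : "))";` then `if (q + strlen(tail) <= filtbuf_end) { strcat(filtbuf, tail); }`. As in the old code, a failed length check silently leaves the filter unbalanced; a comment saying that the truncated filter is expected to be rejected by the server (if that is the intent) would help the next reader. The function body begins outside this hunk, so how `q` and `filtbuf_end` are set is not visible here.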
"user %s authentication failed; URI %s [%s][%s]",
user, r->uri, ldc->reason, ldap_err2string(result));
+ /* talking to a primitive LDAP server (like RACF-over-LDAP) that doesn't return specific errors */
+ if (!strcasecmp(sec->filter, "none") && LDAP_OTHER == result) {
+ return AUTH_USER_NOT_FOUND;
+ }
+
return (LDAP_NO_SUCH_OBJECT == result) ? AUTH_USER_NOT_FOUND
#ifdef LDAP_SECURITY_ERROR
: (LDAP_SECURITY_ERROR(result)) ? AUTH_DENIED
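Review bot: The added check calls `strcasecmp(sec->filter, "none")` with no NULL guard, whereas the filter-building hunk tests `filter && !strcasecmp(filter, "none")`. If `sec->filter` can be unset on this path (not visible here), this dereferences NULL while handling an authentication failure. I would write `if (sec->filter && !strcasecmp(sec->filter, "none") && LDAP_OTHER == result) {`. Separately, LDAP_OTHER is a catch-all result code, so mapping it to AUTH_USER_NOT_FOUND presumably reports backend faults as an unknown user and may let later providers be consulted; the comment should state that this is intended and limited to the "none" mode. The return expression continues past the end of the hunk.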