backport r902654 from trunk:
authorStefan Fritsch <sf@apache.org>
Thu, 7 Oct 2010 17:28:46 +0000 (17:28 +0000)
committerStefan Fritsch <sf@apache.org>
Thu, 7 Oct 2010 17:28:46 +0000 (17:28 +0000)
mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the password to
UTF-8.

PR: 45318
Adapted patch from Johannes Mueller

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1005537 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
STATUS
modules/aaa/mod_authnz_ldap.c

diff --git a/CHANGES b/CHANGES
index f98c17a5fc94f4316c82c7e13986d1512136fb2e..e4e8ebcc2a4db96a140cf8ff6180e61656a9fb70 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.17
 
+  *) mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the
+     password to UTF-8. PR 45318.
+     [Johannes Müller <joh_m gmx.de>, Stefan Fritsch]
+
   *) core: check symlink ownership if both FollowSymlinks and
      SymlinksIfOwnerMatch are set [Nick Kew]
 
diff --git a/STATUS b/STATUS
index 826dd609d2f1b1fd405fab1bfbea6a45d01703d2..2c5d3ec26840e3438e760f93cb7fd64180626899 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -102,12 +102,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
      +1: trawick, wrowe
      niq: +1 to the 2.2.x patch, but why r951900 and r987379 in trunk patches?
 
-   * mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the password to
-     UTF-8.
-     Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=902654
-     2.2 patch: trunk patch works
-     +1: sf, rpluem, wrowe
-
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
index bb08d20f406ba4a87e0783b766755bc9ee2db7a5..037bbcffdabe56d9790b6ac01a5546bbaf7ece83 100644 (file)
@@ -154,6 +154,29 @@ static apr_xlate_t* get_conv_set (request_rec *r)
 }
 
 
+static const char* authn_ldap_xlate_password(request_rec *r,
+                                             const char* sent_password)
+{
+    apr_xlate_t *convset = NULL;
+    apr_size_t inbytes;
+    apr_size_t outbytes;
+    char *outbuf;
+
+    if (charset_conversions && (convset = get_conv_set(r)) ) {
+        inbytes = strlen(sent_password);
+        outbytes = (inbytes+1)*3;
+        outbuf = apr_pcalloc(r->pool, outbytes);
+
+        /* Convert the password to UTF-8. */
+        if (apr_xlate_conv_buffer(convset, sent_password, &inbytes, outbuf,
+                                  &outbytes) == APR_SUCCESS)
+            return outbuf;
+    }
+
+    return sent_password;
+}
+
+
 /*
  * Build the search filter, or at least as much of the search filter that
  * will fit in the buffer. We don't worry about the buffer not being able
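Review bot: The success test in `authn_ldap_xlate_password` checks only the return code and never `inbytes`, which apr_xlate_conv_buffer updates to the number of input bytes left unconverted. As far as I recall, APR can still return success when the output space runs out, so a partial conversion would hand a truncated password to the bind. The `(inbytes+1)*3` buffer makes that unlikely, but it is cheap to rule out with `&outbytes) == APR_SUCCESS && inbytes == 0)`. The fallback to the raw `sent_password` on failure is silent, so a debug-level log line there (never containing the password) would help diagnose a wrong AuthLDAPCharsetConfig mapping. `strlen(sent_password)` also relies on the caller having rejected a NULL password, which deserves a one-line comment above the function, e.g. `/* sent_password must be non-NULL; returns it unchanged if no conversion applies or conversion fails */`.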
@@ -344,6 +367,7 @@ static authn_status authn_ldap_check_password(request_rec *r, const char *user,
     int result = 0;
     int remote_user_attribute_set = 0;
     const char *dn = NULL;
+    const char *utfpassword;
 
     authn_ldap_request_t *req =
         (authn_ldap_request_t *)apr_pcalloc(r->pool, sizeof(authn_ldap_request_t));
@@ -397,9 +421,13 @@ start_over:
     /* build the username filter */
     authn_ldap_build_filter(filtbuf, r, user, NULL, sec);
 
+    /* convert password to utf-8 */
+    utfpassword = authn_ldap_xlate_password(r, password);
+
     /* do the user search */
     result = util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope,
-                                         sec->attributes, filtbuf, password, &dn, &vals);
+                                         sec->attributes, filtbuf, utfpassword,
+                                         &dn, &vals);
     util_ldap_connection_close(ldc);
 
     /* sanity check - if server is down, retry it up to 5 times */
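Review bot: The new call to `authn_ldap_xlate_password` appears to sit below the `start_over:` label, so each retry of the search (the comment at the end of the hunk mentions up to 5) repeats the conversion and leaves another cleartext copy of the password in `r->pool`. Moving `utfpassword = authn_ldap_xlate_password(r, password);` above the label would convert once per request. The function body starts and ends outside this hunk, so any other use of `password` further down should be checked for whether it needs the converted value as well.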