Some LDAP servers (wrongly) return LDAP_CONSTRAINT_VIOLATION if a user is
locked due to too many password retries. This should not cause an internal
server error but be treated as "auth denied".
Submitted by: sf
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1162864 13f79535-47bb-0310-9956-ffa450edef68
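As an added example (this is not httpd's own code, and not part of the commit): a stand-alone C model of the bind-result classification the commit message describes, run once as it behaved before the change and once with LDAP_CONSTRAINT_VIOLATION mapped to "auth denied". The result-code values and the LDAP_SECURITY_ERROR range macro are assumed to be those of OpenLDAP's ldap.h (redefined here so the file builds without an LDAP SDK), the authn_status names are modelled on httpd's, and the HTTP status mapping is assumed to follow what mod_auth_basic does with an authn_status.

```c
/* Added example, not code from httpd: a stand-alone model of how
 * mod_authnz_ldap's bind-result chain maps an LDAP result code to an
 * authn_status, before and after LDAP_CONSTRAINT_VIOLATION was added.
 * Assumptions: result-code values and the LDAP_SECURITY_ERROR range are
 * those of OpenLDAP's ldap.h; the HTTP status mapping follows what
 * mod_auth_basic does with an authn_status. No LDAP header is included so
 * the file compiles without an LDAP SDK. */
#include <stdio.h>

#ifndef LDAP_SUCCESS
#define LDAP_SUCCESS              0x00
#define LDAP_CONSTRAINT_VIOLATION 0x13 /* 19: some servers send this on lockout */
#define LDAP_NO_SUCH_OBJECT       0x20 /* 32 */
#define LDAP_INAPPROPRIATE_AUTH   0x30 /* 48 */
#define LDAP_INVALID_CREDENTIALS  0x31 /* 49 */
#define LDAP_INSUFFICIENT_ACCESS  0x32 /* 50 */
#define LDAP_UNAVAILABLE          0x34 /* 52 */
#define LDAP_RANGE(n, x, y)       (((x) <= (n)) && ((n) <= (y)))
#define LDAP_SECURITY_ERROR(n)    LDAP_RANGE((n), 0x2F, 0x32) /* 47-50 */
#endif

/* Modelled on httpd's authn_status values (assumption). */
typedef enum {
    AUTH_DENIED,
    AUTH_GRANTED,
    AUTH_USER_NOT_FOUND,
    AUTH_GENERAL_ERROR
} authn_status;

/* with_fix == 0 reproduces the pre-patch chain, with_fix != 0 the patched one. */
static authn_status classify_bind_result(int result, int with_fix)
{
    if (result == LDAP_SUCCESS)        return AUTH_GRANTED;
    if (result == LDAP_NO_SUCH_OBJECT) return AUTH_USER_NOT_FOUND;
    /* Bad password, wrong auth method, no rights: all 0x2F..0x32, so one
     * range check covers them. 0x13 lies outside that range, which is why
     * the patch needs an explicit arm for it. */
    if (LDAP_SECURITY_ERROR(result))   return AUTH_DENIED;
    if (with_fix && result == LDAP_CONSTRAINT_VIOLATION)
        return AUTH_DENIED;            /* locked account, per the patch */
    return AUTH_GENERAL_ERROR;         /* anything else is a server problem */
}

/* What the client ends up seeing for each authn_status, following the
 * mod_auth_basic mapping assumed in the lead-in. */
static int http_status_for(authn_status s)
{
    switch (s) {
    case AUTH_GRANTED:        return 200;
    case AUTH_DENIED:
    case AUTH_USER_NOT_FOUND: return 401;
    default:                  return 500;
    }
}

int main(void)
{
    /* Constructed sample of bind outcomes, including the lockout code. */
    const int codes[] = { LDAP_SUCCESS, LDAP_INVALID_CREDENTIALS,
                          LDAP_CONSTRAINT_VIOLATION, LDAP_UNAVAILABLE };
    size_t i;

    printf("%-6s %-8s %-8s\n", "code", "before", "after");
    for (i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        printf("0x%02x   %-8d %-8d\n", codes[i],
               http_status_for(classify_bind_result(codes[i], 0)),
               http_status_for(classify_bind_result(codes[i], 1)));
    }
    return 0;
}
```

The table the program prints makes the point of the commit visible: a locked account produced a 500 before the change and produces a 401 after it, while a genuinely unavailable directory still produces a 500 in both cases.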
-*- coding: utf-8 -*-
Changes with Apache 2.2.20
+ *) mod_authnz_ldap: If the LDAP server returns constraint violation,
+ don't treat this as an error but as "auth denied". [Stefan Fritsch]
+
*) mod_reqtimeout: Fix a timed out connection going into the keep-alive
state after a timeout when discarding a request body. PR 51103.
[Stefan Fritsch]
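Review bot: the new CHANGES entry ("If the LDAP server returns constraint violation, don't treat this as an error but as "auth denied"") does not say when a server returns that code, although the commit message does (a user locked after too many password retries), so an administrator reading CHANGES cannot tell that this affects lockout handling. Suggest adding the trigger to the entry, for example "returns constraint violation (as some servers do for a locked account)".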
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_authnz_ldap: Treat 'constraint violation' as auth denied, not as
- internal server error.
- Trunk patch: http://svn.apache.org/viewvc?rev=1125646&view=rev
- 2.2.x patch: trunk patch works except for CHANGES
- +1: sf, covener, jim
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
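Review bot: the STATUS entry being removed is the only place that records the trunk revision (`Trunk patch: http://svn.apache.org/viewvc?rev=1125646&view=rev`) and the note that the trunk CHANGES text had to be adapted for 2.2.x; neither the commit message nor the new CHANGES entry mentions r1125646, so once this entry is gone the 2.2.x history loses its pointer to the original change. Suggest citing the trunk revision in the commit message ("Backport of r1125646").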
#ifdef LDAP_INSUFFICIENT_RIGHTS
: (LDAP_INSUFFICIENT_RIGHTS == result) ? AUTH_DENIED
#endif
+#endif
+#ifdef LDAP_CONSTRAINT_VIOLATION
+ /* At least Sun Directory Server sends this if a user is
+ * locked. This is not covered by LDAP_SECURITY_ERROR.
+ */
+ : (LDAP_CONSTRAINT_VIOLATION == result) ? AUTH_DENIED
#endif
: AUTH_GENERAL_ERROR;
}
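Review bot: the new arm `: (LDAP_CONSTRAINT_VIOLATION == result) ? AUTH_DENIED` maps every constraint violation to AUTH_DENIED, not only the lockout case the comment describes (and the comment only vouches for Sun Directory Server), so a constraint violation raised for some other reason is now reported to the client exactly like a wrong password and no longer reaches the AUTH_GENERAL_ERROR path where it would have surfaced as a server problem. Returning "auth denied" is the right client-facing outcome (it also stops a locked account from being distinguishable from a bad password by an internal server error versus a denial), but suggest logging the raw result code and ldap_err2string() at debug level in this arm, and widening the comment to say that other servers may use this code for conditions other than a lockout, so an operator can tell a locked account from a genuine directory error.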