Teach LDAP authorization to step out of the way like user/owner/groupfile/dbm do
authorEric Covener <covener@apache.org>
Fri, 31 Aug 2007 20:51:34 +0000 (20:51 +0000)
committerEric Covener <covener@apache.org>
Fri, 31 Aug 2007 20:51:34 +0000 (20:51 +0000)
when no relevant authz directives are present
PR 43281

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@571576 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
STATUS
modules/aaa/mod_authnz_ldap.c

diff --git a/CHANGES b/CHANGES
index 4410df2eba2fd522507f57fa8f30e30518937639..fbccb4ec364f60a51e75a31cf2ffdad45d4f0987 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,12 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.2.6
 
+  *) mod_authnz_ldap: Don't return HTTP_UNAUTHORIZED during authorization when
+     LDAP authentication is configured but we haven't seen any 
+     'Require ldap-*' directives, allowing authorization to be passed to lower 
+     level modules (e.g. Require valid-user) 
+     PR 43281 [Eric Covener]
+     
   *) mod_proxy: don't URLencode tilde in path component
      PR 38448 [Stijn Hoop <stijn sandcat.nl>]
 
diff --git a/STATUS b/STATUS
index 2d0c73ffc6f20d729bd90dfb5a4a86146ed1f4a4..20c3c7e6c21a97954e11db03c21eb3ddfe0b7aaf 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -100,15 +100,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
          Trunk version of patch works
       +1: rpluem, jim, niq
 
-   * mod_authnz_ldap: When no Require ldap-* are present, return DECLINED in the
-     auth_checker hook instead of HTTP_UNAUTHORIZED. 
-     This makes authnz_ldap behave in the same fashion as authz_user, authz_dbm, 
-     authz_owner, and authz_groupfile. 
-     Trunk version of patch
-       This change is not required for trunk because of the authz-provider model
-     2.2.x version of patch:
-      http://people.apache.org/~covener/2.2.x-authnz_ldap-decline.diff  
-     +1: covener, niq, bnicholes
 
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
index 4f3d1ca004f80b64132ded9ef62f90d9e1416f10..f520b0ae54f81ced5d58b9ca69cb314a91af5a72 100644 (file)
@@ -512,6 +512,7 @@ static int authz_ldap_check_user_access(request_rec *r)
     const char *t;
     char *w, *value;
     int method_restricted = 0;
+    int required_ldap = 0;
 
     char filtbuf[FILTER_LENGTH];
     const char *dn = NULL;
@@ -615,6 +616,7 @@ static int authz_ldap_check_user_access(request_rec *r)
         w = ap_getword_white(r->pool, &t);
 
         if (strcmp(w, "ldap-user") == 0) {
+            required_ldap = 1;
             if (req->dn == NULL || strlen(req->dn) == 0) {
                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                               "[%" APR_PID_T_FMT "] auth_ldap authorise: "
@@ -664,6 +666,7 @@ static int authz_ldap_check_user_access(request_rec *r)
             }
         }
         else if (strcmp(w, "ldap-dn") == 0) {
+            required_ldap = 1;
             if (req->dn == NULL || strlen(req->dn) == 0) {
                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                               "[%" APR_PID_T_FMT "] auth_ldap authorise: "
@@ -691,6 +694,7 @@ static int authz_ldap_check_user_access(request_rec *r)
         else if (strcmp(w, "ldap-group") == 0) {
             struct mod_auth_ldap_groupattr_entry_t *ent = (struct mod_auth_ldap_groupattr_entry_t *) sec->groupattr->elts;
             int i;
+            required_ldap = 1;
 
             if (sec->group_attrib_is_dn) {
                 if (req->dn == NULL || strlen(req->dn) == 0) {
@@ -740,6 +744,7 @@ static int authz_ldap_check_user_access(request_rec *r)
             }
         }
         else if (strcmp(w, "ldap-attribute") == 0) {
+            required_ldap = 1;
             if (req->dn == NULL || strlen(req->dn) == 0) {
                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                               "[%" APR_PID_T_FMT "] auth_ldap authorise: "
@@ -775,6 +780,7 @@ static int authz_ldap_check_user_access(request_rec *r)
             }
         }
         else if (strcmp(w, "ldap-filter") == 0) {
+            required_ldap = 1;
             if (req->dn == NULL || strlen(req->dn) == 0) {
                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                               "[%" APR_PID_T_FMT "] auth_ldap authorise: "
@@ -838,7 +844,7 @@ static int authz_ldap_check_user_access(request_rec *r)
         return OK;
     }
 
-    if (!sec->auth_authoritative) {
+    if (!required_ldap || !sec->auth_authoritative) {
         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                       "[%" APR_PID_T_FMT "] auth_ldap authorise: declining to authorise", getpid());
         return DECLINED;
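Review bot: The rewritten condition now routes two different situations to the same DECLINED path — no `Require ldap-*` directive was seen, and `AuthzLDAPAuthoritative off` — but the debug message still says only "declining to authorise", so an operator tracing why LDAP authorization was skipped and handed to a later authz module cannot tell which case applied. Log the reason, e.g. `"[%" APR_PID_T_FMT "] auth_ldap authorise: declining to authorise (%s)", getpid(), required_ldap ? "not authoritative" : "no Require ldap-* directives"`. Declining here stays fail-closed only because, as far as I recall of 2.2.x request processing (decl_die in request.c), an auth_checker run in which every module declines is reported as a configuration error rather than treated as a grant; that reliance on core behaviour outside this diff deserves a one-line comment above the check, such as `/* no ldap-* Require seen: let authz_user/dbm/groupfile/owner decide; core fails closed if nobody does */`. The same `required_ldap = 1` marker is added at the head of each ldap-* branch in the five preceding hunks, which is consistent, and the enclosing function continues past the end of this hunk.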