PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_ldap: Pre-scan the requirements array before doing any LDAP lookups,
- for cases where an LDAP URL is configured but non-LDAP authn/authz is in
- effect. This stops us from trying to resolve file-based userids to a DN
- when the AuthLDAPURL has been defined at a very high level.
- PR 45946
- Trunk patch: n/a due to authz refactoring (no provider called without require-ments)
- 2.2.x version of patch: http://people.apache.org/~covener/httpd-2.2.x-authnz_ldap-skipdnloookup-3.diff
- +1: covener, minfrin, jim
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
return DECLINED;
}
+ /* pre-scan for ldap-* requirements so we can get out of the way early */
+ for(x=0; x < reqs_arr->nelts; x++) {
+ if (! (reqs[x].method_mask & (AP_METHOD_BIT << m))) {
+ continue;
+ }
+
+ t = reqs[x].requirement;
+ w = ap_getword_white(r->pool, &t);
+
+ if (strncmp(w, "ldap-",5) == 0) {
+ required_ldap = 1;
+ break;
+ }
+ }
+
+ if (!required_ldap) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authorise: declining to authorise (no ldap requirements)", getpid());
+ return DECLINED;
+ }
+
+
+
if (sec->host) {
ldc = util_ldap_connection_find(r, sec->host, sec->port,
sec->binddn, sec->bindpw, sec->deref,
#endif
}
- if (!reqs_arr) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "[%" APR_PID_T_FMT "] auth_ldap authorise: no requirements array", getpid());
- return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
- }
-
/*
* If we have been authenticated by some other module than mod_auth_ldap,
* the req structure needed for authorization needs to be created
w = ap_getword_white(r->pool, &t);
if (strcmp(w, "ldap-user") == 0) {
- required_ldap = 1;
if (req->dn == NULL || strlen(req->dn) == 0) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"[%" APR_PID_T_FMT "] auth_ldap authorise: "
}
}
else if (strcmp(w, "ldap-dn") == 0) {
- required_ldap = 1;
if (req->dn == NULL || strlen(req->dn) == 0) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"[%" APR_PID_T_FMT "] auth_ldap authorise: "
else if (strcmp(w, "ldap-group") == 0) {
struct mod_auth_ldap_groupattr_entry_t *ent = (struct mod_auth_ldap_groupattr_entry_t *) sec->groupattr->elts;
int i;
- required_ldap = 1;
if (sec->group_attrib_is_dn) {
if (req->dn == NULL || strlen(req->dn) == 0) {
}
}
else if (strcmp(w, "ldap-attribute") == 0) {
- required_ldap = 1;
if (req->dn == NULL || strlen(req->dn) == 0) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"[%" APR_PID_T_FMT "] auth_ldap authorise: "
}
}
else if (strcmp(w, "ldap-filter") == 0) {
- required_ldap = 1;
if (req->dn == NULL || strlen(req->dn) == 0) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"[%" APR_PID_T_FMT "] auth_ldap authorise: "
return OK;
}
- if (!required_ldap || !sec->auth_authoritative) {
+ if (!sec->auth_authoritative) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "[%" APR_PID_T_FMT "] auth_ldap authorise: declining to authorise", getpid());
+ "[%" APR_PID_T_FMT "] auth_ldap authorise: declining to authorise (not authoritative)", getpid());
return DECLINED;
}
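Review bot: The new pre-scan loop `for(x=0; x < reqs_arr->nelts; x++)` dereferences reqs_arr, but the only NULL guard visible on this page is the `if (!reqs_arr)` block that the later hunk removes, so the check must now live in the code just above the loop (the `return DECLINED; }` at the top of the first hunk is outside what is shown); please confirm that branch tests reqs_arr, otherwise a NULL requirements array is a crash. That removed guard also returned `sec->auth_authoritative ? HTTP_UNAUTHORIZED : DECLINED`, so if the relocated check unconditionally returns DECLINED the authoritative-with-no-requirements case moves from fail-closed to fail-open; if that is intended, say so in the comment at the top of the pre-scan, e.g. `/* pre-scan for ldap-* requirements so we can get out of the way early; with no ldap-* Require we always decline, even when authoritative */`. Minor style: `for (x = 0; x < reqs_arr->nelts; x++) {` matches the spacing used elsewhere in this function. The enclosing authorise function begins and ends outside the visible hunks.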