access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
[Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]
+ *) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to
+ try other providers in the case of an LDAP bind failure.
+ PR 46608 [Justin Erenkrantz, Joe Schaefer, Tony Stevenson]
+
*) mod_proxy, mod_proxy_http: Support remote https proxies
by using HTTP CONNECT.
PR 19188. [Philippe Dutrueux <lilas evidian.com>, Rainer Jung]
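Review bot: the CHANGES entry in the two added lines is vaguer than the STATUS description it replaces; "in the case of an LDAP bind failure" does not say that this is the user-specific bind attempted after the user has already been mapped to a DN. Suggest reusing the STATUS wording, e.g. "allow other authentication providers a chance to run when mod_authnz_ldap finds a user but cannot verify their password", and lowercasing "authentication" mid-sentence.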
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow other authentication
- providers a chance to run when mod_authnz_ldap finds a user but can't
- verify their password. PR46608.
- Trunk patch: http://svn.apache.org/viewvc?rev=881808&view=rev
- doc: http://svn.apache.org/viewvc?view=revision&revision=881812
- 2.2.x patch: http://people.apache.org/~covener/patches/2.2.x-ldap_bind_authoritative.diff
- 2.2.x doc : http://people.apache.org/~covener/patches/2.2.x-ldap_bind_authoritative-doc.diff
- (resolves loglevel conflict introduced after the trunk commit)
- +1: covener, pgollucci
- rpluem says: I am +1 once you provide proper documentation for the manual
- covener says: doc revision added above
- minfrin says: The trunk patches no longer apply clean, is it possible to
- create a v2.2. patch?
- covener: resolved conflict
-
* mod_include: Allow fine control over the removal of Last-Modified and ETag headers
within the INCLUDES filter, making it possible to cache responses if
desired. Fix the default value of the SSIAccessEnable directive.
</usage>
</directivesynopsis>
+<directivesynopsis>
+<name>AuthLDAPBindAuthoritative</name>
+<description>Determines if other authentication providers are used when a user can be mapped to a DN but the server cannot successfully bind with the users credentials.</description>
+<syntax>AuthLDAPBindAuthoritative<em>off|on</em></syntax>
+<default>AuthLDAPBindAuhtoritative on</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+<compatibility>Available in versions later than 2.2.14</compatibility>
+
+<usage>
+ <p>By default, subsequent authentication providers are only queried if a
+ user cannot be mapped to a DN, but not if the user can be mapped to a DN and their
+ password cannot be verified with an LDAP bind.
+ If <directive module="mod_authnz_ldap">AuthLDAPBindAuthoritative</directive>
+ is set to <em>off</em>, other configured authentication modules will have
+ a chance to validate the user if the LDAP bind (with the current users credentials)
+ fails for any reason.</p>
+ <p> This allows users present in both LDAP and
+ <directive module="mod_authn_file">AuthUserFile</directive> to authenticate
+ when the LDAP server is available but the users account is locked or password
+ is otherwise unusable.</p>
+</usage>
+<seealso><directive module="mod_authn_file">AuthUserFile</directive></seealso>
+<seealso><directive module="mod_auth_basic">AuthBasicProvider</directive></seealso>
+</directivesynopsis>
+
<directivesynopsis>
<name>AuthLDAPBindDN</name>
<description>Optional DN to use in binding to the LDAP server</description>
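Review bot: the <default> element misspells the directive as "AuthLDAPBindAuhtoritative"; it should read "AuthLDAPBindAuthoritative on" so the generated manual matches the name given in <name> and in the command table. In the same block the <syntax> line is missing the space between the directive and its argument (`AuthLDAPBindAuthoritative <em>on|off</em>`), and the prose has three possessive typos: "the users credentials" (in <description> and in <usage>) and "the users account" should be "the user's ...". Since <usage> already says the fall-through happens when the bind "fails for any reason", consider stating plainly that with `off` a wrong password against LDAP also hands the request to the next provider, so a user's effective credentials become the union of all configured providers; that is the security-relevant consequence an administrator needs before turning it off.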
deref_options deref; /* how to handle alias dereferening */
char *binddn; /* DN to bind to server (can be NULL) */
char *bindpw; /* Password to bind to server (can be NULL) */
+ int bind_authoritative; /* If true, will return errors when bind fails */
int user_is_dn; /* If true, connection->user is DN instead of userid */
char *remote_user_attribute; /* If set, connection->user is this attribute instead of userid */
sec->host = NULL;
sec->binddn = NULL;
sec->bindpw = NULL;
+ sec->bind_authoritative = 1;
sec->deref = always;
sec->group_attrib_is_dn = 1;
sec->auth_authoritative = 1;
/* handle bind failure */
if (result != LDAP_SUCCESS) {
+ if (!sec->bind_authoritative) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authenticate: "
+ "user %s authentication failed; URI %s [%s][%s] (not authoritative)",
+ getpid(), user, r->uri, ldc->reason, ldap_err2string(result));
+ return AUTH_USER_NOT_FOUND;
+ }
+
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
"[%" APR_PID_T_FMT "] auth_ldap authenticate: "
"user %s authentication failed; URI %s [%s][%s]",
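Review bot: the new non-authoritative branch returns AUTH_USER_NOT_FOUND for every `result != LDAP_SUCCESS`, so the hand-off to the next provider is triggered not only by invalid credentials but also by connection and server-side errors; if that is intended it should be spelled out in the documentation, otherwise the check should distinguish the credential-failure result from other errors before returning. Also, this path logs at APLOG_DEBUG while the authoritative failure immediately below logs at APLOG_INFO; a rejected bind that is passed to another provider is still a failed LDAP authentication, and operators will want it visible at the same level.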
(void *)APR_OFFSETOF(authn_ldap_config_t, bindpw), OR_AUTHCFG,
"Password to use to bind to LDAP server. If not provided, will do an anonymous bind."),
+ AP_INIT_FLAG("AuthLDAPBindAuthoritative", ap_set_flag_slot,
+ (void *)APR_OFFSETOF(authn_ldap_config_t, bind_authoritative), OR_AUTHCFG,
+ "Set to 'on' to return failures when user-specific bind fails - defaults to on."),
+
AP_INIT_FLAG("AuthLDAPRemoteUserIsDN", ap_set_flag_slot,
(void *)APR_OFFSETOF(authn_ldap_config_t, user_is_dn), OR_AUTHCFG,
"Set to 'on' to set the REMOTE_USER environment variable to be the full "