From: Eric Covener <covener@apache.org>
Date: Tue, 1 Oct 2013 16:41:37 +0000 (+0000)
Subject: Don't use a hardcoded cn=* in case the subgroup has no CN.
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0a6233c621b5202882bb20cb43132cb14e5377c3;p=thirdparty%2Fapache%2Fhttpd.git

Don't use a hardcoded cn=* in case the subgroup has no CN.

Submitted By: David Hawes <dhawes vt.edu>
Committed By: Eric Covener



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1528143 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index 4977bcd0d9d..30ae64b0021 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) mod_ldap: When looking up sub-groups, use an implicit objectClass=*
+     instead of an explicit cn=* filter. [David Hawes <dhawes vt.edu>]
+
   *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
      allowing custom parameters to be configured via SSLCertificateFile,
      and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
diff --git a/modules/ldap/util_ldap.c b/modules/ldap/util_ldap.c
index 0ae19cbdbee..750e6a7259d 100644
--- a/modules/ldap/util_ldap.c
+++ b/modules/ldap/util_ldap.c
@@ -1243,7 +1243,7 @@ start_over:
 
     /* try to do the search */
     result = ldap_search_ext_s(ldc->ldap, (char *)dn, LDAP_SCOPE_BASE,
-                               (char *)"cn=*", subgroupAttrs, 0,
+                               NULL, subgroupAttrs, 0,
                                NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &sga_res);
     if (AP_LDAP_IS_SERVER_DOWN(result)) {
         ldc->reason = "ldap_search_ext_s() for subgroups failed with server"