From: Eric Covener Date: Tue, 1 Jan 2008 22:29:45 +0000 (+0000) Subject: backport r607766, r607841 from trunk for PR 39095 X-Git-Tag: 2.2.7~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=16be70046f300a2b0720659591382d94f6350aa2;p=thirdparty%2Fapache%2Fhttpd.git backport r607766, r607841 from trunk for PR 39095 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@607929 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index b9a54e75fa4..bb60864dd8e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,11 @@  -*- coding: utf-8 -*- Changes with Apache 2.2.7 + *) mod_ldap: Try to establish a new backend LDAP connection when the + Microsoft LDAP client library returns LDAP_UNAVAILABLE, e.g. after the + LDAP server has closed the connection due to a timeout. + PR 39095 [Eric Covener] + *) SECURITY: CVE-2007-6422 (cve.mitre.org) Prevent crash in balancer manager if invalid balancer name is passed as parameter. Reported by SecurityReason. [Ruediger Pluem] diff --git a/STATUS b/STATUS index 642c007e57b..836cf86cc9b 100644 --- a/STATUS +++ b/STATUS @@ -127,17 +127,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) mod_ldap: Try to establish a new backend LDAP connection when the - Microsoft LDAP client library returns LDAP_UNAVAILABLE, e.g. after the - LDAP server has closed the connection due to a timeout. - PR 39095 [Eric Covener] - Trunk version of patch: - http://svn.apache.org/viewvc?view=rev&revision=607766 - http://svn.apache.org/viewvc?rev=607841&view=rev - 2.2.x - http://people.apache.org/~covener/2.2.x-ldap-server-down-with607841.diff - +1 covener, rpluem, wrowe - * mod_status: Modified default refresh value to 10 secs so that its possible to correct a typo in the URL. Trunk version of patch: diff --git a/include/util_ldap.h b/include/util_ldap.h index f0dca264ac0..75a9d70a5c0 100644 --- a/include/util_ldap.h 
+++ b/include/util_ldap.h @@ -30,6 +30,13 @@ #include "apr_time.h" #include "apr_ldap.h" +#if APR_HAS_MICROSOFT_LDAPSDK +#define AP_LDAP_IS_SERVER_DOWN(s) ((s) == LDAP_SERVER_DOWN \ + ||(s) == LDAP_UNAVAILABLE) +#else +#define AP_LDAP_IS_SERVER_DOWN(s) ((s) == LDAP_SERVER_DOWN) +#endif + #if APR_HAS_SHARED_MEMORY #include "apr_rmm.h" #include "apr_shm.h" diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c index 6f1de7b4b5f..7fbff414fea 100644 --- a/modules/aaa/mod_authnz_ldap.c +++ b/modules/aaa/mod_authnz_ldap.c @@ -401,7 +401,7 @@ start_over: util_ldap_connection_close(ldc); /* sanity check - if server is down, retry it up to 5 times */ - if (result == LDAP_SERVER_DOWN) { + if (AP_LDAP_IS_SERVER_DOWN(result)) { if (failures++ <= 5) { goto start_over; } diff --git a/modules/ldap/util_ldap.c b/modules/ldap/util_ldap.c index 2cce2348148..aba9606b346 100644 --- a/modules/ldap/util_ldap.c +++ b/modules/ldap/util_ldap.c @@ -369,7 +369,7 @@ static int uldap_connection_open(request_rec *r, rc = ldap_simple_bind_s(ldc->ldap, (char *)ldc->binddn, (char *)ldc->bindpw); - if (LDAP_SERVER_DOWN != rc) { + if (!AP_LDAP_IS_SERVER_DOWN(rc)) { break; } else if (failures == 5) { /* attempt to init the connection once again */ @@ -671,10 +671,10 @@ start_over: } /* search for reqdn */ - if ((result = ldap_search_ext_s(ldc->ldap, (char *)reqdn, LDAP_SCOPE_BASE, - "(objectclass=*)", NULL, 1, - NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res)) - == LDAP_SERVER_DOWN) + result = ldap_search_ext_s(ldc->ldap, (char *)reqdn, LDAP_SCOPE_BASE, + "(objectclass=*)", NULL, 1, + NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res); + if (AP_LDAP_IS_SERVER_DOWN(result)) { ldc->reason = "DN Comparison ldap_search_ext_s() " "failed with server down"; 
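Review bot: The new AP_LDAP_IS_SERVER_DOWN macro at the top of the include/util_ldap.h hunk carries no comment explaining why LDAP_UNAVAILABLE is folded into "server down" only under APR_HAS_MICROSOFT_LDAPSDK; the rationale lives only in CHANGES, and a later reader may "normalise" the two branches or extend the extra code to other SDKs. I would put it on the #if: `/* The Microsoft LDAP client reports a connection the server has closed (e.g. idle timeout) as LDAP_UNAVAILABLE rather than LDAP_SERVER_DOWN; treat both as a dropped connection to reconnect and retry. */`. The Microsoft branch also evaluates its argument twice; every caller in this commit passes a plain local (`result`, `rc`), so state that constraint in the comment (`evaluates s twice; pass a variable, not a call`) rather than relying on callers to notice. Minor: `||(s)` wants a space after `||` to match the spacing of the rest of the expression.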
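Review bot: The `ldc->reason` text assigned inside the new `if (AP_LDAP_IS_SERVER_DOWN(result))` block of the @@ -671 hunk still reads "failed with server down", but on the Microsoft SDK this branch is now also taken for LDAP_UNAVAILABLE, so the reason that ends up in the error log no longer names the result code actually returned; the same applies to the reason strings in the hunks at @@ -808, @@ -956, @@ -1014 and @@ -1204. Since that distinction is exactly what PR 39095 is about, it is worth keeping visible when diagnosing repeated reconnects: either widen the wording, e.g. `"failed with server down/unavailable"`, or leave the literal alone and have the logging caller print `result` next to `ldc->reason`. The enclosing function, including the unbind-and-retry that follows this block, starts and ends outside the hunk.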
@@ -808,11 +808,11 @@ start_over: return result; } - if ((result = ldap_compare_s(ldc->ldap, - (char *)dn, - (char *)attrib, - (char *)value)) - == LDAP_SERVER_DOWN) { + result = ldap_compare_s(ldc->ldap, + (char *)dn, + (char *)attrib, + (char *)value); + if (AP_LDAP_IS_SERVER_DOWN(result)) { /* connection failed - try again */ ldc->reason = "ldap_compare_s() failed with server down"; uldap_connection_unbind(ldc); @@ -956,11 +956,11 @@ start_over: } /* try do the search */ - if ((result = ldap_search_ext_s(ldc->ldap, - (char *)basedn, scope, - (char *)filter, attrs, 0, - NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res)) - == LDAP_SERVER_DOWN) + result = ldap_search_ext_s(ldc->ldap, + (char *)basedn, scope, + (char *)filter, attrs, 0, + NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res); + if (AP_LDAP_IS_SERVER_DOWN(result)) { ldc->reason = "ldap_search_ext_s() for user failed with server down"; uldap_connection_unbind(ldc); @@ -1014,9 +1014,10 @@ start_over: * fails, it means that the password is wrong (the dn obviously * exists, since we just retrieved it) */ - if ((result = ldap_simple_bind_s(ldc->ldap, - (char *)*binddn, - (char *)bindpw)) == LDAP_SERVER_DOWN) { + result = ldap_simple_bind_s(ldc->ldap, + (char *)*binddn, + (char *)bindpw); + if (AP_LDAP_IS_SERVER_DOWN(result)) { ldc->reason = "ldap_simple_bind_s() to check user credentials " "failed with server down"; ldap_msgfree(res); @@ -1204,11 +1205,11 @@ start_over: } /* try do the search */ - if ((result = ldap_search_ext_s(ldc->ldap, - (char *)basedn, scope, - (char *)filter, attrs, 0, - NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res)) - == LDAP_SERVER_DOWN) + result = ldap_search_ext_s(ldc->ldap, + (char *)basedn, scope, + (char *)filter, attrs, 0, + NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res); + if (AP_LDAP_IS_SERVER_DOWN(result)) { ldc->reason = "ldap_search_ext_s() for user failed with server down"; uldap_connection_unbind(ldc);