From: Eric Covener Date: Thu, 27 Jun 2013 14:25:50 +0000 (+0000) Subject: authnzldap: support "none" as a filter to suppress using a search filter, X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2f267e251d679b27d49cd28d073ff458eb3ec445;p=thirdparty%2Fapache%2Fhttpd.git authnzldap: support "none" as a filter to suppress using a search filter, which is required by some mainframe security products serving native registry over LDAP. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1497371 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 38b7c256337..0e17d3ea3f0 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 + *) mod_authnz_ldap: Support primitive LDAP servers do not accept + filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special + filter "none" to be specified in AuthLDAPURL. [Eric Covener] + *) mod_file_cache: mod_file_cache should be able to serve files that haven't had a Content-Type set via e.g. mod_mime. [Eric Covener] diff --git a/docs/manual/mod/mod_authnz_ldap.xml b/docs/manual/mod/mod_authnz_ldap.xml index fdf5ecf85fc..d3ec2c07fb6 100644 --- a/docs/manual/mod/mod_authnz_ldap.xml +++ b/docs/manual/mod/mod_authnz_ldap.xml @@ -1301,7 +1301,9 @@ You can of course use search parameters on each of these.

will search for all objects in the tree. Filters are limited to approximately 8000 characters (the definition of MAX_STRING_LEN in the Apache source code). This - should be more than sufficient for any application. + should be more than sufficient for any application. The word "none" + may be used to not use any filter, which may be required by some + primitive LDAP servers.

When doing searches, the attribute, filter and username passed diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c index d46eeb44ed2..b1c5740c5d2 100644 --- a/modules/aaa/mod_authnz_ldap.c +++ b/modules/aaa/mod_authnz_ldap.c @@ -217,6 +217,7 @@ static void authn_ldap_build_filter(char *filtbuf, apr_size_t inbytes; apr_size_t outbytes; char *outbuf; + int nofilter = 0; if (sent_user != NULL) { user = apr_pstrdup (r->pool, sent_user); @@ -249,7 +250,13 @@ static void authn_ldap_build_filter(char *filtbuf, * Create the first part of the filter, which consists of the * config-supplied portions. */ - apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", filter, sec->attribute); + + if ((nofilter = (filter && !strcasecmp(filter, "none")))) { + apr_snprintf(filtbuf, FILTER_LENGTH, "(%s=", sec->attribute); + } + else { + apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", filter, sec->attribute); + } /* * Now add the client-supplied username to the filter, ensuring that any @@ -303,8 +310,16 @@ static void authn_ldap_build_filter(char *filtbuf, * Append the closing parens of the filter, unless doing so would * overrun the buffer. */ - if (q + 2 <= filtbuf_end) - strcat(filtbuf, "))"); + + if (nofilter) { + if (q + 1 <= filtbuf_end) + strcat(filtbuf, ")"); + } + else { + if (q + 2 <= filtbuf_end) + strcat(filtbuf, "))"); + } + } static void *create_authnz_ldap_dir_config(apr_pool_t *p, char *d) @@ -545,6 +560,11 @@ static authn_status authn_ldap_check_password(request_rec *r, const char *user, "user %s authentication failed; URI %s [%s][%s]", user, r->uri, ldc->reason, ldap_err2string(result)); + /* talking to a primitive LDAP server (like RACF-over-LDAP) that doesn't return specific errors */ + if (!strcasecmp(sec->filter, "none") && LDAP_OTHER == result) { + return AUTH_USER_NOT_FOUND; + } + return (LDAP_NO_SUCH_OBJECT == result) ? AUTH_USER_NOT_FOUND #ifdef LDAP_SECURITY_ERROR : (LDAP_SECURITY_ERROR(result)) ? AUTH_DENIED
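Review bot: The `nofilter` decision is made by an assignment inside the `if` condition, which is why the doubled parentheses are needed; computing it first reads more plainly: `nofilter = (filter != NULL && strcasecmp(filter, "none") == 0);` followed by `if (nofilter) {`. The comment just above the branch, "Create the first part of the filter, which consists of the config-supplied portions", no longer holds on the "none" path, so extend it with something like `/* The special filter "none" omits the config-supplied part; only the attribute match is emitted. */`. Note that this branch guards `filter` against NULL while the matching test in authn_ldap_check_password (hunk at -545) does not. authn_ldap_build_filter starts before this hunk and continues past it.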
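Review bot: The two closing-parenthesis branches repeat the bound check and differ only in the literal, and the inner single-statement `if`s are unbraced; a single guarded append is easier to keep correct: `const char *close = nofilter ? ")" : "))";` then `if (q + strlen(close) <= filtbuf_end) { strcat(filtbuf, close); }`. As in the original `))` path, when the check fails the filter is left without its closing parenthesis and the function returns without signalling that, so a comment stating how the caller is expected to notice the truncation would help readers; I cannot tell from this hunk whether it does. `q` and `filtbuf_end` are set outside the hunk, and the enclosing function begins before it.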
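Review bot: `strcasecmp(sec->filter, "none")` is called without a NULL check, whereas the equivalent test in authn_ldap_build_filter (hunk at -249) guards with `filter &&`; if `sec->filter` can be unset when a bind fails (not visible from this hunk), this dereferences NULL, so `if (sec->filter && !strcasecmp(sec->filter, "none") && LDAP_OTHER == result) {` keeps the two sites consistent. Separately, LDAP_OTHER is the server's generic failure code, and the added comment says these servers do not return specific errors, which suggests a wrong password may also surface as LDAP_OTHER and then be reported as AUTH_USER_NOT_FOUND, letting a later provider in the chain be consulted instead of denying outright. The comment should say explicitly whether LDAP_OTHER is expected for a failed bind as well and why AUTH_USER_NOT_FOUND is preferred over AUTH_DENIED there. authn_ldap_check_password starts before this hunk and its return expression continues past it.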