From: Graham Leggett
Date: Thu, 23 Nov 2023 10:22:58 +0000 (+0000)
Subject: Optimise handling LDAP authorization where LDAP was not used
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7f7e8e2b93a5cb1f88383873137a9e5ede07e909;p=thirdparty%2Fapache%2Fhttpd.git

Optimise handling LDAP authorization where LDAP was not used
previously for LDAP authentication.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1914067 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/changes-entries/ldap-optimise.txt b/changes-entries/ldap-optimise.txt
new file mode 100644
index 00000000000..ed7e1d58c3a
--- /dev/null
+++ b/changes-entries/ldap-optimise.txt
@@ -0,0 +1,4 @@
+
+  *) Optimise handling LDAP authorization where LDAP was not used
+     previously for LDAP authentication. [Yann Ylavic]
+
diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index 0f84e009df4..1a760d4917f 100644
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -767,32 +767,27 @@ static authz_status ldapuser_check_authorization(request_rec *r, return AUTHZ_DENIED; } - if (!req) { - authz_status rv = AUTHZ_DENIED; - req = build_request_config(r); - ldc = get_connection_for_authz(r, LDAP_COMPARE); - if (AUTHZ_GRANTED != (rv = get_dn_for_nonldap_authn(r, ldc))) { - return rv; - } - } - else { - ldc = get_connection_for_authz(r, LDAP_COMPARE); - } - - /* * If we have been authenticated by some other module than mod_authnz_ldap, * the req structure needed for authorization needs to be created * and populated with the userid and DN of the account in LDAP */ - - - if (!*r->user) { - ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01699) - "ldap authorize: Userid is blank, AuthType=%s", - r->ap_auth_type); + if (!req) { + req = build_request_config(r); + } + ldc = get_connection_for_authz(r, LDAP_COMPARE); + if (!req->dn) { + authz_status rv; + if (!*r->user) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01699) + "ldap authorize: Userid is blank, AuthType=%s", + r->ap_auth_type); + } + rv = get_dn_for_nonldap_authn(r, ldc); + if (rv != AUTHZ_GRANTED) { + return rv; + } } - if (req->dn == NULL || !*req->dn) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01702) "auth_ldap authorize: require user: user's DN has not " 
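Review bot: The new `if (!*r->user)` dereferences `r->user` without a NULL check, while the equivalent block in the ldapsearch hunk guards with `if (!req->dn && r->user)`; if the `return AUTHZ_DENIED;` just above this hunk already rejects a NULL `r->user` the guard is redundant there, otherwise it is missing here and in the ldapgroup, ldapdn, ldapattribute and ldapfilter hunks, which carry the same block. The condition also changed from `if (!req)` to `if (!req->dn)`, so a `req` that already exists (left by LDAP authentication or by an earlier authz provider in the same request) but carries no DN now triggers a fresh `get_dn_for_nonldap_authn()` lookup instead of falling through to the `req->dn == NULL` deny below; a comment such as `/* req may exist without a DN (e.g. created by another provider); resolve it here rather than deny outright */` would record that this is intended. The five copies differ only in the log tag and the connection type, so a small `static` helper returning `authz_status` would keep them from drifting, as the ldapsearch copy already has. ldapuser_check_authorization begins and ends outside this hunk.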
@@ -895,17 +890,27 @@ static authz_status ldapgroup_check_authorization(request_rec *r, return AUTHZ_DENIED; } + /* + * If we have been authenticated by some other module than mod_authnz_ldap, + * the req structure needed for authorization needs to be created + * and populated with the userid and DN of the account in LDAP + */ if (!req) { - authz_status rv = AUTHZ_DENIED; req = build_request_config(r); - ldc = get_connection_for_authz(r, LDAP_COMPARE); - if (AUTHZ_GRANTED != (rv = get_dn_for_nonldap_authn(r, ldc))) { + } + ldc = get_connection_for_authz(r, LDAP_COMPARE); + if (!req->dn) { + authz_status rv; + if (!*r->user) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01699) + "ldap authorize: Userid is blank, AuthType=%s", + r->ap_auth_type); + } + rv = get_dn_for_nonldap_authn(r, ldc); + if (rv != AUTHZ_GRANTED) { return rv; } } - else { - ldc = get_connection_for_authz(r, LDAP_COMPARE); - } /* * If there are no elements in the group attribute array, the default should be 
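Review bot: The added warning in ldapgroup_check_authorization reuses `APLOGNO(01699)`, the tag the same message already carries in ldapuser_check_authorization, whereas the ldapsearch hunk allocates a fresh `APLOGNO(10487)` for its copy. If log tags are meant to be unique per statement, as that new tag suggests, this one needs its own number, `APLOGNO(<next free tag>)`, so that the two warnings can be told apart in the error log. The function continues outside the hunk on both sides.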
@@ -1101,24 +1106,22 @@ static authz_status ldapdn_check_authorization(request_rec *r, * the req structure needed for authorization needs to be created * and populated with the userid and DN of the account in LDAP */ - - if (!*r->user) { - ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01722) - "ldap authorize: Userid is blank, AuthType=%s", - r->ap_auth_type); - } - if (!req) { - authz_status rv = AUTHZ_DENIED; req = build_request_config(r); - ldc = get_connection_for_authz(r, LDAP_SEARCH); /* comparedn is a search */ - if (AUTHZ_GRANTED != (rv = get_dn_for_nonldap_authn(r, ldc))) { + } + ldc = get_connection_for_authz(r, LDAP_SEARCH); /* comparedn is a search */ + if (!req->dn) { + authz_status rv; + if (!*r->user) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01722) + "ldap authorize: Userid is blank, AuthType=%s", + r->ap_auth_type); + } + rv = get_dn_for_nonldap_authn(r, ldc); + if (rv != AUTHZ_GRANTED) { return rv; } } - else { - ldc = get_connection_for_authz(r, LDAP_SEARCH); /* comparedn is a search */ - } require = ap_expr_str_exec(r, expr, &err); if (err) { 
@@ -1201,25 +1204,22 @@ static authz_status ldapattribute_check_authorization(request_rec *r, * the req structure needed for authorization needs to be created * and populated with the userid and DN of the account in LDAP */ - - if (!*r->user) { - ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01730) - "ldap authorize: Userid is blank, AuthType=%s", - r->ap_auth_type); - } - if (!req) { - authz_status rv = AUTHZ_DENIED; req = build_request_config(r); - ldc = get_connection_for_authz(r, LDAP_COMPARE); - if (AUTHZ_GRANTED != (rv = get_dn_for_nonldap_authn(r, ldc))) { + } + ldc = get_connection_for_authz(r, LDAP_COMPARE); + if (!req->dn) { + authz_status rv; + if (!*r->user) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01730) + "ldap authorize: Userid is blank, AuthType=%s", + r->ap_auth_type); + } + rv = get_dn_for_nonldap_authn(r, ldc); + if (rv != AUTHZ_GRANTED) { return rv; } } - else { - ldc = get_connection_for_authz(r, LDAP_COMPARE); - } - if (req->dn == NULL || !*req->dn) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01733) "auth_ldap authorize: require ldap-attribute: user's DN " 
@@ -1310,25 +1310,22 @@ static authz_status ldapfilter_check_authorization(request_rec *r, * the req structure needed for authorization needs to be created * and populated with the userid and DN of the account in LDAP */ - - if (!*r->user) { - ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01739) - "ldap authorize: Userid is blank, AuthType=%s", - r->ap_auth_type); - } - if (!req) { - authz_status rv = AUTHZ_DENIED; req = build_request_config(r); - ldc = get_connection_for_authz(r, LDAP_SEARCH); - if (AUTHZ_GRANTED != (rv = get_dn_for_nonldap_authn(r, ldc))) { + } + ldc = get_connection_for_authz(r, LDAP_SEARCH); + if (!req->dn) { + authz_status rv; + if (!*r->user) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01739) + "ldap authorize: Userid is blank, AuthType=%s", + r->ap_auth_type); + } + rv = get_dn_for_nonldap_authn(r, ldc); + if (rv != AUTHZ_GRANTED) { return rv; } } - else { - ldc = get_connection_for_authz(r, LDAP_SEARCH); - } - if (req->dn == NULL || !*req->dn) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01742) "auth_ldap authorize: require ldap-filter: user's DN " 
@@ -1440,24 +1437,27 @@ static authz_status ldapsearch_check_authorization(request_rec *r, * the req structure needed for authorization needs to be created * and populated with the userid and DN of the account in LDAP */ - if (!req) { - authz_status rv = AUTHZ_DENIED; req = build_request_config(r); - ldc = get_connection_for_authz(r, LDAP_SEARCH); - if (AUTHZ_GRANTED != (rv = get_dn_for_nonldap_authn(r, ldc))) { + } + ldc = get_connection_for_authz(r, LDAP_SEARCH); + if (!req->dn && r->user) { + authz_status rv; + if (!*r->user) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(10487) + "ldap authorize: Userid is blank, AuthType=%s", + r->ap_auth_type); + } + rv = get_dn_for_nonldap_authn(r, ldc); + if (rv != AUTHZ_GRANTED) { return rv; } - } - else { - ldc = get_connection_for_authz(r, LDAP_SEARCH); - } - - if (req->dn == NULL || !*req->dn) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02636) - "auth_ldap authorize: require ldap-filter: user's DN " - "has not been defined; failing authorization"); - return AUTHZ_DENIED; + if (req->dn == NULL || !*req->dn) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02636) + "auth_ldap authorize: require ldap-search: user's DN " + "has not been defined; failing authorization"); + return AUTHZ_DENIED; + } } require = ap_expr_str_exec(r, expr, &err);
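Review bot: The `if (req->dn == NULL || !*req->dn)` deny is now nested inside `if (!req->dn && r->user)`, so it only runs after a fresh `get_dn_for_nonldap_authn()` lookup: a request with `r->user == NULL` proceeds to `ap_expr_str_exec()` with `req->dn` still NULL, and a `req->dn` that arrived from LDAP authentication as an empty string is no longer rejected, both of which the removed function-level check used to deny. If `Require ldap-search` is meant to work without an authenticated user, which the new `&& r->user` guard reads as, a comment above the guard such as `/* ldap-search needs no user DN; only resolve one when a user is present */` should say so, and every later use of `req->dn` in this function must tolerate NULL. If it is not intended, keep the empty-DN check at function level after the block, `if (req->dn == NULL || !*req->dn) { ... return AUTHZ_DENIED; }`. The remainder of ldapsearch_check_authorization lies outside the hunk.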