From: Graham Leggett
Date: Fri, 19 May 2023 10:29:02 +0000 (+0000)
Subject: mod_authnz_ldap.c: Make sure the authentication variables are set in
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ad0cbd766acc7a31cff9ac75beb2c38a6ab79f84;p=thirdparty%2Fapache%2Fhttpd.git
mod_authnz_ldap.c: Make sure the authentication variables are set in all cases where another module is the source of the authentication, and that authenticated user is looked up in LDAP.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1909928 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index cf802ca0ab1..b96efd7cc7d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
+ *) mod_authnz_ldap.c: Make sure the authentication variables are set in
+ all cases where another module is the source of the authentication,
+ and that authenticated user is looked up in LDAP. [Graham Leggett]
+
 *) mod_autht_jwt: New module to handle RFC 7519 JWT tokens within bearer tokens, both as part of the aaa framework, and as a way to generate tokens and pass them to backend servers and services.
diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index a3353623f98..2de813f69ea 100644
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -688,6 +688,7 @@ static authz_status get_dn_for_nonldap_authn(request_rec *r, util_ldap_connectio
     authn_ldap_config_t *sec = (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
     const char *dn = NULL;
+    int remote_user_attribute_set = 0;
     /* Build the username filter */
     if (APR_SUCCESS != authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec)) {
@@ -710,6 +711,21 @@ static authz_status get_dn_for_nonldap_authn(request_rec *r, util_ldap_connectio
     req->dn = apr_pstrdup(r->pool, dn);
     req->user = r->user;
+
+    /* add environment variables */
+    remote_user_attribute_set = set_request_vars(r, LDAP_AUTHN, req->vals);
+
+    /* sanity check */
+    if (sec->remote_user_attribute && !remote_user_attribute_set) {
+        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(10450)
+                      "auth_ldap non-ldap authenticate: "
+                      "REMOTE_USER was to be set with attribute '%s', "
+                      "but this attribute was not requested for in the "
+                      "LDAP query for the user. REMOTE_USER will fall "
+                      "back to username or DN as appropriate.",
+                      sec->remote_user_attribute);
+    }
+
     return AUTHZ_GRANTED;
 }
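Review bot: The new `set_request_vars(r, LDAP_AUTHN, req->vals)` call is placed after `req->user = r->user;`, and if it rewrites `r->user` from the configured remote_user_attribute — as the warning text and the returned flag suggest — this is the point where the identity another module authenticated is replaced by an LDAP-supplied value while `req->user` keeps the original, and nothing in the hunk says that ordering is deliberate. A comment before the call such as `/* may replace r->user with the remote_user_attribute value; req->user keeps the name the authenticating module supplied */` would make that explicit for anyone auditing REMOTE_USER in access logs or correlating it with the upstream authenticator. The warning's "fall back to username or DN as appropriate" presumes a `user_is_dn` substitution somewhere on this path, which is not visible in the hunk; if this path does not apply it, the message should say "username" only. get_dn_for_nonldap_authn begins before this hunk.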