From: Bradley Nicholes
Date: Mon, 26 Apr 2004 22:04:59 +0000 (+0000)
Subject: Backport the util_ldap patch that updates the bind credentials so that util_ldap...
X-Git-Tag: 2.0.50~151
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bc53e5b0a3154f7b49d9d1ef13810b2ba9c9b335;p=thirdparty%2Fapache%2Fhttpd.git
Backport the util_ldap patch that updates the bind credentials so that util_ldap will properly reuse the cached ldap connections.
Reviewed by: bnicholes, minfrin, trawick
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@103535 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 4a967ea91e1..f5c84d1f468 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,10 @@
 Changes with Apache 2.0.50
+ *) Update the bind credentials for the cached LDAP connection to
+ reflect the last bind. This prevents util_ldap from creating
+ unnecessary connections rather than reusing cached connections.
+ [Brad Nicholes]
+
 *) mod_isapi: GetServerVariable returned improperly terminated header fields given "ALL_HTTP" or "ALL_RAW". PR 20656. [Jesse Pelton ]
diff --git a/STATUS b/STATUS
index bf07cbbad77..19db88275b2 100644
--- a/STATUS
+++ b/STATUS
@@ -1,5 +1,5 @@
 APACHE 2.0 STATUS: -*-text-*-
-Last modified at [$Date: 2004/04/26 19:03:40 $]
+Last modified at [$Date: 2004/04/26 22:04:58 $]
 Release: 
@@ -167,16 +167,6 @@ PATCHES TO BACKPORT FROM 2.1
 modules/mappers/mod_rewrite.c: r1.255
 +1: nd, trawick
- *) Update the ldc->binddn and ldc->bindpw associated with the LDAP
- connection to match the authenticating user DN and password after
- ldap_simple_bind_s() is called to authenticate the user. Otherwise
- the next time that this connection is reused, it will indicate that
- it is bound to the original user DN specified by ldc->binddn when in
- fact it is bound to a completely different user DN who may not have
- sufficient rights to complete the requested search.
- modules/experimental/util_ldap.c: r1.22, r1.24
- +1: bnicholes, minfrin, trawick
-
 *) (re-)add support for RewriteRules in containers. PR 27985
 modules/mappers/mod_rewrite.c: r1.254
 +1: nd, trawick
diff --git a/modules/experimental/util_ldap.c b/modules/experimental/util_ldap.c
index e91b2f08f0d..70dcf06919e 100644
--- a/modules/experimental/util_ldap.c
+++ b/modules/experimental/util_ldap.c
@@ -88,6 +88,20 @@ void *util_ldap_create_config(apr_pool_t *p, server_rec *s);
 "\"http://www.w3.org/TR/REC-html40/frameset.dtd\">\n"
 #endif
+
+static void util_ldap_strdup (char **str, const char *newstr)
+{
+ if (*str) {
+ free(*str);
+ *str = NULL;
+ }
+
+ if (newstr) {
+ *str = calloc(1, strlen(newstr)+1);
+ strcpy (*str, newstr);
+ }
+}
+
 /*
 * Status Handler
 * --------------
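Review bot: `util_ldap_strdup` never checks the `calloc` result, so on allocation failure the `strcpy` on the next line writes through a NULL pointer; guard it with `*str = calloc(1, strlen(newstr)+1); if (*str) { strcpy (*str, newstr); }` (or use `strdup` and let callers test for NULL). The same helper is used for `ldc->bindpw` in the later hunks, so the previous cleartext password is released with a plain `free` and remains readable in freed heap memory; overwriting it before the free, with a call the compiler cannot elide, would shorten that exposure. A short header comment stating that `*str` must be NULL or the value last stored by this helper would make the ownership rule explicit, since the helper unconditionally frees whatever `*str` currently holds.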
@@ -179,25 +193,36 @@ LDAP_DECLARE_NONSTD(apr_status_t) util_ldap_connection_destroy(void *param)
 {
 util_ldap_connection_t *ldc = param;
- /* unbinding from the LDAP server */
- if (ldc->ldap) {
- ldap_unbind_s(ldc->ldap);
- ldc->bound = 0;
- ldc->ldap = NULL;
- }
+ if (ldc) {
+
+ /* unbinding from the LDAP server */
+ if (ldc->ldap) {
+ ldap_unbind_s(ldc->ldap);
+ ldc->bound = 0;
+ ldc->ldap = NULL;
+ }
+
+ if (ldc->bindpw) {
+ free((void*)ldc->bindpw);
+ }
+
+ if (ldc->binddn) {
+ free((void*)ldc->binddn);
+ }
- /* release the lock we were using. The lock should have
- already been released in the close connection call.
- But just in case it wasn't, we first try to get the lock
- before unlocking it to avoid unlocking an unheld lock.
- Unlocking an unheld lock causes problems on NetWare. The
- other option would be to assume that close connection did
- its job. */
+ /* release the lock we were using. The lock should have
+ already been released in the close connection call.
+ But just in case it wasn't, we first try to get the lock
+ before unlocking it to avoid unlocking an unheld lock.
+ Unlocking an unheld lock causes problems on NetWare. The
+ other option would be to assume that close connection did
+ its job. */
 #if APR_HAS_THREADS
- apr_thread_mutex_trylock(ldc->lock);
- apr_thread_mutex_unlock(ldc->lock);
+ apr_thread_mutex_trylock(ldc->lock);
+ apr_thread_mutex_unlock(ldc->lock);
 #endif
+ }
 return APR_SUCCESS;
 }
@@ -290,11 +315,6 @@ LDAP_DECLARE(int) util_ldap_connection_open(request_rec *r,
 /* always default to LDAP V3 */
 ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
-
- /* add the cleanup to the pool */
- apr_pool_cleanup_register(ldc->pool, ldc,
- util_ldap_connection_destroy,
- apr_pool_cleanup_null);
 }
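Review bot: `util_ldap_connection_destroy` frees `ldc->bindpw` and `ldc->binddn` but leaves the pointers set, unlike the `ldc->ldap = NULL` reset a few lines above; because `util_ldap_strdup` frees whatever `*str` already holds, any later credential update on the same struct would turn into a double free. Reset each after the release, `free((void*)ldc->bindpw); ldc->bindpw = NULL;` and likewise for `binddn`. The `if (ldc->bindpw)` and `if (ldc->binddn)` guards are redundant since `free(NULL)` is a no-op, so the two blocks collapse to the free-and-reset pairs.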
@@ -395,8 +415,8 @@ LDAP_DECLARE(util_ldap_connection_t *)util_ldap_connection_find(request_rec *r,
 /* the bind credentials have changed */
 l->bound = 0;
- l->binddn = apr_pstrdup(st->pool, binddn);
- l->bindpw = apr_pstrdup(st->pool, bindpw);
+ util_ldap_strdup((char**)&(l->binddn), binddn);
+ util_ldap_strdup((char**)&(l->bindpw), bindpw);
 break;
 }
 #if APR_HAS_THREADS
@@ -434,10 +454,15 @@ LDAP_DECLARE(util_ldap_connection_t *)util_ldap_connection_find(request_rec *r,
 l->host = apr_pstrdup(st->pool, host);
 l->port = port;
 l->deref = deref;
- l->binddn = apr_pstrdup(st->pool, binddn);
- l->bindpw = apr_pstrdup(st->pool, bindpw);
+ util_ldap_strdup((char**)&(l->binddn), binddn);
+ util_ldap_strdup((char**)&(l->bindpw), bindpw);
 l->secure = secure;
+ /* add the cleanup to the pool */
+ apr_pool_cleanup_register(l->pool, l,
+ util_ldap_connection_destroy,
+ apr_pool_cleanup_null);
+
 if (p) {
 p->next = l;
 }
@@ -817,7 +842,7 @@ start_over:
 /* Grab the dn, copy it into the pool, and free it again */
 dn = ldap_get_dn(ldc->ldap, entry);
- *binddn = apr_pstrdup(st->pool, dn);
+ *binddn = apr_pstrdup(r->pool, dn);
 ldap_memfree(dn);
 /*
@@ -852,6 +877,18 @@ start_over:
 ldap_msgfree(res);
 return result;
 }
+ else {
+ /*
+ * Since we just bound the connection to the authenticating user id, update the
+ * ldc->binddn and ldc->bindpw to reflect the change and also to allow the next
+ * call to util_ldap_connection_open() to handle the connection reuse appropriately.
+ * Otherwise the next time that this connection is reused, it will indicate that
+ * it is bound to the original user id specified ldc->binddn when in fact it is
+ * bound to a completely different user id.
+ */
+ util_ldap_strdup((char**)&(ldc->binddn), *binddn);
+ util_ldap_strdup((char**)&(ldc->bindpw), bindpw);
+ }
 /*
 * Get values for the provided attributes.
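Review bot: The `(char**)&(l->binddn)` and `(char**)&(l->bindpw)` casts in the credentials-changed branch (repeated in the hunks at -434 and -852) suggest the struct fields are declared `const char *`; now that the connection owns heap copies of both strings, declaring the fields `char *` would remove every cast and let the compiler check the pointer-to-pointer argument. If the fields must stay `const` for the public header, a comment at the first call site saying why the cast is needed would help the next reader. The surrounding `for` loop and the function continue outside the hunk.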
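Review bot: In the new-connection branch, `util_ldap_strdup` is applied to `l->binddn` and `l->bindpw` of a struct whose allocation is outside this hunk; since the helper first frees whatever `*str` holds, this is only correct if `l` is zero-filled (e.g. from `apr_pcalloc`) or the two fields are cleared before these calls. That is presumably the case, but it is now a load-bearing assumption, so a comment at the allocation site, `/* l must be zeroed: util_ldap_strdup frees the previous binddn/bindpw */`, would keep it from regressing. The cleanup registration moved here from `util_ldap_connection_open` is now done once per connection, which is what the commit intends.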
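Review bot: `*binddn` is now allocated from `r->pool`, but the hunk at -881 stores that same pointer in `the_search_node.dn` before calling `util_ald_cache_insert`; that is only safe if the insert deep-copies the node's strings into cache-owned memory, because the request pool is destroyed at the end of the request while the search cache outlives it. If the cache copy callback does copy the strings, as I would expect, a comment at the pool change such as `/* r->pool is enough: the search cache copies dn on insert */` would document the lifetime; otherwise the dn must be copied again before insert. The enclosing function continues on both sides of the hunk.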
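Review bot: The new comment in the `else` branch says the credential update lets `util_ldap_connection_open()` handle connection reuse, but the credential comparison this commit changes lives in `util_ldap_connection_find` (the hunks at -395 and -434), so the comment points readers at the wrong function; change the line to `* call to util_ldap_connection_find() to match the cached connection appropriately.`. It would also help to say in the comment that `ldc->binddn` and `ldc->bindpw` are heap copies owned by the connection and released in `util_ldap_connection_destroy`. The `if`/`else` and the function body continue outside the hunk.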
@@ -881,17 +918,17 @@ start_over:
 /*
 * Add the new username to the search cache.
 */
- LDAP_CACHE_WRLOCK();
- the_search_node.username = filter;
- the_search_node.dn = *binddn;
- the_search_node.bindpw = bindpw;
- the_search_node.lastbind = apr_time_now();
- the_search_node.vals = vals;
 if (curl) {
+ LDAP_CACHE_WRLOCK();
+ the_search_node.username = filter;
+ the_search_node.dn = *binddn;
+ the_search_node.bindpw = bindpw;
+ the_search_node.lastbind = apr_time_now();
+ the_search_node.vals = vals;
 util_ald_cache_insert(curl->search_cache, &the_search_node);
+ LDAP_CACHE_UNLOCK();
 }
 ldap_msgfree(res);
- LDAP_CACHE_UNLOCK();
 ldc->reason = "Authentication successful";
 return LDAP_SUCCESS;