From 596035cb85f10450331ded7718b56eccaeaaafc3 Mon Sep 17 00:00:00 2001 From: Eric Covener Date: Fri, 31 Aug 2007 20:51:34 +0000 Subject: [PATCH] Teach LDAP authorization to step out of the way like user/owner/groupfile/dbm do when no relevant authz directives are present PR 43281 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@571576 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 6 ++++++ STATUS | 9 --------- modules/aaa/mod_authnz_ldap.c | 8 +++++++- 3 files changed, 13 insertions(+), 10 deletions(-) diff --git a/CHANGES b/CHANGES index 4410df2eba2..fbccb4ec364 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,12 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.6 + *) mod_authnz_ldap: Don't return HTTP_UNAUTHORIZED during authorization when + LDAP authentication is configured but we haven't seen any + 'Require ldap-*' directives, allowing authorization to be passed to lower + level modules (e.g. Require valid-user) + PR 43281 [Eric Covener] + *) mod_proxy: don't URLencode tilde in path component PR 38448 [Stijn Hoop ] diff --git a/STATUS b/STATUS index 2d0c73ffc6f..20c3c7e6c21 100644 --- a/STATUS +++ b/STATUS @@ -100,15 +100,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: Trunk version of patch works +1: rpluem, jim, niq - * mod_authnz_ldap: When no Require ldap-* are present, return DECLINED in the - auth_checker hook instead of HTTP_UNAUTHORIZED. - This makes authnz_ldap behave in the same fashion as authz_user, authz_dbm, - authz_owner, and authz_groupfile. - Trunk version of patch - This change is not required for trunk because of the authz-provider model - 2.2.x version of patch: - http://people.apache.org/~covener/2.2.x-authnz_ldap-decline.diff - +1: covener, niq, bnicholes PATCHES PROPOSED TO BACKPORT FROM TRUNK: diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c index 4f3d1ca004f..f520b0ae54f 100644 --- a/modules/aaa/mod_authnz_ldap.c +++ b/modules/aaa/mod_authnz_ldap.c 
@@ -512,6 +512,7 @@ static int authz_ldap_check_user_access(request_rec *r)
 const char *t;
 char *w, *value;
 int method_restricted = 0;
+ int required_ldap = 0;
 char filtbuf[FILTER_LENGTH];
 const char *dn = NULL;
@@ -615,6 +616,7 @@ static int authz_ldap_check_user_access(request_rec *r)
 w = ap_getword_white(r->pool, &t);
 if (strcmp(w, "ldap-user") == 0) {
+ required_ldap = 1;
 if (req->dn == NULL || strlen(req->dn) == 0) {
 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
 "[%" APR_PID_T_FMT "] auth_ldap authorise: "
@@ -664,6 +666,7 @@ static int authz_ldap_check_user_access(request_rec *r)
 }
 }
 else if (strcmp(w, "ldap-dn") == 0) {
+ required_ldap = 1;
 if (req->dn == NULL || strlen(req->dn) == 0) {
 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
 "[%" APR_PID_T_FMT "] auth_ldap authorise: "
@@ -691,6 +694,7 @@ static int authz_ldap_check_user_access(request_rec *r)
 else if (strcmp(w, "ldap-group") == 0) {
 struct mod_auth_ldap_groupattr_entry_t *ent = (struct mod_auth_ldap_groupattr_entry_t *) sec->groupattr->elts;
 int i;
+ required_ldap = 1;
 if (sec->group_attrib_is_dn) {
 if (req->dn == NULL || strlen(req->dn) == 0) {
@@ -740,6 +744,7 @@ static int authz_ldap_check_user_access(request_rec *r)
 }
 }
 else if (strcmp(w, "ldap-attribute") == 0) {
+ required_ldap = 1;
 if (req->dn == NULL || strlen(req->dn) == 0) {
 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
 "[%" APR_PID_T_FMT "] auth_ldap authorise: "
@@ -775,6 +780,7 @@ static int authz_ldap_check_user_access(request_rec *r)
 }
 }
 else if (strcmp(w, "ldap-filter") == 0) {
+ required_ldap = 1;
 if (req->dn == NULL || strlen(req->dn) == 0) {
 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
 "[%" APR_PID_T_FMT "] auth_ldap authorise: "
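Review bot: The new `required_ldap` flag in the first hunk is declared without a comment, yet it is the value that later decides whether the module DECLINEs or stays on its authoritative path, so its meaning belongs at the declaration: `int required_ldap = 0; /* set once any Require ldap-* is seen; if none, DECLINE so a lower authz module can act */`. The assignment `required_ldap = 1;` is then repeated verbatim at the top of five branches (ldap-user, ldap-dn, ldap-group, ldap-attribute, ldap-filter), and a future ldap-* branch that forgets it would, on a failed match, fall into the DECLINED path instead of the authoritative one; a one-line reminder at the head of the dispatch chain, `/* every ldap-* branch must set required_ldap */`, guards against that. authz_ldap_check_user_access starts and ends outside these hunks.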
@@ -838,7 +844,7 @@ static int authz_ldap_check_user_access(request_rec *r)
 return OK;
 }
- if (!sec->auth_authoritative) {
+ if (!required_ldap || !sec->auth_authoritative) {
 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
 "[%" APR_PID_T_FMT "] auth_ldap authorise: declining to authorise", getpid());
 return DECLINED;
-- 
2.47.3
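Review bot: The combined condition `if (!required_ldap || !sec->auth_authoritative)` now reaches the same `declining to authorise` debug message for two unrelated reasons — no `Require ldap-*` directive was seen, or AuthzLDAPAuthoritative is off — and an administrator reading the log cannot tell which applied. Carrying the reason in the message, e.g. `"] auth_ldap authorise: declining to authorise (%s)", getpid(), required_ldap ? "not authoritative" : "no ldap-* requirement"`, costs nothing and makes an unexpected DECLINED far easier to diagnose. Security-wise the change only widens the DECLINED outcome on a path that, per the CHANGES entry, previously ended in HTTP_UNAUTHORIZED; that is presumably safe because the 2.2 core treats an auth_checker chain in which no module accepts the Require line as a configuration error rather than an allow, but that is behaviour outside this hunk and worth confirming against the core rather than assuming. The enclosing function continues past the end of the hunk.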