From e76f536790ae2e9fb872f1438601bc502183f531 Mon Sep 17 00:00:00 2001
From: Jim Jagielski
Date: Sun, 20 Sep 2009 17:50:19 +0000
Subject: [PATCH] * mod_ldap: Pre-scan the requirements array before doing any LDAP lookups,

for cases where an LDAP URL is configured but non-LDAP authn/authz is in
effect. This stops us from trying to resolve file-based userids to a DN
when the AuthLDAPURL has been defined at a very high level.
PR 45946
Trunk patch: n/a due to authz refactoring (no provider called without require-ments)
2.2.x version of patch: http://people.apache.org/~covener/httpd-2.2.x-authnz_ldap-skipdnloookup-3.diff
+1: covener, minfrin, jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@817064 13f79535-47bb-0310-9956-ffa450edef68
---
 STATUS | 9 ---------
 modules/aaa/mod_authnz_ldap.c | 38 +++++++++++++++++++++++------------
 2 files changed, 25 insertions(+), 22 deletions(-)

diff --git a/STATUS b/STATUS
index 9384942614c..de48dcbca3c 100644
--- a/STATUS
+++ b/STATUS
@@ -89,15 +89,6 @@ RELEASE SHOWSTOPPERS:
   PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  * mod_ldap: Pre-scan the requirements array before doing any LDAP lookups,
-    for cases where an LDAP URL is configured but non-LDAP authn/authz is in
-    effect. This stops us from trying to resolve file-based userids to a DN
-    when the AuthLDAPURL has been defined at a very high level.
-    PR 45946
-    Trunk patch: n/a due to authz refactoring (no provider called without require-ments)
-    2.2.x version of patch: http://people.apache.org/~covener/httpd-2.2.x-authnz_ldap-skipdnloookup-3.diff
-    +1: covener, minfrin, jim
-
   PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
 
diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index db13f1fd743..9b61022a1d8 100644
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -527,6 +527,29 @@ static int authz_ldap_check_user_access(request_rec *r)
         return DECLINED;
     }
 
+    /* pre-scan for ldap-* requirements so we can get out of the way early */
+    for(x=0; x < reqs_arr->nelts; x++) {
+        if (! (reqs[x].method_mask & (AP_METHOD_BIT << m))) {
+            continue;
+        }
+
+        t = reqs[x].requirement;
+        w = ap_getword_white(r->pool, &t);
+
+        if (strncmp(w, "ldap-",5) == 0) {
+            required_ldap = 1;
+            break;
+        }
+    }
+
+    if (!required_ldap) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                      "[%" APR_PID_T_FMT "] auth_ldap authorise: declining to authorise (no ldap requirements)", getpid());
+        return DECLINED;
+    }
+
+
     if (sec->host) {
         ldc = util_ldap_connection_find(r, sec->host, sec->port,
                                        sec->binddn, sec->bindpw, sec->deref,
@@ -559,12 +582,6 @@ static int authz_ldap_check_user_access(request_rec *r)
 #endif
     }
 
-    if (!reqs_arr) {
-        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                      "[%" APR_PID_T_FMT "] auth_ldap authorise: no requirements array", getpid());
-        return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
-    }
-
     /*
      * If we have been authenticated by some other module than mod_auth_ldap,
      * the req structure needed for authorization needs to be created
@@ -615,7 +632,6 @@ static int authz_ldap_check_user_access(request_rec *r)
         w = ap_getword_white(r->pool, &t);
 
         if (strcmp(w, "ldap-user") == 0) {
-            required_ldap = 1;
             if (req->dn == NULL || strlen(req->dn) == 0) {
                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                               "[%" APR_PID_T_FMT "] auth_ldap authorise: "
@@ -665,7 +681,6 @@ static int authz_ldap_check_user_access(request_rec *r)
             }
         }
         else if (strcmp(w, "ldap-dn") == 0) {
-            required_ldap = 1;
             if (req->dn == NULL || strlen(req->dn) == 0) {
                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                               "[%" APR_PID_T_FMT "] auth_ldap authorise: "
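Review bot: The new pre-scan loop reads `reqs_arr->nelts` with no NULL check, while the second hunk on this line removes the `if (!reqs_arr)` guard that previously returned `sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED` before any requirement was touched; if `ap_requires(r)` ever yields NULL here, the function now dereferences it instead of failing closed. The hook is probably only dispatched when some Require line exists, but the function itself no longer defends against that case, and the declaration of `reqs_arr` is outside the hunk so this is inferred. I would keep the guard and simply hoist it above the loop: `if (!reqs_arr) { return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED; }`. Minor style point: the three blank lines before `if (sec->host)` are more than the surrounding code uses; one is enough. The enclosing function starts and ends outside this hunk.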
@@ -693,7 +708,6 @@ static int authz_ldap_check_user_access(request_rec *r)
         else if (strcmp(w, "ldap-group") == 0) {
             struct mod_auth_ldap_groupattr_entry_t *ent = (struct mod_auth_ldap_groupattr_entry_t *) sec->groupattr->elts;
             int i;
-            required_ldap = 1;
 
             if (sec->group_attrib_is_dn) {
                 if (req->dn == NULL || strlen(req->dn) == 0) {
@@ -743,7 +757,6 @@ static int authz_ldap_check_user_access(request_rec *r)
             }
         }
         else if (strcmp(w, "ldap-attribute") == 0) {
-            required_ldap = 1;
             if (req->dn == NULL || strlen(req->dn) == 0) {
                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                               "[%" APR_PID_T_FMT "] auth_ldap authorise: "
@@ -779,7 +792,6 @@ static int authz_ldap_check_user_access(request_rec *r)
             }
         }
         else if (strcmp(w, "ldap-filter") == 0) {
-            required_ldap = 1;
             if (req->dn == NULL || strlen(req->dn) == 0) {
                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                               "[%" APR_PID_T_FMT "] auth_ldap authorise: "
@@ -843,9 +855,9 @@ static int authz_ldap_check_user_access(request_rec *r)
         return OK;
     }
 
-    if (!required_ldap || !sec->auth_authoritative) {
+    if (!sec->auth_authoritative) {
         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                      "[%" APR_PID_T_FMT "] auth_ldap authorise: declining to authorise", getpid());
+                      "[%" APR_PID_T_FMT "] auth_ldap authorise: declining to authorise (not authoritative)", getpid());
         return DECLINED;
     }
 
-- 
2.47.2