From: Jim Jagielski
Date: Mon, 29 Aug 2011 15:26:39 +0000 (+0000)
Subject: Merge r1125646 from trunk:
X-Git-Tag: 2.2.20~8
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4870abcb740d31f05d5a5d3e326252378a6d5111;p=thirdparty%2Fapache%2Fhttpd.git

Merge r1125646 from trunk:

Some LDAP servers (wrongly) return LDAP_CONSTRAINT_VIOLATION if a user is locked due to too many password retries. This should not cause an internal server error but be treated as "auth denied".

Submitted by: sf
Reviewed/backported by: jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1162864 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 4027cf983a9..cf22c79862c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.2.20
+ *) mod_authnz_ldap: If the LDAP server returns constraint violation,
+ don't treat this as an error but as "auth denied". [Stefan Fritsch]
+
 *) mod_reqtimeout: Fix a timed out connection going into the keep-alive state after a timeout when discarding a request body. PR 51103. [Stefan Fritsch]
diff --git a/STATUS b/STATUS
index 29a10ebf136..9d635d67e7e 100644
--- a/STATUS
+++ b/STATUS
@@ -92,11 +92,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
 [ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_authnz_ldap: Treat 'constraint violation' as auth denied, not as
- internal server error.
- Trunk patch: http://svn.apache.org/viewvc?rev=1125646&view=rev
- 2.2.x patch: trunk patch works except for CHANGES
- +1: sf, covener, jim
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
 [ New proposals should be added at the end of the list ]
diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index 037bbcffdab..ce1af3db4de 100644
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -464,6 +464,12 @@ start_over:
 #ifdef LDAP_INSUFFICIENT_RIGHTS
 : (LDAP_INSUFFICIENT_RIGHTS == result) ? AUTH_DENIED
 #endif
+#endif
+#ifdef LDAP_CONSTRAINT_VIOLATION
+ /* At least Sun Directory Server sends this if a user is
+ * locked. This is not covered by LDAP_SECURITY_ERROR.
+ */
+ : (LDAP_CONSTRAINT_VIOLATION == result) ? AUTH_DENIED
 #endif
 : AUTH_GENERAL_ERROR;
 }
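Review bot: The new LDAP_CONSTRAINT_VIOLATION arm returns the same AUTH_DENIED that a wrong password yields, so at the HTTP layer a locked account is indistinguishable from a bad password; that is the right answer for the client, but it means whether a lockout remains observable at all depends on what is logged before this return, and that code lies outside the hunk. If the preceding log line does not already carry the LDAP result code (for example `ldap_err2string(result)`), it should, so operators can separate account lockouts from ordinary failed logins when reviewing authentication logs. The added comment explains only the Sun Directory Server case; a sentence stating the intent of the mapping would help the next maintainer, e.g. `/* Deliberately mapped to AUTH_DENIED: the client must not learn that the account is locked rather than the password wrong. */`. Placing the arm after the `#endif` that closes the LDAP_SECURITY_ERROR/#else alternatives makes it apply on both build paths, which is consistent with the comment's claim that LDAP_SECURITY_ERROR does not cover this result. The enclosing function and the conditional-return expression this arm belongs to both begin outside the hunk.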