From: Stefan Fritsch
Date: Sat, 21 May 2011 08:13:59 +0000 (+0000)
Subject: Some LDAP servers (wrongly) return LDAP_CONSTRAINT_VIOLATION if a user is
X-Git-Tag: 2.3.13~117
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5a6911625913a999b3718a1c816bb49e0ccbbdc5;p=thirdparty%2Fapache%2Fhttpd.git
Some LDAP servers (wrongly) return LDAP_CONSTRAINT_VIOLATION if a user is locked due to too many password retries. This should not cause an internal server error but be treated as "auth denied".
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1125646 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 13b38b65fbc..744e92c09d8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@ Changes with Apache 2.3.13
+ *) mod_authnz_ldap: If the LDAP server returns constraint violation,
+ don't treat this as an error but as "auth denied". [Stefan Fritsch]
+
 *) mod_proxy_fcgi|scgi: Add support for "best guess" of PATH_INFO for SCGI/FCGI. PR 50880, 50851. [Mark Montague , Jim Jagielski]
diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index 8c1e6c56967..42501e52453 100644
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -567,6 +567,12 @@ start_over:
 #ifdef LDAP_INSUFFICIENT_RIGHTS
 : (LDAP_INSUFFICIENT_RIGHTS == result) ? AUTH_DENIED
 #endif
+#endif
+#ifdef LDAP_CONSTRAINT_VIOLATION
+ /* At least Sun Directory Server sends this if a user is
+ * locked. This is not covered by LDAP_SECURITY_ERROR.
+ */
+ : (LDAP_CONSTRAINT_VIOLATION == result) ? AUTH_DENIED
 #endif
 : AUTH_GENERAL_ERROR;
 }
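Review bot: The new `LDAP_CONSTRAINT_VIOLATION` branch in mod_authnz_ldap.c makes a locked account return the same `AUTH_DENIED` as a wrong password, and the hunk does not show whether the raw LDAP result is logged before this return. Denying is the fail-closed choice for a result code that is not specific to lockouts, but it is worth confirming that the code and the server's message still reach the error log ahead of the mapping, so that repeated lockouts (a common sign of password guessing) stay visible to operators. The comment could state the intent as well as the vendor quirk, e.g. `/* Generic result code, not lockout-specific; denied on purpose (fail closed). At least Sun Directory Server sends it for locked users. */`. The conditional expression and the `#if` block that the added `#endif` closes both begin outside the hunk, so a trailing comment on that `#endif` naming the macro it closes would also help readers follow the nesting.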