From minf...@apache.org
Subject cvs commit: httpd-2.0/modules/experimental NWGNUauthldap NWGNUutilldap mod_auth_ldap.c util_ldap.c
Date Fri, 21 May 2004 22:42:56 GMT
minfrin     2004/05/21 15:42:56

  Modified:    .        Tag: APACHE_2_0_BRANCH CHANGES STATUS
               include  Tag: APACHE_2_0_BRANCH util_ldap.h
               modules/experimental Tag: APACHE_2_0_BRANCH NWGNUauthldap
                        NWGNUutilldap mod_auth_ldap.c util_ldap.c
  Log:
  Overhaul handling of LDAP error conditions, so that the util_ldap_*
  functions leave the connections in a sane state after errors have
  occurred.
  PR:	27748, 17274, 17599, 18661, 21787, 24595, 24683, 27134, 27271
  Reviewed by:	minfrin, jim, trawick, bnicholes
  
  Revision  Changes    Path
  No                   revision
  No                   revision
  1.988.2.277 +5 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.988.2.276
  retrieving revision 1.988.2.277
  diff -u -r1.988.2.276 -r1.988.2.277
  --- CHANGES	21 May 2004 20:02:13 -0000	1.988.2.276
  +++ CHANGES	21 May 2004 22:42:54 -0000	1.988.2.277
  @@ -1,5 +1,10 @@
   Changes with Apache 2.0.50
   
  +  *) Overhaul handling of LDAP error conditions, so that the util_ldap_*
  +     functions leave the connections in a sane state after errors have
  +     occurred. PR 27748, 17274, 17599, 18661, 21787, 24595, 24683, 27134,
  +     27271 [Graham Leggett]
  +                                                                                
     *) mod_ldap calls ldap_simple_bind_s() to validate the user
        credentials.  If the bind fails, the connection is left
        in an unbound state.  Make sure that the ldap connection
  
  
  
  1.751.2.867 +1 -12     httpd-2.0/STATUS
  
  Index: STATUS
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/STATUS,v
  retrieving revision 1.751.2.866
  retrieving revision 1.751.2.867
  diff -u -r1.751.2.866 -r1.751.2.867
  --- STATUS	21 May 2004 22:22:06 -0000	1.751.2.866
  +++ STATUS	21 May 2004 22:42:55 -0000	1.751.2.867
  @@ -101,17 +101,6 @@
          PR 24437 [Jess Holle <jessh@ptc.com>]
          +1: minfrin, jim, trawick, bnicholes
   
  -    *) Overhaul handling of LDAP error conditions, so that the util_ldap_*
  -       functions leave the connections in a sane state after errors have
  -       occurred.
  -       include/util_ldap.h r1.18
  -       modules/experimental/NWGNUauthldap r1.12
  -       modules/experimental/NWGNUutilldap r1.9
  -       modules/experimental/mod_auth_ldap.c r1.24
  -       modules/experimental/util_ldap.c r1.28
  -       PR 27748, 17274, 17599, 18661, 21787, 24595, 24683, 27134, 27271       
  -       +1: minfrin, jim, trawick, bnicholes
  -
       *) RPM spec file changes: changed default dependancy to link to db4
          instead of db3. Fixed complaints about unpackaged files.
          build/rpm/httpd.spec.in 
  
  
  
  No                   revision
  No                   revision
  1.9.2.7   +14 -3     httpd-2.0/include/util_ldap.h
  
  Index: util_ldap.h
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/include/util_ldap.h,v
  retrieving revision 1.9.2.6
  retrieving revision 1.9.2.7
  diff -u -r1.9.2.6 -r1.9.2.7
  --- util_ldap.h	11 Feb 2004 18:07:46 -0000	1.9.2.6
  +++ util_ldap.h	21 May 2004 22:42:55 -0000	1.9.2.7
  @@ -155,14 +155,25 @@
   LDAP_DECLARE(void) util_ldap_connection_close(util_ldap_connection_t *ldc);
   
   /**
  - * Destroy a connection to an LDAP server
  + * Unbind a connection to an LDAP server
  + * @param ldc A structure containing the expanded details of the server
  + *            that was connected.
  + * @tip This function unbinds the LDAP connection, and disconnects from
  + *      the server. It is used during error conditions, to bring the LDAP
  + *      connection back to a known state.
  + * @deffunc apr_status_t util_ldap_connection_unbind(util_ldap_connection_t *ldc)
  + */
  +LDAP_DECLARE_NONSTD(apr_status_t) util_ldap_connection_unbind(void *param);
  +
  +/**
  + * Cleanup a connection to an LDAP server
    * @param ldc A structure containing the expanded details of the server
    *            that was connected.
    * @tip This function is registered with the pool cleanup to close down the
    *      LDAP connections when the server is finished with them.
  - * @deffunc apr_status_t util_ldap_connection_destroy(util_ldap_connection_t *ldc)
  + * @deffunc apr_status_t util_ldap_connection_cleanup(util_ldap_connection_t *ldc)
    */
  -LDAP_DECLARE_NONSTD(apr_status_t) util_ldap_connection_destroy(void *param);
  +LDAP_DECLARE_NONSTD(apr_status_t) util_ldap_connection_cleanup(void *param);
   
   /**
    * Find a connection in a list of connections
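Review bot: The new doc block for util_ldap_connection_unbind documents `@param ldc` and a `@deffunc` that takes `util_ldap_connection_t *ldc`, but the declaration underneath takes `void *param` (the pool-cleanup signature), so the documented and actual signatures disagree; the renamed util_ldap_connection_cleanup block carries the same mismatch over from the old destroy comment. Because unbind is now also called directly from the util_ldap_cache_* error paths in util_ldap.c, the header should say what it does not do: it only calls ldap_unbind_s() and clears ldc->bound, while releasing the connection lock and freeing binddn/bindpw is left to util_ldap_connection_cleanup. A line such as `@tip Unlike util_ldap_connection_cleanup(), this does not release the connection lock or free the bind credentials.` would make the division of responsibility explicit for callers.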
  
  
  
  No                   revision
  No                   revision
  1.6.2.6   +2 -1      httpd-2.0/modules/experimental/NWGNUauthldap
  
  Index: NWGNUauthldap
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/experimental/NWGNUauthldap,v
  retrieving revision 1.6.2.5
  retrieving revision 1.6.2.6
  diff -u -r1.6.2.5 -r1.6.2.6
  --- NWGNUauthldap	8 Apr 2004 15:38:14 -0000	1.6.2.5
  +++ NWGNUauthldap	21 May 2004 22:42:56 -0000	1.6.2.6
  @@ -209,7 +209,8 @@
   FILES_nlm_Ximports = \
   	util_ldap_connection_find \
   	util_ldap_connection_close \
  -	util_ldap_connection_destroy \
  +	util_ldap_connection_unbind \
  +	util_ldap_connection_cleanup \
   	util_ldap_cache_checkuserid \
   	util_ldap_cache_compare \
   	util_ldap_cache_comparedn \
  
  
  
  1.6.2.3   +2 -1      httpd-2.0/modules/experimental/NWGNUutilldap
  
  Index: NWGNUutilldap
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/experimental/NWGNUutilldap,v
  retrieving revision 1.6.2.2
  retrieving revision 1.6.2.3
  diff -u -r1.6.2.2 -r1.6.2.3
  --- NWGNUutilldap	7 Mar 2003 20:12:29 -0000	1.6.2.2
  +++ NWGNUutilldap	21 May 2004 22:42:56 -0000	1.6.2.3
  @@ -223,7 +223,8 @@
   	ldap_module \
   	util_ldap_connection_find \
   	util_ldap_connection_close \
  -	util_ldap_connection_destroy \
  +	util_ldap_connection_unbind \
  +	util_ldap_connection_cleanup \
   	util_ldap_cache_checkuserid \
   	util_ldap_cache_compare \
   	util_ldap_cache_comparedn \
  
  
  
  1.8.2.13  +0 -1      httpd-2.0/modules/experimental/mod_auth_ldap.c
  
  Index: mod_auth_ldap.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/experimental/mod_auth_ldap.c,v
  retrieving revision 1.8.2.12
  retrieving revision 1.8.2.13
  diff -u -r1.8.2.12 -r1.8.2.13
  --- mod_auth_ldap.c	12 Apr 2004 21:26:26 -0000	1.8.2.12
  +++ mod_auth_ldap.c	21 May 2004 22:42:56 -0000	1.8.2.13
  @@ -330,7 +330,6 @@
   
       /* sanity check - if server is down, retry it up to 5 times */
       if (result == LDAP_SERVER_DOWN) {
  -        util_ldap_connection_destroy(ldc);
           if (failures++ <= 5) {
               goto start_over;
           }
  
  
  
  1.6.2.15  +45 -38    httpd-2.0/modules/experimental/util_ldap.c
  
  Index: util_ldap.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/experimental/util_ldap.c,v
  retrieving revision 1.6.2.14
  retrieving revision 1.6.2.15
  diff -u -r1.6.2.14 -r1.6.2.15
  --- util_ldap.c	21 May 2004 20:02:39 -0000	1.6.2.14
  +++ util_ldap.c	21 May 2004 22:42:56 -0000	1.6.2.15
  @@ -185,44 +185,53 @@
   
   
   /*
  - * Destroys an LDAP connection by unbinding. This function is registered
  - * with the pool cleanup function - causing the LDAP connections to be
  - * shut down cleanly on graceful restart.
  + * Destroys an LDAP connection by unbinding and closing the connection to
  + * the LDAP server. It is used to bring the connection back to a known
  + * state after an error, and during pool cleanup.
    */
  -LDAP_DECLARE_NONSTD(apr_status_t) util_ldap_connection_destroy(void *param)
  +LDAP_DECLARE_NONSTD(apr_status_t) util_ldap_connection_unbind(void *param)
   {
       util_ldap_connection_t *ldc = param;
   
       if (ldc) {
  -
  -        /* unbinding from the LDAP server */
           if (ldc->ldap) {
               ldap_unbind_s(ldc->ldap);
  -            ldc->bound = 0;
               ldc->ldap = NULL;
           }
  +        ldc->bound = 0;
  +    }
  +
  +    return APR_SUCCESS;
  +}
  +
  +
  +/*
  + * Clean up an LDAP connection by unbinding and unlocking the connection.
  + * This function is registered with the pool cleanup function - causing
  + * the LDAP connections to be shut down cleanly on graceful restart.
  + */
  +LDAP_DECLARE_NONSTD(apr_status_t) util_ldap_connection_cleanup(void *param)
  +{
  +    util_ldap_connection_t *ldc = param;
  +
  +    if (ldc) {
  +
  +        /* unbind and disconnect from the LDAP server */
  +        util_ldap_connection_unbind(ldc);
   
  +        /* free the username and password */
           if (ldc->bindpw) {
               free((void*)ldc->bindpw);
           }
  -    
           if (ldc->binddn) {
               free((void*)ldc->binddn);
           }
   
  -        /* release the lock we were using.  The lock should have
  -           already been released in the close connection call.  
  -           But just in case it wasn't, we first try to get the lock
  -           before unlocking it to avoid unlocking an unheld lock. 
  -           Unlocking an unheld lock causes problems on NetWare.  The
  -           other option would be to assume that close connection did
  -           its job. */
  -#if APR_HAS_THREADS
  -        apr_thread_mutex_trylock(ldc->lock);
  -        apr_thread_mutex_unlock(ldc->lock);
  -#endif
  -
  +        /* unlock this entry */
  +        util_ldap_connection_close(ldc);
  +    
       }
  +
       return APR_SUCCESS;
   }
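Review bot: util_ldap_connection_cleanup now delegates the unlock to util_ldap_connection_close(ldc), which drops the trylock-before-unlock guard that the removed comment says existed to avoid unlocking an unheld mutex on NetWare; unless util_ldap_connection_close (outside this hunk) has an equivalent guard, a pool cleanup that runs after the caller has already closed the connection will unlock a lock it does not hold. The free() calls leave ldc->bindpw and ldc->binddn dangling while util_ldap_connection_close(ldc) is then invoked on the same struct, so either null them after freeing (`free((void*)ldc->bindpw); ldc->bindpw = NULL;`) or move the close before the frees. Since bindpw is a credential, an explicit wipe before free would keep it from lingering in released heap memory; that is a hardening choice the commit can note rather than fix.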
   
  @@ -342,10 +351,10 @@
           ldc->bound = 0;
           ldc->reason = "LDAP: ldap_simple_bind_s() failed";
       }
  -	else {
  -		ldc->bound = 1;
  -		ldc->reason = "LDAP: connection open successful";
  -	}
  +    else {
  +        ldc->bound = 1;
  +        ldc->reason = "LDAP: connection open successful";
  +    }
   
       return(result);
   }
  @@ -461,7 +470,7 @@
   
           /* add the cleanup to the pool */
           apr_pool_cleanup_register(l->pool, l,
  -                                  util_ldap_connection_destroy,
  +                                  util_ldap_connection_cleanup,
                                     apr_pool_cleanup_null);
   
           if (p) {
  @@ -565,8 +574,8 @@
       if ((result = ldap_search_ext_s(ldc->ldap, const_cast(reqdn), LDAP_SCOPE_BASE, 
   				    "(objectclass=*)", NULL, 1, 
   				    NULL, NULL, NULL, -1, &res)) == LDAP_SERVER_DOWN) {
  -        util_ldap_connection_close(ldc);
           ldc->reason = "DN Comparison ldap_search_ext_s() failed with server down";
  +        util_ldap_connection_unbind(ldc);
           goto start_over;
       }
       if (result != LDAP_SUCCESS) {
  @@ -694,8 +703,8 @@
       if ((result = ldap_compare_s(ldc->ldap, const_cast(dn), const_cast(attrib), const_cast(value)))
           == LDAP_SERVER_DOWN) { 
           /* connection failed - try again */
  -        util_ldap_connection_close(ldc);
           ldc->reason = "ldap_compare_s() failed with server down";
  +        util_ldap_connection_unbind(ldc);
           goto start_over;
       }
   
  @@ -815,6 +824,7 @@
   				    const_cast(filter), attrs, 0, 
   				    NULL, NULL, NULL, -1, &res)) == LDAP_SERVER_DOWN) {
           ldc->reason = "ldap_search_ext_s() for user failed with server down";
  +        util_ldap_connection_unbind(ldc);
           goto start_over;
       }
   
  @@ -869,6 +879,7 @@
            LDAP_SERVER_DOWN) {
           ldc->reason = "ldap_simple_bind_s() to check user credentials failed with server
down";
           ldap_msgfree(res);
  +        util_ldap_connection_unbind(ldc);
           goto start_over;
       }
   
  @@ -876,22 +887,17 @@
       if (result != LDAP_SUCCESS) {
           ldc->reason = "ldap_simple_bind_s() to check user credentials failed";
           ldap_msgfree(res);
  -        ldap_unbind_s(ldc->ldap);
  -        ldc->ldap = NULL;
  -        ldc->bound = 0;
  +        util_ldap_connection_unbind(ldc);
           return result;
       }
       else {
           /*
  -         * Since we just bound the connection to the authenticating user id, update the
  -         * ldc->binddn and ldc->bindpw to reflect the change and also to allow the
next 
  -         * call to util_ldap_connection_open() to handle the connection reuse appropriately.
  -         * Otherwise the next time that this connection is reused, it will indicate that
  -         * it is bound to the original user id specified ldc->binddn when in fact it
is 
  -         * bound to a completely different user id.
  +         * We have just bound the connection to a different user and password
  +         * combination, which might be reused unintentionally next time this
  +         * connection is used from the connection pool. To ensure no confusion,
  +         * we mark the connection as unbound.
            */
  -        util_ldap_strdup((char**)&(ldc->binddn), *binddn);
  -        util_ldap_strdup((char**)&(ldc->bindpw), bindpw);
  +        ldc->bound = 0;
       }
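Review bot: The new comment in the success branch says the connection is "marked as unbound", but at that point ldc->ldap is still bound as the authenticating user; only the flag changes, and the hunk relies on the next util_ldap_connection_open (outside this hunk) to rebind as the configured binddn because bound is 0. Suggest stating that directly, e.g. `/* ldc->ldap stays bound as the user; bound = 0 forces the next util_ldap_connection_open() to rebind as the configured binddn before reuse */`, so a later reader does not assume the session was torn down here. In the failure branch, every wrong password now drops the whole LDAP session via util_ldap_connection_unbind, so each failed login costs a reconnect and rebind on the next use of this ldc; if that trade-off is intentional it deserves a one-line comment. The enclosing function starts and ends outside the hunk.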
   
       /*
  @@ -937,6 +943,7 @@
       ldc->reason = "Authentication successful";
       return LDAP_SUCCESS;
   }
  +
   
   /*
    * Reports if ssl support is enabled 
  
  
  
