
From cove...@apache.org
Subject svn commit: r571576 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS modules/aaa/mod_authnz_ldap.c
Date Fri, 31 Aug 2007 20:51:34 GMT
Author: covener
Date: Fri Aug 31 13:51:34 2007
New Revision: 571576

URL: http://svn.apache.org/viewvc?rev=571576&view=rev
Log:
Teach LDAP authorization to step out of the way like user/owner/groupfile/dbm do
when no relevant authz directives are present
PR 43281

Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=571576&r1=571575&r2=571576&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Fri Aug 31 13:51:34 2007
@@ -1,6 +1,12 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.2.6
 
+  *) mod_authnz_ldap: Don't return HTTP_UNAUTHORIZED during authorization when
+     LDAP authentication is configured but we haven't seen any 
+     'Require ldap-*' directives, allowing authorization to be passed to lower 
+     level modules (e.g. Require valid-user) 
+     PR 43281 [Eric Covener]
+     
   *) mod_proxy: don't URLencode tilde in path component
      PR 38448 [Stijn Hoop <stijn sandcat.nl>]
 

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=571576&r1=571575&r2=571576&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Fri Aug 31 13:51:34 2007
@@ -100,15 +100,6 @@
          Trunk version of patch works
       +1: rpluem, jim, niq
 
-   * mod_authnz_ldap: When no Require ldap-* are present, return DECLINED in the
-     auth_checker hook instead of HTTP_UNAUTHORIZED. 
-     This makes authnz_ldap behave in the same fashion as authz_user, authz_dbm, 
-     authz_owner, and authz_groupfile. 
-     Trunk version of patch
-       This change is not required for trunk because of the authz-provider model
-     2.2.x version of patch:
-      http://people.apache.org/~covener/2.2.x-authnz_ldap-decline.diff  
-     +1: covener, niq, bnicholes
 
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:

Modified: httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c?rev=571576&r1=571575&r2=571576&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c (original)
+++ httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c Fri Aug 31 13:51:34 2007
@@ -512,6 +512,7 @@
     const char *t;
     char *w, *value;
     int method_restricted = 0;
+    int required_ldap = 0;
 
     char filtbuf[FILTER_LENGTH];
     const char *dn = NULL;
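Review bot: The new `required_ldap` flag is declared without a comment, and its role (set by each ldap-* branch of the Require loop, consumed only by the final declining check) is not visible from the declaration. Suggest `int required_ldap = 0;   /* nonzero once any Require ldap-* directive has been seen for this request */`. The enclosing function starts before this hunk and continues past it.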
@@ -615,6 +616,7 @@
         w = ap_getword_white(r->pool, &t);
 
         if (strcmp(w, "ldap-user") == 0) {
+            required_ldap = 1;
             if (req->dn == NULL || strlen(req->dn) == 0) {
                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                               "[%" APR_PID_T_FMT "] auth_ldap authorise: "
@@ -664,6 +666,7 @@
             }
         }
         else if (strcmp(w, "ldap-dn") == 0) {
+            required_ldap = 1;
             if (req->dn == NULL || strlen(req->dn) == 0) {
                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                               "[%" APR_PID_T_FMT "] auth_ldap authorise: "
@@ -691,6 +694,7 @@
         else if (strcmp(w, "ldap-group") == 0) {
             struct mod_auth_ldap_groupattr_entry_t *ent = (struct mod_auth_ldap_groupattr_entry_t
*) sec->groupattr->elts;
             int i;
+            required_ldap = 1;
 
             if (sec->group_attrib_is_dn) {
                 if (req->dn == NULL || strlen(req->dn) == 0) {
@@ -740,6 +744,7 @@
             }
         }
         else if (strcmp(w, "ldap-attribute") == 0) {
+            required_ldap = 1;
             if (req->dn == NULL || strlen(req->dn) == 0) {
                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                               "[%" APR_PID_T_FMT "] auth_ldap authorise: "
@@ -775,6 +780,7 @@
             }
         }
         else if (strcmp(w, "ldap-filter") == 0) {
+            required_ldap = 1;
             if (req->dn == NULL || strlen(req->dn) == 0) {
                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                               "[%" APR_PID_T_FMT "] auth_ldap authorise: "
@@ -838,7 +844,7 @@
         return OK;
     }
 
-    if (!sec->auth_authoritative) {
+    if (!required_ldap || !sec->auth_authoritative) {
         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                       "[%" APR_PID_T_FMT "] auth_ldap authorise: declining to authorise",
getpid());
         return DECLINED;
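Review bot: The widened condition `if (!required_ldap || !sec->auth_authoritative)` now emits the same "declining to authorise" debug message for two different situations, so an administrator reading the log cannot tell whether LDAP stepped aside because no `Require ldap-*` line applied or because AuthzLDAPAuthoritative is off. A distinct message for the `!required_ldap` case, e.g. `"[%" APR_PID_T_FMT "] auth_ldap authorise: no ldap-* Require directives, declining"`, would keep the audit trail unambiguous and make misconfigurations easier to spot. Declining on the new path hands the decision to whichever other auth_checker module is configured; I believe the 2.2 core treats an authorization pass where every module declines as a configuration error rather than as access granted, but that fail-closed behaviour lives outside this hunk and is worth confirming in the test for PR 43281. The enclosing function continues beyond the hunk.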


