Author: covener
Date: Fri Aug 31 13:51:34 2007
New Revision: 571576
URL: http://svn.apache.org/viewvc?rev=571576&view=rev
Log:
Teach LDAP authorization to step out of the way like user/owner/groupfile/dbm do
when no relevant authz directives are present
PR 43281
Modified:
httpd/httpd/branches/2.2.x/CHANGES
httpd/httpd/branches/2.2.x/STATUS
httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c
Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=571576&r1=571575&r2=571576&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Fri Aug 31 13:51:34 2007
@@ -1,6 +1,12 @@
-*- coding: utf-8 -*-
Changes with Apache 2.2.6
+ *) mod_authnz_ldap: Don't return HTTP_UNAUTHORIZED during authorization when
+ LDAP authentication is configured but we haven't seen any
+ 'Require ldap-*' directives, allowing authorization to be passed to lower
+ level modules (e.g. Require valid-user)
+ PR 43281 [Eric Covener]
+
*) mod_proxy: don't URLencode tilde in path component
PR 38448 [Stijn Hoop <stijn sandcat.nl>]
Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=571576&r1=571575&r2=571576&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Fri Aug 31 13:51:34 2007
@@ -100,15 +100,6 @@
Trunk version of patch works
+1: rpluem, jim, niq
- * mod_authnz_ldap: When no Require ldap-* are present, return DECLINED in the
- auth_checker hook instead of HTTP_UNAUTHORIZED.
- This makes authnz_ldap behave in the same fashion as authz_user, authz_dbm,
- authz_owner, and authz_groupfile.
- Trunk version of patch
- This change is not required for trunk because of the authz-provider model
- 2.2.x version of patch:
- http://people.apache.org/~covener/2.2.x-authnz_ldap-decline.diff
- +1: covener, niq, bnicholes
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
Modified: httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c?rev=571576&r1=571575&r2=571576&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c (original)
+++ httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c Fri Aug 31 13:51:34 2007
@@ -512,6 +512,7 @@
const char *t;
char *w, *value;
int method_restricted = 0;
+ int required_ldap = 0;
char filtbuf[FILTER_LENGTH];
const char *dn = NULL;
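Review bot: The new local `required_ldap` is declared without any comment, and what it records only becomes clear in a later hunk where it gates the DECLINED return, so a reader of the declarations cannot tell it apart from the neighbouring `method_restricted`. A one-line comment on the declaration would carry the intent: `int required_ldap = 0;  /* set once a Require ldap-* directive is seen; none seen -> DECLINED, not denial */`. The enclosing function starts before this hunk, so its header comment (if any) could also mention the new declining behaviour.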
@@ -615,6 +616,7 @@
w = ap_getword_white(r->pool, &t);
if (strcmp(w, "ldap-user") == 0) {
+ required_ldap = 1;
if (req->dn == NULL || strlen(req->dn) == 0) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"[%" APR_PID_T_FMT "] auth_ldap authorise: "
@@ -664,6 +666,7 @@
}
}
else if (strcmp(w, "ldap-dn") == 0) {
+ required_ldap = 1;
if (req->dn == NULL || strlen(req->dn) == 0) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"[%" APR_PID_T_FMT "] auth_ldap authorise: "
@@ -691,6 +694,7 @@
else if (strcmp(w, "ldap-group") == 0) {
struct mod_auth_ldap_groupattr_entry_t *ent = (struct mod_auth_ldap_groupattr_entry_t
*) sec->groupattr->elts;
int i;
+ required_ldap = 1;
if (sec->group_attrib_is_dn) {
if (req->dn == NULL || strlen(req->dn) == 0) {
@@ -740,6 +744,7 @@
}
}
else if (strcmp(w, "ldap-attribute") == 0) {
+ required_ldap = 1;
if (req->dn == NULL || strlen(req->dn) == 0) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"[%" APR_PID_T_FMT "] auth_ldap authorise: "
@@ -775,6 +780,7 @@
}
}
else if (strcmp(w, "ldap-filter") == 0) {
+ required_ldap = 1;
if (req->dn == NULL || strlen(req->dn) == 0) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"[%" APR_PID_T_FMT "] auth_ldap authorise: "
@@ -838,7 +844,7 @@
return OK;
}
- if (!sec->auth_authoritative) {
+ if (!required_ldap || !sec->auth_authoritative) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"[%" APR_PID_T_FMT "] auth_ldap authorise: declining to authorise",
getpid());
return DECLINED;
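Review bot: The DECLINED path now covers two different situations — no `Require ldap-*` directive was seen, and the module being non-authoritative — but the debug message on the lines before it still says only "declining to authorise", so an administrator who expected LDAP authorization to apply and mistyped the Require keyword gets no hint from the log. Logging which condition fired costs one format argument: `"[%" APR_PID_T_FMT "] auth_ldap authorise: declining to authorise (%s)", getpid(), required_ldap ? "not authoritative" : "no Require ldap-* directives seen"`. From an access-control standpoint the change relies on some other authz module returning OK; my recollection is that the 2.2 core treats an auth_checker run in which every module declines as a configuration error rather than granting access, which is worth confirming for the case where only non-ldap Require lines exist and no module handles them. The enclosing function continues past the end of this hunk.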