httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From pque...@apache.org
Subject svn commit: r645594 [24/28] - in /httpd/sandbox/amsterdam/d: ./ build/ docs/conf/ docs/conf/extra/ docs/man/ docs/manual/ docs/manual/developer/ docs/manual/faq/ docs/manual/howto/ docs/manual/misc/ docs/manual/mod/ docs/manual/platform/ docs/manual/pr...
Date Mon, 07 Apr 2008 16:31:24 GMT
Modified: httpd/sandbox/amsterdam/d/modules/ldap/util_ldap.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/ldap/util_ldap.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/ldap/util_ldap.c (original)
+++ httpd/sandbox/amsterdam/d/modules/ldap/util_ldap.c Mon Apr  7 09:28:58 2008
@@ -66,6 +66,8 @@
         apr_global_mutex_unlock(st->util_ldap_cache_lock);      \
 } while (0)
 
+static apr_status_t util_ldap_connection_remove (void *param);
+
 static void util_ldap_strdup (char **str, const char *newstr)
 {
     if (*str) {
@@ -104,7 +106,7 @@
         return DECLINED;
     }
 
-    ap_set_content_type(r, "text/html");
+    ap_set_content_type(r, "text/html; charset=ISO-8859-1");
 
     if (r->header_only)
         return OK;
@@ -119,9 +121,9 @@
     return OK;
 }
 
-/* ------------------------------------------------------------------ */
 
 
+/* ------------------------------------------------------------------ */
 /*
  * Closes an LDAP connection by unlocking it. The next time
  * uldap_connection_find() is called this connection will be
@@ -141,18 +143,22 @@
      * we don't have to...
      */
 
-    /* mark our connection as available for reuse */
-
+     if (!ldc->keep) { 
+         util_ldap_connection_remove(ldc);
+     }
+     else { 
+         /* mark our connection as available for reuse */
 #if APR_HAS_THREADS
-    apr_thread_mutex_unlock(ldc->lock);
+         apr_thread_mutex_unlock(ldc->lock);
 #endif
+     }
 }
 
 
 /*
  * Destroys an LDAP connection by unbinding and closing the connection to
  * the LDAP server. It is used to bring the connection back to a known
- * state after an error, and during pool cleanup.
+ * state after an error.
  */
 static apr_status_t uldap_connection_unbind(void *param)
 {
@@ -172,12 +178,17 @@
 
 /*
  * Clean up an LDAP connection by unbinding and unlocking the connection.
+ * This cleanup does not remove the util_ldap_connection_t from the 
+ * per-virtualhost list of connections, does not remove the storage
+ * for the util_ldap_connection_t or it's data, and is NOT run automatically.
  */
 static apr_status_t uldap_connection_cleanup(void *param)
 {
     util_ldap_connection_t *ldc = param;
 
     if (ldc) {
+        /* Release the rebind info for this connection. No more referral rebinds required. */
+        apr_ldap_rebind_remove(ldc->ldap);
 
         /* unbind and disconnect from the LDAP server */
         uldap_connection_unbind(ldc);
@@ -189,22 +200,82 @@
         if (ldc->binddn) {
             free((void*)ldc->binddn);
         }
-
+        /* ldc->reason is allocated from r->pool */
+        if (ldc->reason) {
+            ldc->reason = NULL;
+        }
         /* unlock this entry */
         uldap_connection_close(ldc);
 
+     }
+
+    return APR_SUCCESS;
+}
+
+/*
+ * util_ldap_connection_remove frees all storage associated with the LDAP
+ * connection and removes it completely from the per-virtualhost list of
+ * connections
+ *
+ * The caller should hold the lock for this connection
+ */
+static apr_status_t util_ldap_connection_remove (void *param) { 
+    util_ldap_connection_t *ldc = param, *l  = NULL, *prev = NULL;
+    util_ldap_state_t *st = ldc->st;
+
+    if (!ldc) return APR_SUCCESS;
+
+    uldap_connection_unbind(ldc);
+
+#if APR_HAS_THREADS
+    apr_thread_mutex_lock(st->mutex);
+#endif
+
+    /* Remove ldc from the list */
+    for (l=st->connections; l; l=l->next) {
+        if (l == ldc) {
+            if (prev) {
+                prev->next = l->next; 
+            }
+            else { 
+                st->connections = l->next;
+            }
+            break;
+        }
+        prev = l;
     }
 
+    /* Some unfortunate duplication between this method
+     * and uldap_connection_cleanup()
+    */
+    if (ldc->bindpw) {
+        free((void*)ldc->bindpw);
+    }
+    if (ldc->binddn) {
+        free((void*)ldc->binddn);
+    }
+
+#if APR_HAS_THREADS
+    apr_thread_mutex_unlock(ldc->lock);
+    apr_thread_mutex_unlock(st->mutex);
+#endif
+
+    /* Destory the pool associated with this connection */
+
+    apr_pool_destroy(ldc->pool);   
+   
     return APR_SUCCESS;
 }
 
 static int uldap_connection_init(request_rec *r,
-                                 util_ldap_connection_t *ldc )
+                                 util_ldap_connection_t *ldc)
 {
     int rc = 0, ldap_option = 0;
     int version  = LDAP_VERSION3;
     apr_ldap_err_t *result = NULL;
+#ifdef LDAP_OPT_NETWORK_TIMEOUT
     struct timeval timeOut = {10,0};    /* 10 second connection timeout */
+#endif
     util_ldap_state_t *st =
         (util_ldap_state_t *)ap_get_module_config(r->server->module_config,
         &ldap_module);
@@ -221,7 +292,6 @@
                   APR_LDAP_NONE,
                   &(result));
 
-
     if (result != NULL && result->rc) {
         ldc->reason = result->reason;
     }
@@ -238,6 +308,16 @@
         return(result->rc);
     }
 
+    /* Now that we have an ldap struct, add it to the referral list for rebinds. */
+    rc = apr_ldap_rebind_add(ldc->pool, ldc->ldap, ldc->binddn, ldc->bindpw);
+    if (rc != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+                     "LDAP: Unable to add rebind cross reference entry. Out of memory?");
+        uldap_connection_unbind(ldc);
+        ldc->reason = "LDAP: Unable to add rebind cross reference entry.";
+        return(rc);
+    }
+
     /* always default to LDAP V3 */
     ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
 
@@ -267,10 +347,49 @@
     ldap_option = ldc->deref;
     ldap_set_option(ldc->ldap, LDAP_OPT_DEREF, &ldap_option);
 
+    /* Set options for rebind and referrals. */
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+                 "LDAP: Setting referrals to %s.",
+                 ((ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) ? "On" : "Off"));
+    apr_ldap_set_option(r->pool, ldc->ldap,
+                        APR_LDAP_OPT_REFERRALS,
+                        (void *)((ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) ?
+                                 LDAP_OPT_ON : LDAP_OPT_OFF),
+                        &(result));
+    if (result->rc != LDAP_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+                     "Unable to set LDAP_OPT_REFERRALS option to %s: %d.",
+                     ((ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) ? "On" : "Off"),
+                     result->rc);
+        result->reason = "Unable to set LDAP_OPT_REFERRALS.";
+        uldap_connection_unbind(ldc);
+        return(result->rc);
+    }
+
+    if (ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) {
+        /* Referral hop limit - only if referrals are enabled */
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+                     "Setting referral hop limit to %d.",
+                     ldc->ReferralHopLimit);
+        apr_ldap_set_option(r->pool, ldc->ldap,
+                            APR_LDAP_OPT_REFHOPLIMIT,
+                            (void *)&ldc->ReferralHopLimit,
+                            &(result));
+        if (result->rc != LDAP_SUCCESS) {
+          ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+                       "Unable to set LDAP_OPT_REFHOPLIMIT option to %d: %d.",
+                       ldc->ReferralHopLimit,
+                       result->rc);
+          result->reason = "Unable to set LDAP_OPT_REFHOPLIMIT.";
+          uldap_connection_unbind(ldc);
+          return(result->rc);
+        }
+    }
+
 /*XXX All of the #ifdef's need to be removed once apr-util 1.2 is released */
 #ifdef APR_LDAP_OPT_VERIFY_CERT
-    apr_ldap_set_option(r->pool, ldc->ldap,
-                        APR_LDAP_OPT_VERIFY_CERT, &(st->verify_svr_cert), &(result));
+    apr_ldap_set_option(r->pool, ldc->ldap, APR_LDAP_OPT_VERIFY_CERT,
+                        &(st->verify_svr_cert), &(result));
 #else
 #if defined(LDAPSSL_VERIFY_SERVER)
     if (st->verify_svr_cert) {
@@ -361,7 +480,7 @@
         rc = ldap_simple_bind_s(ldc->ldap,
                                 (char *)ldc->binddn,
                                 (char *)ldc->bindpw);
-        if (LDAP_SERVER_DOWN != rc) {
+        if (!AP_LDAP_IS_SERVER_DOWN(rc)) {
             break;
         } else if (failures == 5) {
            /* attempt to init the connection once again */
@@ -448,7 +567,8 @@
     util_ldap_state_t *st =
         (util_ldap_state_t *)ap_get_module_config(r->server->module_config,
         &ldap_module);
-
+    util_ldap_config_t *dc =
+        (util_ldap_config_t *) ap_get_module_config(r->per_dir_config, &ldap_module);
 
 #if APR_HAS_THREADS
     /* mutex lock this function */
@@ -519,37 +639,43 @@
 /* artificially disable cache */
 /* l = NULL; */
 
-    /* If no connection what found after the second search, we
+    /* If no connection was found after the second search, we
      * must create one.
      */
     if (!l) {
-
-        /*
-         * Add the new connection entry to the linked list. Note that we
-         * don't actually establish an LDAP connection yet; that happens
-         * the first time authentication is requested.
-         */
-        /* create the details to the pool in st */
-        l = apr_pcalloc(st->pool, sizeof(util_ldap_connection_t));
-        if (apr_pool_create(&l->pool, st->pool) != APR_SUCCESS) { 
+        apr_pool_t *newpool;
+        if (apr_pool_create(&newpool, NULL) != APR_SUCCESS) {
             ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
                           "util_ldap: Failed to create memory pool");
 #if APR_HAS_THREADS
             apr_thread_mutex_unlock(st->mutex);
 #endif
             return NULL;
-    
         }
+ 
+        /*
+         * Add the new connection entry to the linked list. Note that we
+         * don't actually establish an LDAP connection yet; that happens
+         * the first time authentication is requested.
+         */
+
+        /* create the details of this connection in the new pool */
+        l = apr_pcalloc(newpool, sizeof(util_ldap_connection_t));
+        l->pool = newpool;
+        l->st = st;
+
 #if APR_HAS_THREADS
-        apr_thread_mutex_create(&l->lock, APR_THREAD_MUTEX_DEFAULT, st->pool);
+        apr_thread_mutex_create(&l->lock, APR_THREAD_MUTEX_DEFAULT, l->pool);
         apr_thread_mutex_lock(l->lock);
 #endif
         l->bound = 0;
-        l->host = apr_pstrdup(st->pool, host);
+        l->host = apr_pstrdup(l->pool, host);
         l->port = port;
         l->deref = deref;
         util_ldap_strdup((char**)&(l->binddn), binddn);
         util_ldap_strdup((char**)&(l->bindpw), bindpw);
+        l->ChaseReferrals = dc->ChaseReferrals;
+        l->ReferralHopLimit = dc->ReferralHopLimit;
 
         /* The security mode after parsing the URL will always be either
          * APR_LDAP_NONE (ldap://) or APR_LDAP_SSL (ldaps://).
@@ -561,6 +687,8 @@
         /* save away a copy of the client cert list that is presently valid */
         l->client_certs = apr_array_copy_hdr(l->pool, st->client_certs);
 
+        l->keep = 1;
+
         if (p) {
             p->next = l;
         }
@@ -658,10 +786,10 @@
     }
 
     /* search for reqdn */
-    if ((result = ldap_search_ext_s(ldc->ldap, (char *)reqdn, LDAP_SCOPE_BASE,
-                                    "(objectclass=*)", NULL, 1,
-                                    NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res))
-            == LDAP_SERVER_DOWN)
+    result = ldap_search_ext_s(ldc->ldap, (char *)reqdn, LDAP_SCOPE_BASE,
+                               "(objectclass=*)", NULL, 1,
+                               NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res);
+    if (AP_LDAP_IS_SERVER_DOWN(result))
     {
         ldc->reason = "DN Comparison ldap_search_ext_s() "
                       "failed with server down";
@@ -710,9 +838,9 @@
 /*
  * Does an generic ldap_compare operation. It accepts a cache that it will use
  * to lookup the compare in the cache. We cache two kinds of compares
- * (require group compares) and (require user compares). Each compare has a different
- * cache node: require group includes the DN; require user does not because the
- * require user cache is owned by the
+ * (require group compares) and (require user compares). Each compare has a
+ * different cache node: require group includes the DN; require user does not
+ * because the require user cache is owned by the
  *
  */
 static int uldap_cache_compare(request_rec *r, util_ldap_connection_t *ldc,
@@ -798,11 +926,11 @@
         return result;
     }
 
-    if ((result = ldap_compare_s(ldc->ldap,
-                                 (char *)dn,
-                                 (char *)attrib,
-                                 (char *)value))
-                                               == LDAP_SERVER_DOWN) {
+    result = ldap_compare_s(ldc->ldap,
+                            (char *)dn,
+                            (char *)attrib,
+                            (char *)value);
+    if (AP_LDAP_IS_SERVER_DOWN(result)) { 
         /* connection failed - try again */
         ldc->reason = "ldap_compare_s() failed with server down";
         uldap_connection_unbind(ldc);
@@ -833,9 +961,12 @@
             {
                 void *junk;
 
-                junk = util_ald_cache_insert(curl->compare_cache, &the_compare_node);
+                junk = util_ald_cache_insert(curl->compare_cache,
+                                             &the_compare_node);
                 if(junk == NULL) {
-                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] cache_compare: Cache insertion failure.", getpid());
+                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                                  "[%" APR_PID_T_FMT "] cache_compare: Cache"
+                                  " insertion failure.", getpid());
                 }
             }
             else {
@@ -860,16 +991,176 @@
     return result;
 }
 
+
+static util_compare_subgroup_t* uldap_get_subgroups(request_rec *r,
+                                                    util_ldap_connection_t *ldc,
+                                                    const char *url,
+                                                    const char *dn,
+                                                    char **subgroupAttrs,
+                                                    apr_array_header_t *subgroupclasses)
+{
+    int failures = 0;
+    int result = LDAP_COMPARE_FALSE;
+    util_compare_subgroup_t *res = NULL;
+    LDAPMessage *sga_res, *entry;
+    struct mod_auth_ldap_groupattr_entry_t *sgc_ents;
+    apr_array_header_t *subgroups = apr_array_make(r->pool, 20, sizeof(char *));
+
+    sgc_ents = (struct mod_auth_ldap_groupattr_entry_t *) subgroupclasses->elts;
+
+    if (!subgroupAttrs) {
+        return res;
+    }
+
+start_over:
+    /*
+     * 3.B. The cache didn't have any subgrouplist yet. Go check for subgroups.
+     */
+    if (failures++ > 10) {
+        /* too many failures */
+        return res;
+    }
+
+    if (LDAP_SUCCESS != (result = uldap_connection_open(r, ldc))) {
+        /* connect failed */
+        return res;
+    }
+
+    /* try to do the search */
+    result = ldap_search_ext_s(ldc->ldap, (char *)dn, LDAP_SCOPE_BASE,
+                               (char *)"cn=*", subgroupAttrs, 0,
+                               NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &sga_res);
+    if (AP_LDAP_IS_SERVER_DOWN(result)) {
+        ldc->reason = "ldap_search_ext_s() for subgroups failed with server"
+                      " down";
+        uldap_connection_unbind(ldc);
+        goto start_over;
+    }
+
+    /* if there is an error (including LDAP_NO_SUCH_OBJECT) return now */
+    if (result != LDAP_SUCCESS) {
+        ldc->reason = "ldap_search_ext_s() for subgroups failed";
+        return res;
+    }
+
+    entry = ldap_first_entry(ldc->ldap, sga_res);
+
+    /*
+     * Get values for the provided sub-group attributes.
+     */
+    if (subgroupAttrs) {
+        int indx = 0, tmp_sgcIndex;
+
+        while (subgroupAttrs[indx]) {
+            char **values;
+            int val_index = 0;
+
+            /* Get *all* matching "member" values from this group. */
+            values = ldap_get_values(ldc->ldap, entry, subgroupAttrs[indx]);
+
+            if (values) {
+                val_index = 0;
+                /*
+                 * Now we are going to pare the subgroup members of this group
+                 * to *just* the subgroups, add them to the compare_nodep, and
+                 * then proceed to check the new level of subgroups.
+                 */
+                while (values[val_index]) {
+                    /* Check if this entry really is a group. */
+                    tmp_sgcIndex = 0;
+                    result = LDAP_COMPARE_FALSE;
+                    while ((tmp_sgcIndex < subgroupclasses->nelts)
+                           && (result != LDAP_COMPARE_TRUE)) {
+                        result = uldap_cache_compare(r, ldc, url,
+                                                     values[val_index],
+                                                     "objectClass",
+                                                     sgc_ents[tmp_sgcIndex].name
+                                                     );
+
+                        if (result != LDAP_COMPARE_TRUE) {
+                            tmp_sgcIndex++;
+                        }
+                    }
+                    /* It's a group, so add it to the array.  */
+                    if (result == LDAP_COMPARE_TRUE) {
+                        char **newgrp = (char **) apr_array_push(subgroups);
+                        *newgrp = apr_pstrdup(r->pool, values[val_index]);
+                    }
+                    val_index++;
+                }
+                ldap_value_free(values);
+            }
+            indx++;
+        }
+    }
+
+    ldap_msgfree(sga_res);
+
+    if (subgroups->nelts > 0) {
+        /* We need to fill in tmp_local_subgroups using the data from LDAP */
+        int sgindex;
+        char **group;
+        res = apr_pcalloc(r->pool, sizeof(util_compare_subgroup_t));
+        res->subgroupDNs  = apr_pcalloc(r->pool,
+                                        sizeof(char *) * (subgroups->nelts));
+        for (sgindex = 0; (group = apr_array_pop(subgroups)); sgindex++) {
+            res->subgroupDNs[sgindex] = apr_pstrdup(r->pool, *group);
+        }
+        res->len = sgindex;
+    }
+
+    return res;
+}
+
+
 /*
- * Does a recursive lookup operation to try to find a user within (cached) nested groups.
+ * Does a recursive lookup operation to try to find a user within (cached)
+ * nested groups. It accepts a cache that it will use to lookup previous
+ * compare attempts. We cache two kinds of compares (require group compares)
+ * and (require user compares). Each compare has a different cache node:
+ * require group includes the DN; require user does not because the require
+ * user cache is owned by the
  *
  * DON'T CALL THIS UNLESS YOU CALLED uldap_cache_compare FIRST!!!!!
+ *
+ *
+ * 1. Call uldap_cache_compare for each subgroupclass value to check the
+ *    generic, user-agnostic, cached group entry. This will create a new generic
+ *    cache entry if there
+ *    wasn't one. If nothing returns LDAP_COMPARE_TRUE skip to step 5 since we
+ *    have no groups.
+ * 2. Lock The cache and get the generic cache entry.
+ * 3. Check if there is already a subgrouplist in this generic group's cache
+ *    entry.
+ *    A. If there is, go to step 4.
+ *    B. If there isn't:
+ *       i)   Use ldap_search to get the full list
+ *            of subgroup "members" (which may include non-group "members").
+ *       ii)  Use uldap_cache_compare to strip the list down to just groups.
+ *       iii) Lock and add this stripped down list to the cache of the generic
+ *            group.
+ * 4. Loop through the sgl and call uldap_cache_compare (using the user info)
+ *    for each
+ *    subgroup to see if the subgroup contains the user and to get the subgroups
+ *    added to the
+ *    cache (with user-afinity, if they aren't already there).
+ *    A. If the user is in the subgroup, then we'll be returning
+ *       LDAP_COMPARE_TRUE.
+ *    B. if the user isn't in the subgroup (LDAP_COMPARE_FALSE via
+ *       uldap_cache_compare) then recursively call this function to get the
+ *       sub-subgroups added...
+ * 5. Cleanup local allocations.
+ * 6. Return the final result.
  */
-static int uldap_cache_check_subgroups(request_rec *r, util_ldap_connection_t *ldc,
+
+static int uldap_cache_check_subgroups(request_rec *r,
+                                       util_ldap_connection_t *ldc,
                                        const char *url, const char *dn,
                                        const char *attrib, const char *value,
-                                       char **subgroupAttrs, apr_array_header_t *subgroupclasses,
-                                       int cur_subgroup_depth, int max_subgroup_depth)
+                                       char **subgroupAttrs,
+                                       apr_array_header_t *subgroupclasses,
+                                       int cur_subgroup_depth,
+                                       int max_subgroup_depth)
 {
     int result = LDAP_COMPARE_FALSE;
     util_url_node_t *curl;
@@ -877,266 +1168,234 @@
     util_compare_node_t *compare_nodep;
     util_compare_node_t the_compare_node;
     util_compare_subgroup_t *tmp_local_sgl = NULL;
-    int failures = 0;
-    LDAPMessage *sga_res, *entry;
-    apr_array_header_t *subgroups = apr_array_make(r->pool, 20, sizeof(char *));
-
+    int sgl_cached_empty = 0, sgindex = 0, base_sgcIndex = 0;
+    struct mod_auth_ldap_groupattr_entry_t *sgc_ents =
+            (struct mod_auth_ldap_groupattr_entry_t *) subgroupclasses->elts;
     util_ldap_state_t *st = (util_ldap_state_t *)
                             ap_get_module_config(r->server->module_config,
                                                  &ldap_module);
 
     /*
-     * 1. Call uldap_cache_compare for each subgroupclass value to check the generic,
-     *    user-agnostic, cached group entry. This will create a new generic cache entry if there
-     *    wasn't one. If nothing returns LDAP_COMPARE_TRUE skip to step 5 since we have no groups.
-     * 2. Lock The cache and get the generic cache entry.
-     * 3. Check if there is already a subgrouplist in this generic group's cache entry.
-     *    A. If there is, go to step 4.
-     *    B. If there isn't:
-     *       i) Use ldap_search to get the full list
-     *          of subgroup "members" (which may include non-group "members").
-     *       ii) Use uldap_cache_compare to strip the list down to just groups.
-     *       iii) Lock and add this stripped down list to the cache of the generic group.
-     * 4. Loop through the sgl and call uldap_cache_compare (using the user info) for each
-     *    subgroup to see if the subgroup contains the user and to get the subgroups added to the
-     *    cache (with user-afinity, if they aren't already there).
-     *    A. If the user is in the subgroup, then we'll be returning LDAP_COMPARE_TRUE.
-     *    B. if the user isn't in the subgroup (LDAP_COMPARE_FALSE via uldap_cache_compare) then
-     *       recursively call this function to get the sub-subgroups added...
-     * 5. Cleanup local allocations.
-     * 6. Return the final result.
-     */
-
-        /* Stop looking at deeper levels of nested groups if we have reached the max.
-         * Since we already checked the top-level group in uldap_cache_compare, we don't
-         * need to check it again here - so if max_subgroup_depth is set to 0, we won't
-         * check it (i.e. that is why we check < rather than <=).
-         * We'll be calling uldap_cache_compare from here to check if the user is in the
-         * next level before we recurse into that next level looking for more subgroups.
-         */
-    if (cur_subgroup_depth < max_subgroup_depth) {
-        int base_sgcIndex = 0;
-        int lcl_sgl_processedFlag = 0;
-        struct mod_auth_ldap_groupattr_entry_t *sgc_ents = (struct mod_auth_ldap_groupattr_entry_t *) subgroupclasses->elts;
-
-        /* 1. Check the "groupiness" of the specified basedn. Stopping at the first TRUE return. */
-        while ((base_sgcIndex < subgroupclasses->nelts) && (result != LDAP_COMPARE_TRUE)) {
-            result = uldap_cache_compare(r, ldc, url, dn, "objectClass", sgc_ents[base_sgcIndex].name);
-            if (result != LDAP_COMPARE_TRUE) {
-                base_sgcIndex++;
-            }
-        }
+     * Stop looking at deeper levels of nested groups if we have reached the
+     * max. Since we already checked the top-level group in uldap_cache_compare,
+     * we don't need to check it again here - so if max_subgroup_depth is set
+     * to 0, we won't check it (i.e. that is why we check < rather than <=).
+     * We'll be calling uldap_cache_compare from here to check if the user is
+     * in the next level before we recurse into that next level looking for
+     * more subgroups.
+     */
+    if (cur_subgroup_depth >= max_subgroup_depth) {
+        return LDAP_COMPARE_FALSE;
+    }
 
+    /*
+     * 1. Check the "groupiness" of the specified basedn. Stopping at the first
+     *    TRUE return.
+     */
+    while ((base_sgcIndex < subgroupclasses->nelts)
+           && (result != LDAP_COMPARE_TRUE)) {
+        result = uldap_cache_compare(r, ldc, url, dn, "objectClass",
+                                     sgc_ents[base_sgcIndex].name);
         if (result != LDAP_COMPARE_TRUE) {
-            /* The dn we were handed doesn't seem to be a group, how can we check for SUB-groups if this
-             * isn't a group?!?!?!
-             */
-            ldc->reason = "DN failed group verification.";
-            return result;
+            base_sgcIndex++;
         }
+    }
 
-        /* 2. Find previously created cache entry and check if there is already a subgrouplist. */
-        LDAP_CACHE_LOCK();
-        curnode.url = url;
-        curl = util_ald_cache_fetch(st->util_ldap_cache, &curnode);
-        LDAP_CACHE_UNLOCK();
+    if (result != LDAP_COMPARE_TRUE) {
+        ldc->reason = "DN failed group verification.";
+        return result;
+    }
 
-        if (curl && curl->compare_cache) {
-            /* make a comparison to the cache */
-            LDAP_CACHE_LOCK();
+    /*
+     * 2. Find previously created cache entry and check if there is already a
+     *    subgrouplist.
+     */
+    LDAP_CACHE_LOCK();
+    curnode.url = url;
+    curl = util_ald_cache_fetch(st->util_ldap_cache, &curnode);
+    LDAP_CACHE_UNLOCK();
 
-            the_compare_node.dn = (char *)dn;
-            the_compare_node.attrib = (char *)"objectClass";
-            the_compare_node.value = (char *)sgc_ents[base_sgcIndex].name;
-            the_compare_node.result = 0;
-            the_compare_node.sgl_processed = 0;
-            the_compare_node.subgroupList = NULL;
+    if (curl && curl->compare_cache) {
+        /* make a comparison to the cache */
+        LDAP_CACHE_LOCK();
 
-            compare_nodep = util_ald_cache_fetch(curl->compare_cache, &the_compare_node);
+        the_compare_node.dn = (char *)dn;
+        the_compare_node.attrib = (char *)"objectClass";
+        the_compare_node.value = (char *)sgc_ents[base_sgcIndex].name;
+        the_compare_node.result = 0;
+        the_compare_node.sgl_processed = 0;
+        the_compare_node.subgroupList = NULL;
 
-            if (compare_nodep == NULL) {
-                /* Didn't find it. This shouldn't happen since we just called uldap_cache_compare. */
-                LDAP_CACHE_UNLOCK();
-                ldc->reason = "check_subgroups failed to find cached element.";
-                return LDAP_COMPARE_FALSE;
-            }
-            else {
-                /* Found the generic group entry... but the user isn't in this group or we wouldn't be here. */
-                lcl_sgl_processedFlag = compare_nodep->sgl_processed;
-                if(compare_nodep->sgl_processed && compare_nodep->subgroupList) {
+        compare_nodep = util_ald_cache_fetch(curl->compare_cache,
+                                             &the_compare_node);
+
+        if (compare_nodep != NULL) {
+            /*
+             * Found the generic group entry... but the user isn't in this
+             * group or we wouldn't be here.
+             */
+            if (compare_nodep->sgl_processed) {
+                if (compare_nodep->subgroupList) {
                     /* Make a local copy of the subgroup list */
                     int i;
-                    tmp_local_sgl = apr_pcalloc(r->pool, sizeof(util_compare_subgroup_t));
+                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                                  "[%" APR_PID_T_FMT "] util_ldap:"
+                                  " Making local copy of SGL for "
+                                  "group (%s)(objectClass=%s) ",
+                                  getpid(), dn,
+                                  (char *)sgc_ents[base_sgcIndex].name);
+                    tmp_local_sgl = apr_pcalloc(r->pool,
+                                                sizeof(util_compare_subgroup_t));
                     tmp_local_sgl->len = compare_nodep->subgroupList->len;
-                    tmp_local_sgl->subgroupDNs = apr_pcalloc(r->pool, sizeof(char *) * compare_nodep->subgroupList->len);
+                    tmp_local_sgl->subgroupDNs =
+                        apr_pcalloc(r->pool,
+                                    sizeof(char *) * compare_nodep->subgroupList->len);
                     for (i = 0; i < compare_nodep->subgroupList->len; i++) {
-                        tmp_local_sgl->subgroupDNs[i] = apr_pstrdup(r->pool, compare_nodep->subgroupList->subgroupDNs[i]);
+                        tmp_local_sgl->subgroupDNs[i] =
+                            apr_pstrdup(r->pool,
+                                        compare_nodep->subgroupList->subgroupDNs[i]);
                     }
                 }
+                else {
+                    sgl_cached_empty = 1;
+                }
             }
-            /* unlock this read lock */
-            LDAP_CACHE_UNLOCK();
-        }
-        else {
-              /* If we get here, something is wrong. Caches should have been created and
-                 this group entry should be found in the cache. */
-            ldc->reason = "check_subgroups failed to find any caches.";
-            return LDAP_COMPARE_FALSE;
         }
+        LDAP_CACHE_UNLOCK();
+    }
 
-        result = LDAP_COMPARE_FALSE;
-
-        /* No cache entry had a processed SGL. Retrieve from LDAP server */
-        if ((lcl_sgl_processedFlag == 0) && (!tmp_local_sgl)) {
-start_over:
-            /* 3.B. The cache didn't have any subgrouplist yet. Go check for subgroups. */
-            if (failures++ > 10) {
-                /* too many failures */
-                return result;
-            }
-
-            if (LDAP_SUCCESS != (result = uldap_connection_open(r, ldc))) {
-                /* connect failed */
-                return result;
-            }
+    if (!tmp_local_sgl && !sgl_cached_empty) {
+        /* No Cached SGL, retrieve from LDAP */
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                      "[%" APR_PID_T_FMT "] util_ldap: no cached SGL for %s,"
+                      " retrieving from LDAP" , getpid(), dn);
+        tmp_local_sgl = uldap_get_subgroups(r, ldc, url, dn, subgroupAttrs,
+                                            subgroupclasses);
+        if (!tmp_local_sgl) {
+            /* No SGL aailable via LDAP either */
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "]"
+                          " util_ldap: no subgroups for %s" , getpid(), dn);
+        }
 
-            /* try to do the search */
-            result = ldap_search_ext_s(ldc->ldap, (char *)dn, LDAP_SCOPE_BASE,
-                                       (char *)"cn=*", subgroupAttrs, 0,
-                                       NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &sga_res);
-            if (result == LDAP_SERVER_DOWN) {
-                ldc->reason = "ldap_search_ext_s() for subgroups failed with server down";
-                uldap_connection_unbind(ldc);
-                goto start_over;
-            }
+      if (curl && curl->compare_cache) {
+        /*
+         * Find the generic group cache entry and add the sgl we just retrieved.
+         */
+        LDAP_CACHE_LOCK();
 
-            /* if there is an error (including LDAP_NO_SUCH_OBJECT) return now */
-            if (result != LDAP_SUCCESS) {
-                ldc->reason = "ldap_search_ext_s() for subgroups failed";
-                return result;
-            }
+        the_compare_node.dn = (char *)dn;
+        the_compare_node.attrib = (char *)"objectClass";
+        the_compare_node.value = (char *)sgc_ents[base_sgcIndex].name;
+        the_compare_node.result = 0;
+        the_compare_node.sgl_processed = 0;
+        the_compare_node.subgroupList = NULL;
 
-            entry = ldap_first_entry(ldc->ldap, sga_res);
+        compare_nodep = util_ald_cache_fetch(curl->compare_cache,
+                                             &the_compare_node);
 
+        if (compare_nodep == NULL) {
             /*
-             * Get values for the provided sub-group attributes.
+             * The group entry we want to attach our SGL to doesn't exist.
+             * We only got here if we verified this DN was actually a group
+             * based on the objectClass, but we can't call the compare function
+             * while we already hold the cache lock -- only the insert.
              */
-            if (subgroupAttrs) {
-                int indx = 0, tmp_sgcIndex;
-
-                while (subgroupAttrs[indx]) {
-                    char **values;
-                    int val_index = 0;
-
-                    /* Get *all* matching "member" values from this group. */
-                    values = ldap_get_values(ldc->ldap, entry, subgroupAttrs[indx]);
-
-                    if (values) {
-                        val_index = 0;
-                        /*
-                         * Now we are going to pare the subgroup members of this group to *just*
-                         * the subgroups, add them to the compare_nodep, and then proceed to check
-                         * the new level of subgroups.
-                         */
-                        while (values[val_index]) {
-                            /* Check if this entry really is a group. */
-                            tmp_sgcIndex = 0;
-                            result = LDAP_COMPARE_FALSE;
-                            while ((tmp_sgcIndex < subgroupclasses->nelts) && (result != LDAP_COMPARE_TRUE)) {
-                                result = uldap_cache_compare(r, ldc, url, values[val_index], "objectClass",
-                                                             sgc_ents[tmp_sgcIndex].name);
-
-                                if (result != LDAP_COMPARE_TRUE) {
-                                    tmp_sgcIndex++;
-                                }
-                            }
-                            /* It's a group, so add it to the array.  */
-                            if (result == LDAP_COMPARE_TRUE) {
-                                char **newgrp = (char **) apr_array_push(subgroups);
-                                *newgrp = apr_pstrdup(r->pool, values[val_index]);
-                            }
-                            val_index++;
-                        }
-                        ldap_value_free(values);
-                    }
-                    indx++;
-                }
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                          "[%" APR_PID_T_FMT "] util_ldap: Cache entry "
+                          "for %s doesn't exist",
+                           getpid(), dn);
+            the_compare_node.result = LDAP_COMPARE_TRUE;
+            util_ald_cache_insert(curl->compare_cache, &the_compare_node);
+            compare_nodep = util_ald_cache_fetch(curl->compare_cache,
+                                                 &the_compare_node);
+            if (compare_nodep == NULL) {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                              "[%" APR_PID_T_FMT "] util_ldap: Couldn't "
+                              "retrieve group entry for %s from cache",
+                               getpid(), dn);
             }
+        }
 
-            ldap_msgfree(sga_res);
-
-            if (subgroups->nelts > 0) {
-                /* We need to fill in tmp_local_subgroups using the data from LDAP */
-                int sgindex;
-                char **group;
-                tmp_local_sgl = apr_pcalloc(r->pool, sizeof(util_compare_subgroup_t));
-                tmp_local_sgl->subgroupDNs  = apr_pcalloc(r->pool, sizeof(char *) * (subgroups->nelts));
-                for (sgindex = 0; (group = apr_array_pop(subgroups)); sgindex++) {
-                    tmp_local_sgl->subgroupDNs[sgindex] = apr_pstrdup(r->pool, *group);
+        /*
+         * We have a valid cache entry and a locally generated SGL.
+         * Attach the SGL to the cache entry
+         */
+        if (compare_nodep && !compare_nodep->sgl_processed) {
+            if (!tmp_local_sgl) {
+                /* We looked up an SGL for a group and found it to be empty */
+                if (compare_nodep->subgroupList == NULL) {
+                    compare_nodep->sgl_processed = 1;
                 }
-                tmp_local_sgl->len = sgindex;
-            }
-
-            /* Find the generic group cache entry and add the sgl. */
-            LDAP_CACHE_LOCK();
-
-            the_compare_node.dn = (char *)dn;
-            the_compare_node.attrib = (char *)"objectClass";
-            the_compare_node.value = (char *)sgc_ents[base_sgcIndex].name;
-            the_compare_node.result = 0;
-            the_compare_node.sgl_processed = 0;
-            the_compare_node.subgroupList = NULL;
-
-            compare_nodep = util_ald_cache_fetch(curl->compare_cache, &the_compare_node);
-
-            if (compare_nodep == NULL) {
-                /* Didn't find it. This shouldn't happen since we just called uldap_cache_compare. */
-                LDAP_CACHE_UNLOCK();
-                ldc->reason = "check_subgroups failed to find the cache entry to add sub-group list to.";
-                return LDAP_COMPARE_FALSE;
             }
             else {
-                 /* overwrite SGL if it was previously updated between the last
-                 ** two times we looked at the cache
-                 */
-                 compare_nodep->sgl_processed = 1;
-                 if (tmp_local_sgl) {
-                     compare_nodep->subgroupList = util_ald_sgl_dup(curl->compare_cache, tmp_local_sgl);
-                 }
-                 else {
-                     /* We didn't find a single subgroup, next time save us from looking */
-                     compare_nodep->subgroupList = NULL;
-                 }
-            }
-            /* unlock this read lock */
-            LDAP_CACHE_UNLOCK();
-        }
-
-        /* tmp_local_sgl has either been created, or copied out of the cache */
-        /* If tmp_local_sgl is NULL, there are no subgroups to process and we'll return false */
-        result = LDAP_COMPARE_FALSE;
-        if (tmp_local_sgl) {
-            int sgindex = 0;
-            const char *group = NULL;
-            while ((result != LDAP_COMPARE_TRUE) && (sgindex < tmp_local_sgl->len)) {
-                group = tmp_local_sgl->subgroupDNs[sgindex];
-                /* 4. Now loop through the subgroupList and call uldap_cache_compare to check for the user. */
-                result = uldap_cache_compare(r, ldc, url, group, attrib, value);
-                if (result == LDAP_COMPARE_TRUE) {
-                    /* 4.A. We found the user in the subgroup. Return LDAP_COMPARE_TRUE. */
-                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] util_ldap:"
-                                  " Found the user in a subgroup (%s) at level %d of %d. (7).",
-                                  getpid(), group, cur_subgroup_depth+1, max_subgroup_depth);
+                util_compare_subgroup_t *sgl_copy =
+                    util_ald_sgl_dup(curl->compare_cache, tmp_local_sgl);
+                ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+                             "Copying local SGL of len %d for group %s into cache",
+                             tmp_local_sgl->len, dn);
+                if (sgl_copy) {
+                    if (compare_nodep->subgroupList) {
+                        util_ald_sgl_free(curl->compare_cache,
+                                          &(compare_nodep->subgroupList));
+                    }
+                    compare_nodep->subgroupList = sgl_copy;
+                    compare_nodep->sgl_processed = 1;
                 }
                 else {
-                    /* 4.B. We didn't find the user in this subgroup, so recurse into it and keep looking. */
-                    result = uldap_cache_check_subgroups(r, ldc, url, group, attrib,
-                                                         value, subgroupAttrs, subgroupclasses,
-                                                         cur_subgroup_depth+1, max_subgroup_depth);
+                    ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+                                 "Copy of SGL failed to obtain shared memory, "
+                                 "couldn't update cache");
                 }
-                sgindex++;
             }
         }
+        LDAP_CACHE_UNLOCK();
+      }
+    }
+
+    /*
+     * tmp_local_sgl has either been created, or copied out of the cache
+     * If tmp_local_sgl is NULL, there are no subgroups to process and we'll
+     * return false
+     */
+    result = LDAP_COMPARE_FALSE;
+    if (!tmp_local_sgl) {
+        return result;
+    }
+
+    while ((result != LDAP_COMPARE_TRUE) && (sgindex < tmp_local_sgl->len)) {
+        const char *group = NULL;
+        group = tmp_local_sgl->subgroupDNs[sgindex];
+        /*
+         * 4. Now loop through the subgroupList and call uldap_cache_compare
+         * to check for the user.
+         */
+        result = uldap_cache_compare(r, ldc, url, group, attrib, value);
+        if (result == LDAP_COMPARE_TRUE) {
+            /*
+             * 4.A. We found the user in the subgroup. Return
+             * LDAP_COMPARE_TRUE.
+             */
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "]"
+                          " util_ldap: Found user %s in a subgroup (%s) at"
+                          " level %d of %d.", getpid(), r->user, group,
+                          cur_subgroup_depth+1, max_subgroup_depth);
+        }
+        else {
+            /*
+             * 4.B. We didn't find the user in this subgroup, so recurse into
+             * it and keep looking.
+             */
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "]"
+                          " util_ldap: user %s not found in subgroup (%s) at"
+                          " level %d of %d.", getpid(), r->user, group,
+                          cur_subgroup_depth+1, max_subgroup_depth);
+            result = uldap_cache_check_subgroups(r, ldc, url, group, attrib,
+                                                 value, subgroupAttrs,
+                                                 subgroupclasses,
+                                                 cur_subgroup_depth+1,
+                                                 max_subgroup_depth);
+        }
+        sgindex++;
     }
 
     return result;
@@ -1203,12 +1462,10 @@
                 /* ...and entry is valid */
                 *binddn = apr_pstrdup(r->pool, search_nodep->dn);
                 if (attrs) {
-                    int i = 0, k = 0;
-                    while (attrs[k++]);
-                    *retvals = apr_pcalloc(r->pool, sizeof(char *) * k);
-                    while (search_nodep->vals[i]) {
+                    int i;
+                    *retvals = apr_pcalloc(r->pool, sizeof(char *) * search_nodep->numvals);
+                    for (i = 0; i < search_nodep->numvals; i++) {
                         (*retvals)[i] = apr_pstrdup(r->pool, search_nodep->vals[i]);
-                        i++;
                     }
                 }
                 LDAP_CACHE_UNLOCK();
@@ -1236,11 +1493,11 @@
     }
 
     /* try do the search */
-    if ((result = ldap_search_ext_s(ldc->ldap,
-                                    (char *)basedn, scope,
-                                    (char *)filter, attrs, 0,
-                                    NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res))
-            == LDAP_SERVER_DOWN)
+    result = ldap_search_ext_s(ldc->ldap,
+                               (char *)basedn, scope,
+                               (char *)filter, attrs, 0,
+                               NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res);
+    if (AP_LDAP_IS_SERVER_DOWN(result))
     {
         ldc->reason = "ldap_search_ext_s() for user failed with server down";
         uldap_connection_unbind(ldc);
@@ -1294,9 +1551,10 @@
      * fails, it means that the password is wrong (the dn obviously
      * exists, since we just retrieved it)
      */
-    if ((result = ldap_simple_bind_s(ldc->ldap,
-                                     (char *)*binddn,
-                                     (char *)bindpw)) == LDAP_SERVER_DOWN) {
+    result = ldap_simple_bind_s(ldc->ldap,
+                                (char *)*binddn,
+                                (char *)bindpw);
+    if (AP_LDAP_IS_SERVER_DOWN(result)) {
         ldc->reason = "ldap_simple_bind_s() to check user credentials "
                       "failed with server down";
         ldap_msgfree(res);
@@ -1451,12 +1709,10 @@
                 /* ...and entry is valid */
                 *binddn = apr_pstrdup(r->pool, search_nodep->dn);
                 if (attrs) {
-                    int i = 0, k = 0;
-                    while (attrs[k++]);
-                    *retvals = apr_pcalloc(r->pool, sizeof(char *) * k);
-                    while (search_nodep->vals[i]) {
+                    int i;
+                    *retvals = apr_pcalloc(r->pool, sizeof(char *) * search_nodep->numvals);
+                    for (i = 0; i < search_nodep->numvals; i++) {
                         (*retvals)[i] = apr_pstrdup(r->pool, search_nodep->vals[i]);
-                        i++;
                     }
                 }
                 LDAP_CACHE_UNLOCK();
@@ -1484,11 +1740,11 @@
     }
 
     /* try do the search */
-    if ((result = ldap_search_ext_s(ldc->ldap,
-                                    (char *)basedn, scope,
-                                    (char *)filter, attrs, 0,
-                                    NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res))
-            == LDAP_SERVER_DOWN)
+    result = ldap_search_ext_s(ldc->ldap,
+                               (char *)basedn, scope,
+                               (char *)filter, attrs, 0,
+                               NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res);
+    if (AP_LDAP_IS_SERVER_DOWN(result))
     {
         ldc->reason = "ldap_search_ext_s() for user failed with server down";
         uldap_connection_unbind(ldc);
@@ -1674,8 +1930,8 @@
     st->search_cache_ttl = atol(ttl) * 1000000;
 
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
-                 "[%" APR_PID_T_FMT "] ldap cache: Setting cache TTL to %ld microseconds.",
-                 getpid(), st->search_cache_ttl);
+                 "[%" APR_PID_T_FMT "] ldap cache: Setting cache TTL to %ld"
+                 " microseconds.", getpid(), st->search_cache_ttl);
 
     return NULL;
 }
@@ -1698,8 +1954,8 @@
     }
 
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
-                 "[%" APR_PID_T_FMT "] ldap cache: Setting search cache size to %ld entries.",
-                 getpid(), st->search_cache_size);
+                 "[%" APR_PID_T_FMT "] ldap cache: Setting search cache size"
+                 " to %ld entries.", getpid(), st->search_cache_size);
 
     return NULL;
 }
@@ -1719,8 +1975,8 @@
     st->compare_cache_ttl = atol(ttl) * 1000000;
 
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
-                 "[%" APR_PID_T_FMT "] ldap cache: Setting operation cache TTL to %ld microseconds.",
-                 getpid(), st->compare_cache_ttl);
+                 "[%" APR_PID_T_FMT "] ldap cache: Setting operation cache TTL"
+                 " to %ld microseconds.", getpid(), st->compare_cache_ttl);
 
     return NULL;
 }
@@ -1743,8 +1999,8 @@
     }
 
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
-                 "[%" APR_PID_T_FMT "] ldap cache: Setting operation cache size to %ld "
-                 "entries.", getpid(), st->compare_cache_size);
+                 "[%" APR_PID_T_FMT "] ldap cache: Setting operation cache size"
+                 " to %ld entries.", getpid(), st->compare_cache_size);
 
     return NULL;
 }
@@ -2052,9 +2308,11 @@
                                                     void *dummy,
                                                     const char *ttl)
 {
+#ifdef LDAP_OPT_NETWORK_TIMEOUT
     util_ldap_state_t *st =
         (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
                                                   &ldap_module);
+#endif
     const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
 
     if (err != NULL) {
@@ -2065,11 +2323,11 @@
     st->connectionTimeout = atol(ttl);
 
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
-                 "[%" APR_PID_T_FMT "] ldap connection: Setting connection timeout to "
-                 "%ld seconds.", getpid(), st->connectionTimeout);
+                 "[%" APR_PID_T_FMT "] ldap connection: Setting connection"
+                 " timeout to %ld seconds.", getpid(), st->connectionTimeout);
 #else
     ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, cmd->server,
-                 "LDAP: Connection timout option not supported by the "
+                 "LDAP: Connection timeout option not supported by the "
                  "LDAP SDK in use." );
 #endif
 
@@ -2077,6 +2335,48 @@
 }
 
 
+static const char *util_ldap_set_chase_referrals(cmd_parms *cmd,
+                                                 void *config,
+                                                 int mode)
+{
+    util_ldap_config_t *dc =  config;
+
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
+                      "LDAP: Setting refferal chasing %s",
+                      (mode == AP_LDAP_CHASEREFERRALS_ON) ? "ON" : "OFF");
+
+    dc->ChaseReferrals = mode;
+
+    return(NULL);
+}
+
+static const char *util_ldap_set_referral_hop_limit(cmd_parms *cmd,
+                                                    void *config,
+                                                    const char *hop_limit)
+{
+    util_ldap_config_t *dc =  config;
+
+    dc->ReferralHopLimit = atol(hop_limit);
+
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
+                 "LDAP: Limit chased referrals to maximum of %d hops.",
+                 dc->ReferralHopLimit);
+
+    return NULL;
+}
+
+static void *util_ldap_create_dir_config(apr_pool_t *p, char *d) {
+   util_ldap_config_t *dc =
+       (util_ldap_config_t *) apr_pcalloc(p,sizeof(util_ldap_config_t));
+
+   /* defaults are AP_LDAP_CHASEREFERRALS_ON and AP_LDAP_DEFAULT_HOPLIMIT */
+   dc->ChaseReferrals = AP_LDAP_CHASEREFERRALS_ON;
+   dc->ReferralHopLimit = AP_LDAP_DEFAULT_HOPLIMIT;
+
+   return dc;
+}
+
+
 static void *util_ldap_create_config(apr_pool_t *p, server_rec *s)
 {
     util_ldap_state_t *st =
@@ -2105,6 +2405,9 @@
     st->connectionTimeout = 10;
     st->verify_svr_cert = 1;
 
+    /* Initialize the rebind callback's cross reference list. */
+    apr_ldap_rebind_init (p);
+
     return st;
 }
 
@@ -2369,23 +2672,25 @@
 
     AP_INIT_TAKE23("LDAPTrustedGlobalCert", util_ldap_set_trusted_global_cert,
                    NULL, RSRC_CONF,
-                   "Takes three args; the file and/or directory containing "
-                   "the trusted CA certificates (and global client certs "
-                   "for Netware) used to validate the LDAP server.  Second "
-                   "arg is the cert type for the first arg, one of CA_DER, "
-                   "CA_BASE64, CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64, "
-                   "CERT_KEY3_DB, CERT_NICKNAME, KEY_DER, or KEY_BASE64. "
-                   "Third arg is an optional passphrase if applicable."),
+                   "Takes three arguments; the first argument is the cert "
+                   "type of the second argument, one of CA_DER, CA_BASE64, "
+                   "CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64, CERT_KEY3_DB, "
+                   "CERT_NICKNAME, KEY_DER, or KEY_BASE64. The second argument "
+                   "specifes the file and/or directory containing the trusted CA "
+                   "certificates (and global client certs for Netware) used to "
+                   "validate the LDAP server. The third argument is an optional "
+                   "passphrase if applicable."),
 
     AP_INIT_TAKE23("LDAPTrustedClientCert", util_ldap_set_trusted_client_cert,
                    NULL, RSRC_CONF,
-                   "Takes three args; the file and/or directory containing "
-                   "the client certificate, or certificate ID used to "
-                   "validate this LDAP client.  Second arg is the cert type "
-                   "for the first arg, one of CA_DER, CA_BASE64, CA_CERT7_DB, "
-                   "CA_SECMOD, CERT_DER, CERT_BASE64, CERT_KEY3_DB, "
-                   "CERT_NICKNAME, KEY_DER, or KEY_BASE64. Third arg is an "
-                   "optional passphrase if applicable."),
+                   "Takes three arguments: the first argument is the certificate "
+                   "type of the second argument, one of CA_DER, CA_BASE64, "
+                   "CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64, CERT_KEY3_DB, "
+                   "CERT_NICKNAME, KEY_DER, or KEY_BASE64. The second argument "
+                   "specifies the file and/or directory containing the client "
+                   "certificate, or certificate ID used to validate this LDAP "
+                   "client.  The third argument is an optional passphrase if "
+                   "applicable."),
 
     AP_INIT_TAKE1("LDAPTrustedMode", util_ldap_set_trusted_mode,
                   NULL, RSRC_CONF,
@@ -2394,14 +2699,24 @@
 
     AP_INIT_FLAG("LDAPVerifyServerCert", util_ldap_set_verify_srv_cert,
                   NULL, RSRC_CONF,
-                  "Set to 'ON' requires that the server certificate be verified "
-                  "before a secure LDAP connection can be establish.  Default 'ON'"),
+                  "Set to 'ON' requires that the server certificate be verified"
+                  " before a secure LDAP connection can be establish.  Default"
+                  " 'ON'"),
 
     AP_INIT_TAKE1("LDAPConnectionTimeout", util_ldap_set_connection_timeout,
                   NULL, RSRC_CONF,
                   "Specify the LDAP socket connection timeout in seconds "
                   "(default: 10)"),
 
+    AP_INIT_FLAG("LDAPReferrals", util_ldap_set_chase_referrals,
+                  NULL, OR_AUTHCFG,
+                  "Choose whether referrals are chased ['ON'|'OFF'].  Default 'ON'"),
+
+    AP_INIT_TAKE1("LDAPReferralHopLimit", util_ldap_set_referral_hop_limit,
+                  NULL, OR_AUTHCFG,
+                  "Limit the number of referral hops that LDAP can follow. "
+                  "(Integer value, default=" AP_LDAP_DEFAULT_HOPLIMIT_STR ")"),
+
     {NULL}
 };
 
@@ -2426,7 +2741,7 @@
 
 module AP_MODULE_DECLARE_DATA ldap_module = {
    STANDARD20_MODULE_STUFF,
-   NULL,                        /* create dir config */
+   util_ldap_create_dir_config, /* create dir config */
    NULL,                        /* merge dir config */
    util_ldap_create_config,     /* create server config */
    util_ldap_merge_config,      /* merge server config */

Modified: httpd/sandbox/amsterdam/d/modules/ldap/util_ldap_cache_mgr.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/ldap/util_ldap_cache_mgr.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/ldap/util_ldap_cache_mgr.c (original)
+++ httpd/sandbox/amsterdam/d/modules/ldap/util_ldap_cache_mgr.c Mon Apr  7 09:28:58 2008
@@ -145,14 +145,32 @@
     int i = 0;
     util_compare_subgroup_t *sgl_out = NULL;
 
-    if (!sgl_in) return NULL;
+    if (!sgl_in) {
+        return NULL;
+    }
 
     sgl_out = (util_compare_subgroup_t *) util_ald_alloc(cache, sizeof(util_compare_subgroup_t));
-    sgl_out->subgroupDNs = util_ald_alloc(cache, sizeof(char *) * sgl_in->len);
-    sgl_out->len = sgl_in->len;
-
-    for (i = 0; i < sgl_in->len; i++) {
-        sgl_out->subgroupDNs[i] = util_ald_strdup(cache, sgl_in->subgroupDNs[i]);
+    if (sgl_out) {
+        sgl_out->subgroupDNs = util_ald_alloc(cache, sizeof(char *) * sgl_in->len);
+        if (sgl_out->subgroupDNs) {
+            for (i = 0; i < sgl_in->len; i++) {
+                sgl_out->subgroupDNs[i] = util_ald_strdup(cache, sgl_in->subgroupDNs[i]);
+                if (!sgl_out->subgroupDNs[i]) {
+                    /* We ran out of SHM, delete the strings we allocated for the SGL */
+                    for (i = (i - 1); i >= 0; i--) {
+                            util_ald_free(cache, sgl_out->subgroupDNs[i]);
+                    }
+                    util_ald_free(cache, sgl_out->subgroupDNs);
+                    util_ald_free(cache, sgl_out);
+                    sgl_out =  NULL;
+                    break;
+                }
+            }
+            /* We were able to allocate new strings for all the subgroups */
+            if (sgl_out != NULL) {
+                sgl_out->len = sgl_in->len;
+            }
+        }
     }
 
     return sgl_out;

Modified: httpd/sandbox/amsterdam/d/modules/loggers/mod_log_forensic.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/loggers/mod_log_forensic.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/loggers/mod_log_forensic.c (original)
+++ httpd/sandbox/amsterdam/d/modules/loggers/mod_log_forensic.c Mon Apr  7 09:28:58 2008
@@ -195,8 +195,8 @@
     if (!(id = apr_table_get(r->subprocess_env, "UNIQUE_ID"))) {
         /* we make the assumption that we can't go through all the PIDs in
            under 1 second */
-        id = apr_psprintf(r->pool, "%x:%lx:%x", getpid(), time(NULL),
-                          apr_atomic_inc32(&next_id));
+        id = apr_psprintf(r->pool, "%" APR_PID_T_FMT ":%lx:%x", getpid(), 
+                          time(NULL), apr_atomic_inc32(&next_id));
     }
     ap_set_module_config(r->request_config, &log_forensic_module, (char *)id);
 

Modified: httpd/sandbox/amsterdam/d/modules/loggers/mod_logio.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/loggers/mod_logio.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/loggers/mod_logio.c (original)
+++ httpd/sandbox/amsterdam/d/modules/loggers/mod_logio.c Mon Apr  7 09:28:58 2008
@@ -66,6 +66,16 @@
 }
 
 /*
+ * Optional function for modules to adjust bytes_in
+ */
+
+static void ap_logio_add_bytes_in(conn_rec *c, apr_off_t bytes){
+    logio_config_t *cf = ap_get_module_config(c->conn_config, &logio_module);
+
+    cf->bytes_in += bytes;
+}
+
+/*
  * Format items...
  */
 
@@ -162,6 +172,7 @@
                              AP_FTYPE_NETWORK - 1);
 
     APR_REGISTER_OPTIONAL_FN(ap_logio_add_bytes_out);
+    APR_REGISTER_OPTIONAL_FN(ap_logio_add_bytes_in);
 }
 
 module AP_MODULE_DECLARE_DATA logio_module =

Modified: httpd/sandbox/amsterdam/d/modules/mappers/mod_dir.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/mappers/mod_dir.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/mappers/mod_dir.c (original)
+++ httpd/sandbox/amsterdam/d/modules/mappers/mod_dir.c Mon Apr  7 09:28:58 2008
@@ -176,7 +176,7 @@
             name_ptr = apr_pstrcat(r->pool, name_ptr, "?", r->args, NULL);
         }
 
-        rr = ap_sub_req_lookup_uri(name_ptr, r, NULL);
+        rr = ap_sub_req_lookup_uri(name_ptr, r, r->output_filters);
 
         /* The sub request lookup is very liberal, and the core map_to_storage
          * handler will almost always result in HTTP_OK as /foo/index.html

Modified: httpd/sandbox/amsterdam/d/modules/mappers/mod_imagemap.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/mappers/mod_imagemap.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/mappers/mod_imagemap.c (original)
+++ httpd/sandbox/amsterdam/d/modules/mappers/mod_imagemap.c Mon Apr  7 09:28:58 2008
@@ -479,13 +479,16 @@
 
 static void menu_header(request_rec *r, char *menu)
 {
-    ap_set_content_type(r, "text/html");
+    ap_set_content_type(r, "text/html; charset=ISO-8859-1");
 
-    ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", r->uri,
-           "</title>\n</head><body>\n", NULL);
+    ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", 
+              ap_escape_html(r->pool, r->uri),
+              "</title>\n</head><body>\n", NULL);
 
     if (!strcasecmp(menu, "formatted")) {
-        ap_rvputs(r, "<h1>Menu for ", r->uri, "</h1>\n<hr />\n\n", NULL);
+        ap_rvputs(r, "<h1>Menu for ", 
+                  ap_escape_html(r->pool, r->uri),
+                  "</h1>\n<hr />\n\n", NULL);
     }
 
     return;

Modified: httpd/sandbox/amsterdam/d/modules/mappers/mod_negotiation.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/mappers/mod_negotiation.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/mappers/mod_negotiation.c (original)
+++ httpd/sandbox/amsterdam/d/modules/mappers/mod_negotiation.c Mon Apr  7 09:28:58 2008
@@ -1165,8 +1165,10 @@
 
         /* Double check, we still don't multi-resolve non-ordinary files
          */
-        if (sub_req->finfo.filetype != APR_REG)
+        if (sub_req->finfo.filetype != APR_REG) {
+	    /* XXX sub req not destroyed -- may be a bug/unintentional ? */
             continue;
+	}
 
         /* If it has a handler, we'll pretend it's a CGI script,
          * since that's a good indication of the sort of thing it
@@ -2712,7 +2714,7 @@
     if (!variant->sub_req) {
         int status;
 
-        sub_req = ap_sub_req_lookup_file(variant->file_name, r, NULL);
+        sub_req = ap_sub_req_lookup_file(variant->file_name, r, r->output_filters);
         status = sub_req->status;
 
         if (status != HTTP_OK &&
@@ -3122,7 +3124,7 @@
          * a sub_req structure yet.  Get one now.
          */
 
-        sub_req = ap_sub_req_lookup_file(best->file_name, r, NULL);
+        sub_req = ap_sub_req_lookup_file(best->file_name, r, r->output_filters);
         if (sub_req->status != HTTP_OK) {
             res = sub_req->status;
             ap_destroy_sub_req(sub_req);

Modified: httpd/sandbox/amsterdam/d/modules/mappers/mod_rewrite.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/mappers/mod_rewrite.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/mappers/mod_rewrite.c (original)
+++ httpd/sandbox/amsterdam/d/modules/mappers/mod_rewrite.c Mon Apr  7 09:28:58 2008
@@ -235,6 +235,8 @@
                   char *);
     char **argv;                   /* argv of the external rewrite map    */
     const char *dbdq;              /* SQL SELECT statement for rewritemap */
+    const char *checkfile2;        /* filename to check for map existence
+                                      NULL if only one file               */
 } rewritemap_entry;
 
 /* special pattern types for RewriteCond */
@@ -1612,6 +1614,21 @@
             ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
                           "mod_rewrite: can't access DBM RewriteMap file %s",
                           s->checkfile);
+        }
+        else if(s->checkfile2 != NULL) {
+            apr_finfo_t st2;
+
+            rv = apr_stat(&st2, s->checkfile2, APR_FINFO_MIN, r->pool);
+            if (rv != APR_SUCCESS) {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
+                              "mod_rewrite: can't access DBM RewriteMap "
+                              "file %s", s->checkfile2);
+            }
+            else if(st2.mtime > st.mtime) {
+                st.mtime = st2.mtime;
+            }
+        }
+        if(rv != APR_SUCCESS) {
             rewritelog((r, 1, NULL,
                         "can't open DBM RewriteMap file, see error log"));
             return NULL;
@@ -2927,6 +2944,7 @@
         newmap->type      = MAPTYPE_TXT;
         newmap->datafile  = fname;
         newmap->checkfile = fname;
+        newmap->checkfile2= NULL;
         newmap->cachename = apr_psprintf(cmd->pool, "%pp:%s",
                                          (void *)cmd->server, a1);
     }
@@ -2939,11 +2957,11 @@
         newmap->type      = MAPTYPE_RND;
         newmap->datafile  = fname;
         newmap->checkfile = fname;
+        newmap->checkfile2= NULL;
         newmap->cachename = apr_psprintf(cmd->pool, "%pp:%s",
                                          (void *)cmd->server, a1);
     }
     else if (strncasecmp(a2, "dbm", 3) == 0) {
-        const char *ignored_fname;
         apr_status_t rv;
 
         newmap->type = MAPTYPE_DBM;
@@ -2978,7 +2996,7 @@
 
         rv = apr_dbm_get_usednames_ex(cmd->pool, newmap->dbmtype,
                                       newmap->datafile, &newmap->checkfile,
-                                      &ignored_fname);
+                                      &newmap->checkfile2);
         if (rv != APR_SUCCESS) {
             return apr_pstrcat(cmd->pool, "RewriteMap: dbm type ",
                                newmap->dbmtype, " is invalid", NULL);
@@ -3015,12 +3033,14 @@
         newmap->type      = MAPTYPE_PRG;
         newmap->datafile  = NULL;
         newmap->checkfile = newmap->argv[0];
+        newmap->checkfile2= NULL;
         newmap->cachename = NULL;
     }
     else if (strncasecmp(a2, "int:", 4) == 0) {
         newmap->type      = MAPTYPE_INT;
         newmap->datafile  = NULL;
         newmap->checkfile = NULL;
+        newmap->checkfile2= NULL;
         newmap->cachename = NULL;
         newmap->func      = (char *(*)(request_rec *,char *))
                             apr_hash_get(mapfunc_hash, a2+4, strlen(a2+4));
@@ -3038,6 +3058,7 @@
         newmap->type      = MAPTYPE_TXT;
         newmap->datafile  = fname;
         newmap->checkfile = fname;
+        newmap->checkfile2= NULL;
         newmap->cachename = apr_psprintf(cmd->pool, "%pp:%s",
                                          (void *)cmd->server, a1);
     }
@@ -4157,7 +4178,6 @@
     APR_OPTIONAL_FN_TYPE(ap_register_rewrite_mapfunc) *map_pfn_register;
 
     /* register int: rewritemap handlers */
-    mapfunc_hash = apr_hash_make(pconf);
     map_pfn_register = APR_RETRIEVE_OPTIONAL_FN(ap_register_rewrite_mapfunc);
     if (map_pfn_register) {
         map_pfn_register("tolower", rewrite_mapfunc_tolower);
@@ -4412,6 +4432,10 @@
                 return HTTP_FORBIDDEN;
             }
 
+            if (rulestatus == ACTION_NOESCAPE) {
+                apr_table_setn(r->notes, "proxy-nocanon", "1");
+            }
+
             /* make sure the QUERY_STRING and
              * PATH_INFO parts get incorporated
              */
@@ -4954,6 +4978,10 @@
      */
     static const char * const aszPre[]={ "mod_proxy.c", NULL };
 
+    /* make the hashtable before registering the function, so that
+     * other modules are prevented from accessing uninitialized memory.
+     */
+    mapfunc_hash = apr_hash_make(p);
     APR_REGISTER_OPTIONAL_FN(ap_register_rewrite_mapfunc);
 
     ap_hook_handler(handler_redirect, NULL, NULL, APR_HOOK_MIDDLE);

Modified: httpd/sandbox/amsterdam/d/modules/mappers/mod_so.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/mappers/mod_so.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/mappers/mod_so.c (original)
+++ httpd/sandbox/amsterdam/d/modules/mappers/mod_so.c Mon Apr  7 09:28:58 2008
@@ -88,7 +88,6 @@
 #include "apr_strings.h"
 #include "apr_errno.h"
 
-#define CORE_PRIVATE
 #include "ap_config.h"
 #include "httpd.h"
 #include "http_config.h"

Modified: httpd/sandbox/amsterdam/d/modules/mappers/mod_speling.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/mappers/mod_speling.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/mappers/mod_speling.c (original)
+++ httpd/sandbox/amsterdam/d/modules/mappers/mod_speling.c Mon Apr  7 09:28:58 2008
@@ -225,12 +225,6 @@
         return DECLINED;
     }
 
-    /* we default to reject path info (same as core handler) */
-    if ((r->used_path_info != AP_REQ_ACCEPT_PATH_INFO) &&
-        r->path_info && *r->path_info) {
-        return DECLINED;
-    }
-
     /*
      * The request should end up looking like this:
      * r->uri: /correct-url/mispelling/more

Modified: httpd/sandbox/amsterdam/d/modules/metadata/mod_ident.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/metadata/mod_ident.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/metadata/mod_ident.c (original)
+++ httpd/sandbox/amsterdam/d/modules/metadata/mod_ident.c Mon Apr  7 09:28:58 2008
@@ -243,26 +243,18 @@
 static const char *set_idcheck(cmd_parms *cmd, void *d_, int arg)
 {
     ident_config_rec *d = d_;
-    const char *err = ap_check_cmd_context(cmd, NOT_IN_LIMIT);
 
-    if (!err) {
-        d->do_rfc1413 = arg ? 1 : 0;
-    }
-
-    return err;
+    d->do_rfc1413 = arg ? 1 : 0;
+    return NULL;
 }
 
 static const char *set_timeout(cmd_parms *cmd, void *d_, const char *arg)
 {
     ident_config_rec *d = d_;
-    const char *err = ap_check_cmd_context(cmd, NOT_IN_LIMIT);
-
-    if (!err) {
-        d->timeout = apr_time_from_sec(atoi(arg));
-        d->timeout_unset = 0;
-    }
 
-    return err;
+    d->timeout = apr_time_from_sec(atoi(arg));
+    d->timeout_unset = 0;
+    return NULL;
 }
 
 static void *create_ident_dir_config(apr_pool_t *p, char *d)

Modified: httpd/sandbox/amsterdam/d/modules/metadata/mod_unique_id.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/metadata/mod_unique_id.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/metadata/mod_unique_id.c (original)
+++ httpd/sandbox/amsterdam/d/modules/metadata/mod_unique_id.c Mon Apr  7 09:28:58 2008
@@ -304,7 +304,7 @@
     new_unique_id.pid = cur_unique_id.pid;
     new_unique_id.counter = cur_unique_id.counter;
 
-    new_unique_id.stamp = htonl((unsigned int)r->request_time);
+    new_unique_id.stamp = htonl((unsigned int)apr_time_sec(r->request_time));
     new_unique_id.thread_index = htonl((unsigned int)r->connection->id);
 
     /* we'll use a temporal buffer to avoid uuencoding the possible internal

Modified: httpd/sandbox/amsterdam/d/modules/proxy/ajp.h
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/proxy/ajp.h?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/proxy/ajp.h (original)
+++ httpd/sandbox/amsterdam/d/modules/proxy/ajp.h Mon Apr  7 09:28:58 2008
@@ -132,7 +132,7 @@
 #define AJP_HEADER_SZ_LEN           2
 #define AJP_HEADER_SZ               6
 #define AJP_MSG_BUFFER_SZ           8192
-#define AJP_MAX_BUFFER_SZ           16384
+#define AJP_MAX_BUFFER_SZ           65536
 #define AJP13_MAX_SEND_BODY_SZ      (AJP_MAX_BUFFER_SZ - AJP_HEADER_SZ)
 #define AJP_PING_PONG_SZ            128
 

Modified: httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy.c (original)
+++ httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy.c Mon Apr  7 09:28:58 2008
@@ -14,8 +14,6 @@
  * limitations under the License.
  */
 
-#define CORE_PRIVATE
-
 #include "mod_proxy.h"
 #include "mod_core.h"
 #include "apr_optional.h"
@@ -176,6 +174,15 @@
             return "KeepAlive must be On|Off";
         worker->keepalive_set = 1;
     }
+    else if (!strcasecmp(key, "disablereuse")) {
+        if (!strcasecmp(val, "on"))
+            worker->disablereuse = 1;
+        else if (!strcasecmp(val, "off"))
+            worker->disablereuse = 0;
+        else
+            return "DisableReuse must be On|Off";
+        worker->disablereuse_set = 1;
+    }
     else if (!strcasecmp(key, "route")) {
         /* Worker route.
          */
@@ -728,7 +735,8 @@
         return DECLINED;
 
     /* If host does contain a dot already, or it is "localhost", decline */
-    if (strchr(r->parsed_uri.hostname, '.') != NULL
+    if (strchr(r->parsed_uri.hostname, '.') != NULL /* has domain, or IPv4 literal */
+     || strchr(r->parsed_uri.hostname, ':') != NULL /* IPv6 literal */
      || strcasecmp(r->parsed_uri.hostname, "localhost") == 0)
         return DECLINED;    /* host name has a dot already */
 
@@ -923,12 +931,41 @@
                                                              ents[i].hostname,
                                                              ents[i].port);
 
-                    /* an error or success */
-                    if (access_status != DECLINED &&
-                        access_status != HTTP_BAD_GATEWAY) {
-                        goto cleanup;
+                    /* Did the scheme handler process the request? */
+                    if (access_status != DECLINED) {
+                        const char *cl_a;
+                        char *end;
+                        apr_off_t cl;
+
+                        /*
+                         * An fatal error or success, so no point in
+                         * retrying with a direct connection.
+                         */
+                        if (access_status != HTTP_BAD_GATEWAY) {
+                            goto cleanup;
+                        }
+                        cl_a = apr_table_get(r->headers_in, "Content-Length");
+                        if (cl_a) {
+                            apr_strtoff(&cl, cl_a, &end, 0);
+                            /*
+                             * The request body is of length > 0. We cannot
+                             * retry with a direct connection since we already
+                             * sent (parts of) the request body to the proxy
+                             * and do not have any longer.
+                             */
+                            if (cl > 0) {
+                                goto cleanup;
+                            }
+                        }
+                        /*
+                         * Transfer-Encoding was set as input header, so we had
+                         * a request body. We cannot retry with a direct
+                         * connection for the same reason as above.
+                         */
+                        if (apr_table_get(r->headers_in, "Transfer-Encoding")) {
+                            goto cleanup;
+                        }
                     }
-                    /* we failed to talk to the upstream proxy */
                 }
             }
         }
@@ -1120,6 +1157,9 @@
     new->cookie_domain_str = base->cookie_domain_str;
     new->interpolate_env = (add->interpolate_env == -1) ? base->interpolate_env
                                                         : add->interpolate_env;
+    new->ftp_directory_charset = add->ftp_directory_charset ?
+                                 add->ftp_directory_charset :
+                                 base->ftp_directory_charset;
     return new;
 }
 
@@ -1834,6 +1874,15 @@
     return NULL;
 }
 
+static const char *set_ftp_directory_charset(cmd_parms *cmd, void *dconf,
+                                             const char *arg)
+{
+    proxy_dir_conf *conf = dconf;
+
+    conf->ftp_directory_charset = arg;
+    return NULL;
+}
+
 static void ap_add_per_proxy_conf(server_rec *s, ap_conf_vector_t *dir_config)
 {
     proxy_server_conf *sconf = ap_get_module_config(s->module_config,
@@ -1857,8 +1906,7 @@
     proxy_balancer *balancer = NULL;
     proxy_worker *worker = NULL;
 
-    const char *err = ap_check_cmd_context(cmd,
-                                           NOT_IN_DIR_LOC_FILE|NOT_IN_LIMIT);
+    const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE);
     proxy_server_conf *sconf =
     (proxy_server_conf *) ap_get_module_config(cmd->server->module_config, &proxy_module);
 
@@ -2044,6 +2092,8 @@
      "Configure Status: proxy status to one of: on | off | full"),
     AP_INIT_RAW_ARGS("ProxySet", set_proxy_param, NULL, RSRC_CONF|ACCESS_CONF,
      "A balancer or worker name with list of params"),
+    AP_INIT_TAKE1("ProxyFtpDirCharset", set_ftp_directory_charset, NULL,
+     RSRC_CONF|ACCESS_CONF, "Define the character set for proxied FTP listings"),
     {NULL}
 };
 

Modified: httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy.h
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy.h?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy.h (original)
+++ httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy.h Mon Apr  7 09:28:58 2008
@@ -42,8 +42,6 @@
 
  */
 
-#define CORE_PRIVATE
-
 #include "apr_hooks.h"
 #include "apr.h"
 #include "apr_lib.h"
@@ -214,6 +212,7 @@
     const apr_strmatch_pattern* cookie_path_str;
     const apr_strmatch_pattern* cookie_domain_str;
     int interpolate_env;
+    const char *ftp_directory_charset;
 } proxy_dir_conf;
 
 /* if we interpolate env vars per-request, we'll need a per-request
@@ -230,7 +229,7 @@
     const char   *hostname;
     apr_port_t   port;
     int          is_ssl;
-    apr_pool_t   *pool;     /* Subpool used for creating socket */
+    apr_pool_t   *pool;     /* Subpool for hostname and addr data */
     apr_socket_t *sock;     /* Connection socket */
     apr_sockaddr_t *addr;   /* Preparsed remote address info */
     apr_uint32_t flags;     /* Conection flags */
@@ -240,6 +239,11 @@
 #if APR_HAS_THREADS
     int          inreslist; /* connection in apr_reslist? */
 #endif
+    apr_pool_t   *scpool;   /* Subpool used for socket and connection data */
+    request_rec  *r;        /* Request record of the frontend request
+                             * which the backend currently answers. */
+    int          need_flush;/* Flag to decide whether we need to flush the
+                             * filter chain or not */
 } proxy_conn_rec;
 
 typedef struct {
@@ -346,6 +350,8 @@
     char ping_timeout_set;
     int             lbset;      /* load balancer cluster set */
     char            retry_set;
+    char            disablereuse;
+    char            disablereuse_set;
 };
 
 /*
@@ -483,6 +489,8 @@
 PROXY_DECLARE(void) ap_proxy_table_unmerge(apr_pool_t *p, apr_table_t *t, char *key);
 /* DEPRECATED (will be replaced with ap_proxy_connect_backend */
 PROXY_DECLARE(int) ap_proxy_connect_to_backend(apr_socket_t **, const char *, apr_sockaddr_t *, const char *, proxy_server_conf *, server_rec *, apr_pool_t *);
+PROXY_DECLARE(apr_status_t) ap_proxy_ssl_connection_cleanup(proxy_conn_rec *conn,
+                                                            request_rec *r);
 PROXY_DECLARE(int) ap_proxy_ssl_enable(conn_rec *c);
 PROXY_DECLARE(int) ap_proxy_ssl_disable(conn_rec *c);
 PROXY_DECLARE(int) ap_proxy_conn_is_https(conn_rec *c);

Modified: httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy_ajp.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy_ajp.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy_ajp.c (original)
+++ httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy_ajp.c Mon Apr  7 09:28:58 2008
@@ -89,6 +89,37 @@
     return OK;
 }
 
+#define METHOD_NON_IDEMPOTENT       0
+#define METHOD_IDEMPOTENT           1
+#define METHOD_IDEMPOTENT_WITH_ARGS 2
+
+static int is_idempotent(request_rec *r)
+{
+    /*
+     * RFC2616 (9.1.2): GET, HEAD, PUT, DELETE, OPTIONS, TRACE are considered
+     * idempotent. Hint: HEAD requests use M_GET as method number as well.
+     */
+    switch (r->method_number) {
+        case M_GET:
+        case M_DELETE:
+        case M_PUT:
+        case M_OPTIONS:
+        case M_TRACE:
+            /*
+             * If the request has arguments it might have side-effects and thus
+             * it might be undesirable to resent it to a backend again
+             * automatically.
+             */
+            if (r->args) {
+                return METHOD_IDEMPOTENT_WITH_ARGS;
+            }
+            return METHOD_IDEMPOTENT;
+        /* Everything else is not considered idempotent. */
+        default:
+            return METHOD_NON_IDEMPOTENT;
+    }
+}
+
 /*
  * XXX: AJP Auto Flushing
  *
@@ -122,7 +153,7 @@
     apr_bucket_brigade *input_brigade;
     apr_bucket_brigade *output_brigade;
     ajp_msg_t *msg;
-    apr_size_t bufsiz;
+    apr_size_t bufsiz = 0;
     char *buff;
     apr_uint16_t size;
     const char *tenc;
@@ -161,8 +192,17 @@
                      conn->worker->hostname);
         if (status == AJP_EOVERFLOW)
             return HTTP_BAD_REQUEST;
-        else
-            return HTTP_SERVICE_UNAVAILABLE;
+        else {
+            /*
+             * This is only non fatal when the method is idempotent. In this
+             * case we can dare to retry it with a different worker if we are
+             * a balancer member.
+             */
+            if (is_idempotent(r) == METHOD_IDEMPOTENT) {
+                return HTTP_SERVICE_UNAVAILABLE;
+            }
+            return HTTP_INTERNAL_SERVER_ERROR;
+        }
     }
 
     /* allocate an AJP message to store the data of the buckets */
@@ -231,7 +271,11 @@
                              "proxy: send failed to %pI (%s)",
                              conn->worker->cp->addr,
                              conn->worker->hostname);
-                return HTTP_SERVICE_UNAVAILABLE;
+                /*
+                 * It is fatal when we failed to send a (part) of the request
+                 * body.
+                 */
+                return HTTP_INTERNAL_SERVER_ERROR;
             }
             conn->worker->s->transferred += bufsiz;
         }
@@ -249,7 +293,16 @@
                      "proxy: read response failed from %pI (%s)",
                      conn->worker->cp->addr,
                      conn->worker->hostname);
-        return HTTP_SERVICE_UNAVAILABLE;
+        /*
+         * This is only non fatal when we have not sent (parts) of a possible
+         * request body so far (we do not store it and thus cannot sent it
+         * again) and the method is idempotent. In this case we can dare to
+         * retry it with a different worker if we are a balancer member.
+         */
+        if ((bufsiz == 0) && (is_idempotent(r) == METHOD_IDEMPOTENT)) {
+            return HTTP_SERVICE_UNAVAILABLE;
+        }
+        return HTTP_INTERNAL_SERVER_ERROR;
     }
     /* parse the reponse */
     result = ajp_parse_type(r, conn->data);
@@ -533,16 +586,14 @@
                  "proxy: AJP: serving URL %s", url);
 
     /* create space for state information */
-    if (!backend) {
-        status = ap_proxy_acquire_connection(scheme, &backend, worker,
-                                             r->server);
-        if (status != OK) {
-            if (backend) {
-                backend->close = 1;
-                ap_proxy_release_connection(scheme, backend, r->server);
-            }
-            return status;
+    status = ap_proxy_acquire_connection(scheme, &backend, worker,
+                                         r->server);
+    if (status != OK) {
+        if (backend) {
+            backend->close = 1;
+            ap_proxy_release_connection(scheme, backend, r->server);
         }
+        return status;
     }
 
     backend->is_ssl = 0;

Modified: httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy_balancer.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy_balancer.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy_balancer.c (original)
+++ httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy_balancer.c Mon Apr  7 09:28:58 2008
@@ -16,18 +16,12 @@
 
 /* Load balancer module for Apache proxy */
 
-#define CORE_PRIVATE
-
 #include "mod_proxy.h"
 #include "scoreboard.h"
 #include "ap_mpm.h"
 #include "apr_version.h"
 #include "apr_hooks.h"
 
-#if APR_HAVE_UNISTD_H
-#include <unistd.h> /* for getpid() */
-#endif
-
 module AP_MODULE_DECLARE_DATA proxy_balancer_module;
 
 static int proxy_balancer_canon(request_rec *r, char *url)
@@ -675,7 +669,7 @@
         proxy_worker *ws;
 
         ws = ap_proxy_get_worker(r->pool, conf, name);
-        if (ws) {
+        if (bsel && ws) {
             worker = (proxy_worker *)bsel->workers->elts;
             for (n = 0; n < bsel->workers->nelts; n++) {
                 if (strcasecmp(worker->name, ws->name) == 0) {
@@ -757,7 +751,7 @@
         ap_rputs("</httpd:manager>", r);
     }
     else {
-        ap_set_content_type(r, "text/html");
+        ap_set_content_type(r, "text/html; charset=ISO-8859-1");
         ap_rputs(DOCTYPE_HTML_3_2
                  "<html><head><title>Balancer Manager</title></head>\n", r);
         ap_rputs("<body><h1>Load Balancer Manager for ", r);
@@ -807,8 +801,10 @@
                           ap_escape_uri(r->pool, worker->name),
                           "\">", NULL);
                 ap_rvputs(r, worker->name, "</a></td>", NULL);
-                ap_rvputs(r, "<td>", worker->s->route, NULL);
-                ap_rvputs(r, "</td><td>", worker->s->redirect, NULL);
+                ap_rvputs(r, "<td>", ap_escape_html(r->pool, worker->s->route),
+                          NULL);
+                ap_rvputs(r, "</td><td>",
+                          ap_escape_html(r->pool, worker->s->redirect), NULL);
                 ap_rprintf(r, "</td><td>%d</td>", worker->s->lbfactor);
                 ap_rprintf(r, "<td>%d</td><td>", worker->s->lbset);
                 if (worker->s->status & PROXY_WORKER_DISABLED)
@@ -846,10 +842,12 @@
             ap_rputs("<tr><td>LB Set:</td><td><input name=\"ls\" type=text ", r);
             ap_rprintf(r, "value=\"%d\"></td></tr>\n", wsel->s->lbset);
             ap_rputs("<tr><td>Route:</td><td><input name=\"wr\" type=text ", r);
-            ap_rvputs(r, "value=\"", wsel->s->route, NULL);
+            ap_rvputs(r, "value=\"", ap_escape_html(r->pool, wsel->s->route),
+                      NULL);
             ap_rputs("\"></td></tr>\n", r);
             ap_rputs("<tr><td>Route Redirect:</td><td><input name=\"rr\" type=text ", r);
-            ap_rvputs(r, "value=\"", wsel->s->redirect, NULL);
+            ap_rvputs(r, "value=\"", ap_escape_html(r->pool, wsel->s->redirect),
+                      NULL);
             ap_rputs("\"></td></tr>\n", r);
             ap_rputs("<tr><td>Status:</td><td>Disabled: <input name=\"dw\" value=\"Disable\" type=radio", r);
             if (wsel->s->status & PROXY_WORKER_DISABLED)

Modified: httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy_connect.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy_connect.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy_connect.c (original)
+++ httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy_connect.c Mon Apr  7 09:28:58 2008
@@ -16,8 +16,6 @@
 
 /* CONNECT method for Apache proxy */
 
-#define CORE_PRIVATE
-
 #include "mod_proxy.h"
 #include "apr_poll.h"
 



Mime
View raw message