From cove...@apache.org
Subject svn commit: r1231255 - in /httpd/httpd/trunk: CHANGES modules/aaa/mod_authnz_ldap.c
Date Fri, 13 Jan 2012 19:16:50 GMT
Author: covener
Date: Fri Jan 13 19:16:50 2012
New Revision: 1231255

URL: http://svn.apache.org/viewvc?rev=1231255&view=rev
Log:
  *) mod_authnz_ldap: Don't try a potentially expensive nested groups
     search before exhausting all AuthLDAPGroupAttribute checks on the
     current group. PR52464


Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1231255&r1=1231254&r2=1231255&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Fri Jan 13 19:16:50 2012
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) mod_authnz_ldap: Don't try a potentially expensive nested groups
+     search before exhausting all AuthLDAPGroupAttribute checks on the
+     current group. PR52464 [Eric Covener]
+
   *) mod_policy: Add a new testing module to help server administrators
      enforce a configurable level of protocol compliance on their
      servers and application servers behind theirs. [Graham Leggett]

Modified: httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c?rev=1231255&r1=1231254&r2=1231255&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c Fri Jan 13 19:16:50 2012
@@ -870,6 +870,7 @@ static authz_status ldapgroup_check_auth
                   "membership in \"%s\"",
                   t);
 
+    /* PR52464 exhaust attrs in base group before checking subgroups */
     for (i = 0; i < sec->groupattr->nelts; i++) {
         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01714)
                       "auth_ldap authorize: require group: testing for %s: "
@@ -879,19 +880,26 @@ static authz_status ldapgroup_check_auth
 
         result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name,
                              sec->group_attrib_is_dn ? req->dn : req->user);
-        switch(result) {
-            case LDAP_COMPARE_TRUE: {
-                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01715)
-                              "auth_ldap authorize: require group: "
-                              "authorization successful (attribute %s) "
-                              "[%s][%d - %s]",
-                              ent[i].name, ldc->reason, result,
+        if (result == LDAP_COMPARE_TRUE) {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01715)
+                          "auth_ldap authorize: require group: "
+                          "authorization successful (attribute %s) "
+                          "[%s][%d - %s]",
+                          ent[i].name, ldc->reason, result,
+                          ldap_err2string(result));
+            set_request_vars(r, LDAP_AUTHZ);
+            return AUTHZ_GRANTED;
+        }
+        else { 
+                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01719)
+                              "auth_ldap authorize: require group \"%s\": "
+                              "didn't match with attr %s [%s][%d - %s]",
+                              t, ldc->reason, ent[i].name, result, 
                               ldap_err2string(result));
-                set_request_vars(r, LDAP_AUTHZ);
-                return AUTHZ_GRANTED;
-            }
-            case LDAP_NO_SUCH_ATTRIBUTE:
-            case LDAP_COMPARE_FALSE: {
+        }
+    }
+    
+    for (i = 0; i < sec->groupattr->nelts; i++) {
                 /* nested groups need searches and compares, so grab a new handle */
                 authnz_ldap_cleanup_connection_close(ldc);
                 apr_pool_cleanup_kill(r->pool, ldc,authnz_ldap_cleanup_connection_close);
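Review bot: The arguments to the new APLOGNO(01719) message are in the wrong order for its format string: `"didn't match with attr %s [%s][%d - %s]"` is given `t, ldc->reason, ent[i].name, result, ...`, so the attribute slot prints ldc->reason and the bracketed slot prints the attribute name; the argument line should read `t, ent[i].name, ldc->reason, result,`. The same swap is in the APLOGNO(01718) sub-group message in the hunk at -924/+932, where the line should likewise become `t, ent[i].name, ldc->reason, result,`; both are `char *` so nothing is undefined, but the debug line an administrator reads while diagnosing a failed group check is misleading. Separately, the second loop now runs the nested-group search for every configured attribute regardless of what the compare returned, whereas the removed switch only did so for LDAP_NO_SUCH_ATTRIBUTE/LDAP_COMPARE_FALSE and skipped it (the former default: case) for other results such as server errors; if dropping that distinction is intentional, a comment saying so would help, otherwise the per-attribute result needs to be remembered for the second pass. The else body and the second loop body still carry the indentation of the removed switch, and several new lines have trailing whitespace. ldapgroup_check_auth begins before and continues after this hunk.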
@@ -911,7 +919,7 @@ static authz_status ldapgroup_check_auth
                                                          sec->sgAttributes[0] ? sec->sgAttributes
: default_attributes,
                                                          sec->subgroupclasses,
                                                          0, sec->maxNestingDepth);
-                if(result == LDAP_COMPARE_TRUE) {
+                if (result == LDAP_COMPARE_TRUE) {
                     ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01717)
                                   "auth_ldap authorise: require group "
                                   "(sub-group): authorisation successful "
@@ -924,20 +932,11 @@ static authz_status ldapgroup_check_auth
                 else {
                     ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01718)
                                   "auth_ldap authorise: require group "
-                                  "(sub-group) \"%s\": authorisation failed "
+                                  "(sub-group) \"%s\": didn't match with attr %s "
                                   "[%s][%d - %s]",
-                                  t, ldc->reason, result,
+                                  t, ldc->reason, ent[i].name, result, 
                                   ldap_err2string(result));
                 }
-                break;
-            }
-            default: {
-                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01719)
-                              "auth_ldap authorize: require group \"%s\": "
-                              "authorization failed [%s][%d - %s]",
-                              t, ldc->reason, result, ldap_err2string(result));
-            }
-        }
     }
 
     ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01720)


