Return-Path: X-Original-To: apmail-httpd-cvs-archive@www.apache.org Delivered-To: apmail-httpd-cvs-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 6858695D1 for ; Fri, 13 Jan 2012 19:17:15 +0000 (UTC) Received: (qmail 16678 invoked by uid 500); 13 Jan 2012 19:17:15 -0000 Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org Received: (qmail 16531 invoked by uid 500); 13 Jan 2012 19:17:13 -0000 Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list cvs@httpd.apache.org Received: (qmail 16508 invoked by uid 99); 13 Jan 2012 19:17:13 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 13 Jan 2012 19:17:13 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 13 Jan 2012 19:17:12 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id CFB7B23888FD; Fri, 13 Jan 2012 19:16:50 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1231255 - in /httpd/httpd/trunk: CHANGES modules/aaa/mod_authnz_ldap.c Date: Fri, 13 Jan 2012 19:16:50 -0000 To: cvs@httpd.apache.org From: covener@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20120113191650.CFB7B23888FD@eris.apache.org> Author: covener Date: Fri Jan 13 19:16:50 2012 New Revision: 1231255 URL: http://svn.apache.org/viewvc?rev=1231255&view=rev Log: *) mod_authnz_ldap: Don't try a potentially expensive nested groups search before exhausting all AuthLDAPGroupAttribute checks on the current group. PR52464 Modified: httpd/httpd/trunk/CHANGES httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c Modified: httpd/httpd/trunk/CHANGES URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1231255&r1=1231254&r2=1231255&view=diff ============================================================================== --- httpd/httpd/trunk/CHANGES [utf-8] (original) +++ httpd/httpd/trunk/CHANGES [utf-8] Fri Jan 13 19:16:50 2012 @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 + *) mod_authnz_ldap: Don't try a potentially expensive nested groups + search before exhausting all AuthLDAPGroupAttribute checks on the + current group. PR52464 [Eric Covener] + *) mod_policy: Add a new testing module to help server administrators enforce a configurable level of protocol compliance on their servers and application servers behind theirs. [Graham Leggett] Modified: httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c?rev=1231255&r1=1231254&r2=1231255&view=diff ============================================================================== --- httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c (original) +++ httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c Fri Jan 13 19:16:50 2012 @@ -870,6 +870,7 @@ static authz_status ldapgroup_check_auth "membership in \"%s\"", t); + /* PR52464 exhaust attrs in base group before checking subgroups */ for (i = 0; i < sec->groupattr->nelts; i++) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01714) "auth_ldap authorize: require group: testing for %s: " @@ -879,19 +880,26 @@ static authz_status ldapgroup_check_auth result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user); - switch(result) { - case LDAP_COMPARE_TRUE: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01715) - "auth_ldap authorize: require group: " - "authorization successful (attribute %s) " - "[%s][%d - %s]", - ent[i].name, ldc->reason, result, + if (result == LDAP_COMPARE_TRUE) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01715) + "auth_ldap authorize: require group: " + "authorization successful (attribute %s) " + "[%s][%d - %s]", + ent[i].name, ldc->reason, result, + ldap_err2string(result)); + set_request_vars(r, LDAP_AUTHZ); + return AUTHZ_GRANTED; + } + else { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01719) + "auth_ldap authorize: require group \"%s\": " + "didn't match with attr %s [%s][%d - %s]", + t, ldc->reason, ent[i].name, result, ldap_err2string(result)); - set_request_vars(r, LDAP_AUTHZ); - return AUTHZ_GRANTED; - } - case LDAP_NO_SUCH_ATTRIBUTE: - case LDAP_COMPARE_FALSE: { + } + } + + for (i = 0; i < sec->groupattr->nelts; i++) { /* nested groups need searches and compares, so grab a new handle */ authnz_ldap_cleanup_connection_close(ldc); apr_pool_cleanup_kill(r->pool, ldc,authnz_ldap_cleanup_connection_close); @@ -911,7 +919,7 @@ static authz_status ldapgroup_check_auth sec->sgAttributes[0] ? sec->sgAttributes : default_attributes, sec->subgroupclasses, 0, sec->maxNestingDepth); - if(result == LDAP_COMPARE_TRUE) { + if (result == LDAP_COMPARE_TRUE) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01717) "auth_ldap authorise: require group " "(sub-group): authorisation successful " @@ -924,20 +932,11 @@ static authz_status ldapgroup_check_auth else { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01718) "auth_ldap authorise: require group " - "(sub-group) \"%s\": authorisation failed " + "(sub-group) \"%s\": didn't match with attr %s " "[%s][%d - %s]", - t, ldc->reason, result, + t, ldc->reason, ent[i].name, result, ldap_err2string(result)); } - break; - } - default: { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01719) - "auth_ldap authorize: require group \"%s\": " - "authorization failed [%s][%d - %s]", - t, ldc->reason, result, ldap_err2string(result)); - } - } } ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01720)