httpd-dev mailing list archives

From "Eric Covener" <cove...@gmail.com>
Subject Re: svn commit: r705361 - in /httpd/httpd/trunk/modules/aaa: mod_authz_dbd.c mod_authz_dbm.c mod_authz_groupfile.c mod_authz_owner.c mod_authz_user.c
Date Thu, 16 Oct 2008 22:13:10 GMT
On Thu, Oct 16, 2008 at 5:09 PM,  <chrisd@apache.org> wrote:

> NOTE: I can't test mod_authnz_ldap.c myself, so I'm not sure if it
> needs similar fixes.  On the one hand, a NULL r->user in the authz
> handlers always generates a log message.  However, it appears that
> authn_ldap_build_filter() will sometimes then be called, perform no
> action, which may result in a possibly uninitialized filtbuf buffer
> being passed to util_ldap_cache_getuserdn().  I don't know if that
> could cause problems in the LDAP cache code.  If someone familiar with
> LDAP authz could take a look, that would be much appreciated.

IIUC mod_authnz_ldap would follow the pattern of the modules in your
commit and not mod_authz_host.

Authorization in LDAP has a special path for when authentication
wasn't handled by mod_authnz_ldap, but r->user still may be mappable
to a DN on the LDAP server. Net, it can't do anything useful without
r->user.  This short-circuit should be possible well before the
problematic functions you mention.

-- 
Eric Covener
covener@gmail.com
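
Added example, not part of the original message and not httpd code: a self-contained C model of the short-circuit discussed above, where the authz check returns on a NULL user before any filter is built or looked up. All names (`model_request`, `model_build_filter`, `model_lookup_dn`, `model_check_authz`) and the one-entry directory are hypothetical stand-ins constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FILTER_LEN 256

/* Hypothetical model, not httpd code: only the field the thread discusses. */
typedef struct { const char *user; } model_request;
typedef enum { MODEL_GRANTED, MODEL_DENIED, MODEL_NO_USER } model_status;

static int lookups; /* times the directory lookup was reached */

/* Models the builder: with no user it returns 0 and leaves buf untouched.
 * Otherwise writes "(uid=<user>)", escaping * ( ) \ per RFC 4515; returns 1. */
static int model_build_filter(char *buf, size_t len, const model_request *r)
{
    size_t n;
    const char *p;
    if (r->user == NULL)
        return 0;
    n = (size_t)snprintf(buf, len, "(uid=");
    for (p = r->user; *p != '\0'; p++) {
        if (n + 5 > len)
            return 0; /* refuse to truncate a user name */
        if (strchr("*()\\", *p) != NULL)
            n += (size_t)snprintf(buf + n, len - n, "\\%02x", (unsigned char)*p);
        else
            buf[n++] = *p;
    }
    snprintf(buf + n, len - n, ")");
    return 1;
}

/* Stand-in for the directory lookup; the constructed directory has one entry. */
static int model_lookup_dn(const char *filter)
{
    lookups++;
    return strcmp(filter, "(uid=alice)") == 0;
}

model_status model_check_authz(const model_request *r)
{
    char filtbuf[FILTER_LEN] = ""; /* defined contents even if never built */

    if (r->user == NULL)
        return MODEL_NO_USER; /* short-circuit before filter and lookup */
    if (!model_build_filter(filtbuf, sizeof filtbuf, r))
        return MODEL_DENIED;
    return model_lookup_dn(filtbuf) ? MODEL_GRANTED : MODEL_DENIED;
}
```

The zero-initialised `filtbuf` and the checked return value are defence in depth: even if the early return were removed, the lookup would never see indeterminate stack contents.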
