Re: svn commit: r1913962 - /httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c

Mon, 20 Nov 2023 02:46:58 -0800 

On Sun, Nov 19, 2023 at 11:45 AM <minf...@apache.org> wrote:
>
> Author: minfrin
> Date: Sun Nov 19 10:45:05 2023
> New Revision: 1913962
>
> URL: http://svn.apache.org/viewvc?rev=1913962&view=rev
> Log:
> Apply earlier fix to the ldapsearch case:
>
> Arrange for backend LDAP connections to be returned
> to the pool by a fixup hook rather than staying locked
> until the end of (a potentially slow) request.

It seems that this commit aligns the checks/setup of ldapsearch with
the ones of ldapfilter, but nothing about LDAP connections
recycling/reuse?

>
> --- httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c (original)
> +++ httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c Sun Nov 19 10:45:05 2023
> @@ -1429,12 +1429,40 @@ static authz_status ldapsearch_check_aut
>          return AUTHZ_DENIED;
>      }
>
> -    if (sec->host) {
> +    if (!sec->host) {
> +        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01738)
> +                      "auth_ldap authorize: no sec->host - weird...?");
> +        return AUTHZ_DENIED;
> +    }
> +
> +    /*
> +     * If we have been authenticated by some other module than mod_auth_ldap,
> +     * the req structure needed for authorization needs to be created
> +     * and populated with the userid and DN of the account in LDAP
> +     */
> +
> +    if (!*r->user) {
> +        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01739)
> +            "ldap authorize: Userid is blank, AuthType=%s",
> +            r->ap_auth_type);
> +    }

In ldapfilter_check_authorization() we bail out early if r->user is
NULL but not here in ldapsearch_check_authorization(), can't it
happen?

> +
> +    if (!req) {
> +        authz_status rv = AUTHZ_DENIED;
> +        req = build_request_config(r);
>          ldc = get_connection_for_authz(r, LDAP_SEARCH);
> +        if (AUTHZ_GRANTED != (rv = get_dn_for_nonldap_authn(r, ldc))) {
> +            return rv;
> +        }
>      }
>      else {
> -        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02636)
> -                      "auth_ldap authorize: no sec->host - weird...?");
> +        ldc = get_connection_for_authz(r, LDAP_SEARCH);
> +    }
> +
> +    if (req->dn == NULL || !*req->dn) {
> +        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01742)
> +                      "auth_ldap authorize: require ldap-filter: user's DN "
> +                      "has not been defined; failing authorization");
>          return AUTHZ_DENIED;
>      }

Regards;
Yann.

Reply via email to