On Mon, Nov 20, 2023 at 1:57 PM Graham Leggett via dev <dev@httpd.apache.org> wrote:
>
> On 20 Nov 2023, at 12:26, Ruediger Pluem <rpl...@apache.org> wrote:
>
> Or we need to ensure that authn_ldap_build_filter is NULL safe and returns in
> a sensible way if user == NULL.
>
>
> This is the option we need I think - it’s possible that ldapsearch could be
> used without a user.

In the proposed 2.4.x backport of ldapsearch_check_authorization() there is no call to get_dn_for_nonldap_authn() nor authn_ldap_build_filter(). The Require expression is passed directly to util_ldap_cache_getuserdn(), so what is building a filter with r->user about in the ldapsearch case finally?

>
> Regards,
> Graham
> —
>