On Mon, Nov 20, 2023 at 2:33 PM Yann Ylavic <ylavic....@gmail.com> wrote:
>
> On Mon, Nov 20, 2023 at 1:57 PM Graham Leggett via dev
> <dev@httpd.apache.org> wrote:
> >
> > On 20 Nov 2023, at 12:26, Ruediger Pluem <rpl...@apache.org> wrote:
> >
> > Or we need to ensure that authn_ldap_build_filter is NULL safe and returns
> > in a sensible way if user == NULL.
> >
> >
> > This is the option we need I think - it’s possible that ldapsearch could be
> > used without a user.
>
> In the proposed 2.4.x backport of ldapsearch_check_authorization()
> there is no call to get_dn_for_nonldap_authn() nor
> authn_ldap_build_filter(). The Require expression is passed directly
> to util_ldap_cache_getuserdn(), so what is building a filter with
> r->user about in the ldapsearch case finally?
I mean, isn't what we need for something like the attached patch?
This would call get_dn_for_nonldap_authn() only "if we have been
authenticated by some other module than mod_auth_ldap" (per comment in
the code), and do nothing about r->user otherwise.
Again, I don't really know how mod_ldap is supposed to work so
possibly this is all irrelevant..
Regards;
Yann.
Index: modules/aaa/mod_authnz_ldap.c
===================================================================
--- modules/aaa/mod_authnz_ldap.c (revision 1913977)
+++ modules/aaa/mod_authnz_ldap.c (working copy)
@@ -1435,31 +1435,29 @@ static authz_status ldapsearch_check_authorization
return AUTHZ_DENIED;
}
+ ldc = get_connection_for_authz(r, LDAP_SEARCH);
+
/*
* If we have been authenticated by some other module than mod_auth_ldap,
* the req structure needed for authorization needs to be created
* and populated with the userid and DN of the account in LDAP
*/
-
if (!req) {
- authz_status rv = AUTHZ_DENIED;
req = build_request_config(r);
- ldc = get_connection_for_authz(r, LDAP_SEARCH);
- if (AUTHZ_GRANTED != (rv = get_dn_for_nonldap_authn(r, ldc))) {
- return rv;
+ if (r->user && *r->user) {
+ authz_status rv = get_dn_for_nonldap_authn(r, ldc);
+ if (rv != AUTHZ_GRANTED) {
+ return rv;
+ }
+ if (req->dn == NULL || !*req->dn) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02636)
+ "auth_ldap authorize: require ldap-filter: user's DN "
+ "has not been defined; failing authorization");
+ return AUTHZ_DENIED;
+ }
}
}
- else {
- ldc = get_connection_for_authz(r, LDAP_SEARCH);
- }
- if (req->dn == NULL || !*req->dn) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02636)
- "auth_ldap authorize: require ldap-filter: user's DN "
- "has not been defined; failing authorization");
- return AUTHZ_DENIED;
- }
-
require = ap_expr_str_exec(r, expr, &err);
if (err) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02629)
