On 20 Nov 2023, at 15:10, Ruediger Pluem <rpl...@apache.org> wrote:

> Revisiting this again. I guess the below patch should fix it.
> I assume that only the checking on req != NULL is relevant.
> r->user and req->dn do not matter. But we should set req->dn to dn
> if util_ldap_cache_getuserdn found one.
> 
> BTW: get_connection_for_authz(r, LDAP_SEARCH); requires a valid req. It 
> cannot deal with req == NULL.
> 
> 
> Index: modules/aaa/mod_authnz_ldap.c
> ===================================================================
> --- modules/aaa/mod_authnz_ldap.c     (revision 1913980)
> +++ modules/aaa/mod_authnz_ldap.c     (working copy)
> @@ -1442,23 +1442,10 @@
>      */
> 
>     if (!req) {
> -        authz_status rv = AUTHZ_DENIED;
>         req = build_request_config(r);
> -        ldc = get_connection_for_authz(r, LDAP_SEARCH);
> -        if (AUTHZ_GRANTED != (rv = get_dn_for_nonldap_authn(r, ldc))) {
> -            return rv;
> -        }
>     }
> -    else {
> -        ldc = get_connection_for_authz(r, LDAP_SEARCH);
> -    }
> 
> -    if (req->dn == NULL || !*req->dn) {
> -        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02636)
> -                      "auth_ldap authorize: require ldap-filter: user's DN "
> -                      "has not been defined; failing authorization");
> -        return AUTHZ_DENIED;
> -    }
> +    ldc = get_connection_for_authz(r, LDAP_SEARCH);
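
Review bot: dropping the `if (req->dn == NULL || !*req->dn)` guard together with the `get_dn_for_nonldap_authn(r, ldc)` call in the `!req` branch leaves the authz-only path with no way to obtain a DN and no check that one exists. After `req = build_request_config(r);` the fresh config carries no DN, nothing in this hunk fills it in (the cover note says `req->dn` should be set when `util_ldap_cache_getuserdn` finds one, but that assignment is not in the visible change), and the APLOGNO(02636) debug message that explained the denial is gone as well. Suggest keeping the `req->dn` guard and its log line, and either restoring the `get_dn_for_nonldap_authn` call in the `!req` branch before the `ldc = get_connection_for_authz(r, LDAP_SEARCH);` assignment or documenting that `Require ldap-filter` now requires an LDAP authn phase.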

Unfortunately removing this makes it impossible to use ldapsearch for authz 
only, as the setup process normally done in the authn phase never happens.

The typical use case for ldapsearch is without authn, because you’re allowing 
someone in based on something other than a user login, for example a property 
of the SSL connection, or an IP address, etc.

Regards,
Graham
—