On 11/20/23 4:05 PM, Yann Ylavic wrote:
> On Mon, Nov 20, 2023 at 3:46 PM Yann Ylavic <ylavic....@gmail.com> wrote:
>>
>> On Mon, Nov 20, 2023 at 2:33 PM Yann Ylavic <ylavic....@gmail.com> wrote:
>>>
>>> On Mon, Nov 20, 2023 at 1:57 PM Graham Leggett via dev
>>> <dev@httpd.apache.org> wrote:
>>>>
>>>> On 20 Nov 2023, at 12:26, Ruediger Pluem <rpl...@apache.org> wrote:
>>>>
>>>> Or we need to ensure that authn_ldap_build_filter is NULL safe and returns 
>>>> in a sensible way if user == NULL.
>>>>
>>>>
>>>> This is the option we need I think - it’s possible that ldapsearch could 
>>>> be used without a user.
>>>
>>> In the proposed 2.4.x backport of ldapsearch_check_authorization()
>>> there is no call to get_dn_for_nonldap_authn() nor
>>> authn_ldap_build_filter(). The Require expression is passed directly
>>> to util_ldap_cache_getuserdn(), so what is building a filter with
>>> r->user about in the ldapsearch case finally?
>>
>> I mean, isn't what we need for something like the attached patch?
>> This would call get_dn_for_nonldap_authn() only "if we have been
>> authenticated by some other module than mod_auth_ldap" (per comment in
>> the code), and do nothing about r->user otherwise.
>> Again, I don't really know how mod_ldap is supposed to work so
>> possibly this is all irrelevant..
> 
> A more complete/correct patch would be this attached v2 anyway.

+1 to the stuff outside ldapsearch_check_authorization. For the stuff inside
ldapsearch_check_authorization I guess my patch
is closer to what ldapsearch intends to do.

Regards

Rüdiger
