On 11/20/23 4:19 PM, Graham Leggett via dev wrote:
> On 20 Nov 2023, at 15:10, Ruediger Pluem <rpl...@apache.org> wrote:
> 
>> Revisiting this again. I guess the below patch should fix it.
>> I assume that only the checking on req != NULL is relevant.
>> r->user and req->dn do not matter. But we should set req->dn to dn
>> if util_ldap_cache_getuserdn found one.
>>
>> BTW: get_connection_for_authz(r, LDAP_SEARCH); requires a valid req. It 
>> cannot deal with req == NULL.
>>
>>
>> Index: modules/aaa/mod_authnz_ldap.c
>> ===================================================================
>> --- modules/aaa/mod_authnz_ldap.c    (revision 1913980)
>> +++ modules/aaa/mod_authnz_ldap.c    (working copy)
>> @@ -1442,23 +1442,10 @@
>>      */
>>
>>     if (!req) {
>> -        authz_status rv = AUTHZ_DENIED;
>>         req = build_request_config(r);
>> -        ldc = get_connection_for_authz(r, LDAP_SEARCH);
>> -        if (AUTHZ_GRANTED != (rv = get_dn_for_nonldap_authn(r, ldc))) {
>> -            return rv;
>> -        }
>>     }
>> -    else {
>> -        ldc = get_connection_for_authz(r, LDAP_SEARCH);
>> -    }
>>
>> -    if (req->dn == NULL || !*req->dn) {
>> -        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02636)
>> -                      "auth_ldap authorize: require ldap-filter: user's DN "
>> -                      "has not been defined; failing authorization");
>> -        return AUTHZ_DENIED;
>> -    }
>> +    ldc = get_connection_for_authz(r, LDAP_SEARCH);
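Review bot: the hunk drops the `req->dn == NULL || !*req->dn` guard and its AUTHZ_DENIED return without anything in the remaining lines that guarantees `req->dn` is populated before the ldap-filter check proceeds, so a request whose authn did not go through LDAP (the path that previously called `get_dn_for_nonldap_authn(r, ldc)`) now continues with an empty DN instead of being denied. The cover note says `req->dn` should be set to the result of `util_ldap_cache_getuserdn`, but that assignment is not in the hunk; either keep the guard and the debug log until the DN population is in place, or show the lines that set `req->dn` in the same change. Also note that the removed `APLOGNO(02636)` message should be retired explicitly rather than silently deleted, so the log number is not reused.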
> 
> Unfortunately removing this makes it impossible to use ldapsearch for authz 
> only, as the setup process normally done in the authn phase never happens.

Removing what exactly? I currently cannot follow.

Regards

Rüdiger