On 11/23/23 11:22 AM, minf...@apache.org wrote:
> Author: minfrin
> Date: Thu Nov 23 10:22:58 2023
> New Revision: 1914067
> 
> URL: http://svn.apache.org/viewvc?rev=1914067&view=rev
> Log:
> Optimise handling LDAP authorization where LDAP was not used
> previously for LDAP authentication.
> 
> Added:
>     httpd/httpd/trunk/changes-entries/ldap-optimise.txt
> Modified:
>     httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
> 

> Modified: httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c?rev=1914067&r1=1914066&r2=1914067&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c (original)

> @@ -1440,24 +1437,27 @@ static authz_status ldapsearch_check_aut
>       * the req structure needed for authorization needs to be created
>       * and populated with the userid and DN of the account in LDAP
>       */
> -
>      if (!req) {
> -        authz_status rv = AUTHZ_DENIED;
>          req = build_request_config(r);
> -        ldc = get_connection_for_authz(r, LDAP_SEARCH);
> -        if (AUTHZ_GRANTED != (rv = get_dn_for_nonldap_authn(r, ldc))) {
> +    }
> +    ldc = get_connection_for_authz(r, LDAP_SEARCH);
> +    if (!req->dn && r->user) {
> +        authz_status rv;
> +        if (!*r->user) {
> +            ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(10487)
> +                          "ldap authorize: Userid is blank, AuthType=%s",
> +                          r->ap_auth_type);
> +        }
> +        rv = get_dn_for_nonldap_authn(r, ldc);
> +        if (rv != AUTHZ_GRANTED) {
>              return rv;
>          }
> -    }
> -    else {
> -        ldc = get_connection_for_authz(r, LDAP_SEARCH);
> -    }
> -
> -    if (req->dn == NULL || !*req->dn) {
> -        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02636)
> -                      "auth_ldap authorize: require ldap-filter: user's DN "
> -                      "has not been defined; failing authorization");
> -        return AUTHZ_DENIED;
> +        if (req->dn == NULL || !*req->dn) {
> +            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02636)
> +                          "auth_ldap authorize: require ldap-search: user's 
> DN "
> +                          "has not been defined; failing authorization");
> +            return AUTHZ_DENIED;
> +        }

Why do we need to get the DN when r->user is not NULL, and why is it a 
reason to fail if we do not get a DN for this user?

>      }
>  
>      require = ap_expr_str_exec(r, expr, &err);
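Review bot: The deny path for a missing DN (APLOGNO(02636)) now runs only inside `if (!req->dn && r->user)`, so a request that arrives with an existing req whose `req->dn` is NULL while `r->user` is NULL, or whose DN is a non-NULL empty string (the `!*req->dn` case), skips the check that the removed lines applied unconditionally and continues to `ap_expr_str_exec`. Whether the search that follows tolerates a missing DN is outside the hunk, but before this change such a request was denied with a debug log, and the new code appears to fail open for it. I would keep the blank-DN check at the outer level, after the new block, so it covers both ways req can be obtained. The blank-userid warning at APLOGNO(10487) likewise only logs and then proceeds to `get_dn_for_nonldap_authn`; if an empty userid is never expected to authorize, a deny there would be clearer than a warning, though that is a judgement for the authors. ldapsearch_check_authorization starts before the hunk and continues past it.
```c
    if (!req->dn && r->user) {
        /* … unchanged: blank-userid warning, get_dn_for_nonldap_authn … */
        if (rv != AUTHZ_GRANTED) {
            return rv;
        }
    }
    /* Deny whenever no usable DN is present, regardless of how req was built. */
    if (req->dn == NULL || !*req->dn) {
        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02636)
                      "auth_ldap authorize: require ldap-search: user's DN "
                      "has not been defined; failing authorization");
        return AUTHZ_DENIED;
    }
```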
> 
> 
> 


Regards

Rüdiger
