On 23 Nov 2023, at 11:25, Ruediger Pluem <rpl...@apache.org> wrote:

>> -    if (req->dn == NULL || !*req->dn) {
>> -        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02636)
>> -                      "auth_ldap authorize: require ldap-filter: user's DN "
>> -                      "has not been defined; failing authorization");
>> -        return AUTHZ_DENIED;
>> +        if (req->dn == NULL || !*req->dn) {
>> +            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02636)
>> +                          "auth_ldap authorize: require ldap-search: user's 
>> DN "
>> +                          "has not been defined; failing authorization");
>> +            return AUTHZ_DENIED;
>> +        }
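Review bot: the reworded message at APLOGNO(02636) still says "user's DN has not been defined", but in the ldap-search branch req->dn is the DN of the object the search returned, which need not be the user's entry at all; the text should say what was actually missing, e.g. "require ldap-search: search returned no object DN; failing authorization". Keeping the same APLOGNO(02636) is fine if this is a pure rename of the ldap-filter message, but check that no ldap-filter branch still emits the old text under that number.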
> 
> Why do we need to get the dn in case that r->user is not NULL and why is it a 
> reason to fail if we don't get a dn for this user?

This message is misleading: the DN we care about is not the DN of the user, but 
rather the DN of the object returned by the ldap-search, which may or may not 
bear a relation to the user.

For example, the ldap-search might be doing a lookup on (sucks thumb) the issuer 
of a certificate, which, if it matches some LDAP object, means it is allowed. The 
DN will not refer to the user, but to something else.

On a side note, ldap-search requires that exactly one LDAP object matches, we 
might want to support many matches, or a specific number of matches.

Regards,
Graham
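The semantics discussed above, as an added offline model written for this page (it is not mod_authnz_ldap's code and does not reproduce httpd's expression syntax): the filter is evaluated against the whole directory, the DNs it yields are whatever objects matched (here a certificate-issuer object, not the user), access is granted only when the match count is exactly one, and the min/max bounds generalise that rule as the side note suggests. The directory entries, the `%{VAR}` placeholder syntax, and the `authorize_ldap_search`/`ldap_search` names are all assumptions of the example. Request data substituted into the filter is escaped per RFC 4515 so that a client-controlled value such as `*` cannot widen the search.

```python
"""Offline model of ``Require ldap-search`` authorization (added example, not httpd code)."""
import re
from typing import Callable, Dict, List, Tuple

Entry = Dict[str, List[str]]   # attribute name -> values; the DN is stored under "dn"

# Constructed sample directory for the example; not real data.
DIRECTORY: List[Entry] = [
    {"dn": ["uid=alice,ou=people,dc=example,dc=org"], "uid": ["alice"],
     "objectClass": ["person"], "memberOf": ["cn=staff,ou=groups,dc=example,dc=org"]},
    {"dn": ["uid=bob,ou=people,dc=example,dc=org"], "uid": ["bob"],
     "objectClass": ["person"], "memberOf": []},
    {"dn": ["cn=Example Corp CA,ou=issuers,dc=example,dc=org"], "cn": ["Example Corp CA"],
     "objectClass": ["trustedIssuer"], "issuerDN": ["CN=Example Corp CA,O=Example Corp,C=US"]},
    {"dn": ["cn=Other CA,ou=issuers,dc=example,dc=org"], "cn": ["Other CA"],
     "objectClass": ["trustedIssuer"], "issuerDN": ["CN=Other CA,O=Other,C=US"]},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value inserted into a filter (prevents filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def substitute(template: str, env: Dict[str, str]) -> str:
    """Expand %{NAME} placeholders (a syntax assumed for this example) with escaped request data."""
    return re.sub(r"%\{([A-Za-z_][A-Za-z0-9_]*)\}",
                  lambda m: escape_filter_value(env.get(m.group(1), "")), template)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s: str, i: int) -> Tuple[Callable[[Entry], bool], int]:
    """Recursive-descent parser for the subset &, |, !, equality and presence (no substrings)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = s[i]
    if op in "&|!":
        i += 1
        subs = []
        while i < len(s) and s[i] == "(":
            sub, i = _parse(s, i)
            subs.append(sub)
        if i >= len(s) or s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        if op == "&":
            return (lambda e: all(p(e) for p in subs)), i + 1
        if op == "|":
            return (lambda e: any(p(e) for p in subs)), i + 1
        if len(subs) != 1:
            raise ValueError("'!' takes exactly one operand")
        return (lambda e: not subs[0](e)), i + 1
    j = s.index(")", i)                      # an escaped ')' is '\29', so this is safe
    attr, eq, raw = s[i:j].partition("=")    # split at the first '=': DN values contain more
    if not attr or not eq:
        raise ValueError("unsupported filter item %r" % s[i:j])
    if raw == "*":                           # presence: only a bare, unescaped '*'
        return (lambda e: bool(e.get(attr))), j + 1
    val = _unescape(raw).lower()             # '\2a' becomes a literal '*', not a wildcard
    return (lambda e: val in (v.lower() for v in e.get(attr, []))), j + 1


def ldap_search(filter_str: str, directory: List[Entry] = DIRECTORY) -> List[str]:
    """Return the DNs of every entry the filter matches."""
    pred, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [e["dn"][0] for e in directory if pred(e)]


def authorize_ldap_search(template: str, env: Dict[str, str], user: str = "",
                          directory: List[Entry] = DIRECTORY,
                          min_matches: int = 1, max_matches: int = 1) -> Tuple[str, List[str]]:
    """Model of 'Require ldap-search': grant iff the match count lies within [min, max].

    httpd's rule is exactly one match (min = max = 1); the bounds are the
    generalisation suggested in the thread. `user` is accepted only to make
    the point visible: the decision never consults it, and the returned DNs
    are whatever objects the filter matched, not the user's own entry.
    """
    matches = ldap_search(substitute(template, env), directory)
    ok = min_matches <= len(matches) <= max_matches
    return ("AUTHZ_GRANTED" if ok else "AUTHZ_DENIED"), matches


if __name__ == "__main__":
    issuer_rule = "(&(objectClass=trustedIssuer)(issuerDN=%{SSL_CLIENT_I_DN}))"
    good = {"SSL_CLIENT_I_DN": "CN=Example Corp CA,O=Example Corp,C=US"}
    print(authorize_ldap_search(issuer_rule, good, user="bob"))          # granted; DN is the CA object
    print(authorize_ldap_search(issuer_rule, {"SSL_CLIENT_I_DN": "*"}))  # escaped '*': denied
    print(authorize_ldap_search("(objectClass=person)", {}, max_matches=2))
```

The issuer rule grants access to user "bob" although the DN it returns is the CA object's, which is the case Graham describes; `(objectClass=person)` matches two entries and is denied under the exactly-one rule but granted once `max_matches` is raised.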