On 23 Nov 2023, at 11:25, Ruediger Pluem <rpl...@apache.org> wrote:

>> - if (req->dn == NULL || !*req->dn) { >> - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02636) >> - "auth_ldap authorize: require ldap-filter: user's DN " >> - "has not been defined; failing authorization"); >> - return AUTHZ_DENIED; >> + if (req->dn == NULL || !*req->dn) { >> + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02636) >> + "auth_ldap authorize: require ldap-search: user's >> DN " >> + "has not been defined; failing authorization"); >> + return AUTHZ_DENIED; >> + }

> Why do we need to get the dn in case that r->user is not NULL and why is it a reason to fail if we don't get a dn for this user?
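Review bot: the `+` lines keep the wording "user's DN has not been defined" under `require ldap-search`, but at this point `req->dn` holds the DN of the object the search returned, which need not be the user at all, so the message points an administrator at the wrong object; suggest rewording along the lines of `"auth_ldap authorize: require ldap-search: search returned no DN; "` / `"failing authorization"`. The new block also reuses APLOGNO(02636) from the ldap-filter message; if the ldap-filter check stays in the file alongside this one, the ldap-search message needs its own APLOGNO, since those tags are meant to be unique per log call.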
This message is misleading: the DN we care about is not the DN of the user, but rather the DN of the object returned in the ldap-search, which may or may not bear a relation to the user. For example the ldap-search might be doing a lookup on (sucks thumb) the issuer of a certificate, which if it matches some LDAP object means it is allowed. The DN will not refer to the user, but something else.

On a side note, ldap-search requires that exactly one LDAP object matches; we might want to support many matches, or a specific number of matches.

Regards,
Graham