Re: svn commit: r1913977 - /httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c

Fri, 24 Nov 2023 01:45:46 -0800 

On 20 Nov 2023, at 15:10, Ruediger Pluem <rpl...@apache.org> wrote:

> Revisiting this again. I guess the below patch should fix it.
> I assume that only the checking on req != NULL is relevant.
> r->user and req->dn do not matter. But we should set req->dn to dn
> if util_ldap_cache_getuserdn found one.
> 
> BTW: get_connection_for_authz(r, LDAP_SEARCH); requires a valid req. It 
> cannot deal with req == NULL.
> 
> 
> Index: modules/aaa/mod_authnz_ldap.c
> ===================================================================
> --- modules/aaa/mod_authnz_ldap.c     (revision 1913980)
> +++ modules/aaa/mod_authnz_ldap.c     (working copy)
> @@ -1442,23 +1442,10 @@
>      */
> 
>     if (!req) {
> -        authz_status rv = AUTHZ_DENIED;
>         req = build_request_config(r);

I completely misunderstood this - I had the idea that build_request_config() 
was being removed, when it was being left behind, sorry about that.

The patch that applies to trunk looks like this, and I just tested it and it 
works:

Index: modules/aaa/mod_authnz_ldap.c
===================================================================
--- modules/aaa/mod_authnz_ldap.c       (revision 1914067)
+++ modules/aaa/mod_authnz_ldap.c       (working copy)
@@ -1441,24 +1441,6 @@
         req = build_request_config(r);
     }
     ldc = get_connection_for_authz(r, LDAP_SEARCH);
-    if (!req->dn && r->user) {
-        authz_status rv;
-        if (!*r->user) {
-            ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(10487)
-                          "ldap authorize: Userid is blank, AuthType=%s",
-                          r->ap_auth_type);
-        }
-        rv = get_dn_for_nonldap_authn(r, ldc);
-        if (rv != AUTHZ_GRANTED) {
-            return rv;
-        }
-        if (req->dn == NULL || !*req->dn) {
-            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02636)
-                          "auth_ldap authorize: require ldap-search: user's DN 
"
-                          "has not been defined; failing authorization");
-            return AUTHZ_DENIED;
-        }
-    }
 
     require = ap_expr_str_exec(r, expr, &err);
     if (err) {
@@ -1482,6 +1464,7 @@
 
         /* Make sure that the filtered search returned a single dn */
         if (result == LDAP_SUCCESS && dn) {
+            req->dn = dn;
             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02631)
                           "auth_ldap authorize: require ldap-search: "
                           "authorization successful");

Regards,
Graham
—

Reply via email to