On 20 Nov 2023, at 15:10, Ruediger Pluem <rpl...@apache.org> wrote: > Revisiting this again. I guess the below patch should fix it. > I assume that only the checking on req != NULL is relevant. > r->user and req->dn do not matter. But we should set req->dn to dn > if util_ldap_cache_getuserdn found one. > > BTW: get_connection_for_authz(r, LDAP_SEARCH); requires a valid req. It > cannot deal with req == NULL. > > > Index: modules/aaa/mod_authnz_ldap.c > =================================================================== > --- modules/aaa/mod_authnz_ldap.c (revision 1913980) > +++ modules/aaa/mod_authnz_ldap.c (working copy) > @@ -1442,23 +1442,10 @@ > */ > > if (!req) { > - authz_status rv = AUTHZ_DENIED; > req = build_request_config(r);
I completely misunderstood this - I had the idea that build_request_config() was being removed, when it was being left behind, sorry about that. The patch that applies to trunk looks like this, and I just tested it and it works: Index: modules/aaa/mod_authnz_ldap.c =================================================================== --- modules/aaa/mod_authnz_ldap.c (revision 1914067) +++ modules/aaa/mod_authnz_ldap.c (working copy) @@ -1441,24 +1441,6 @@ req = build_request_config(r); } ldc = get_connection_for_authz(r, LDAP_SEARCH); - if (!req->dn && r->user) { - authz_status rv; - if (!*r->user) { - ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(10487) - "ldap authorize: Userid is blank, AuthType=%s", - r->ap_auth_type); - } - rv = get_dn_for_nonldap_authn(r, ldc); - if (rv != AUTHZ_GRANTED) { - return rv; - } - if (req->dn == NULL || !*req->dn) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02636) - "auth_ldap authorize: require ldap-search: user's DN " - "has not been defined; failing authorization"); - return AUTHZ_DENIED; - } - } require = ap_expr_str_exec(r, expr, &err); if (err) { @@ -1482,6 +1464,7 @@ /* Make sure that the filtered search returned a single dn */ if (result == LDAP_SUCCESS && dn) { + req->dn = dn; ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02631) "auth_ldap authorize: require ldap-search: " "authorization successful"); Regards, Graham —