On Fri, Nov 24, 2023 at 10:45 AM Graham Leggett via dev <dev@httpd.apache.org> wrote: > > I completely misunderstood this - I had the idea that build_request_config() > was being removed, when it was being left behind, sorry about that. > The patch that applies to trunk looks like this, and I just tested it and it > works: > > Index: modules/aaa/mod_authnz_ldap.c > =================================================================== > --- modules/aaa/mod_authnz_ldap.c (revision 1914067) > +++ modules/aaa/mod_authnz_ldap.c (working copy) > @@ -1441,24 +1441,6 @@ > req = build_request_config(r); > } > ldc = get_connection_for_authz(r, LDAP_SEARCH); > - if (!req->dn && r->user) { > - authz_status rv; > - if (!*r->user) { > - ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(10487) > - "ldap authorize: Userid is blank, AuthType=%s", > - r->ap_auth_type); > - } > - rv = get_dn_for_nonldap_authn(r, ldc); > - if (rv != AUTHZ_GRANTED) { > - return rv; > - } > - if (req->dn == NULL || !*req->dn) { > - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02636) > - "auth_ldap authorize: require ldap-search: user's > DN " > - "has not been defined; failing authorization"); > - return AUTHZ_DENIED; > - } > - } > > require = ap_expr_str_exec(r, expr, &err); > if (err) { > @@ -1482,6 +1464,7 @@ > > /* Make sure that the filtered search returned a single dn */ > if (result == LDAP_SUCCESS && dn) { > + req->dn = dn; > ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02631) > "auth_ldap authorize: require ldap-search: " > "authorization successful");
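Review bot: In the first hunk (@@ -1441,24 +1441,6 @@), dropping the `if (!req->dn && r->user)` block also drops the only handling at this point for a blank `r->user` (the APLOGNO(10487) warning) and the AUTHZ_DENIED return when no DN could be resolved, so the ldap-search check now runs from `get_connection_for_authz()` straight into `ap_expr_str_exec()` regardless of the state of `r->user`. If that is intended because the filter comes entirely from the expression, a short comment at this spot saying so would help the next reader, and it is worth confirming that APLOGNO(10487) and APLOGNO(02636) are either still used elsewhere or retired deliberately.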
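Review bot: In the second hunk (@@ -1482,6 +1464,7 @@), `req->dn = dn;` stores the DN of whatever single entry the filtered search matched, while the log message removed by the first hunk describes `req->dn` as the user's DN, so anything that later reads `req->dn` in the same request may treat the matched entry as the authenticated user's DN. Consider a comment stating that this is the intended meaning for ldap-search, or assigning only when `req->dn` is not already set. The hunk does not show where `dn` is allocated, so also confirm it lives at least as long as the request config that now points at it.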
+1, this is pretty much what Rüdiger proposed earlier and it aligns with the proposed 2.4.x backport, so I understand better :)

Regards;
Yann.