On Fri, Nov 24, 2023 at 10:45 AM Graham Leggett via dev
<dev@httpd.apache.org> wrote:
>
> I completely misunderstood this - I had the idea that build_request_config() 
> was being removed, when it was being left behind, sorry about that.
> The patch that applies to trunk looks like this, and I just tested it and it 
> works:
>
> Index: modules/aaa/mod_authnz_ldap.c
> ===================================================================
> --- modules/aaa/mod_authnz_ldap.c (revision 1914067)
> +++ modules/aaa/mod_authnz_ldap.c (working copy)
> @@ -1441,24 +1441,6 @@
>          req = build_request_config(r);
>      }
>      ldc = get_connection_for_authz(r, LDAP_SEARCH);
> -    if (!req->dn && r->user) {
> -        authz_status rv;
> -        if (!*r->user) {
> -            ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(10487)
> -                          "ldap authorize: Userid is blank, AuthType=%s",
> -                          r->ap_auth_type);
> -        }
> -        rv = get_dn_for_nonldap_authn(r, ldc);
> -        if (rv != AUTHZ_GRANTED) {
> -            return rv;
> -        }
> -        if (req->dn == NULL || !*req->dn) {
> -            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02636)
> -                          "auth_ldap authorize: require ldap-search: user's 
> DN "
> -                          "has not been defined; failing authorization");
> -            return AUTHZ_DENIED;
> -        }
> -    }
>
>      require = ap_expr_str_exec(r, expr, &err);
>      if (err) {
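Review bot: this removal drops two behaviours at once, not only the pre-search DN lookup: the APLOG_WARNING for a blank userid (APLOGNO(10487)) and the early `return AUTHZ_DENIED` when no DN could be established (APLOGNO(02636)). After the hunk the ldap-search path goes straight to `require = ap_expr_str_exec(r, expr, &err);` with `req->dn` possibly still NULL and `r->user` possibly empty, so please confirm that nothing further down this provider dereferences `req->dn` before the search result is assigned, and that letting a blank userid reach the filter evaluation (where it may be expanded into the LDAP filter) is acceptable. Since both log tags leave the code, note the retired numbers somewhere so they are not reused for a different message.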
> @@ -1482,6 +1464,7 @@
>
>          /* Make sure that the filtered search returned a single dn */
>          if (result == LDAP_SUCCESS && dn) {
> +            req->dn = dn;
>              ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02631)
>                            "auth_ldap authorize: require ldap-search: "
>                            "authorization successful");
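Review bot: `req->dn = dn;` stores a pointer obtained from the LDAP search into the per-request config built by `build_request_config(r)`, which outlives this function, so please confirm that `dn` is allocated from `r->pool` (or is copied here) rather than pointing into memory owned by `ldc` or the util_ldap cache that may be released or reused before a later authz provider reads `req->dn`. The assignment also overwrites any `req->dn` an earlier LDAP authn step had set; that looks intended, since the search result is the authoritative DN for this require, but a short comment above the assignment saying so would make the intent clear to the next reader.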

+1, this is pretty much what Rüdiger proposed earlier, and it aligns
with the proposed 2.4.x backport, so I understand better :)

Regards;
Yann.
