DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40075>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=40075


[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #19182|Imporved null DN Checking   |Improved null DN Checking
        description|                            |




------- Additional Comments From [EMAIL PROTECTED]  2006-11-27 12:04 -------
(From update of attachment 19182)
Reviewing uldap_cache_getuserdn() in modules/ldap/ldap_util.c, neither binddn
nor retattrs is modified if an error is returned. They are both initialized to
NULL as well.

As for calling into util_ldap_cache_compare() with a NULL req->dn, there are 6
calls to util_ldap_cache_compare() and/or util_ldap_cache_comparedn() in the
original code. The patch makes it 7. In each case, the original code and the
patch check for the case where req->dn is NULL. Since the original code uses:

if (req->dn == NULL || strlen(req->dn) == 0) {

I'll resubmit the patch to use that stronger statement -- the original
submission only checked for req->dn == NULL.

Regarding using AuthzLDAPRequireDN, no, that flag can't be used because it
globally changes the meaning of all values in the groupattr array. The desired
functionality is to allow both DN and UID attributes to be used for membership
comparison. The current code base allows for group attributes to be DNs or UIDs
(basically strings), but not both at the same time. The patch allows group
attributes of both types at the same time.

Another possible implementation was to make a separate groupattr array, but
that method would have required quite a bit of repeated code. It was
considerably simpler to add a type field to the groupattr array and utilize the
existing loops over the groupattr array.

I agree that the syntax is not terribly intuitive, but the functionality is not
exactly basic. The earlier patch has certain advantages in that regard.
However, the current patch has the advantage of leaving the old syntax entirely
alone.

AuthzLDAPRequireDN should not be called AuthzLDAPRequireGroupDN, as it is
actually managing completely different functionality, not related to groups.
The original code base required all users to have an entry in the directory.
AuthzLDAPRequireDN allows users to not be in the directory. Perhaps renaming it
AuthzLDAPRequireUserDN would make that more clear.
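As an added illustration, not code from the patch or from mod_authnz_ldap, here is a simplified C model of the design described in the comment: a groupattr array with a type field, one membership loop that dispatches on it, and the NULL-or-empty req->dn guard. Every type and function name below is a hypothetical stand-in, and the group data is constructed inline.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical model of a groupattr array with a type field (not
 * mod_authnz_ldap code): each entry says whether its values are DNs or UIDs. */
typedef enum { GROUPATTR_DN, GROUPATTR_UID } groupattr_type;
typedef struct {
    const char *name;    /* LDAP attribute name, e.g. "member" or "memberUid" */
    groupattr_type type; /* compare against the user's DN or the user name */
} groupattr_entry;

/* Constructed stand-in for the request fields the comment refers to. */
typedef struct {
    const char *dn;   /* DN returned by the user lookup; may be NULL */
    const char *user; /* authenticated user name */
} ldap_req;

/* Constructed group entry: one attribute and up to three values. */
typedef struct {
    const char *attr;
    const char *values[4];
} group_attr_values;

/* Stand-in for util_ldap_cache_compare(): 1 if attr holds value. */
static int group_has_value(const group_attr_values *g, size_t ngroup,
                           const char *attr, const char *value)
{
    for (size_t i = 0; i < ngroup; i++) {
        if (strcmp(g[i].attr, attr) != 0) continue;
        for (size_t j = 0; j < 4 && g[i].values[j] != NULL; j++)
            if (strcmp(g[i].values[j], value) == 0) return 1;
    }
    return 0;
}

/* One loop serves both attribute types. DN-typed entries are skipped when
 * req->dn is NULL or empty (the stronger check the comment settles on),
 * so a user without a directory entry never reaches the DN comparison. */
int user_in_group(const ldap_req *req, const groupattr_entry *attrs,
                  size_t nattrs, const group_attr_values *g, size_t ngroup)
{
    for (size_t i = 0; i < nattrs; i++) {
        const char *needle = req->user;
        if (attrs[i].type == GROUPATTR_DN) {
            if (req->dn == NULL || strlen(req->dn) == 0) continue;
            needle = req->dn;
        }
        if (group_has_value(g, ngroup, attrs[i].name, needle)) return 1;
    }
    return 0;
}
```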

