https://issues.apache.org/bugzilla/show_bug.cgi?id=45393
--- Comment #2 from Dan Stusynski <[EMAIL PROTECTED]> 2008-07-17 13:18:05 PST ---
The additional bug 41435 seems the same as this one I reported (not sure if
that is what you were referring to). I tried to decide on a way to modify
mod_authnz_ldap.c authn_ldap_build_filter() function to handle this situation
but I don't see a way that one can build a valid MS LDAP filter that is 1)
valid for syntax and 2) that isn't guaranteed to return any users. Simply using
objectclass=* wouldn't work for the use case of 1 LDAP user, nor would the
attempt to have a uid=null (a null string) since that gets translated to a
literal uid when searching LDAP (as opposed to '\0' or similar C
representation).

I'm left thinking that just modifying util_ldap.c as the original poster in
that bug mentioned is a decent option while adding a check that the request's
user isn't blank (so we only gobble the FILTER_ERROR when a username is blank).
For example:

    /* MS LDAP SDK returns a FILTER ERROR when searching for "attr="
       (attribute=nothing). Check the result error and user length from the
       request and return invalid instead of 500. */
    #if APR_HAS_MICROSOFT_LDAPSDK
    if ((result == LDAP_FILTER_ERROR) && (strlen(r->user) == 0))
    {
        ldc->reason = "ldap_search_ext_s() to search for user failed";
        ldap_msgfree(res);
        uldap_connection_unbind(ldc);
        return LDAP_INVALID_CREDENTIALS;
    }
    #endif

Place this just after the ldap_search_ext_s() LDAP call and before the
all-encompassing if (result != LDAP_SUCCESS) statement.
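
An added sketch, not part of the original comment and not httpd's code: a stand-alone filter builder that refuses a blank user name before any search is issued, so a filter ending in "attr=" never reaches the directory, and that also escapes the RFC 4515 special characters in the name (a generalization beyond the blank-name case). The function name, the status codes and the "(&(base)(attr=user))" filter shape are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes for this sketch (not httpd or LDAP SDK constants). */
enum filter_status { FILTER_OK = 0, FILTER_EMPTY_USER = 1, FILTER_TOO_LONG = 2 };

/*
 * Build "(&(<base>)(<attr>=<user>))" into out, escaping '*', '(', ')' and '\'
 * as RFC 4515 requires in an assertion value. A NULL or empty user is rejected
 * up front; on any non-OK status the contents of out are unspecified.
 */
static enum filter_status build_user_filter(char *out, size_t outlen,
                                            const char *base, const char *attr,
                                            const char *user)
{
    size_t n;
    int rc;
    const unsigned char *p;

    if (user == NULL || user[0] == '\0')
        return FILTER_EMPTY_USER;   /* caller treats this as a failed login */

    rc = snprintf(out, outlen, "(&(%s)(%s=", base, attr);
    if (rc < 0 || (size_t)rc >= outlen)
        return FILTER_TOO_LONG;
    n = (size_t)rc;

    for (p = (const unsigned char *)user; *p != '\0'; p++) {
        if (*p == '*' || *p == '(' || *p == ')' || *p == '\\') {
            if (n + 3 >= outlen) return FILTER_TOO_LONG;
            n += (size_t)snprintf(out + n, outlen - n, "\\%02x", (unsigned)*p);
        } else {
            if (n + 1 >= outlen) return FILTER_TOO_LONG;
            out[n++] = (char)*p;
        }
    }
    if (n + 2 >= outlen) return FILTER_TOO_LONG;
    out[n++] = ')'; out[n++] = ')'; out[n] = '\0';
    return FILTER_OK;
}

int main(void)
{
    char f[128];
    /* Constructed inputs: a blank user name and one with filter metacharacters. */
    printf("empty user -> status %d\n", build_user_filter(f, sizeof f, "objectClass=*", "uid", ""));
    if (build_user_filter(f, sizeof f, "objectClass=*", "uid", "a*(b)") == FILTER_OK)
        printf("%s\n", f);
    return 0;
}
```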