On Thu, Oct 16, 2008 at 5:09 PM, <[EMAIL PROTECTED]> wrote:
> NOTE: I can't test mod_authnz_ldap.c myself, so I'm not sure if it
> needs similar fixes. On the one hand, a NULL r->user in the authz
> handlers always generates a log message. However, it appears that
> authn_ldap_build_filter() will sometimes then be called, perform no
> action, which may result in a possibly uninitialized filtbuf buffer
> being passed to util_ldap_cache_getuserdn(). I don't know if that
> could cause problems in the LDAP cache code. If someone familiar with
> LDAP authz could take a look, that would be much appreciated.

IIUC mod_authnz_ldap would follow the pattern of the modules in your commit and not mod_authz_host.

Authorization in LDAP has a special path for when authentication wasn't handled by mod_authnz_ldap, but r->user still may be mappable to a DN on the LDAP server. Net, it can't do anything useful without r->user. This short-circuit should be possible well before the problematic functions you mention.

--
Eric Covener
[EMAIL PROTECTED]
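
The short-circuit discussed in this thread, as an added example that is not part of the thread or of the Apache source: `struct req`, `build_filter`, `lookup_userdn` and both handlers are hypothetical stand-ins for the functions named above. The scratch buffer is pre-filled with constructed contents so the run is deterministic instead of reading uninitialized memory.

```c
#include <stdio.h>
#include <string.h>

#define FILTBUF_LEN 64
enum { AUTHZ_DENIED, AUTHZ_GRANTED, AUTHZ_NO_USER };
struct req { const char *user; };   /* stand-in for request_rec (assumption) */
static char last_filter[FILTBUF_LEN];   /* filter the lookup stub last received */
static int lookups;                     /* number of lookups performed */

/* Stand-in filter builder: performs no action without a user, so filtbuf
 * keeps whatever it held before. Real code must also escape the name. */
static void build_filter(char *filtbuf, const struct req *r)
{
    if (r->user != NULL)
        snprintf(filtbuf, FILTBUF_LEN, "(uid=%s)", r->user);
}

/* Stand-in DN lookup: records the filter; only "alice" exists (constructed). */
static int lookup_userdn(const char *filtbuf)
{
    lookups++;
    snprintf(last_filter, sizeof last_filter, "%s", filtbuf);
    return strcmp(last_filter, "(uid=alice)") == 0;
}

/* Before: the filter is built and looked up even when r->user is NULL. */
static int authz_unguarded(const struct req *r, char *filtbuf)
{
    build_filter(filtbuf, r);
    return lookup_userdn(filtbuf) ? AUTHZ_GRANTED : AUTHZ_DENIED;
}

/* After: short-circuit before filtbuf is read or written. */
static int authz_guarded(const struct req *r, char *filtbuf)
{
    if (r->user == NULL)
        return AUTHZ_NO_USER;
    return authz_unguarded(r, filtbuf);
}

int main(void)
{
    char scratch[FILTBUF_LEN] = "(uid=stale)";  /* constructed leftover contents */
    struct req anon = { NULL };
    int g = authz_guarded(&anon, scratch);
    int u = authz_unguarded(&anon, scratch);
    printf("guarded=%d unguarded=%d lookups=%d filter=%s\n", g, u, lookups, last_filter);
    return 0;
}
```

In this model the unguarded handler performs a lookup with a filter that has nothing to do with the current request, while the guarded handler returns before any lookup happens.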
