Re: svn commit: r614605 - in /httpd/httpd/trunk: include/util_ldap.h modules/ldap/util_ldap.c
The referral code is enabled via set_option calls and is currently processed in relation to a newly created ldap connection. Any further directory related processing would have to support changing the options later, or provide extra criteria when selecting a connection to use. But I agree that, logically, it should be directory scoped. I'm committing the doc now (directory scoped, to match the code I committed) and I'll look at making sure the processing addresses that (via merge, etc).

Graham Leggett wrote:
> Paul J. Reder wrote:
>> Now that you ask that question it makes me realize that the better question is probably "Should the directives be directory scoped or server scoped?" The rest of the util_ldap directives are all server scoped.
>
> The cache related ones are all server scoped, as the cache is server wide. The SSL related ones are directory and/or server scoped, and it depends on the underlying toolkit as to whether directory scope works at all. Don't fall into the trap of thinking all directives have to be handled the same way.
>
> My gut feel is that the referral processing should be directory scoped, there is no guarantee that the server will only ever connect to one type of LDAP server at a time, and the admin may want different processing depending on the application.
>
> Regards,
> Graham
> --

--
Paul J. Reder
---
"The strength of the Constitution lies entirely in the determination of each citizen to defend it. Only if every single citizen feels duty bound to do his share in this defense are the constitutional rights secure." -- Albert Einstein
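The merge question raised further down this thread (what a NULL merge dir config does to inherited settings) and the "via merge, etc" follow-up above can be made concrete with the following stand-alone C model. It is an added example, not httpd's code or the commit's: apr pools and cmd_parms are dropped so it builds alone, and the per-field set flags, the #define names and the strtol check are assumptions about how a merger could be done, not what r614605 does.

```c
/* Added example, not httpd's code: a stand-alone C model of the create/merge dir
 * config pair this thread discusses. apr pools and cmd_parms are dropped; the
 * *_set flags, the #define names and the strtol check are assumptions. */
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#define AP_LDAP_CHASEREFERRALS_DEFAULT   1 /* hypothetical names */
#define AP_LDAP_REFERRALHOPLIMIT_DEFAULT 5
typedef struct {
    int ChaseReferrals, ReferralHopLimit;
    int ChaseReferrals_set, ReferralHopLimit_set; /* 1 once the directive appeared */
} util_ldap_config_t;
/* create dir config: every section starts from the defaults. */
util_ldap_config_t util_ldap_create_dir_config(void) {
    util_ldap_config_t dc = {AP_LDAP_CHASEREFERRALS_DEFAULT,
                             AP_LDAP_REFERRALHOPLIMIT_DEFAULT, 0, 0};
    return dc;
}
/* FLAG handler for LDAPReferrals; NULL means success, as in httpd. */
const char *util_ldap_set_chase_referrals(util_ldap_config_t *dc, int mode) {
    dc->ChaseReferrals = mode ? 1 : 0;
    dc->ChaseReferrals_set = 1;
    return NULL;
}
/* TAKE1 handler for LDAPReferralHopLimit: rejects what atol() would accept. */
const char *util_ldap_set_referral_hop_limit(util_ldap_config_t *dc, const char *arg) {
    char *end;
    long v;
    errno = 0;
    v = strtol(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '\0' || v < 0 || v > INT_MAX)
        return "LDAPReferralHopLimit must be a non-negative integer";
    dc->ReferralHopLimit = (int)v;
    dc->ReferralHopLimit_set = 1;
    return NULL;
}
/* merge dir config: fields the child section never set inherit the parent's value
 * (with merge dir config NULL, httpd would take the child's struct as a whole). */
util_ldap_config_t util_ldap_merge_dir_config(const util_ldap_config_t *base,
                                              const util_ldap_config_t *add) {
    util_ldap_config_t m = *base;
    if (add->ChaseReferrals_set) {
        m.ChaseReferrals = add->ChaseReferrals; m.ChaseReferrals_set = 1;
    }
    if (add->ReferralHopLimit_set) {
        m.ReferralHopLimit = add->ReferralHopLimit; m.ReferralHopLimit_set = 1;
    }
    return m;
}
```

A parent section with "LDAPReferrals off" and a child that only sets LDAPReferralHopLimit keeps chasing off after the merge; without the merger the child's fresh defaults would turn it back on.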
Re: svn commit: r614605 - in /httpd/httpd/trunk: include/util_ldap.h modules/ldap/util_ldap.c
Paul J. Reder wrote:
> Now that you ask that question it makes me realize that the better question is probably "Should the directives be directory scoped or server scoped?" The rest of the util_ldap directives are all server scoped.

The cache related ones are all server scoped, as the cache is server wide. The SSL related ones are directory and/or server scoped, and it depends on the underlying toolkit as to whether directory scope works at all. Don't fall into the trap of thinking all directives have to be handled the same way.

My gut feel is that the referral processing should be directory scoped, there is no guarantee that the server will only ever connect to one type of LDAP server at a time, and the admin may want different processing depending on the application.

Regards,
Graham
--
Re: svn commit: r614605 - in /httpd/httpd/trunk: include/util_ldap.h modules/ldap/util_ldap.c
>>> On 1/23/2008 at 7:25 PM, in message <[EMAIL PROTECTED]>, "Paul J. Reder" <[EMAIL PROTECTED]> wrote:
>
> Ruediger Pluem wrote:
>>
>> On 01/23/2008 07:14 PM, [EMAIL PROTECTED] wrote:
>>> Author: rederpj
>>> Date: Wed Jan 23 10:14:41 2008
>>> New Revision: 614605
>>>
>>> URL: http://svn.apache.org/viewvc?rev=614605&view=rev
>>> Log:
>>> This adds Apache support (taking advantage of the new APR capability)
>>> for ldap rebind callback while chasing referrals. This allows direct
>>> searches on LDAP servers (in particular MS Active Directory 2003+)
>>> using referrals without the use of the global catalog.
>>> This addresses PRs 26538, 40268, and 42557
>
> >> @@ -2614,6 +2710,15 @@ > >>"Specify the LDAP socket connection timeout in seconds > " > >>"(default: 10)"), > >> > >> +AP_INIT_FLAG("LDAPReferrals", util_ldap_set_chase_referrals, > >> + NULL, OR_AUTHCFG, > >> + "Choose whether referrals are chased ['ON'|'OFF']. > Default ON'"), > >> + > >> +AP_INIT_TAKE1("LDAPReferralHopLimit", > util_ldap_set_referral_hop_limit, > >> + NULL, OR_AUTHCFG, > >> + "Limit the number of referral hops that LDAP can > follow. " > >> + "(Integer value, default=5)"), > >> + > >> {NULL} > >> };
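Review bot: the help string of the LDAPReferrals entry in the @@ -2614 hunk is unbalanced, "Default ON'" should read "Default 'ON'" (or simply "default ON"). More importantly, both new entries are registered with OR_AUTHCFG, so anyone granted AllowOverride AuthConfig can switch referral chasing on or raise LDAPReferralHopLimit from a .htaccess file; if that is the intent it should be stated in the help text and docs, otherwise RSRC_CONF keeps the two directives server-admin only, matching the server-scoped handling of the other util_ldap directives discussed in this thread.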
> >>> @@ -2638,7 +2743,7 @@ >>> >>> module AP_MODULE_DECLARE_DATA ldap_module = { >>> STANDARD20_MODULE_STUFF, >>> - NULL,/* create dir config */ >>> + util_ldap_create_dir_config, /* create dir config */ >>> NULL,/* merge dir config */
>>
>> Why no merge dir config? How do you inherit your settings in this case?
>
> Now that you ask that question it makes me realize that the better question is probably "Should the directives be directory scoped or server scoped?" The rest of the util_ldap directives are all server scoped. Is there any compelling reason that the referral directives would need to be alterable on a directory-by-directory (or htaccess) basis or should it be turned on/off and limited on a server-wide scope?

I wish I had a better memory, but I vaguely recall going down this path once before between server-merge and dir-merge (mailing list archives might remember better than I do). I know that when it comes to anything SSL related, not all LDAP SDKs can handle per-directory options. Novell LDAP SDK being one of them. So when it comes to setting options on a per-directory basis, it might get a little tricky depending on the LDAP SDK that is being used.

Brad
Re: svn commit: r614605 - in /httpd/httpd/trunk: include/util_ldap.h modules/ldap/util_ldap.c
Ruediger Pluem wrote:
> On 01/23/2008 07:14 PM, [EMAIL PROTECTED] wrote:
>> Author: rederpj
>> Date: Wed Jan 23 10:14:41 2008
>> New Revision: 614605
>>
>> URL: http://svn.apache.org/viewvc?rev=614605&view=rev
>> Log:
>> This adds Apache support (taking advantage of the new APR capability)
>> for ldap rebind callback while chasing referrals. This allows direct
>> searches on LDAP servers (in particular MS Active Directory 2003+)
>> using referrals without the use of the global catalog.
>> This addresses PRs 26538, 40268, and 42557
>>
>> @@ -2614,6 +2710,15 @@ >>"Specify the LDAP socket connection timeout in seconds " >>"(default: 10)"), >> >> +AP_INIT_FLAG("LDAPReferrals", util_ldap_set_chase_referrals, >> + NULL, OR_AUTHCFG, >> + "Choose whether referrals are chased ['ON'|'OFF']. Default ON'"), >> + >> +AP_INIT_TAKE1("LDAPReferralHopLimit", util_ldap_set_referral_hop_limit, >> + NULL, OR_AUTHCFG, >> + "Limit the number of referral hops that LDAP can follow. " >> + "(Integer value, default=5)"), >> + >> {NULL} >> };
>> @@ -2638,7 +2743,7 @@ module AP_MODULE_DECLARE_DATA ldap_module = { STANDARD20_MODULE_STUFF, - NULL,/* create dir config */ + util_ldap_create_dir_config, /* create dir config */ NULL,/* merge dir config */
>
> Why no merge dir config? How do you inherit your settings in this case?

Now that you ask that question it makes me realize that the better question is probably "Should the directives be directory scoped or server scoped?" The rest of the util_ldap directives are all server scoped. Is there any compelling reason that the referral directives would need to be alterable on a directory-by-directory (or htaccess) basis or should it be turned on/off and limited on a server-wide scope?

>> util_ldap_create_config, /* create server config */ util_ldap_merge_config, /* merge server config */
>
> Regards
> Rüdiger

--
Paul J. Reder
Re: svn commit: r614605 - in /httpd/httpd/trunk: include/util_ldap.h modules/ldap/util_ldap.c
On 01/23/2008 07:14 PM, [EMAIL PROTECTED] wrote:
> Author: rederpj
> Date: Wed Jan 23 10:14:41 2008
> New Revision: 614605
>
> URL: http://svn.apache.org/viewvc?rev=614605&view=rev
> Log:
> This adds Apache support (taking advantage of the new APR capability)
> for ldap rebind callback while chasing referrals. This allows direct
> searches on LDAP servers (in particular MS Active Directory 2003+)
> using referrals without the use of the global catalog.
> This addresses PRs 26538, 40268, and 42557
>
>
> Modified:
> httpd/httpd/trunk/include/util_ldap.h
> httpd/httpd/trunk/modules/ldap/util_ldap.c
>
> Modified: httpd/httpd/trunk/include/util_ldap.h
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/util_ldap.h?rev=614605&r1=614604&r2=614605&view=diff
> ==
> --- httpd/httpd/trunk/include/util_ldap.h (original)
> +++ httpd/httpd/trunk/include/util_ldap.h Wed Jan 23 10:14:41 2008
> @@ -29,6 +29,7 @@ > #include "apr_tables.h" > #include "apr_time.h" > #include "apr_ldap.h" > +#include "apr_ldap_rebind.h" > > #if APR_HAS_MICROSOFT_LDAPSDK > #define AP_LDAP_IS_SERVER_DOWN(s)((s) == LDAP_SERVER_DOWN \
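Review bot: the unconditional #include "apr_ldap_rebind.h" in the @@ -29 hunk turns the "new APR capability" from the commit log into a hard build dependency for everything that includes util_ldap.h, and the commit does not say which APR-util revision first ships that header. Either state the minimum APR-util version in the log and the module docs, or guard the include so util_ldap.h still compiles against an APR-util without it.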
> @@ -112,11 +113,18 @@ > apr_array_header_t *client_certs; /* Client certificates on this > connection */ > > const char *reason; /* Reason for an error failure */ > +int ChaseReferrals; /* [on|off] (on=1, off=0, default = > On)*/ > +int ReferralHopLimit; /* # of referral hops to follow > (default = 5) */

Hm. This requires a major bump. Append it to the end of the struct and you only need a minor bump and the whole thing becomes backportable.

> > struct util_ldap_connection_t *next; > struct util_ldap_state_t *st;/* The LDAP vhost config this > connection belongs to */ > int keep;/* Will this connection be kept > when it's unlocked */ > } util_ldap_connection_t; > + > +typedef struct util_ldap_config_t { > +int ChaseReferrals; > +int ReferralHopLimit; > +} util_ldap_config_t; > > /* LDAP cache state information */ > typedef struct util_ldap_state_t {
>
> Modified: httpd/httpd/trunk/modules/ldap/util_ldap.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ldap/util_ldap.c?rev=614605&r1=614604&r2=614605&view=diff
> ==
> --- httpd/httpd/trunk/modules/ldap/util_ldap.c (original)
> +++ httpd/httpd/trunk/modules/ldap/util_ldap.c Wed Jan 23 10:14:41 2008
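Review bot: beyond the ABI point already raised for the @@ -112 hunk, the new ChaseReferrals and ReferralHopLimit members on util_ldap_connection_t record the settings a connection was opened with, but nothing in the change shows the connection-pool lookup comparing them, so a pooled connection opened with chasing on can be handed to a request whose directory config has it off or a lower hop limit. Make the two values part of the match criteria when an existing connection is selected, or re-apply them to the handle each time it is taken from the pool. The mixed-case names also break the lower_case convention of the neighbouring members (client_certs, reason, keep).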
> @@ -2288,6 +2340,47 @@ > } > > > +static const char *util_ldap_set_chase_referrals(cmd_parms *cmd, > + void *config, > + int mode) > +{ > +util_ldap_config_t *dc = config; > + > +ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, > + "LDAP: Setting refferal chasing %s", > + mode?"ON":"OFF"); > + > +dc->ChaseReferrals = mode; > + > +return(NULL); > +} > + > +static const char *util_ldap_set_referral_hop_limit(cmd_parms *cmd, > +void *config, > +const char *hop_limit) > +{ > +util_ldap_config_t *dc = config; > + > +dc->ReferralHopLimit = atol(hop_limit); > + > +ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, > + "LDAP: Limit chased referrals to maximum of %d hops.", > + dc->ReferralHopLimit); > + > +return NULL; > +} > + > +static void *util_ldap_create_dir_config(apr_pool_t *p, char *d) { > + util_ldap_config_t *dc = > + (util_ldap_config_t *) apr_pcalloc(p,sizeof(util_ldap_config_t)); > + > + dc->ChaseReferrals = 1; /* default is to turn referral chasing on. */ > + dc->ReferralHopLimit = 5; /* default is to chase a max of 5 hops. */

I would love to see #defines for these defaults (util_ldap.h) and have these defines referred everywhere, even in the comments.

> + > + return dc; > +} > + > + > static void *util_ldap_create_config(apr_pool_t *p, server_rec *s) > { > util_ldap_state_t *st =
> @@ -2638,7 +2743,7 @@ > > module AP_MODULE_DECLARE_DATA ldap_module = { > STANDARD20_MODULE_STUFF, > - NULL,/* create dir config */ > + util_ldap_create_dir_config, /* create dir config */ > NULL,/* merge dir config */

Why no merge dir config? How do you inherit your settings in this case?

> util_ldap_create_config, /* create server config */ > util_ldap_merge_config, /* merge server config */ >

Regards
Rüdiger
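Review bot: util_ldap_set_referral_hop_limit in the @@ -2288 hunk accepts any string: atol() turns non-numeric input into 0, lets negative values through, silently truncates long to int, and none of those cases returns an error to the config parser. Parse with strtol (checking endptr and errno) or apr_strtoi64, reject anything outside 0..INT_MAX with a message along the lines of "LDAPReferralHopLimit must be a non-negative integer", and log the value only after it is accepted. Same hunk, minor: "refferal" in the util_ldap_set_chase_referrals log message.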
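Review bot: to make the merge question for the @@ -2638 hunk concrete: with merge dir config left NULL, httpd uses the more specific section's util_ldap_config_t whenever one exists and falls back to the parent's only when the child has none, so a <Directory> or .htaccess that sets just LDAPReferralHopLimit gets a fresh struct from util_ldap_create_dir_config and silently resets ChaseReferrals to the default instead of inheriting a parent's "LDAPReferrals off". A util_ldap_merge_dir_config that copies each field from the override only when that directive was explicitly given there (a per-field set flag in util_ldap_config_t) fixes this and mirrors the util_ldap_merge_config the hunk already registers for the server scope.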