Some LDAP servers (wrongly) return LDAP_CONSTRAINT_VIOLATION if a user is
authorStefan Fritsch <sf@apache.org>
Sat, 21 May 2011 08:13:59 +0000 (08:13 +0000)
committerStefan Fritsch <sf@apache.org>
Sat, 21 May 2011 08:13:59 +0000 (08:13 +0000)
locked due to too many password retries. This should not cause an internal
server error but be treated as "auth denied".

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1125646 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/aaa/mod_authnz_ldap.c

diff --git a/CHANGES b/CHANGES
index 13b38b65fbc452a0910f228ac8fc1073dcb2e8ea..744e92c09d89560a26e2123f53394ae2a32cb675 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@
 
 Changes with Apache 2.3.13
 
+  *) mod_authnz_ldap: If the LDAP server returns constraint violation,
+     don't treat this as an error but as "auth denied". [Stefan Fritsch]
+
   *) mod_proxy_fcgi|scgi: Add support for "best guess" of PATH_INFO
      for SCGI/FCGI. PR 50880, 50851. [Mark Montague <mark catseye.org>,
      Jim Jagielski]
index 8c1e6c569675ce826d611a2f9ea0b92858960513..42501e524538dfff01da80b5924a41af4b04d8a2 100644 (file)
@@ -567,6 +567,12 @@ start_over:
 #ifdef LDAP_INSUFFICIENT_RIGHTS
                  : (LDAP_INSUFFICIENT_RIGHTS == result) ? AUTH_DENIED
 #endif
+#endif
+#ifdef LDAP_CONSTRAINT_VIOLATION
+    /* At least Sun Directory Server sends this if a user is
+     * locked. This is not covered by LDAP_SECURITY_ERROR.
+     */
+                 : (LDAP_CONSTRAINT_VIOLATION == result) ? AUTH_DENIED
 #endif
                  : AUTH_GENERAL_ERROR;
     }
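Review bot: The comment above `: (LDAP_CONSTRAINT_VIOLATION == result) ? AUTH_DENIED` documents only the Sun Directory Server lockout case, but this is a generic LDAP result code, so any other constraint violation returned on this path is now also reported as a plain denial. That is fail-closed and looks safe, but the comment should say so, for example `/* Generic result code; at least Sun Directory Server returns it for a locked account. Deny instead of reporting a server error. */`. Because a lockout is now indistinguishable from a wrong password for the client, it is worth confirming that the logging after this expression still records the raw LDAP result, so that lockouts from repeated password failures stay visible to operators. That logging, the start of the ternary and the enclosing function all lie outside the hunk. As a style point, the comment is indented four columns while the arms of the expression sit much further right; aligning it with the `:` arms would make it clear which arm it belongs to.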