When checking direct group membership, interpret LDAP_NO_SUCH_ATTRIBUTE the same as

LDAP_COMPARE_FALSE and continue on to subgroup (nested group) processing. This
triggers when the group has no "direct" members but may have entries that
represent nested groups to check.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@950249 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index 2a6826f10df2a14fb97c864afdff6047fc65d282..750b085981a0932617ae7335f132de924ad30be3 100644 (file)
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -898,6 +898,7 @@ static authz_status ldapgroup_check_authorization(request_rec *r,
                 set_request_vars(r, LDAP_AUTHZ);
                 return AUTHZ_GRANTED;
             }
+            case LDAP_NO_SUCH_ATTRIBUTE: 
             case LDAP_COMPARE_FALSE: {
                 /* nested groups need searches and compares, so grab a new handle */
                 authnz_ldap_cleanup_connection_close(ldc);