When using the MS SDK, re-establish LDAP backend connections on a
authorEric Covener <covener@apache.org>
Mon, 31 Dec 2007 19:20:25 +0000 (19:20 +0000)
committerEric Covener <covener@apache.org>
Mon, 31 Dec 2007 19:20:25 +0000 (19:20 +0000)
return code of LDAP_UNAVAILABLE as if it were LDAP_SERVER_DOWN.

With this SDK, LDAP_UNAVAILABLE is returned when the socket has been closed
between LDAP API calls.

PR 39095

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@607766 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
include/util_ldap.h
modules/aaa/mod_authnz_ldap.c
modules/ldap/util_ldap.c

diff --git a/CHANGES b/CHANGES
index e9a5795260bc372a660c2860dd527014633fc53c..1887b7c75cda884981604cb51f80d1387aca91ef 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,11 @@
 Changes with Apache 2.3.0
 [ When backported to 2.2.x, remove entry from this file ]
 
+  *) mod_ldap: Try to establish a new backend LDAP connection when the
+     Microsoft LDAP client library returns LDAP_UNAVAILABLE, e.g. after the
+     LDAP server has closed the connection due to a timeout. 
+     PR 39095 [Eric Covener]
+
   *) SECURITY: CVE-2007-6388 (cve.mitre.org)
      mod_status: Ensure refresh parameter is numeric to prevent
      a possible XSS attack caused by redirecting to other URLs. 
index c994b88e9dfbb7ab38970caa343b069aa9cfe0f1..ede0c82f94c3794fa59774fdaa8457b2afef22bb 100644 (file)
 #include "apr_time.h"
 #include "apr_ldap.h"
 
+#if APR_HAS_MICROSOFT_LDAPSDK
+#define AP_LDAP_IS_SERVER_DOWN(s)                ((s) == LDAP_SERVER_DOWN \
+                ||(s) == LDAP_UNAVAILABLE)
+#else
+#define AP_LDAP_IS_SERVER_DOWN(s)                ((s) == LDAP_SERVER_DOWN)
+#endif
+
 #if APR_HAS_SHARED_MEMORY
 #include "apr_rmm.h"
 #include "apr_shm.h"
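Review bot: AP_LDAP_IS_SERVER_DOWN(s) evaluates its argument twice in the APR_HAS_MICROSOFT_LDAPSDK branch, and the util_ldap.c hunks at @@ -733, @@ -873, @@ -1443, @@ -1501 and @@ -1692 pass `result = ldap_search_ext_s(...)`, `result = ldap_compare_s(...)` and `result = ldap_simple_bind_s(...)` as that argument, so on exactly the platform this change targets any outcome other than LDAP_SERVER_DOWN repeats the search, compare or bind, and for the search calls the first LDAPMessage stored through `&res` is presumably overwritten by the second call and never reaches ldap_msgfree(). Hoist the call out of the macro at each of those sites, e.g. for @@ -733 `result = ldap_search_ext_s(ldc->ldap, (char *)reqdn, LDAP_SCOPE_BASE, "(objectclass=*)", NULL, 1, NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res);` followed by `if (AP_LDAP_IS_SERVER_DOWN(result))`, the form the @@ -977 hunk and the mod_authnz_ldap.c @@ -399 hunk already use (those util_ldap.c functions begin and end outside their hunks). The macro itself should warn about this, e.g. `/* May evaluate s more than once: pass a variable, never a call or an assignment */`. The non-Microsoft branch evaluates once, so the default build will not show the extra round-trips, the repeated bind or the leaked result.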
index a95bbaabe0440ebb5afef83f1aadef994a953d80..27702775f1013af385133c62c3a18773879e0be5 100644 (file)
@@ -399,7 +399,7 @@ start_over:
     util_ldap_connection_close(ldc);
 
     /* sanity check - if server is down, retry it up to 5 times */
-    if (result == LDAP_SERVER_DOWN) {
+    if (AP_LDAP_IS_SERVER_DOWN(result)) {
         if (failures++ <= 5) {
             goto start_over;
         }
index ca5c6ffeb6a35208508731fe4bb49b0cba40543e..ed5d6595f36ca10b5516fb3adc7d6f9f0adb33da 100644 (file)
@@ -430,7 +430,7 @@ static int uldap_connection_open(request_rec *r,
         rc = ldap_simple_bind_s(ldc->ldap,
                                 (char *)ldc->binddn,
                                 (char *)ldc->bindpw);
-        if (LDAP_SERVER_DOWN != rc) {
+        if (!AP_LDAP_IS_SERVER_DOWN(rc)) {
             break;
         } else if (failures == 5) {
            /* attempt to init the connection once again */
@@ -733,10 +733,9 @@ start_over:
     }
 
     /* search for reqdn */
-    if ((result = ldap_search_ext_s(ldc->ldap, (char *)reqdn, LDAP_SCOPE_BASE,
+    if (AP_LDAP_IS_SERVER_DOWN(result = ldap_search_ext_s(ldc->ldap, (char *)reqdn, LDAP_SCOPE_BASE,
                                     "(objectclass=*)", NULL, 1,
-                                    NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res))
-            == LDAP_SERVER_DOWN)
+                                    NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res)))
     {
         ldc->reason = "DN Comparison ldap_search_ext_s() "
                       "failed with server down";
@@ -873,11 +872,10 @@ start_over:
         return result;
     }
 
-    if ((result = ldap_compare_s(ldc->ldap,
+    if (AP_LDAP_IS_SERVER_DOWN(result = ldap_compare_s(ldc->ldap,
                                  (char *)dn,
                                  (char *)attrib,
-                                 (char *)value))
-                                               == LDAP_SERVER_DOWN) {
+                                 (char *)value))) {
         /* connection failed - try again */
         ldc->reason = "ldap_compare_s() failed with server down";
         uldap_connection_unbind(ldc);
@@ -977,7 +975,7 @@ start_over:
     result = ldap_search_ext_s(ldc->ldap, (char *)dn, LDAP_SCOPE_BASE,
                                (char *)"cn=*", subgroupAttrs, 0,
                                NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &sga_res);
-    if (result == LDAP_SERVER_DOWN) {
+    if (AP_LDAP_IS_SERVER_DOWN(result)) {
         ldc->reason = "ldap_search_ext_s() for subgroups failed with server"
                       " down";
         uldap_connection_unbind(ldc);
@@ -1443,11 +1441,10 @@ start_over:
     }
 
     /* try do the search */
-    if ((result = ldap_search_ext_s(ldc->ldap,
+    if (AP_LDAP_IS_SERVER_DOWN(result = ldap_search_ext_s(ldc->ldap,
                                     (char *)basedn, scope,
                                     (char *)filter, attrs, 0,
-                                    NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res))
-            == LDAP_SERVER_DOWN)
+                                    NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res)))
     {
         ldc->reason = "ldap_search_ext_s() for user failed with server down";
         uldap_connection_unbind(ldc);
@@ -1501,9 +1498,9 @@ start_over:
      * fails, it means that the password is wrong (the dn obviously
      * exists, since we just retrieved it)
      */
-    if ((result = ldap_simple_bind_s(ldc->ldap,
+    if (AP_LDAP_IS_SERVER_DOWN(result = ldap_simple_bind_s(ldc->ldap,
                                      (char *)*binddn,
-                                     (char *)bindpw)) == LDAP_SERVER_DOWN) {
+                                     (char *)bindpw))) {
         ldc->reason = "ldap_simple_bind_s() to check user credentials "
                       "failed with server down";
         ldap_msgfree(res);
@@ -1692,11 +1689,10 @@ start_over:
     }
 
     /* try do the search */
-    if ((result = ldap_search_ext_s(ldc->ldap,
+    if (AP_LDAP_IS_SERVER_DOWN(result = ldap_search_ext_s(ldc->ldap,
                                     (char *)basedn, scope,
                                     (char *)filter, attrs, 0,
-                                    NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res))
-            == LDAP_SERVER_DOWN)
+                                    NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res)))
     {
         ldc->reason = "ldap_search_ext_s() for user failed with server down";
         uldap_connection_unbind(ldc);