Changes with Apache 2.4.10
+ *) mod_authnz_ldap: Support primitive LDAP servers do not accept
+ filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special
+ filter "none" to be specified in AuthLDAPURL. [Eric Covener]
+
*) mod_deflate: Fix inflation of files larger than 4GB. PR 56062.
[Lukas Bezdicka <social v3.sk>]
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_authnz_ldap: Support primitive LDAP servers do not accept
- filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special
- filter "none" to be specified in AuthLDAPURL.
- trunk patch: https://svn.apache.org/r1497371
- 2.4.x patch: trunk patch works other than CHANGES
- +1: minfrin, covener, trawick
- jailletc36: When merged, a compatibility note should be added in the doc stating when
- the none keyword has been added
-
* event MPM: fix a race where a worker looks at a conn_rec after it might be
in use by another thread or may have been freed and
re-allocated.
will search for all objects in the tree. Filters are
limited to approximately 8000 characters (the definition of
<code>MAX_STRING_LEN</code> in the Apache source code). This
- should be more than sufficient for any application.</dd>
+ should be more than sufficient for any application. In 2.4.10 and later,
+ The word "none" may be used to not use any filter, which may be
+ required by some primitive LDAP servers.</dd>
</dl>
<p>When doing searches, the attribute, filter and username passed
will search for all objects in the tree. Filters are
limited to approximately 8000 characters (the definition of
<code>MAX_STRING_LEN</code> in the Apache source code). This
- should be more than sufficient for any application.</dd>
+ should be more than sufficient for any application. In 2.4.10 and later,
+ The word "none" may be used to not use any filter, which may be
+ required by some primitive LDAP servers.</dd>
</dl>
<p>When doing searches, the attribute, filter and username passed
apr_size_t inbytes;
apr_size_t outbytes;
char *outbuf;
+ int nofilter = 0;
if (sent_user != NULL) {
user = apr_pstrdup (r->pool, sent_user);
* Create the first part of the filter, which consists of the
* config-supplied portions.
*/
- apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", filter, sec->attribute);
+
+ if ((nofilter = (filter && !strcasecmp(filter, "none")))) {
+ apr_snprintf(filtbuf, FILTER_LENGTH, "(%s=", sec->attribute);
+ }
+ else {
+ apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", filter, sec->attribute);
+ }
/*
* Now add the client-supplied username to the filter, ensuring that any
* Append the closing parens of the filter, unless doing so would
* overrun the buffer.
*/
- if (q + 2 <= filtbuf_end)
- strcat(filtbuf, "))");
+
+ if (nofilter) {
+ if (q + 1 <= filtbuf_end)
+ strcat(filtbuf, ")");
+ }
+ else {
+ if (q + 2 <= filtbuf_end)
+ strcat(filtbuf, "))");
+ }
+
}
static void *create_authnz_ldap_dir_config(apr_pool_t *p, char *d)
"user %s authentication failed; URI %s [%s][%s]",
user, r->uri, ldc->reason, ldap_err2string(result));
+ /* talking to a primitive LDAP server (like RACF-over-LDAP) that doesn't return specific errors */
+ if (!strcasecmp(sec->filter, "none") && LDAP_OTHER == result) {
+ return AUTH_USER_NOT_FOUND;
+ }
+
return (LDAP_NO_SUCH_OBJECT == result) ? AUTH_USER_NOT_FOUND
#ifdef LDAP_SECURITY_ERROR
: (LDAP_SECURITY_ERROR(result)) ? AUTH_DENIED
projects / apache / commitdiff