From: Bradley Nicholes <bnicholes@apache.org>
Date: Thu, 3 Feb 2005 00:03:37 +0000 (+0000)
Subject: Allow AuthLDAPURL to override the default connection type with an option second param... 
X-Git-Tag: 2.1.3~78
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=13050b4ff64a92075d9ad7728c8e348660fbb860;p=apache

Allow AuthLDAPURL to override the default connection type with an option second parameter of NONE, SSL or TLS | STARTTLS

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@151083 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index 32642d240a..904f99a103 100644
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -291,7 +291,7 @@ static void *create_authnz_ldap_dir_config(apr_pool_t *p, char *d)
     sec->frontpage_hack = 0;
 */
 
-    sec->secure = 0;
+    sec->secure = -1;   /*Initialize to unset*/
 
     sec->user_is_dn = 0;
     sec->compare_dn_on_server = 0;
@@ -803,7 +803,8 @@ static int authz_ldap_check_user_access(request_rec *r)
  */
 static const char *mod_auth_ldap_parse_url(cmd_parms *cmd, 
                                     void *config,
-                                    const char *url)
+                                    const char *url,
+                                    const char *mode)
 {
     int rc;
     apr_ldap_url_desc_t *urld;
@@ -885,24 +886,40 @@ static const char *mod_auth_ldap_parse_url(cmd_parms *cmd,
         sec->filter = "objectclass=*";
     }
 
+    if (mode) {
+        if (0 == strcasecmp("NONE", mode)) {
+            sec->secure = APR_LDAP_NONE;
+        }
+        else if (0 == strcasecmp("SSL", mode)) {
+            sec->secure = APR_LDAP_SSL;
+        }
+        else if (0 == strcasecmp("TLS", mode) || 0 == strcasecmp("STARTTLS", mode)) {
+            sec->secure = APR_LDAP_STARTTLS;
+        }
+        else {
+            return "Invalid LDAP connection mode setting: must be one of NONE, "
+                   "SSL, or TLS/STARTTLS";
+        }
+    }
+
       /* "ldaps" indicates secure ldap connections desired
       */
     if (strncasecmp(url, "ldaps", 5) == 0)
     {
-        sec->secure = 1;
+        sec->secure = APR_LDAP_SSL;
         sec->port = urld->lud_port? urld->lud_port : LDAPS_PORT;
         ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server,
                      "LDAP: auth_ldap using SSL connections");
     }
     else
     {
-        sec->secure = 0;
         sec->port = urld->lud_port? urld->lud_port : LDAP_PORT;
         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, 
                      "LDAP: auth_ldap not using SSL connections");
     }
 
     sec->have_ldap_url = 1;
+
     return NULL;
 }
 
@@ -952,7 +969,7 @@ static const char *set_charset_config(cmd_parms *cmd, void *config, const char *
 
 static const command_rec authnz_ldap_cmds[] =
 {
-    AP_INIT_TAKE1("AuthLDAPURL", mod_auth_ldap_parse_url, NULL, OR_AUTHCFG, 
+    AP_INIT_TAKE12("AuthLDAPURL", mod_auth_ldap_parse_url, NULL, OR_AUTHCFG, 
                   "URL to define LDAP connection. This should be an RFC 2255 complaint\n"
                   "URL of the form ldap://host[:port]/basedn[?attrib[?scope[?filter]]].\n"
                   "<ul>\n"
diff --git a/modules/ldap/util_ldap.c b/modules/ldap/util_ldap.c
index 396e23df90..730da2a2b1 100644
--- a/modules/ldap/util_ldap.c
+++ b/modules/ldap/util_ldap.c
@@ -274,7 +274,7 @@ LDAP_DECLARE(int) util_ldap_connection_open(request_rec *r,
                       &(result));
 
 
-        if (result != NULL) {
+        if (result != NULL && result->rc) {
             ldc->reason = result->reason;
         }
 
@@ -412,6 +412,7 @@ LDAP_DECLARE(util_ldap_connection_t *)
                                        const char *binddn, const char *bindpw,
                                        deref_options deref, int secure) {
     struct util_ldap_connection_t *l, *p; /* To traverse the linked list */
+    int secureflag = secure;
 
     util_ldap_state_t *st = 
         (util_ldap_state_t *)ap_get_module_config(r->server->module_config,
@@ -426,6 +427,10 @@ LDAP_DECLARE(util_ldap_connection_t *)
     apr_thread_mutex_lock(st->mutex);
 #endif
 
+    if (secure < APR_LDAP_NONE) {
+        secureflag = st->secure;
+    }
+
     /* Search for an exact connection match in the list that is not
      * being used.
      */
@@ -436,7 +441,7 @@ LDAP_DECLARE(util_ldap_connection_t *)
         if ((l->port == port) && (strcmp(l->host, host) == 0) && 
             ((!l->binddn && !binddn) || (l->binddn && binddn && !strcmp(l->binddn, binddn))) && 
             ((!l->bindpw && !bindpw) || (l->bindpw && bindpw && !strcmp(l->bindpw, bindpw))) && 
-            (l->deref == deref) && (l->secure == secure) &&
+            (l->deref == deref) && (l->secure == secureflag) &&
             !compare_client_certs(st->client_certs, l->client_certs)) {
 
             break;
@@ -461,7 +466,7 @@ LDAP_DECLARE(util_ldap_connection_t *)
 
 #endif
             if ((l->port == port) && (strcmp(l->host, host) == 0) && 
-                (l->deref == deref) && (l->secure == secure) &&
+                (l->deref == deref) && (l->secure == secureflag) &&
                 !compare_client_certs(st->client_certs, l->client_certs)) {
 
                 /* the bind credentials have changed */
@@ -513,9 +518,7 @@ LDAP_DECLARE(util_ldap_connection_t *)
          * If the security setting is NONE, override it to the security
          * setting optionally supplied by the admin using LDAPTrustedMode
          */
-        l->secure = (APR_LDAP_NONE == secure) ?
-                     st->secure :
-                     secure;
+        l->secure = secureflag;
 
         /* save away a copy of the client cert list that is presently valid */
         l->client_certs = apr_array_copy_hdr(l->pool, st->client_certs);