From: Eric Covener <covener@apache.org>
Date: Sat, 11 Oct 2014 21:18:45 +0000 (+0000)
Subject: Merge r1613682 from trunk:
X-Git-Tag: 2.4.11~254
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9feef83d2440706bea9b82f803d9b016a1c5feda;p=apache

Merge r1613682 from trunk:

In 2.4.10, AuthLDAPBindDN might not be used for some LDAP searches, causing
LDAP authz failures if AuthLDAPBindDN was able to search through more of
LDAP than web users.




git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1631119 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index 741d42d362..a7d33c6c5e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,10 @@ Changes with Apache 2.4.11
      mod_cache: Avoid a crash when Content-Type has an empty value.
      PR 56924.  [Mark Montague <mark catseye.org>, Jan Kaluza]
 
+  *) mod_ldap: In 2.4.10, some LDAP searches or comparisons might be done with
+     the wrong credentials when a backend connection is reused.
+     [Eric Covener]
+
   *) mod_macro: Add missing APLOGNO for some Warning log messages.
      [Christophe Jaillet]
 
diff --git a/STATUS b/STATUS
index d1bdaf6e90..76dcb7e3ec 100644
--- a/STATUS
+++ b/STATUS
@@ -102,12 +102,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   * mod_ldap: 2.4.10 regression: Some authorization searches won't use AuthLDAPBindDN
-     which can lead to LDAP authz failurs if AuthLDAPBindDN had extra access. 
-     trunk patch: http://svn.apache.org/r1613682
-     2.4.x patch: trunk works + CHANGES referencing 2.4.10 regression
-     +1: covener, jim, rjung
-
    * mod_dav: set r->status_line in dav_error_response.
      It's used as argument in next ap_rvputs call. PR 55426.
      trunk patch: http://svn.apache.org/r1527509
diff --git a/modules/ldap/util_ldap.c b/modules/ldap/util_ldap.c
index 0cc51c40ae..7440d9eb9d 100644
--- a/modules/ldap/util_ldap.c
+++ b/modules/ldap/util_ldap.c
@@ -1824,7 +1824,7 @@ start_over:
          * combination, which might be reused unintentionally next time this
          * connection is used from the connection pool.
          */
-        ldc->must_rebind = 0;
+        ldc->must_rebind = 1;
         ap_log_rerror(APLOG_MARK, APLOG_TRACE5, 0, r, "LDC %pp used for authn, must be rebound", ldc);
     }