From: Eric Covener
MAX_STRING_LEN
in the Apache source code). This
- should be more than sufficient for any application.
+ should be more than sufficient for any application. In 2.4.10 and later,
+ The word "none" may be used to not use any filter, which may be
+ required by some primitive LDAP servers.
When doing searches, the attribute, filter and username passed
diff --git a/docs/manual/mod/mod_authnz_ldap.xml b/docs/manual/mod/mod_authnz_ldap.xml
index 5f697e30eb..1513bd8cb0 100644
--- a/docs/manual/mod/mod_authnz_ldap.xml
+++ b/docs/manual/mod/mod_authnz_ldap.xml
@@ -1325,7 +1325,9 @@ You can of course use search parameters on each of these.
will search for all objects in the tree. Filters are limited to approximately 8000 characters (the definition ofMAX_STRING_LEN
in the Apache source code). This
- should be more than sufficient for any application.
+ should be more than sufficient for any application. In 2.4.10 and later,
+ The word "none" may be used to not use any filter, which may be
+ required by some primitive LDAP servers.
When doing searches, the attribute, filter and username passed
diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index 77644ca88e..211e4f7485 100644
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -217,6 +217,7 @@ static void authn_ldap_build_filter(char *filtbuf,
 apr_size_t inbytes;
 apr_size_t outbytes;
 char *outbuf;
+ int nofilter = 0;
 
 if (sent_user != NULL) {
 user = apr_pstrdup (r->pool, sent_user);
@@ -249,7 +250,13 @@ static void authn_ldap_build_filter(char *filtbuf,
 * Create the first part of the filter, which consists of the
 * config-supplied portions.
 */
- apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", filter, sec->attribute);
+
+ if ((nofilter = (filter && !strcasecmp(filter, "none")))) {
+ apr_snprintf(filtbuf, FILTER_LENGTH, "(%s=", sec->attribute);
+ }
+ else {
+ apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", filter, sec->attribute);
+ }
 
 /*
 * Now add the client-supplied username to the filter, ensuring that any
@@ -303,8 +310,16 @@ static void authn_ldap_build_filter(char *filtbuf,
 * Append the closing parens of the filter, unless doing so would
 * overrun the buffer.
 */
- if (q + 2 <= filtbuf_end)
- strcat(filtbuf, "))");
+
+ if (nofilter) {
+ if (q + 1 <= filtbuf_end)
+ strcat(filtbuf, ")");
+ }
+ else {
+ if (q + 2 <= filtbuf_end)
+ strcat(filtbuf, "))");
+ }
+
 }
 
 static void *create_authnz_ldap_dir_config(apr_pool_t *p, char *d)
@@ -545,6 +560,11 @@ static authn_status authn_ldap_check_password(request_rec *r, const char *user,
 "user %s authentication failed; URI %s [%s][%s]",
 user, r->uri, ldc->reason, ldap_err2string(result));
 
+ /* talking to a primitive LDAP server (like RACF-over-LDAP) that doesn't return specific errors */
+ if (!strcasecmp(sec->filter, "none") && LDAP_OTHER == result) {
+ return AUTH_USER_NOT_FOUND;
+ }
+
 return (LDAP_NO_SUCH_OBJECT == result) ? AUTH_USER_NOT_FOUND
#ifdef LDAP_SECURITY_ERROR
 : (LDAP_SECURITY_ERROR(result)) ? AUTH_DENIED
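Review bot: The assignment buried in the condition of the @@ -249 hunk, `if ((nofilter = (filter && !strcasecmp(filter, "none")))) {`, needs the doubled parentheses only to silence the compiler and hides the side effect that the closing-paren code in the @@ -303 hunk later depends on; computing the flag first reads more plainly: `nofilter = (filter && !strcasecmp(filter, "none"));` followed by `if (nofilter) {`. The NULL guard on `filter` is the right call here, since this is the one place that decides whether the buffer gets one or two closing parens. authn_ldap_build_filter begins before this hunk.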
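Review bot: `strcasecmp(sec->filter, "none")` in the @@ -545 hunk dereferences `sec->filter` with no NULL guard, whereas the equivalent test in authn_ldap_build_filter (the @@ -249 hunk) is written `filter && !strcasecmp(filter, "none")`; if `sec->filter` can be NULL at this point, an ordinary authentication failure would crash the child instead of returning a status, so either guard it the same way or add a comment stating why it cannot be NULL here. The two checks also read different variables (`filter` there, `sec->filter` here), so if `filter` is ever derived from something other than `sec->filter` the two "none" paths can disagree — worth a one-line comment pinning that `sec->filter` is the configured AuthLDAPURL filter. Mapping LDAP_OTHER to AUTH_USER_NOT_FOUND additionally means a generic server error is, as I read the provider contract, handed on to the next configured authn provider rather than reported as a failure; the added comment should say so explicitly, e.g. `/* With filter "none", RACF-style servers report an unknown user as LDAP_OTHER; treat it as not-found so another provider can be tried, at the cost of masking genuine server errors. */`. authn_ldap_check_password begins before this hunk and continues after it.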