From 7c9503a556b7d64fe69583a288e2c1b288c8a742 Mon Sep 17 00:00:00 2001
From: Eric Covener
Date: Mon, 31 Dec 2007 19:20:25 +0000
Subject: [PATCH] When using the MS SDK, re-establish LDAP backend connections on a return code of LDAP_UNAVAILABLE as if it were LDAP_SERVER_DOWN. With this SDK, LDAP_UNAVAIALBLE is returned when the socket had been closed between LDAP API calls.
PR 39095
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@607766 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 5 +++++
 include/util_ldap.h | 7 +++++++
 modules/aaa/mod_authnz_ldap.c | 2 +-
 modules/ldap/util_ldap.c | 28 ++++++++++++----------------
 4 files changed, 25 insertions(+), 17 deletions(-)
diff --git a/CHANGES b/CHANGES
index e9a5795260..1887b7c75c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,11 @@ Changes with Apache 2.3.0
 [ When backported to 2.2.x, remove entry from this file ]
+ *) mod_ldap: Try to establish a new backend LDAP connection when the
+ Microsoft LDAP client library returns LDAP_UNAVAILABLE, e.g. after the
+ LDAP server has closed the connection due to a timeout.
+ PR 39095 [Eric Covener]
+
 *) SECURITY: CVE-2007-6388 (cve.mitre.org) mod_status: Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs.
diff --git a/include/util_ldap.h b/include/util_ldap.h
index c994b88e9d..ede0c82f94 100644
--- a/include/util_ldap.h
+++ b/include/util_ldap.h
@@ -30,6 +30,13 @@
 #include "apr_time.h"
 #include "apr_ldap.h"
+#if APR_HAS_MICROSOFT_LDAPSDK
+#define AP_LDAP_IS_SERVER_DOWN(s) ((s) == LDAP_SERVER_DOWN \ ||(s) == LDAP_UNAVAILABLE)
+#else
+#define AP_LDAP_IS_SERVER_DOWN(s) ((s) == LDAP_SERVER_DOWN)
+#endif
+
 #if APR_HAS_SHARED_MEMORY
 #include "apr_rmm.h"
 #include "apr_shm.h"
diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index a95bbaabe0..27702775f1 100644
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
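Review bot: AP_LDAP_IS_SERVER_DOWN(s) expands its argument twice in the APR_HAS_MICROSOFT_LDAPSDK branch, yet the util_ldap.c hunks at -733, -873, -1443, -1501 and -1692 pass `result = ldap_search_ext_s(...)`, `result = ldap_compare_s(...)` and `result = ldap_simple_bind_s(...)` as that argument, so on the Microsoft SDK — the only platform this change targets — every call that does not return LDAP_SERVER_DOWN is issued a second time. For the searches the first result message in `res` is presumably overwritten without being freed (the -1501 hunk shows `res` is otherwise released with ldap_msgfree), and for the credential check at -1501 the bind with the user's password is sent twice, which doubles backend load and is counted twice by any failed-bind lockout policy on the directory. The -977 hunk already uses the safe shape and the other call sites should follow it, e.g. at -733 `result = ldap_search_ext_s(ldc->ldap, (char *)reqdn, LDAP_SCOPE_BASE, "(objectclass=*)", NULL, 1, NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res);` followed by `if (AP_LDAP_IS_SERVER_DOWN(result)) {`. The macro definition itself should carry `/* s is evaluated more than once: pass a variable, never a call */` so the next caller does not repeat the mistake.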
@@ -399,7 +399,7 @@ start_over:
 util_ldap_connection_close(ldc); /* sanity check - if server is down, retry it up to 5 times */
- if (result == LDAP_SERVER_DOWN) {
+ if (AP_LDAP_IS_SERVER_DOWN(result)) {
 if (failures++ <= 5) { goto start_over; }
diff --git a/modules/ldap/util_ldap.c b/modules/ldap/util_ldap.c
index ca5c6ffeb6..ed5d6595f3 100644
--- a/modules/ldap/util_ldap.c
+++ b/modules/ldap/util_ldap.c
@@ -430,7 +430,7 @@ static int uldap_connection_open(request_rec *r,
 rc = ldap_simple_bind_s(ldc->ldap, (char *)ldc->binddn, (char *)ldc->bindpw);
- if (LDAP_SERVER_DOWN != rc) {
+ if (!AP_LDAP_IS_SERVER_DOWN(rc)) {
 break; } else if (failures == 5) { /* attempt to init the connection once again */
@@ -733,10 +733,9 @@ start_over:
 } /* search for reqdn */
- if ((result = ldap_search_ext_s(ldc->ldap, (char *)reqdn, LDAP_SCOPE_BASE,
+ if (AP_LDAP_IS_SERVER_DOWN(result = ldap_search_ext_s(ldc->ldap, (char *)reqdn, LDAP_SCOPE_BASE,
 "(objectclass=*)", NULL, 1,
- NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res))
- == LDAP_SERVER_DOWN
+ NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res)))
 { ldc->reason = "DN Comparison ldap_search_ext_s() " "failed with server down";
@@ -873,11 +872,10 @@ start_over:
 return result; }
- if ((result = ldap_compare_s(ldc->ldap,
+ if (AP_LDAP_IS_SERVER_DOWN(result = ldap_compare_s(ldc->ldap,
 (char *)dn, (char *)attrib,
- (char *)value))
- == LDAP_SERVER_DOWN) {
+ (char *)value))) {
 /* connection failed - try again */ ldc->reason = "ldap_compare_s() failed with server down"; uldap_connection_unbind(ldc);
@@ -977,7 +975,7 @@ start_over:
 result = ldap_search_ext_s(ldc->ldap, (char *)dn, LDAP_SCOPE_BASE, (char *)"cn=*", subgroupAttrs, 0, NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &sga_res);
- if (result == LDAP_SERVER_DOWN) {
+ if (AP_LDAP_IS_SERVER_DOWN(result)) {
 ldc->reason = "ldap_search_ext_s() for subgroups failed with server" " down"; uldap_connection_unbind(ldc);
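Review bot: In the -733 hunk the branch now also fires for LDAP_UNAVAILABLE on the Microsoft SDK, but `ldc->reason` is still set to "... failed with server down", so an operator reading the error log cannot tell a genuine LDAP_SERVER_DOWN from the closed-socket case this commit is about; the same wording is kept at -873, -977 and in the three util_ldap.c hunks that follow. Since `result` is returned to the caller anyway, a short comment at the first of these sites is enough to stop the next reader from treating the string as exact: `/* "server down" also covers LDAP_UNAVAILABLE under the MS SDK; see AP_LDAP_IS_SERVER_DOWN */`. The enclosing function of each of these hunks starts and ends outside the hunk.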
@@ -1443,11 +1441,10 @@ start_over:
 } /* try do the search */
- if ((result = ldap_search_ext_s(ldc->ldap,
+ if (AP_LDAP_IS_SERVER_DOWN(result = ldap_search_ext_s(ldc->ldap,
 (char *)basedn, scope, (char *)filter, attrs, 0,
- NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res))
- == LDAP_SERVER_DOWN
+ NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res)))
 { ldc->reason = "ldap_search_ext_s() for user failed with server down"; uldap_connection_unbind(ldc);
@@ -1501,9 +1498,9 @@ start_over:
 * fails, it means that the password is wrong (the dn obviously * exists, since we just retrieved it) */
- if ((result = ldap_simple_bind_s(ldc->ldap,
+ if (AP_LDAP_IS_SERVER_DOWN(result = ldap_simple_bind_s(ldc->ldap,
 (char *)*binddn,
- (char *)bindpw)) == LDAP_SERVER_DOWN) {
+ (char *)bindpw))) {
 ldc->reason = "ldap_simple_bind_s() to check user credentials " "failed with server down"; ldap_msgfree(res);
@@ -1692,11 +1689,10 @@ start_over:
 } /* try do the search */
- if ((result = ldap_search_ext_s(ldc->ldap,
+ if (AP_LDAP_IS_SERVER_DOWN(result = ldap_search_ext_s(ldc->ldap,
 (char *)basedn, scope, (char *)filter, attrs, 0,
- NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res))
- == LDAP_SERVER_DOWN
+ NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res)))
 { ldc->reason = "ldap_search_ext_s() for user failed with server down"; uldap_connection_unbind(ldc);
--
2.40.0