From 9feef83d2440706bea9b82f803d9b016a1c5feda Mon Sep 17 00:00:00 2001
From: Eric Covener
Date: Sat, 11 Oct 2014 21:18:45 +0000
Subject: [PATCH] Merge r1613682 from trunk: In 2.4.10, AuthLDAPBindDN might not be used for some LDAP searches, causing LDAP authz failures if AuthLDAPBindDN was able to search through more of LDAP than web users.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1631119 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 4 ++++
 STATUS | 6 ------
 modules/ldap/util_ldap.c | 2 +-
 3 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/CHANGES b/CHANGES
index 741d42d362..a7d33c6c5e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,10 @@ Changes with Apache 2.4.11
 mod_cache: Avoid a crash when Content-Type has an empty value. PR 56924. [Mark Montague , Jan Kaluza]
+ *) mod_ldap: In 2.4.10, some LDAP searches or comparisons might be done with
+ the wrong credentials when a backend connection is reused.
+ [Eric Covener]
+
 *) mod_macro: Add missing APLOGNO for some Warning log messages. [Christophe Jaillet]
diff --git a/STATUS b/STATUS
index d1bdaf6e90..76dcb7e3ec 100644
--- a/STATUS
+++ b/STATUS
@@ -102,12 +102,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_ldap: 2.4.10 regression: Some authorization searches won't use AuthLDAPBindDN
- which can lead to LDAP authz failurs if AuthLDAPBindDN had extra access.
- trunk patch: http://svn.apache.org/r1613682
- 2.4.x patch: trunk works + CHANGES referencing 2.4.10 regression
- +1: covener, jim, rjung
-
 * mod_dav: set r->status_line in dav_error_response. It's used as argument in next ap_rvputs call. PR 55426. trunk patch: http://svn.apache.org/r1527509
diff --git a/modules/ldap/util_ldap.c b/modules/ldap/util_ldap.c
index 0cc51c40ae..7440d9eb9d 100644
--- a/modules/ldap/util_ldap.c
+++ b/modules/ldap/util_ldap.c
@@ -1824,7 +1824,7 @@ start_over:
 * combination, which might be reused unintentionally next time this
 * connection is used from the connection pool.
 */
- ldc->must_rebind = 0;
+ ldc->must_rebind = 1;
 ap_log_rerror(APLOG_MARK, APLOG_TRACE5, 0, r, "LDC %pp used for authn, must be rebound", ldc);
 }
--
2.40.0
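Review bot: The restored `ldc->must_rebind = 1;` is the one line that stops a pooled connection, just bound with an end user's DN and password, from being reused under that identity, yet nothing next to it records that 0 is the unsafe value 2.4.10 shipped with. I would add a comment on the assignment itself, e.g. `/* security: must stay 1; 0 lets later searches/compares on this pooled LDC run as the authn user, not AuthLDAPBindDN */`, and back the fix with a regression test that authenticates a user and then checks which identity the next authorization lookup on the same connection uses. The code that reads `must_rebind` before a search or compare is not in this hunk, so it is worth confirming that every path taking a connection from the pool honours the flag. The enclosing function (around the `start_over:` label) starts and ends outside the hunk.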