From bb499a2e780006c18ddadacb76f442ee1df7293b Mon Sep 17 00:00:00 2001
From: Eric Covener
Date: Wed, 25 Jun 2014 21:58:31 +0000
Subject: [PATCH] Merge r1497371 from trunk: authnzldap: support "none" as a filter to suppress using a search filter, which is required by some mainframe security products serving native registry over LDAP.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1605618 13f79535-47bb-0310-9956-ffa450edef68
---
CHANGES | 4 ++++
STATUS | 9 ---------
docs/manual/mod/mod_authnz_ldap.html.en | 4 +++-
docs/manual/mod/mod_authnz_ldap.xml | 4 +++-
modules/aaa/mod_authnz_ldap.c | 26 ++++++++++++++++++++++---
5 files changed, 33 insertions(+), 14 deletions(-)
diff --git a/CHANGES b/CHANGES
index 2545574852..b00118a08d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,10 @@ Changes with Apache 2.4.10
+ *) mod_authnz_ldap: Support primitive LDAP servers do not accept
+ filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special
+ filter "none" to be specified in AuthLDAPURL. [Eric Covener]
+
*) mod_deflate: Fix inflation of files larger than 4GB. PR 56062.
[Lukas Bezdicka ]
diff --git a/STATUS b/STATUS
index abbb475944..5769a10624 100644
--- a/STATUS
+++ b/STATUS
@@ -100,15 +100,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_authnz_ldap: Support primitive LDAP servers do not accept
- filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special
- filter "none" to be specified in AuthLDAPURL.
- trunk patch: https://svn.apache.org/r1497371
- 2.4.x patch: trunk patch works other than CHANGES
- +1: minfrin, covener, trawick
- jailletc36: When merged, a compatibility note should be added in the doc stating when
- the none keyword has been added
-
* event MPM: fix a race where a worker looks at a conn_rec after it might be in use by another thread or may have been freed and re-allocated.
diff --git a/docs/manual/mod/mod_authnz_ldap.html.en b/docs/manual/mod/mod_authnz_ldap.html.en
index ee34beffa3..21e69f7af2 100644
--- a/docs/manual/mod/mod_authnz_ldap.html.en
+++ b/docs/manual/mod/mod_authnz_ldap.html.en
@@ -1346,7 +1346,9 @@ You can of course use search parameters on each of these.

will search for all objects in the tree. Filters are limited to approximately 8000 characters (the definition of MAX_STRING_LEN in the Apache source code). This
- should be more than sufficient for any application.
+ should be more than sufficient for any application. In 2.4.10 and later,
+ The word "none" may be used to not use any filter, which may be
+ required by some primitive LDAP servers.

When doing searches, the attribute, filter and username passed
diff --git a/docs/manual/mod/mod_authnz_ldap.xml b/docs/manual/mod/mod_authnz_ldap.xml
index 5f697e30eb..1513bd8cb0 100644
--- a/docs/manual/mod/mod_authnz_ldap.xml
+++ b/docs/manual/mod/mod_authnz_ldap.xml
@@ -1325,7 +1325,9 @@ You can of course use search parameters on each of these.

will search for all objects in the tree. Filters are limited to approximately 8000 characters (the definition of MAX_STRING_LEN in the Apache source code). This
- should be more than sufficient for any application.
+ should be more than sufficient for any application. In 2.4.10 and later,
+ The word "none" may be used to not use any filter, which may be
+ required by some primitive LDAP servers.

When doing searches, the attribute, filter and username passed
diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index 77644ca88e..211e4f7485 100644
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -217,6 +217,7 @@ static void authn_ldap_build_filter(char *filtbuf,
apr_size_t inbytes;
apr_size_t outbytes;
char *outbuf;
+ int nofilter = 0;
if (sent_user != NULL) {
user = apr_pstrdup (r->pool, sent_user);
@@ -249,7 +250,13 @@ static void authn_ldap_build_filter(char *filtbuf,
* Create the first part of the filter, which consists of the
* config-supplied portions.
*/
- apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", filter, sec->attribute);
+
+ if ((nofilter = (filter && !strcasecmp(filter, "none")))) {
+ apr_snprintf(filtbuf, FILTER_LENGTH, "(%s=", sec->attribute);
+ }
+ else {
+ apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", filter, sec->attribute);
+ }
/*
* Now add the client-supplied username to the filter, ensuring that any
@@ -303,8 +310,16 @@ static void authn_ldap_build_filter(char *filtbuf,
* Append the closing parens of the filter, unless doing so would
* overrun the buffer.
*/
- if (q + 2 <= filtbuf_end)
- strcat(filtbuf, "))");
+
+ if (nofilter) {
+ if (q + 1 <= filtbuf_end)
+ strcat(filtbuf, ")");
+ }
+ else {
+ if (q + 2 <= filtbuf_end)
+ strcat(filtbuf, "))");
+ }
+
}
static void *create_authnz_ldap_dir_config(apr_pool_t *p, char *d)
@@ -545,6 +560,11 @@ static authn_status authn_ldap_check_password(request_rec *r, const char *user,
"user %s authentication failed; URI %s [%s][%s]",
user, r->uri, ldc->reason, ldap_err2string(result));
+ /* talking to a primitive LDAP server (like RACF-over-LDAP) that doesn't return specific errors */
+ if (!strcasecmp(sec->filter, "none") && LDAP_OTHER == result) {
+ return AUTH_USER_NOT_FOUND;
+ }
+
return (LDAP_NO_SUCH_OBJECT == result) ? AUTH_USER_NOT_FOUND
#ifdef LDAP_SECURITY_ERROR
: (LDAP_SECURITY_ERROR(result)) ? AUTH_DENIED
-- 2.40.0
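Review bot: The "none" keyword is detected here with a NULL guard, `filter && !strcasecmp(filter, "none")`, but the later authn_ldap_check_password hunk repeats the test as `!strcasecmp(sec->filter, "none")` with no guard, so the two sites can disagree if the filter is ever unset. Deciding this once where AuthLDAPURL is parsed and storing the answer in the per-directory config (a `nofilter` flag beside `sec->filter`) would keep both call sites consistent and also remove the assignment inside the condition, which reads more plainly as `nofilter = (filter && !strcasecmp(filter, "none"));` followed by `if (nofilter) {`. The else branch still formats `filter` with `%s` unguarded, exactly as the removed line did. authn_ldap_build_filter begins before this hunk and continues past it.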
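Review bot: The two branches added here differ only in the closing string and the length it needs, so the closing can be one bounded check: `const char *close = nofilter ? ")" : "))";` then `if (q + strlen(close) <= filtbuf_end) strcat(filtbuf, close);`. That keeps the single truncation rule in one place, and the stray blank lines added before `if (nofilter)` and before the function's closing brace can go. The enclosing function starts before this hunk.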
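Review bot: `strcasecmp(sec->filter, "none")` is called without the NULL guard the authn_ldap_build_filter hunk applies to `filter`; if `sec->filter` can be unset on this path (its default is not visible from here), this dereferences NULL, so `sec->filter && !strcasecmp(sec->filter, "none")` keeps the two sites consistent. The early return also turns every LDAP_OTHER result — a generic server error, not specifically a rejected credential — into AUTH_USER_NOT_FOUND whenever the filter is `none`, which, like the LDAP_NO_SUCH_OBJECT case below it, lets a following provider in AuthBasicProvider be consulted rather than stopping here; that appears intended for RACF-over-LDAP, but the comment should say so, e.g. `/* "none" servers (e.g. RACF-over-LDAP) report any bind failure as LDAP_OTHER; treat it as user-not-found so later providers are still consulted, as for LDAP_NO_SUCH_OBJECT */`. authn_ldap_check_password continues past this hunk on both sides.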