mod_auth_ldap is never releasing locks in mod_auth_ldap_auth_checker, so
OpenLDAP eventually runs out of filehandles. pam_ldap and nss_ldap stop
working, badness happens.
--
Scott Lamb
Call util_ldap_connection_close in every exit path from
mod_auth_ldap_auth_checker.
Index: modules/httpd-ldap/ldap-aaa/mod_auth_ldap.c
===================================================================
RCS file: /home/cvspublic/httpd-ldap/ldap-aaa/mod_auth_ldap.c,v
retrieving revision 1.4
diff -u -r1.4 mod_auth_ldap.c
--- modules/httpd-ldap/ldap-aaa/mod_auth_ldap.c 18 May 2002 05:49:38 -0000 1.4
+++ modules/httpd-ldap/ldap-aaa/mod_auth_ldap.c 18 Jul 2002 20:39:15 -0000
@@ -337,6 +337,7 @@
mod_auth_ldap_config_t *sec =
(mod_auth_ldap_config_t *)ap_get_module_config(r->per_dir_config,
&auth_ldap_module);
+ int rv = HTTP_UNAUTHORIZED;
util_ldap_connection_t *ldc = NULL;
int m = r->method_number;
@@ -350,11 +351,13 @@
int method_restricted = 0;
if (!sec->enabled) {
- return DECLINED;
+ rv = DECLINED;
+ goto out;
}
if (!sec->have_ldap_url) {
- return DECLINED;
+ rv = DECLINED;
+ goto out;
}
if (sec->host) {
@@ -365,7 +368,8 @@
else {
ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: no sec->host - weird...?", getpid());
- return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+ rv = sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+ goto out;
}
/*
@@ -385,7 +389,8 @@
if (!reqs_arr) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: no requirements array", getpid());
- return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+ rv = sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+ goto out;
}
/* Loop through the requirements array until there's no elements
@@ -414,14 +419,16 @@
"[%d] auth_ldap authorise: "
"deferring authorisation to mod_auth (FP Hack)",
getpid());
- return OK;
+ rv = OK;
+ goto out;
}
else {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: "
"successful authorisation because user "
"is valid-user", getpid());
- return OK;
+ rv = OK;
+ goto out;
}
}
else if (strcmp(w, "user") == 0) {
@@ -430,7 +437,8 @@
"[%d] auth_ldap authorise: "
"require user: user's DN has not been defined; failing
authorisation",
getpid());
- return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+ rv = sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+ goto out;
}
/*
* First do a whole-line compare, in case it's something like
@@ -442,7 +450,8 @@
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: "
"require user: authorisation successful", getpid());
- return OK;
+ rv = OK;
+ goto out;
}
default: {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
@@ -462,7 +471,8 @@
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: "
"require user: authorisation successful",
getpid());
- return OK;
+ rv = OK;
+ goto out;
}
default: {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
@@ -479,7 +489,8 @@
"[%d] auth_ldap authorise: "
"require dn: user's DN has not been defined; failing
authorisation",
getpid());
- return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+ rv = sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+ goto out;
}
result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, t,
sec->compare_dn_on_server);
@@ -488,7 +499,8 @@
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: "
"require dn: authorisation successful", getpid());
- return OK;
+ rv = OK;
+ goto out;
}
default: {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
@@ -507,7 +519,8 @@
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: require group: user's DN
has not been defined; failing authorisation",
getpid());
- return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+ rv = sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+ goto out;
}
}
else {
@@ -535,7 +548,8 @@
"[%d] auth_ldap authorise: require group: "
"authorisation successful (attribute %s)
[%s][%s]",
getpid(), ent[i].name, ldc->reason,
ldap_err2string(result));
- return OK;
+ rv = OK;
+ goto out;
}
default: {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
@@ -552,20 +566,27 @@
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: agreeing because non-restricted",
getpid());
- return OK;
+ rv = OK;
+ goto out;
}
if (!sec->auth_authoritative) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: declining to authorise", getpid());
return DECLINED;
+ rv = DECLINED;
+ goto out;
}
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: authorisation denied", getpid());
ap_note_basic_auth_failure (r);
- return HTTP_UNAUTHORIZED;
+out:
+ if (ldc != NULL) {
+ util_ldap_connection_close(ldc);
+ }
+ return rv;
}
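Review bot: In the `!sec->auth_authoritative` branch the original `return DECLINED;` is kept as a context line directly above the newly added `rv = DECLINED;` / `goto out;`, so those two lines are unreachable and this path still returns without passing through `out:` — the connection leak the commit sets out to fix survives on the non-authoritative deny path. The hunk header counts (-20/+27) confirm that line was not removed rather than lost in formatting. Delete the `return DECLINED;` so the branch ends with `rv = DECLINED;` and `goto out;` like every other exit in the function. The `if (ldc != NULL)` guard at `out:` is reasonable since `ldc` starts as NULL (hunk at line 337) and several early exits precede any point where a connection could have been acquired; the body of mod_auth_ldap_auth_checker begins before this hunk.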