The attached patches convert LDAPTrustedMode into a per-directory directive rather than a per-server one. This allows the configuration to specify which mode should be applied for the associated AuthLDAPURL.
Thoughts on whether this is the way to go, or whether LDAPTrustedMode should be moved up into mod_authnz_ldap as AuthLDAPTrustedMode? Brad >>> [EMAIL PROTECTED] Tuesday, February 01, 2005 3:33:19 PM >>> After testing mod_authnz_ldap and util_ldap some more, it appears that the directive LDAPTrustedMode should be pushed up into mod_authnz_ldap rather than util_ldap and become AuthLDAPTrustedMode. The reason is that the connection type (i.e. NONE, SSL, STARTTLS) is tied to the AuthLDAPUrl rather than the global connection or certificate directives that are set in util_ldap. As it stands today, the following configuration will fail: Alias /secure /webpages/secure <Directory /webpages/secure> Order deny,allow Allow from all AuthType Basic AuthName LDAP_Protected_Place AuthBasicProvider ldap AuthLDAPURL "ldap://foo.ldapserver.com/o=ctx" AuthzLDAPAuthoritative off require valid-user </Directory> Alias /othersecuredir /webpages/othersecuredir <Directory /webpages/othersecuredir> Order deny,allow Allow from all AuthType Basic AuthName LDAP_Secure_Test AuthBasicProvider ldap AuthzLDAPAuthoritative off LDAPTrustedMode STARTTLS AuthLDAPURL "ldap://other.ldapserver.com/o=ctx" require valid-user </Directory> The above configuration assumes that all connections to "foo.ldapserver.com" will be non-secure on port 389 and that all connections to "other.ldapserver.com" will be TLS connections on port 389. The problem is that the directive LDAPTrustedMode is global, not per-directory. Therefore, even though the configuration intended to connect to "foo.ldapserver.com" non-secure, since the global trusted mode has been set to STARTTLS, util_ldap will attempt to start TLS on all connections. Since the type of connection is already determined partially by the AuthLDAPURL (i.e. ldaps:// vs ldap://), changing the type to STARTTLS also needs to be in the same scope as AuthLDAPURL.
There are two options: change LDAPTrustedMode to a per-directory directive within util_ldap, or move LDAPTrustedMode up into mod_authnz_ldap as AuthLDAPTrustedMode. Brad
Index: util_ldap.h
===================================================================
--- util_ldap.h (revision 126565)
+++ util_ldap.h (working copy)
@@ -117,8 +117,6 @@
 int ssl_supported;
 apr_array_header_t *global_certs; /* Global CA certificates */
 apr_array_header_t *client_certs; /* Client certificates */
- int secure;
- int secure_set;
 #if APR_HAS_SHARED_MEMORY
 apr_shm_t *cache_shm;
Index: util_ldap.c
===================================================================
--- util_ldap.c (revision 149421)
+++ util_ldap.c (working copy)
@@ -57,7 +57,14 @@
 int util_ldap_handler(request_rec *r);
 void *util_ldap_create_config(apr_pool_t *p, server_rec *s);
+typedef struct {
+ apr_pool_t *pool; /* Pool */
+ int secure; /* APR_LDAP_NONE, APR_LDAP_SSL, APR_LDAP_STARTTLS */
+ int secure_set;
+} util_ldap_dir_config_t;
+
+
 /*
 * Some definitions to help between various versions of apache.
 */
@@ -416,6 +423,8 @@
 util_ldap_state_t *st =
 (util_ldap_state_t *)ap_get_module_config(r->server->module_config,
 &ldap_module);
+ util_ldap_dir_config_t *dc =
+ (util_ldap_dir_config_t *)ap_get_module_config(r->per_dir_config, &ldap_module);
 #if APR_HAS_THREADS
@@ -514,7 +523,7 @@
 * setting optionally supplied by the admin using LDAPTrustedMode
 */
 l->secure = (APR_LDAP_NONE == secure) ?
- st->secure :
+ dc->secure :
 secure;
 /* save away a copy of the client cert list that is presently valid */
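Review bot: In the -514 hunk the fallback `dc->secure` now comes from a per-directory config that `util_ldap_create_dir_config` (the -1619 hunk) initialises to `APR_LDAP_NONE` and that is never merged, because the -1942 hunk registers it with a NULL dir merger and the -1660 hunk drops the only `secure_set`-aware merge that existed. With httpd's default override merge, a nested `<Directory>`, `<Location>` or .htaccess context that does not itself carry `LDAPTrustedMode` gets a fresh config rather than the parent's STARTTLS setting, so the bind (which carries credentials) silently goes out unencrypted — the wrong failure direction for this directive. Add a `util_ldap_merge_dir_config` that inherits the parent mode unless the child set one, and register it in place of the NULL; `secure_set` is otherwise written in the -1566 hunk but read nowhere in the patch. The function these two hunks belong to starts and ends outside the diff.
```c
static void *util_ldap_merge_dir_config(apr_pool_t *p, void *basev, void *overridesv)
{
    util_ldap_dir_config_t *base = basev;
    util_ldap_dir_config_t *overrides = overridesv;
    util_ldap_dir_config_t *dc = apr_pcalloc(p, sizeof *dc);

    dc->pool = p;
    /* An unset LDAPTrustedMode inherits the enclosing context's mode
     * instead of falling back to an unencrypted connection. */
    dc->secure = overrides->secure_set ? overrides->secure : base->secure;
    dc->secure_set = overrides->secure_set || base->secure_set;

    return dc;
}
```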
@@ -1566,31 +1575,29 @@
 * - SSL (SSL encryption)
 * - STARTTLS (TLS encryption)
 */
-static const char *util_ldap_set_trusted_mode(cmd_parms *cmd, void *dummy, const char *mode)
+static const char *util_ldap_set_trusted_mode(cmd_parms *cmd, void *config, const char *mode)
 {
- util_ldap_state_t *st =
- (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
- &ldap_module);
+ util_ldap_dir_config_t *dc = config;
 ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, "LDAP: SSL trusted mode - %s", mode);
 if (0 == strcasecmp("NONE", mode)) {
- st->secure = APR_LDAP_NONE;
+ dc->secure = APR_LDAP_NONE;
 }
 else if (0 == strcasecmp("SSL", mode)) {
- st->secure = APR_LDAP_SSL;
+ dc->secure = APR_LDAP_SSL;
 }
 else if (0 == strcasecmp("TLS", mode) || 0 == strcasecmp("STARTTLS", mode)) {
- st->secure = APR_LDAP_STARTTLS;
+ dc->secure = APR_LDAP_STARTTLS;
 }
 else {
 return "Invalid LDAPTrustedMode setting: must be one of NONE, "
 "SSL, or TLS/STARTTLS";
 }
- st->secure_set = 1;
+ dc->secure_set = 1;
 return(NULL);
 }
@@ -1619,7 +1626,18 @@
 return NULL;
 }
+static void *util_ldap_create_dir_config(apr_pool_t *p, char *d)
+{
+ util_ldap_dir_config_t *dc =
+ (util_ldap_dir_config_t *)apr_pcalloc(p, sizeof(util_ldap_dir_config_t));
+ dc->pool = p;
+ dc->secure = APR_LDAP_NONE;
+
+ return dc;
+}
+
+
 void *util_ldap_create_config(apr_pool_t *p, server_rec *s)
 {
 util_ldap_state_t *st =
@@ -1636,8 +1654,6 @@
 st->ssl_supported = 0;
 st->global_certs = apr_array_make(p, 10, sizeof(apr_ldap_opt_tls_cert_t));
 st->client_certs = apr_array_make(p, 10, sizeof(apr_ldap_opt_tls_cert_t));
- st->secure = APR_LDAP_NONE;
- st->secure_set = 0;
 st->connectionTimeout = 10;
 return st;
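Review bot: `util_ldap_set_trusted_mode` now writes into a per-directory config, but the `util_ldap_cmds` entry that binds `LDAPTrustedMode` to it is not part of this diff; if that entry still carries the server-only `RSRC_CONF` scope, the directive will be rejected inside `<Directory>`, which is the whole point of the change, so the table entry needs a directory-capable scope (`ACCESS_CONF` or `OR_AUTHCFG`) and that hunk should travel with this one — worth confirming against the full patch. In the -1619 hunk `util_ldap_create_dir_config` stores `dc->pool` and takes `d`, neither of which anything in the patch reads, and relies on `apr_pcalloc` zeroing to leave `secure_set` at 0; a comment such as `/* secure_set stays 0 until LDAPTrustedMode is seen in this context */` would make that intent explicit, and the cast on `apr_pcalloc` is unnecessary in C.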
@@ -1660,7 +1676,6 @@
 st->ssl_supported = base->ssl_supported;
 st->global_certs = apr_array_append(p, base->global_certs, overrides->global_certs);
 st->client_certs = apr_array_append(p, base->client_certs, overrides->client_certs);
- st->secure = (overrides->secure_set == 0) ? base->secure : overrides->secure;
 return st;
 }
@@ -1942,10 +1957,10 @@
 module ldap_module = {
 STANDARD20_MODULE_STUFF,
- NULL, /* dir config creater */
- NULL, /* dir merger --- default is to override */
- util_ldap_create_config, /* server config */
- util_ldap_merge_config, /* merge server config */
- util_ldap_cmds, /* command table */
- util_ldap_register_hooks, /* set up request processing hooks */
+ util_ldap_create_dir_config, /* dir config creater */
+ NULL, /* dir merger --- default is to override */
+ util_ldap_create_config, /* server config */
+ util_ldap_merge_config, /* merge server config */
+ util_ldap_cmds, /* command table */
+ util_ldap_register_hooks, /* set up request processing hooks */
 };
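Review bot: Of the six lines the -1942 hunk rewrites in `ldap_module`, only the first one changes anything (`util_ldap_create_dir_config` replacing NULL); the remaining five are re-emitted purely to realign the trailing comments, which buries the one real change in whitespace churn and makes the diff harder to audit. Keep the patch to the single changed line, `    util_ldap_create_dir_config, /* dir config creater */`, and leave the alignment of the untouched entries alone. Since the -1660 hunk also removes the last use of `secure_set` from `util_ldap_merge_config`, that function now merges everything except the trusted mode, which its name no longer hints at; a short comment above it noting that the trusted mode is per-directory and not merged here would help the next reader.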