Rici Lake wrote:
The referenced commit added two OR_ALL directives to util_ldap:
  LDAPTrustedClientCert
  LDAPTrustedMode

However, that module has no per-directory config struct; all configuration is stored in per-server structs.

Consequently, as far as I can see, the OR_ALL directives are unworkable. In particular, LDAPTrustedClientCert, if invoked in an .htaccess file, will:
a) store a pointer to request-pool-allocated strings in a config-pool-allocated array
b) tromp on changes being made in another thread reading an .htaccess file in the same vhost.


Even if it were not for that, it seems odd to me that the configuration merge function appends the parent array of client certs to the current array of client certs; I think that is counter to the idea that a directory might have its own local collection of client certs. (Accumulating the global certs seems more reasonable.)

As it stands, if my analysis is correct, the use of LDAPTrustedClientCert in an .htaccess file would probably cause a child to segfault; in a threaded mpm, the consequences would be even more serious. Until a more thorough review is done, it would probably be a good idea to change the directives to RSRC_CONF, or disable them altogether.


I am going to change these to RSRC_CONF right now. It is just completely broken to attempt to use the OR_ALL context.


Ping to Graham? Can you please take a look at this?

-Paul
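As an added illustration of the two points raised above (the config-pool versus request-pool lifetime mismatch, and a merge that replaces rather than appends the parent's list), here is a small C model. It is not code from util_ldap, httpd or APR, and not from either poster; the toy `pool`, the `cert_cfg` struct, the handler names and the certificate paths are all hypothetical. Each entry records the pool that owns its string, so lifetime mismatches can be counted without dereferencing freed memory.

```c
#include <stdlib.h>
#include <string.h>

/* Toy pool: a hypothetical stand-in for an APR pool. Everything allocated
 * from a pool is freed when the pool is destroyed. Not APR's implementation. */
#define POOL_MAX 32
struct pool { void *allocs[POOL_MAX]; int n; };

static void *pool_alloc(struct pool *p, size_t sz) {
    void *m = calloc(1, sz);
    if (m && p->n < POOL_MAX) p->allocs[p->n++] = m;
    return m;
}

static char *pool_strdup(struct pool *p, const char *s) {
    char *d = pool_alloc(p, strlen(s) + 1);
    if (d) memcpy(d, s, strlen(s) + 1);
    return d;
}

static void pool_destroy(struct pool *p) {
    for (int i = 0; i < p->n; i++) free(p->allocs[i]);
    p->n = 0;
}

/* Hypothetical config struct for a trusted-cert list. The struct records the
 * pool it was allocated from; each entry records the pool owning its string. */
#define MAX_CERTS 8
struct cert_entry { const char *path; struct pool *owner; };
struct cert_cfg {
    struct pool *pool;                 /* pool this struct lives in */
    struct cert_entry certs[MAX_CERTS];
    int ncerts;
    int certs_set;                     /* this level named its own certs */
};

static struct cert_cfg *cert_cfg_create(struct pool *p) {
    struct cert_cfg *c = pool_alloc(p, sizeof *c);
    if (c) c->pool = p;
    return c;
}

/* Directive handler that stores the argument pointer exactly as given. */
static int add_cert_pointer(struct cert_cfg *cfg, const char *arg, struct pool *arg_pool) {
    if (cfg->ncerts >= MAX_CERTS) return -1;
    cfg->certs[cfg->ncerts].path = arg;
    cfg->certs[cfg->ncerts].owner = arg_pool;
    cfg->ncerts++;
    cfg->certs_set = 1;
    return 0;
}

/* Directive handler that copies the argument into the struct's own pool. */
static int add_cert_copy(struct cert_cfg *cfg, const char *arg) {
    char *dup = pool_strdup(cfg->pool, arg);
    return dup ? add_cert_pointer(cfg, dup, cfg->pool) : -1;
}

/* Number of entries whose string lives in a different pool than the struct. */
static int lifetime_mismatches(const struct cert_cfg *cfg) {
    int bad = 0;
    for (int i = 0; i < cfg->ncerts; i++)
        if (cfg->certs[i].owner != cfg->pool) bad++;
    return bad;
}

/* Per-directory merge: a level that set its own list replaces the parent's
 * list instead of appending to it; otherwise the parent's list is inherited. */
static struct cert_cfg *merge_dir_cfg(struct pool *p, const struct cert_cfg *base,
                                      const struct cert_cfg *add) {
    struct cert_cfg *m = cert_cfg_create(p);
    const struct cert_cfg *src = add->certs_set ? add : base;
    if (!m) return NULL;
    memcpy(m->certs, src->certs, sizeof m->certs);
    m->ncerts = src->ncerts;
    m->certs_set = src->certs_set;
    return m;
}

/* Scenario: an .htaccess directive whose argument is request-pool data.
 * per_server=1 stores it into a config-pool struct (per-server config reached
 * through an OR_ALL directive); per_server=0 uses a struct allocated from the
 * request pool, as a real per-directory config for .htaccess would be. */
static int htaccess_mismatch(int per_server, int copy_arg) {
    struct pool config_pool = {{0}, 0}, request_pool = {{0}, 0};
    struct cert_cfg *cfg = cert_cfg_create(per_server ? &config_pool : &request_pool);
    const char *arg = pool_strdup(&request_pool, "/etc/ssl/client.pem"); /* constructed */
    int bad;
    if (copy_arg) add_cert_copy(cfg, arg);
    else add_cert_pointer(cfg, arg, &request_pool);
    bad = lifetime_mismatches(cfg);
    pool_destroy(&request_pool);   /* end of request: arg is gone */
    pool_destroy(&config_pool);
    return bad;
}

/* Merge demo: parent defines two certs; the child either sets its own single
 * cert (child_sets_own=1) or sets nothing. Returns the merged entry count. */
static int merge_count(int child_sets_own) {
    struct pool p = {{0}, 0};
    struct cert_cfg *base = cert_cfg_create(&p), *add = cert_cfg_create(&p), *m;
    int n;
    add_cert_copy(base, "/certs/global-a.pem");   /* constructed paths */
    add_cert_copy(base, "/certs/global-b.pem");
    if (child_sets_own) add_cert_copy(add, "/certs/local.pem");
    m = merge_dir_cfg(&p, base, add);
    n = m ? m->ncerts : -1;
    pool_destroy(&p);
    return n;
}
```

`htaccess_mismatch(1, 0)` reports one entry that outlives its string, which is the situation the quoted analysis describes; giving the module a per-directory struct (`htaccess_mismatch(0, 0)`) or copying into the struct's own pool (`htaccess_mismatch(1, 1)`) removes the mismatch, though neither addresses the concurrent .htaccess reads the quoted text also mentions. `merge_count` shows the override semantics suggested above: a directory that names its own certs gets exactly those, not its own plus the parent's.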
