Re: svn commit: r817064 - in /httpd/httpd/branches/2.2.x: STATUS modules/aaa/mod_authnz_ldap.c

Sun, 20 Sep 2009 16:34:52 -0700 


On 09/20/2009 07:50 PM, j...@apache.org wrote:
> Author: jim
> Date: Sun Sep 20 17:50:19 2009
> New Revision: 817064
> 
> URL: http://svn.apache.org/viewvc?rev=817064&view=rev
> Log:
>  * mod_ldap: Pre-scan the requirements array before doing any LDAP lookups,
>    for cases where an LDAP URL is configured but non-LDAP authn/authz is in 
>    effect. This stops us from trying to resolve file-based userids to a DN
>    when the AuthLDAPURL has been defined at a very high level.
>    PR 45946
>    Trunk patch: n/a due to authz refactoring (no provider called without 
> require-ments)
>    2.2.x version of patch: 
> http://people.apache.org/~covener/httpd-2.2.x-authnz_ldap-skipdnloookup-3.diff
>    +1: covener, minfrin, jim
> 
> 
> 
> Modified:
>     httpd/httpd/branches/2.2.x/STATUS
>     httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c
> 

> Modified: httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c?rev=817064&r1=817063&r2=817064&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c (original)
> +++ httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c Sun Sep 20 
> 17:50:19 2009
> @@ -527,6 +527,29 @@
>          return DECLINED;
>      }
>  
> +    /* pre-scan for ldap-* requirements so we can get out of the way early */
> +    for(x=0; x < reqs_arr->nelts; x++) {

Why do we know that reqs_arr != NULL always?

> +        if (! (reqs[x].method_mask & (AP_METHOD_BIT << m))) {
> +            continue;
> +        }
> +
> +        t = reqs[x].requirement;
> +        w = ap_getword_white(r->pool, &t);
> +
> +        if (strncmp(w, "ldap-",5) == 0) {
> +            required_ldap = 1;
> +            break;
> +        }
> +    }
> +
> +    if (!required_ldap) {
> +        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
> +                      "[%" APR_PID_T_FMT "] auth_ldap authorise: declining 
> to authorise (no ldap requirements)", getpid());
> +        return DECLINED;
> +    }
> +
> +
> +
>      if (sec->host) {
>          ldc = util_ldap_connection_find(r, sec->host, sec->port,
>                                         sec->binddn, sec->bindpw, sec->deref,
> @@ -559,12 +582,6 @@
>  #endif
>      }
>  
> -    if (!reqs_arr) {
> -        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
> -                      "[%" APR_PID_T_FMT "] auth_ldap authorise: no 
> requirements array", getpid());
> -        return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
> -    }
> -

Why is this not needed any longer?

Regards

Rüdiger

Reply via email to