[PATCH]: LDAP Authz (was: Ldap Authorization)

2004-10-31 Thread Ryan Morgan
I've opened an enhancement in bugzilla:
http://issues.apache.org/bugzilla/show_bug.cgi?id=31913
I have attached the patch here for review.  I'd also like to get this
committed to the 2.0 tree so people can start taking advantage of the
feature without waiting for 2.2.
Thoughts?
Index: modules/aaa/mod_authnz_ldap.c
===
RCS file: /home/cvspublic/httpd-2.0/modules/aaa/mod_authnz_ldap.c,v
retrieving revision 1.5
diff -u -r1.5 mod_authnz_ldap.c
--- modules/aaa/mod_authnz_ldap.c   12 Oct 2004 12:27:18 -  1.5
+++ modules/aaa/mod_authnz_ldap.c   26 Oct 2004 23:52:04 -
@@ -466,7 +466,7 @@
 register int x;
 const char *t;
-char *w;
+char *w, *value;
 int method_restricted = 0;
 /*
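Review bot: `value` is only used by the new `ldap-attribute` branch added in the next hunk, so declaring it here at function scope widens its lifetime for no reason; C89 allows a declaration at the top of that `else if (strcmp(w, "ldap-attribute") == 0) {` block, which keeps it next to its single use and makes the scope of the `ap_getword_conf()` result obvious.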
@@ -646,6 +646,34 @@
   "[%d] auth_ldap authorise:  
require group \"%s\": "
   "authorisation failed [%s][%s]",
   getpid(), t, ldc->reason,  
ldap_err2string(result));
+}
+}
+}
+}
+else if (strcmp(w, "ldap-attribute") == 0) {
+while (t[0]) {
+w = ap_getword(r->pool, &t, '=');
+value = ap_getword_conf(r->pool, &t);
+
+ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO,  
0, r,
+  "[%d] auth_ldap authorise: checking  
attribute"
+  " %s has value %s", getpid(), w, value);
+result = util_ldap_cache_compare(r, ldc, sec->url,  
req->dn,
+ w, value);
+switch(result) {
+case LDAP_COMPARE_TRUE: {
+ap_log_rerror(APLOG_MARK,  
APLOG_DEBUG|APLOG_NOERRNO,
+  0, r, "[%d] auth_ldap authorise:  
"
+  "require attribute:  
authorisation "
+  "successful", getpid());
+return OK;
+}
+default: {
+ap_log_rerror(APLOG_MARK,  
APLOG_DEBUG|APLOG_NOERRNO,
+  0, r, "[%d] auth_ldap authorise:  
"
+  "require attribute:  
authorisation "
+  "failed [%s][%s]", getpid(),
+  ldc->reason,  
ldap_err2string(result));
 }
 }
 }
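Review bot: the `while (t[0])` loop returns OK on the first LDAP_COMPARE_TRUE and otherwise only logs and moves on, so several `attr=value` pairs on one `require ldap-attribute` line are OR'ed together; that is a defensible choice, but it should be stated in a comment above the loop and in the directive documentation, since an administrator writing `require ldap-attribute dept=eng clearance=high` may well expect AND. Also, `ap_getword(r->pool, &t, '=')` returns the whole remaining word when no `=` is present, and `value` then comes back empty, so a typo such as `require ldap-attribute dept` is silently compared against an empty string; checking for an empty `w` or `value` and logging at warning level would surface that misconfiguration instead of quietly denying (or, for an attribute that really is empty, granting) access. Finally, the `default:` arm lumps LDAP_COMPARE_FALSE together with connection and search errors at APLOG_DEBUG; a separate `case LDAP_COMPARE_FALSE:` would let genuine errors be logged at a higher severity, as the `require group` branch above already distinguishes.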

On Oct 27, 2004, at 5:15 AM, Jim Jagielski wrote:
Graham Leggett wrote:
AFAIR the default attributes for "require group" can be overridden from
"member" and "uniqueMember" to anything you like. You are restricted to
comparing against the distinguished name of the user though.

If you have a patch, open an enhancement report inside Bugzilla and
upload it there so that it doesn't fall through the cracks. Extending
the support for filters in the authorisation phase is a definite win.
+1
--
===
   Jim Jagielski   [|]   [EMAIL PROTECTED]   [|]   http://www.jaguNET.com/
"There are 10 types of people: those who read binary and everyone else."




Re: nagoya using mod_cache for Eyebrowse...

2004-10-31 Thread Henning Schmiedehausen
Thanks, that is a really big improvement!

BTW: I tried reloading a page with different language settings and this
worked fine. 

Regards
Henning


On Sat, 2004-10-30 at 20:51, Justin Erenkrantz wrote:
> I'm feeling semi-confident enough in mod_cache's current status that I've 
> deployed a current httpd-2.1 CVS snapshot to nagoya and enabled mod_cache, 
> mod_disk_cache, and mod_expires for Eyebrowse.  I've set a one-hour expiration 
> for all resources under /eyebrowse.  (Eyebrowse is behind a ProxyPass to a 
> standalone Tomcat instance, so this also tests the new proxy code.)
> 
> To my knowledge, this is the first time we've eaten our own cache food. 
> Needless to say, the ViewLists page () 
> returns *really* fast now.  ;-)  Without the cache, it takes roughly 20 
> seconds to return the resource.  With the cache active, it takes less than 1 
> second.  (And, my network's mandatory transparent proxy is now also caching 
> the representations, too: which makes my testing all the more fun.)
> 
> If all goes well with this deployment, during ApacheCon in two weeks, I'd like 
> to propose moving mod_cache out of experimental as one of the last steps 
> before starting towards a 2.2 release cycle.  -- justin
-- 
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen  INTERMETA GmbH
[EMAIL PROTECTED]+49 9131 50 654 0   http://www.intermeta.de/

RedHat Certified Engineer -- Jakarta Turbine Development  -- hero for hire
   Linux, Java, perl, Solaris -- Consulting, Training, Development

What is more important to you...
   [ ] Product Security
or [ ] Quality of Sales and Marketing Support
  -- actual question from a Microsoft customer survey




[PATCH] remove ap_sock_disable_nagle() API; improve httpd's handling of nagle errors

2004-10-31 Thread Jeff Trawick
At best, ap_sock_disable_nagle() is of limited use (just call
apr_socket_option_set and log if it fails), and at worst it hides
information (no retcode) and has no information to know
when/where/what to log.  So yank it.

Also:

Change httpd so that a connection-oriented nagle error (typically
EINVAL which means that client already dropped connection) is logged
with the client IP address and a debug log level.
We filter out not-implemented errors from platforms which don't
support TCP_NODELAY, but it is APR's job to tell us that rather than
trying to figure that out ourselves.

Change httpd so that if we're disabling nagle on the listening socket
(so APR won't have to disable it on connected sockets), we consider it
a shooting offense if it fails.

perchild is expected to work as before after this change.
Index: CHANGES
===
RCS file: /home/cvs/httpd-2.0/CHANGES,v
retrieving revision 1.1621
diff -u -r1.1621 CHANGES
--- CHANGES 29 Oct 2004 14:45:21 -  1.1621
+++ CHANGES 31 Oct 2004 15:23:38 -
@@ -2,6 +2,15 @@
 
   [Remove entries to the current 2.0 section below, when backported]
 
+  *) Remove ap_sock_disable_nagle() API.  Modules should instead use
+ the APR support and decide what logging, if any, is appropriate.
+ [Jeff Trawick]
+
+  *) Log the client IP address when an error occurs disabling nagle on a
+ connection, but log at a severity of debug since this error 
+ generally means that the connection was dropped before data was
+ sent.  [Jeff Trawick]
+
   *) Add ap_log_cerror() for logging messages associated with particular
  client connections.  [Jeff Trawick]
 
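Review bot: the second entry documents the debug-level logging for connected sockets but not the other behaviour change described in the cover note, namely that a failure to disable Nagle on the listening socket is now treated as fatal; since that is the change most likely to be noticed by someone upgrading on an unusual platform, it deserves its own line here, e.g. `*) Treat failure to disable Nagle on the listening socket as a fatal startup error. [Jeff Trawick]`. The first entry could also name the replacement call (`apr_socket_opt_set(s, APR_TCP_NODELAY, 1)`) so module authors do not have to go looking for it.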
Index: include/ap_mmn.h
===
RCS file: /home/cvs/httpd-2.0/include/ap_mmn.h,v
retrieving revision 1.71
diff -u -r1.71 ap_mmn.h
--- include/ap_mmn.h23 Oct 2004 22:39:53 -  1.71
+++ include/ap_mmn.h31 Oct 2004 15:23:41 -
@@ -84,14 +84,15 @@
  *  changed ap_add_module, ap_add_loaded_module,
  *  ap_setup_prelinked_modules, ap_process_resource_config
  * 20040425.1 (2.1.0-dev) Added ap_module_symbol_t and ap_prelinked_module_symbols
+ * 20041031 (2.1.0-dev) removed ap_sock_disable_nagle API
  */
 
 #define MODULE_MAGIC_COOKIE 0x41503230UL /* "AP20" */
 
 #ifndef MODULE_MAGIC_NUMBER_MAJOR
-#define MODULE_MAGIC_NUMBER_MAJOR 20040425
+#define MODULE_MAGIC_NUMBER_MAJOR 20041031
 #endif
-#define MODULE_MAGIC_NUMBER_MINOR 1 /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 0 /* 0...n */
 
 /**
  * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
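Review bot: bumping MODULE_MAGIC_NUMBER_MAJOR and resetting MINOR to 0 is the right signal for removing a public function, since a module built against the old MMN would otherwise be rejected only when its unresolved `ap_sock_disable_nagle` symbol is hit at load time; one style nit, the neighbouring history lines capitalise the verb (`Added ap_module_symbol_t ...`), so `removed ap_sock_disable_nagle API` should read `Removed ap_sock_disable_nagle API` for consistency.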
Index: include/mpm_common.h
===
RCS file: /home/cvs/httpd-2.0/include/mpm_common.h,v
retrieving revision 1.49
diff -u -r1.49 mpm_common.h
--- include/mpm_common.h15 Mar 2004 23:08:41 -  1.49
+++ include/mpm_common.h31 Oct 2004 15:23:41 -
@@ -96,19 +96,6 @@
 int ap_process_child_status(apr_proc_t *pid, apr_exit_why_e why, int status);
 #endif
 
-#if defined(TCP_NODELAY) && !defined(MPE) && !defined(TPF)
-/**
- * Turn off the nagle algorithm for the specified socket.  The nagle algorithm
- * says that we should delay sending partial packets in the hopes of getting
- * more data.  There are bad interactions between persistent connections and
- * Nagle's algorithm that have severe performance penalties.
- * @param s The socket to disable nagle for.
- */
-void ap_sock_disable_nagle(apr_socket_t *s);
-#else
-#define ap_sock_disable_nagle(s)/* NOOP */
-#endif
-
 #ifdef HAVE_GETPWNAM
 /**
  * Convert a username to a numeric ID
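Review bot: with the `#if defined(TCP_NODELAY) && !defined(MPE) && !defined(TPF)` guard gone, the knowledge of which platforms lack TCP_NODELAY now has to come from APR returning APR_ENOTIMPL from apr_socket_opt_set(), as the cover note says, so any caller that previously relied on the `/* NOOP */` macro must now handle that return code itself; the docstring deleted here was the only header-level explanation of why Nagle is disabled, so make sure the equivalent comment lands beside the remaining call site (the core.c hunk below does this) and that the CHANGES entry points third-party modules at the APR replacement.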
Index: server/core.c
===
RCS file: /home/cvs/httpd-2.0/server/core.c,v
retrieving revision 1.290
diff -u -r1.290 core.c
--- server/core.c   29 Oct 2004 14:45:24 -  1.290
+++ server/core.c   31 Oct 2004 15:23:46 -
@@ -4544,6 +4544,7 @@
 static int core_pre_connection(conn_rec *c, void *csd)
 {
 core_net_rec *net = apr_palloc(c->pool, sizeof(*net));
+apr_status_t rv;
 
 #ifdef AP_MPM_DISABLE_NAGLE_ACCEPTED_SOCK
 /* BillS says perhaps this should be moved to the MPMs. Some OSes
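Review bot: `rv` is declared unconditionally but, judging by the following hunk, only assigned inside `#ifdef AP_MPM_DISABLE_NAGLE_ACCEPTED_SOCK`, so MPMs that do not define that macro will get an unused-variable warning under -Wall; wrap the declaration in the same `#ifdef` (it can stay in the declaration section right after `net`) or guard it with the same macro.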
@@ -4551,7 +4552,21 @@
  * accept sockets which means this call only needs to be made
  * once on the listener
  */
-ap_sock_disable_nagle(csd);
+/* The Nagle algorithm says that we should delay sending partial
+ * packets in hopes of getting more data.  We don't want to do
+ * this; we are not telnet.  There are bad interactions between
+ * persistent connections and Nagle's algorithm that have very severe
+ * performance penalties.  (Failing to disable Nagle is not much of a
+ * problem with simple HTTP.)
+ */
+rv = apr_sock
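Review bot: the hunk is cut off at `rv = apr_sock`, so the error handling the cover note promises (filtering APR_ENOTIMPL, logging EINVAL-style failures with the client address at APLOG_DEBUG via the new ap_log_cerror()) cannot be reviewed from this copy; please resend the complete hunk. On the visible part: the new comment block is a near-verbatim copy of the docstring deleted from mpm_common.h, which is the right place for it now that the call is inline, but the parenthetical `(Failing to disable Nagle is not much of a problem with simple HTTP.)` sits awkwardly two lines below `very severe performance penalties`; either drop it or say explicitly that the penalty bites only with persistent connections.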

Bug report for Apache httpd-2.0 [2004/10/31]

2004-10-31 Thread bugzilla
Columns:  Bugzilla Bug ID | Status | Severity | Date Posted | Description
Status:   UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement
| 7483|Ass|Enh|2002-03-26|Add FileAction directive to assign a cgi interpret|
| 7741|Ass|Nor|2002-04-04|some directives may be placed outside of proper co|
| 7862|New|Enh|2002-04-09|suexec never log a group name.|
| 8167|New|Min|2002-04-16|--with-module does not build MODULE_DIRS correctly|
| 8483|Opn|Min|2002-04-24|apache_2.0 .msi installer breaks .log and .conf fi|
| 8500|Ass|Cri|2002-04-25|authorization user does not logged|
| 8713|New|Min|2002-05-01|No Errorlog on PROPFIND/Depth:Infinity|
| 8925|New|Cri|2002-05-09|Service Install (win32 .msi/.exe) fails for port i|
| 8993|Opn|Nor|2002-05-10|openssl library location(s) are hardcoded in confi|
| 9513|Opn|Nor|2002-05-30|Missing start menu items  |
| 9727|New|Min|2002-06-09|Double quotes should be flagged as T_HTTP_TOKEN_ST|
| 9945|New|Enh|2002-06-18|[PATCH] new funtionality for apache bench |
|10114|Ass|Enh|2002-06-21|Negotiation gives no weight to order, only q value|
|10154|Ass|Nor|2002-06-23|ApacheMonitor interferes with service uninstall/re|
|10775|Ass|Cri|2002-07-13|SCRIPT_NAME wrong value   |
|11035|New|Min|2002-07-22|Apache adds double entries to headers generated by|
|11294|New|Enh|2002-07-30|desired vhost_alias option|
|11427|Opn|Maj|2002-08-02|Possible Memory Leak in CGI script invocation |
|11521|New|Nor|2002-08-07|Addition of  Japanese error message   |
|11540|Opn|Nor|2002-08-07|ProxyTimeout ignored  |
|11580|Opn|Enh|2002-08-09|generate Content-Location headers |
|11660|New|Enh|2002-08-13|a New Hebrew Translation for "Test Page for Apache|
|12033|Opn|Nor|2002-08-26|Graceful restart immidiately result in [warn] long|
|12340|Opn|Nor|2002-09-05|WindowsXP proxy, child process exited with status |
|12355|Opn|Nor|2002-09-06|SSLVerifyClient directive in location make post to|
|12680|New|Enh|2002-09-16|Digest authentication with integrity protection   |
|12885|New|Enh|2002-09-20|windows 2000 build information: mod_ssl, bison, et|
|12981|New|Nor|2002-09-25|Apache Bench can't take binary post data  |
|13029|New|Nor|2002-09-26|Win32 mod_cgi failure with non-ASCII characters in|
|13101|New|Cri|2002-09-27|Using mod_ext_filter with mod_proxy and http/1.1 c|
|13272|Opn|Nor|2002-10-04|Documentation doesn't mention that SSL is not in b|
|13368|New|Maj|2002-10-07|IIS prevents Apache from starting (missing -w opti|
|13507|New|Enh|2002-10-10|capturing stderr from mod_cgi |
|13577|New|Maj|2002-10-13|mod_proxy mangles query string with mod_rewrite   |
|13599|Ass|Nor|2002-10-14|autoindex formating broken for multibyte sequences|
|13603|New|Nor|2002-10-14|incorrect DOCUMENT_URI in mod_autoindex with Heade|
|13661|Ass|Enh|2002-10-15|Apache cannot not handle dynamic IP reallocation  |
|13946|Opn|Nor|2002-10-24|reverse proxy errors when a document expires from |
|13986|Ass|Enh|2002-10-26|remove default MIME-type  |
|14016|Ass|Nor|2002-10-28|Problem when using mod_ext_filter with ActivePerl |
|14090|New|Maj|2002-10-30|mod_cgid always writes to main server error log   |
|14104|New|Nor|2002-10-30|not documented: must restart server to load new CR|
|14206|New|Nor|2002-11-04|DirectoryIndex circumvents -FollowSymLinks option |
|14227|New|Nor|2002-11-04|Error handling script is not started (error 500) o|
|14496|New|Enh|2002-11-13|Cannot upgrade 2.0.39 -> 2.0.43. Must uninstall fi|
|14513|Ass|Min|2002-11-13|AddDefaultCharset should apply to application/xhtm|
|14556|Opn|Nor|2002-11-14|mod_cache with mod_mem_cache enabled doesnt cash m|
|14750|New|Maj|2002-11-21|Windows 9x: apr_socket_opt_set cannot set SO_KEEPA|
|14858|New|Enh|2002-11-26|mod_cache never caches responses for requests requ|
|14922|Ass|Enh|2002-11-28| is currently hardcoded to 'apache2'  |
|14990|New|Nor|2002-12-02|2.0.43 dumps core when reading config |
|15045|Ass|Nor|

Bug report for Apache httpd-1.3 [2004/10/31]

2004-10-31 Thread bugzilla
Columns:  Bugzilla Bug ID | Status | Severity | Date Posted | Description
Status:   UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement
| 7982|New|Maj|2002-04-11|mod_rewrite URL string empty when passed unicoded |
| 8311|Opn|Nor|2002-04-19|error in PUT directive gives confusing error messa|
| 8329|New|Nor|2002-04-20|mime_magic gives 500 and no error_log on Microsoft|
| 8372|Ass|Nor|2002-04-22|Threadsaftey issue in Rewrite's cache [Win32/OS2/N|
| 8849|New|Nor|2002-05-07|make install errors as root on NFS shares |
| 8882|New|Enh|2002-05-07|[PATCH] mod_rewrite communicates with external rew|
| 9037|New|Min|2002-05-13|Slow performance when acessing an unresolved IP ad|
| 9126|New|Blk|2002-05-15|68k-next-openstep v. 4.0  |
| 9726|New|Min|2002-06-09|Double quotes should be flagged as T_HTTP_TOKEN_ST|
| 9894|New|Maj|2002-06-16|getline sub in support progs collides with existin|
| |New|Nor|2002-06-19|Incorrect default manualdir value with layout.|
|10038|New|Min|2002-06-20|ab benchmaker hangs on 10K https URLs with keepali|
|10073|New|Maj|2002-06-20|upgrade from 1.3.24 to 1.3.26 breaks include direc|
|10169|New|Nor|2002-06-24|Apache seg faults due to attempt to access out of |
|10178|New|Maj|2002-06-24|Proxy server cuts off begining of buffer when spec|
|10195|New|Nor|2002-06-24|Configure script erroneously detects system Expat |
|10199|New|Nor|2002-06-24|Configure can't handle directory names with unders|
|10243|New|Maj|2002-06-26|CGI scripts not getting POST data |
|10354|New|Nor|2002-06-30|ErrorDocument(.htaccess) fails when passed URL wit|
|10470|New|Cri|2002-07-04|proxy module will not correctly serve mixed case f|
|10666|New|Enh|2002-07-10|line-end comment error message missing file name  |
|10744|New|Nor|2002-07-12|suexec might fail to open log file|
|10747|New|Maj|2002-07-12|ftp SIZE command and 'smart' ftp servers results i|
|10760|New|Maj|2002-07-12|empty ftp directory listings from cached ftp direc|
|10939|New|Maj|2002-07-18|directory listing errors  |
|11020|New|Maj|2002-07-21|APXS only recognise tests made by ./configure |
|11236|New|Min|2002-07-27|Possible Log exhaustion bug?  |
|11265|New|Blk|2002-07-29|mod_rewrite fails to encode special characters|
|11765|New|Nor|2002-08-16|.apaci.install.tmp installs in existing httpd.conf|
|11986|New|Nor|2002-08-23|Restart hangs when piping logs on rotation log pro|
|11993|Opn|Cri|2002-08-23|PDFs served through ProxyPass show up blank   |
|12096|New|Nor|2002-08-27|apxs does not handle binary dists installed at non|
|12391|New|Maj|2002-09-07|DBM_LIB should be blank for OS X 10.2 |
|12551|New|Nor|2002-09-11|mod_proxy fails to shutdown when client cancels   |
|12574|New|Nor|2002-09-12|Broken images comes from mod_proxy when caching ww|
|12583|New|Nor|2002-09-12|First piped log process do not handle SIGTERM |
|12598|New|Maj|2002-09-12|Apache hanging in Keepalive State |
|13120|New|Cri|2002-09-29|CGI procs defunctioning   |
|13188|New|Nor|2002-10-02|does not configure correctly for hppa64-hp-hpux11.|
|13274|Ass|Nor|2002-10-04|Subsequent requests are destroyed by the request e|
|13607|Opn|Enh|2002-10-14|Catch-all enhancement for vhost_alias?|
|13687|New|Min|2002-10-16|Leave Debug symbol on Darwin  |
|13822|New|Maj|2002-10-21|Problem while running Perl modules accessing CGI::|
|14095|Opn|Nor|2002-10-30|Change default Content-Type (DefaultType) in defau|
|14250|New|Maj|2002-11-05|Alternate UserDirs don't work intermittantly  |
|14443|New|Maj|2002-11-11|Keep-Alive randomly causes TCP RSTs   |
|14448|Opn|Cri|2002-11-11|Apache WebServer not starting if installed on Comp|
|14518|Opn|Nor|2002-11-13|QUERY_STRING parts not incorporated by mod_rewrite|
|14647|New|Nor|2002-11-18|apachectl doesn't sufficiently check for previousl|
|14670|New|Cri|2002-11-19|Apache didn't deallocate unused memory|
|14748|New|Nor|2002-11-21|Configure Can't find DBM on Mac OS X  |
|14972|

Re: nagoya using mod_cache for Eyebrowse...

2004-10-31 Thread Graham Leggett
Justin Erenkrantz wrote:
To my knowledge, this is the first time we've eaten our own cache food. 
Needless to say, the ViewLists page 
() returns *really* fast now.  ;-)  
Without the cache, it takes roughly 20 seconds to return the resource.  
With the cache active, it takes less than 1 second.  (And, my network's 
mandatory transparent proxy is now also caching the representations, 
too: which makes my testing all the more fun.)
This is excellent news :)
If all goes well with this deployment, during ApacheCon in two weeks, 
I'd like to propose moving mod_cache out of experimental as one of the 
last steps before starting towards a 2.2 release cycle.  -- justin
+1 :)
Regards,
Graham
--



