Re: svn commit: r614605 - in /httpd/httpd/trunk: include/util_ldap.h modules/ldap/util_ldap.c

2008-01-24 Thread Brad Nicholes
 On 1/23/2008 at 7:25 PM, in message [EMAIL PROTECTED], Paul J. Reder
 [EMAIL PROTECTED] wrote:

 
 Ruediger Pluem wrote:
 
 On 01/23/2008 07:14 PM, [EMAIL PROTECTED] wrote:
 Author: rederpj
 Date: Wed Jan 23 10:14:41 2008
 New Revision: 614605

  URL: http://svn.apache.org/viewvc?rev=614605&view=rev
 Log:
 This adds Apache support (taking advantage of the new APR capability)
 for ldap rebind callback while chasing referrals. This allows direct
 searches on LDAP servers (in particular MS Active Directory 2003+)
 using referrals without the use of the global catalog.
 This addresses PRs 26538, 40268, and 42557
 
   @@ -2614,6 +2710,15 @@
  Specify the LDAP socket connection timeout in seconds 
 
  (default: 10)),
  
   +AP_INIT_FLAG(LDAPReferrals, util_ldap_set_chase_referrals,
   +  NULL, OR_AUTHCFG,
   +  Choose whether referrals are chased ['ON'|'OFF'].  
 Default ON'),
   +
   +AP_INIT_TAKE1(LDAPReferralHopLimit, 
 util_ldap_set_referral_hop_limit,
   +  NULL, OR_AUTHCFG,
   +  Limit the number of referral hops that LDAP can 
 follow. 
   +  (Integer value, default=5)),
   +
{NULL}
};
 
 @@ -2638,7 +2743,7 @@
  
  module AP_MODULE_DECLARE_DATA ldap_module = {
 STANDARD20_MODULE_STUFF,
 -   NULL,/* create dir config */
 +   util_ldap_create_dir_config, /* create dir config */
 NULL,/* merge dir config */
 
 Why no merge dir config? How do you inherit your settings in this case?
 
  Now that you ask that question it makes me realize that the better question is
  probably "Should the directives be directory scoped or server scoped?" The rest
  of the util_ldap directives are all server scoped. Is there any compelling reason
  that the referral directives would need to be alterable on a directory-by-directory
  (or htaccess) basis or should it be turned on/off and limited on a server-wide
  scope?
 

I wish I had a better memory, but I vaguely recall going down this path once
before between server-merge and dir-merge (mailing list archives might remember
better than I do). I know that when it comes to anything SSL related, not all
LDAP SDKs can handle per-directory options, Novell LDAP SDK being one of them.
So when it comes to setting options on a per-directory basis, it might get a
little tricky depending on the LDAP SDK that is being used.

Brad



Re: svn commit: r614605 - in /httpd/httpd/trunk: include/util_ldap.h modules/ldap/util_ldap.c

2008-01-24 Thread Paul J. Reder

The referral code is enabled via set_option calls and is currently
processed in relation to a newly created ldap connection. Any further
directory related processing would have to support changing the options
later, or provide extra criteria when selecting a connection to use. But I
agree that, logically, it should be directory scoped.

I'm committing the doc now (directory scoped, to match the code I committed)
and I'll look at making sure the processing addresses that (via merge, etc).

Graham Leggett wrote:

Paul J. Reder wrote:

Now that you ask that question it makes me realize that the better question is
probably "Should the directives be directory scoped or server scoped?" The rest
of the util_ldap directives are all server scoped.


The cache related ones are all server scoped, as the cache is server wide.

The SSL related ones are directory and/or server scoped, and it depends 
on the underlying toolkit as to whether directory scope works at all.


Don't fall into the trap of thinking all directives have to be handled 
the same way. My gut feel is that the referral processing should be 
directory scoped, there is no guarantee that the server will only ever 
connect to one type of LDAP server at a time, and the admin may want 
different processing depending on the application.


Regards,
Graham
--


--
Paul J. Reder
---
The strength of the Constitution lies entirely in the determination of each
citizen to defend it.  Only if every single citizen feels duty bound to do
his share in this defense are the constitutional rights secure.
-- Albert Einstein
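A standalone model of the inheritance question raised in this exchange (Ruediger's "why no merge dir config?" and the directory-versus-server scoping that followed), as an added example rather than httpd's or mod_ldap's own code: it has no APR or httpd dependency and only mirrors the shape of the create_dir_config / merge_dir_config hooks so the problem can be run and checked offline. The defaults (chasing on, 5 hops), the LDAP_UNSET sentinel and every function name are assumptions made for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed defaults, taken from the values the patch hard-codes. */
#define LDAP_DEFAULT_CHASE_REFERRALS    1
#define LDAP_DEFAULT_REFERRAL_HOP_LIMIT 5
/* Sentinel meaning "this directive was not given in this section". */
#define LDAP_UNSET (-1)

typedef struct {
    int chase_referrals;    /* LDAP_UNSET, 0 (off) or 1 (on) */
    int referral_hop_limit; /* LDAP_UNSET or a non-negative hop count */
} ldap_dir_config;

/* Counterpart of a create_dir_config hook: every field starts UNSET, never at
 * its default, so the merge step can tell "not set here" from "set to the
 * default value". */
static ldap_dir_config create_dir_config(void)
{
    ldap_dir_config dc;
    dc.chase_referrals = LDAP_UNSET;
    dc.referral_hop_limit = LDAP_UNSET;
    return dc;
}

/* Counterpart of a merge_dir_config hook: the inner section (add) overrides
 * only the fields it actually set; the rest is inherited from base. */
static ldap_dir_config merge_dir_config(const ldap_dir_config *base,
                                        const ldap_dir_config *add)
{
    ldap_dir_config m;
    m.chase_referrals = (add->chase_referrals != LDAP_UNSET)
                        ? add->chase_referrals : base->chase_referrals;
    m.referral_hop_limit = (add->referral_hop_limit != LDAP_UNSET)
                           ? add->referral_hop_limit : base->referral_hop_limit;
    return m;
}

/* What happens with no merge hook: the inner section's config simply replaces
 * the enclosing one, so nothing set at the outer level survives. */
static ldap_dir_config replace_dir_config(const ldap_dir_config *base,
                                          const ldap_dir_config *add)
{
    (void)base;
    return *add;
}

/* Resolve UNSET to the compiled-in defaults at the point of use. */
static int effective_chase_referrals(const ldap_dir_config *dc)
{
    return dc->chase_referrals == LDAP_UNSET ? LDAP_DEFAULT_CHASE_REFERRALS
                                             : dc->chase_referrals;
}

static int effective_hop_limit(const ldap_dir_config *dc)
{
    return dc->referral_hop_limit == LDAP_UNSET ? LDAP_DEFAULT_REFERRAL_HOP_LIMIT
                                                : dc->referral_hop_limit;
}

/* Handler for LDAPReferralHopLimit. Unlike atol(), it rejects non-numeric,
 * negative and out-of-range arguments instead of silently storing 0 or a
 * truncated value. Like an httpd directive handler it returns NULL on
 * success and an error message otherwise. */
static const char *set_referral_hop_limit(ldap_dir_config *dc, const char *arg)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(arg, &end, 10);
    if (end == arg || *end != '\0' || errno == ERANGE || v < 0 || v > INT_MAX)
        return "LDAPReferralHopLimit must be a non-negative integer";
    dc->referral_hop_limit = (int)v;
    return NULL;
}

/* 1 if the handler accepts the argument, 0 if it rejects it. */
static int hop_limit_accepted(const char *arg)
{
    ldap_dir_config dc = create_dir_config();
    return set_referral_hop_limit(&dc, arg) == NULL;
}

/* The scenario from the thread: the enclosing section sets
 *   LDAPReferralHopLimit 2
 * and a nested <Directory> says only
 *   LDAPReferrals off
 * Returns the config the nested section ends up with, with or without merging. */
static ldap_dir_config nested_result(int use_merge)
{
    ldap_dir_config outer = create_dir_config();
    ldap_dir_config inner = create_dir_config();

    set_referral_hop_limit(&outer, "2");
    inner.chase_referrals = 0;
    return use_merge ? merge_dir_config(&outer, &inner)
                     : replace_dir_config(&outer, &inner);
}

static int nested_hop_limit(int use_merge)
{
    ldap_dir_config r = nested_result(use_merge);
    return effective_hop_limit(&r);
}

static int nested_chase_referrals(int use_merge)
{
    ldap_dir_config r = nested_result(use_merge);
    return effective_chase_referrals(&r);
}

int main(void)
{
    printf("with merge hook:    chase=%d hop limit=%d\n",
           nested_chase_referrals(1), nested_hop_limit(1));
    printf("without merge hook: chase=%d hop limit=%d\n",
           nested_chase_referrals(0), nested_hop_limit(0));
    printf("'abc' accepted=%d  '-1' accepted=%d  '10' accepted=%d\n",
           hop_limit_accepted("abc"), hop_limit_accepted("-1"),
           hop_limit_accepted("10"));
    return 0;
}
```

Run as is, it reports the hop limit a nested section that only says LDAPReferrals off ends up with: 2 when a merge hook inherits it from the enclosing level, the compiled-in 5 when there is no merge hook, because httpd substitutes the inner section's per-dir config for the outer one rather than merging when a module supplies no merge function. The UNSET sentinel is what makes the merge possible at all; a create hook that pre-fills the defaults, as the patch does, leaves the merge hook unable to tell an explicit "LDAPReferralHopLimit 5" from "nothing said".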



Re: svn commit: r614605 - in /httpd/httpd/trunk: include/util_ldap.h modules/ldap/util_ldap.c

2008-01-24 Thread Graham Leggett

Paul J. Reder wrote:

Now that you ask that question it makes me realize that the better question is
probably "Should the directives be directory scoped or server scoped?" The rest
of the util_ldap directives are all server scoped.


The cache related ones are all server scoped, as the cache is server wide.

The SSL related ones are directory and/or server scoped, and it depends 
on the underlying toolkit as to whether directory scope works at all.


Don't fall into the trap of thinking all directives have to be handled 
the same way. My gut feel is that the referral processing should be 
directory scoped, there is no guarantee that the server will only ever 
connect to one type of LDAP server at a time, and the admin may want 
different processing depending on the application.


Regards,
Graham
--




Re: svn commit: r614605 - in /httpd/httpd/trunk: include/util_ldap.h modules/ldap/util_ldap.c

2008-01-23 Thread Ruediger Pluem


On 01/23/2008 07:14 PM, [EMAIL PROTECTED] wrote:
 Author: rederpj
 Date: Wed Jan 23 10:14:41 2008
 New Revision: 614605
 
  URL: http://svn.apache.org/viewvc?rev=614605&view=rev
 Log:
 This adds Apache support (taking advantage of the new APR capability)
 for ldap rebind callback while chasing referrals. This allows direct
 searches on LDAP servers (in particular MS Active Directory 2003+)
 using referrals without the use of the global catalog.
 This addresses PRs 26538, 40268, and 42557
 
 
 Modified:
 httpd/httpd/trunk/include/util_ldap.h
 httpd/httpd/trunk/modules/ldap/util_ldap.c
 
 Modified: httpd/httpd/trunk/include/util_ldap.h
 URL: 
  http://svn.apache.org/viewvc/httpd/httpd/trunk/include/util_ldap.h?rev=614605&r1=614604&r2=614605&view=diff
 ==
 --- httpd/httpd/trunk/include/util_ldap.h (original)
 +++ httpd/httpd/trunk/include/util_ldap.h Wed Jan 23 10:14:41 2008
 @@ -29,6 +29,7 @@
  #include apr_tables.h
  #include apr_time.h
  #include apr_ldap.h
 +#include apr_ldap_rebind.h
  
  #if APR_HAS_MICROSOFT_LDAPSDK
  #define AP_LDAP_IS_SERVER_DOWN(s)((s) == LDAP_SERVER_DOWN \
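Review bot: the new `#include apr_ldap_rebind.h` in util_ldap.h is unconditional, so the header now compiles only against an apr-util that ships the rebind API; wrap it in a feature or APR version check (and make the dependency explicit in the build) so that a build against an older apr-util fails with a clear message rather than at this include, which matters if the change is meant to be backported.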
 @@ -112,11 +113,18 @@
  apr_array_header_t *client_certs;   /* Client certificates on this 
 connection */
  
  const char *reason; /* Reason for an error failure */
 +int ChaseReferrals; /* [on|off] (on=1, off=0, default = 
 On)*/
 +int ReferralHopLimit;   /* # of referral hops to follow 
 (default = 5) */

Hm. This requires a major bump. Append it to the end of the struct and you
only need a minor bump and the whole thing becomes backportable.

  
  struct util_ldap_connection_t *next;
  struct util_ldap_state_t *st;/* The LDAP vhost config this 
 connection belongs to */
  int keep;/* Will this connection be kept 
 when it's unlocked */
  } util_ldap_connection_t;
 +
 +typedef struct util_ldap_config_t {
 +int ChaseReferrals;
 +int ReferralHopLimit;
 +} util_ldap_config_t;
  
  /* LDAP cache state information */ 
  typedef struct util_ldap_state_t {
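Review bot: ChaseReferrals and ReferralHopLimit now appear in both util_ldap_connection_t and the new util_ldap_config_t, and nothing in the hunk states which copy is authoritative or when the connection takes its snapshot. Because connections are pooled and reused across requests, the connection-cache lookup has to compare these two fields as well, otherwise a connection opened with referral chasing on can be handed to a request whose section has it off (or a lower hop limit). A comment on the connection fields saying they are a copy of the directory config in force when the connection was created would make that contract explicit.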
 
 Modified: httpd/httpd/trunk/modules/ldap/util_ldap.c
 URL: 
  http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ldap/util_ldap.c?rev=614605&r1=614604&r2=614605&view=diff
 ==
 --- httpd/httpd/trunk/modules/ldap/util_ldap.c (original)
 +++ httpd/httpd/trunk/modules/ldap/util_ldap.c Wed Jan 23 10:14:41 2008

 @@ -2288,6 +2340,47 @@
  }
  
  
 +static const char *util_ldap_set_chase_referrals(cmd_parms *cmd,
 + void *config,
 + int mode)
 +{
 +util_ldap_config_t *dc =  config;
 +
 +ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd-server,
 +  LDAP: Setting refferal chasing %s,
 +  mode?ON:OFF);
 +
 +dc-ChaseReferrals = mode;
 +
 +return(NULL);
 +}
 +
 +static const char *util_ldap_set_referral_hop_limit(cmd_parms *cmd,
 +void *config,
 +const char *hop_limit)
 +{
 +util_ldap_config_t *dc =  config;
 +
 +dc-ReferralHopLimit = atol(hop_limit);
 +
 +ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd-server,
 + LDAP: Limit chased referrals to maximum of %d hops.,
 + dc-ReferralHopLimit);
 +
 +return NULL;
 +}
 +
 +static void *util_ldap_create_dir_config(apr_pool_t *p, char *d) {
 +   util_ldap_config_t *dc =
 +   (util_ldap_config_t *) apr_pcalloc(p,sizeof(util_ldap_config_t));
 +
 +   dc-ChaseReferrals = 1;   /* default is to turn referral chasing on. */
 +   dc-ReferralHopLimit = 5; /* default is to chase a max of 5 hops. */

I would love to see #defines for these defaults (util_ldap.h) and have these
defines referred to everywhere, even in the comments.

 +
 +   return dc;
 +}
 +
 +
  static void *util_ldap_create_config(apr_pool_t *p, server_rec *s)
  {
  util_ldap_state_t *st =
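Review bot: util_ldap_set_referral_hop_limit stores atol(hop_limit) without any check, so `LDAPReferralHopLimit abc` silently becomes 0 and a negative or oversized value is truncated into the int field; parse with strtol, verify the whole argument was consumed and the value is in range, and return an error string otherwise, e.g. `return "LDAPReferralHopLimit must be a non-negative integer";`. Two smaller points in the same hunk: the debug log string in util_ldap_set_chase_referrals misspells "referral" as "refferal", and the handlers log at config-parse time through cmd->server, which is fine for the server context but will be noisy once the directives are accepted from .htaccess.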

 @@ -2638,7 +2743,7 @@
  
  module AP_MODULE_DECLARE_DATA ldap_module = {
 STANDARD20_MODULE_STUFF,
 -   NULL,/* create dir config */
 +   util_ldap_create_dir_config, /* create dir config */
 NULL,/* merge dir config */

Why no merge dir config? How do you inherit your settings in this case?

 util_ldap_create_config, /* create server config */
 util_ldap_merge_config,  /* merge server config */
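Review bot: with merge dir config left NULL, httpd substitutes the more specific section's config vector for its parent's instead of merging them, and since util_ldap_create_dir_config pre-fills both fields with their defaults there is no way to distinguish "not set in this section" from "set to the default"; a `<Directory>` that only says `LDAPReferrals off` therefore ends up with the compiled-in hop limit, not the one configured at the enclosing level. Supply a merge function and initialise the fields to an unset sentinel (or keep per-field "set" flags) so that only directives actually given in the inner section override the outer ones.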
 

Regards

Rüdiger



Re: svn commit: r614605 - in /httpd/httpd/trunk: include/util_ldap.h modules/ldap/util_ldap.c

2008-01-23 Thread Paul J. Reder



Ruediger Pluem wrote:


On 01/23/2008 07:14 PM, [EMAIL PROTECTED] wrote:

Author: rederpj
Date: Wed Jan 23 10:14:41 2008
New Revision: 614605

URL: http://svn.apache.org/viewvc?rev=614605&view=rev
Log:
This adds Apache support (taking advantage of the new APR capability)
for ldap rebind callback while chasing referrals. This allows direct
searches on LDAP servers (in particular MS Active Directory 2003+)
using referrals without the use of the global catalog.
This addresses PRs 26538, 40268, and 42557


 @@ -2614,6 +2710,15 @@
Specify the LDAP socket connection timeout in seconds 
(default: 10)),

 +AP_INIT_FLAG(LDAPReferrals, util_ldap_set_chase_referrals,
 +  NULL, OR_AUTHCFG,
 +  Choose whether referrals are chased ['ON'|'OFF'].  Default 
ON'),
 +
 +AP_INIT_TAKE1(LDAPReferralHopLimit, util_ldap_set_referral_hop_limit,
 +  NULL, OR_AUTHCFG,
 +  Limit the number of referral hops that LDAP can follow. 
 +  (Integer value, default=5)),
 +
  {NULL}
  };
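Review bot: both directives are registered with OR_AUTHCFG, so wherever `AllowOverride AuthConfig` is in effect an .htaccess file can turn referral chasing back on or raise LDAPReferralHopLimit above whatever the server configuration set. If the hop limit is meant as an administrator-controlled ceiling on how far a referral chain is followed, either register it RSRC_CONF or enforce a server-level maximum when the per-directory value is applied; also, the help text embeds the literal default ("default=5") while the value itself lives in util_ldap_create_dir_config, so the two will drift unless both come from one #define.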


@@ -2638,7 +2743,7 @@
 
 module AP_MODULE_DECLARE_DATA ldap_module = {

STANDARD20_MODULE_STUFF,
-   NULL,/* create dir config */
+   util_ldap_create_dir_config, /* create dir config */
NULL,/* merge dir config */


Why no merge dir config? How do you inherit your settings in this case?


Now that you ask that question it makes me realize that the better question is
probably "Should the directives be directory scoped or server scoped?" The rest
of the util_ldap directives are all server scoped. Is there any compelling reason
that the referral directives would need to be alterable on a directory-by-directory
(or htaccess) basis or should it be turned on/off and limited on a server-wide
scope?




util_ldap_create_config, /* create server config */
util_ldap_merge_config,  /* merge server config */



Regards

Rüdiger




--
Paul J. Reder
---
The strength of the Constitution lies entirely in the determination of each
citizen to defend it.  Only if every single citizen feels duty bound to do
his share in this defense are the constitutional rights secure.
-- Albert Einstein