Posted to cvs@httpd.apache.org by mi...@apache.org on 2023/05/19 10:29:03 UTC

svn commit: r1909928 - in /httpd/httpd/trunk: CHANGES modules/aaa/mod_authnz_ldap.c

Author: minfrin
Date: Fri May 19 10:29:02 2023
New Revision: 1909928

URL: http://svn.apache.org/viewvc?rev=1909928&view=rev
Log:
mod_authnz_ldap.c: Make sure the authentication variables are set in
all cases where another module is the source of the authentication,
and that the authenticated user is looked up in LDAP.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1909928&r1=1909927&r2=1909928&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Fri May 19 10:29:02 2023
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
 
+  *) mod_authnz_ldap.c: Make sure the authentication variables are set in
+     all cases where another module is the source of the authentication,
+     and that authenticated user is looked up in LDAP. [Graham Leggett]
+
   *) mod_autht_jwt: New module to handle RFC 7519 JWT tokens within
      bearer tokens, both as part of the aaa framework, and as a way to
      generate tokens and pass them to backend servers and services.

Modified: httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c?rev=1909928&r1=1909927&r2=1909928&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c Fri May 19 10:29:02 2023
@@ -688,6 +688,7 @@ static authz_status get_dn_for_nonldap_a
     authn_ldap_config_t *sec =
         (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
     const char *dn = NULL;
+    int remote_user_attribute_set = 0;
 
     /* Build the username filter */
     if (APR_SUCCESS != authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec)) {
@@ -710,6 +711,21 @@ static authz_status get_dn_for_nonldap_a
 
     req->dn = apr_pstrdup(r->pool, dn);
     req->user = r->user;
+
+    /* add environment variables */
+    remote_user_attribute_set = set_request_vars(r, LDAP_AUTHN, req->vals);
+
+    /* sanity check */
+    if (sec->remote_user_attribute && !remote_user_attribute_set) {
+        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(10450)
+                  "auth_ldap non-ldap authenticate: "
+                  "REMOTE_USER was to be set with attribute '%s', "
+                  "but this attribute was not requested for in the "
+                  "LDAP query for the user. REMOTE_USER will fall "
+                  "back to username or DN as appropriate.",
+                  sec->remote_user_attribute);
+    }
+
     return AUTHZ_GRANTED;
 }
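Review bot: `req->user = r->user;` is captured before the new `set_request_vars(r, LDAP_AUTHN, req->vals)` call, so if that helper replaces `r->user` with the configured attribute (its body is not visible here, but the warning text implies REMOTE_USER is set there), `req->user` and `r->user` will name the same user differently for the rest of the request. If that is intended, a comment above the call would make it explicit, e.g. `/* req->user keeps the name from the authenticating module; set_request_vars() may rewrite r->user */`. When `sec->remote_user_attribute` is configured but not returned, the function still reaches `return AUTHZ_GRANTED;` with the identity supplied by the other module, and the warning is emitted on every such request, so backends that key on REMOTE_USER see a different identifier than the configuration promises; that fallback deserves a sentence in the comment as well. The phrase "not requested for in" in the log text would read better as "not requested in". The body of get_dn_for_nonldap_authn between the two hunks, where `req->vals` would be populated, lies outside the diff.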