You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by pq...@apache.org on 2008/04/07 18:31:24 UTC
svn commit: r645594 [24/28] - in /httpd/sandbox/amsterdam/d: ./ build/
docs/conf/ docs/conf/extra/ docs/man/ docs/manual/ docs/manual/developer/
docs/manual/faq/ docs/manual/howto/ docs/manual/misc/ docs/manual/mod/
docs/manual/platform/ docs/manual/pr...
Modified: httpd/sandbox/amsterdam/d/modules/ldap/util_ldap.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/ldap/util_ldap.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/ldap/util_ldap.c (original)
+++ httpd/sandbox/amsterdam/d/modules/ldap/util_ldap.c Mon Apr 7 09:28:58 2008
@@ -66,6 +66,8 @@
apr_global_mutex_unlock(st->util_ldap_cache_lock); \
} while (0)
+static apr_status_t util_ldap_connection_remove (void *param);
+
static void util_ldap_strdup (char **str, const char *newstr)
{
if (*str) {
@@ -104,7 +106,7 @@
return DECLINED;
}
- ap_set_content_type(r, "text/html");
+ ap_set_content_type(r, "text/html; charset=ISO-8859-1");
if (r->header_only)
return OK;
@@ -119,9 +121,9 @@
return OK;
}
-/* ------------------------------------------------------------------ */
+/* ------------------------------------------------------------------ */
/*
* Closes an LDAP connection by unlocking it. The next time
* uldap_connection_find() is called this connection will be
@@ -141,18 +143,22 @@
* we don't have to...
*/
- /* mark our connection as available for reuse */
-
+ if (!ldc->keep) {
+ util_ldap_connection_remove(ldc);
+ }
+ else {
+ /* mark our connection as available for reuse */
#if APR_HAS_THREADS
- apr_thread_mutex_unlock(ldc->lock);
+ apr_thread_mutex_unlock(ldc->lock);
#endif
+ }
}
/*
* Destroys an LDAP connection by unbinding and closing the connection to
* the LDAP server. It is used to bring the connection back to a known
- * state after an error, and during pool cleanup.
+ * state after an error.
*/
static apr_status_t uldap_connection_unbind(void *param)
{
@@ -172,12 +178,17 @@
/*
* Clean up an LDAP connection by unbinding and unlocking the connection.
+ * This cleanup does not remove the util_ldap_connection_t from the
+ * per-virtualhost list of connections, does not remove the storage
+ * for the util_ldap_connection_t or it's data, and is NOT run automatically.
*/
static apr_status_t uldap_connection_cleanup(void *param)
{
util_ldap_connection_t *ldc = param;
if (ldc) {
+ /* Release the rebind info for this connection. No more referral rebinds required. */
+ apr_ldap_rebind_remove(ldc->ldap);
/* unbind and disconnect from the LDAP server */
uldap_connection_unbind(ldc);
@@ -189,22 +200,82 @@
if (ldc->binddn) {
free((void*)ldc->binddn);
}
-
+ /* ldc->reason is allocated from r->pool */
+ if (ldc->reason) {
+ ldc->reason = NULL;
+ }
/* unlock this entry */
uldap_connection_close(ldc);
+ }
+
+ return APR_SUCCESS;
+}
+
+/*
+ * util_ldap_connection_remove frees all storage associated with the LDAP
+ * connection and removes it completely from the per-virtualhost list of
+ * connections
+ *
+ * The caller should hold the lock for this connection
+ */
+static apr_status_t util_ldap_connection_remove (void *param) {
+ util_ldap_connection_t *ldc = param, *l = NULL, *prev = NULL;
+ util_ldap_state_t *st = ldc->st;
+
+ if (!ldc) return APR_SUCCESS;
+
+ uldap_connection_unbind(ldc);
+
+#if APR_HAS_THREADS
+ apr_thread_mutex_lock(st->mutex);
+#endif
+
+ /* Remove ldc from the list */
+ for (l=st->connections; l; l=l->next) {
+ if (l == ldc) {
+ if (prev) {
+ prev->next = l->next;
+ }
+ else {
+ st->connections = l->next;
+ }
+ break;
+ }
+ prev = l;
}
+ /* Some unfortunate duplication between this method
+ * and uldap_connection_cleanup()
+ */
+ if (ldc->bindpw) {
+ free((void*)ldc->bindpw);
+ }
+ if (ldc->binddn) {
+ free((void*)ldc->binddn);
+ }
+
+#if APR_HAS_THREADS
+ apr_thread_mutex_unlock(ldc->lock);
+ apr_thread_mutex_unlock(st->mutex);
+#endif
+
+ /* Destory the pool associated with this connection */
+
+ apr_pool_destroy(ldc->pool);
+
return APR_SUCCESS;
}
static int uldap_connection_init(request_rec *r,
- util_ldap_connection_t *ldc )
+ util_ldap_connection_t *ldc)
{
int rc = 0, ldap_option = 0;
int version = LDAP_VERSION3;
apr_ldap_err_t *result = NULL;
+#ifdef LDAP_OPT_NETWORK_TIMEOUT
struct timeval timeOut = {10,0}; /* 10 second connection timeout */
+#endif
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(r->server->module_config,
&ldap_module);
@@ -221,7 +292,6 @@
APR_LDAP_NONE,
&(result));
-
if (result != NULL && result->rc) {
ldc->reason = result->reason;
}
@@ -238,6 +308,16 @@
return(result->rc);
}
+ /* Now that we have an ldap struct, add it to the referral list for rebinds. */
+ rc = apr_ldap_rebind_add(ldc->pool, ldc->ldap, ldc->binddn, ldc->bindpw);
+ if (rc != APR_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+ "LDAP: Unable to add rebind cross reference entry. Out of memory?");
+ uldap_connection_unbind(ldc);
+ ldc->reason = "LDAP: Unable to add rebind cross reference entry.";
+ return(rc);
+ }
+
/* always default to LDAP V3 */
ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
@@ -267,10 +347,49 @@
ldap_option = ldc->deref;
ldap_set_option(ldc->ldap, LDAP_OPT_DEREF, &ldap_option);
+ /* Set options for rebind and referrals. */
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "LDAP: Setting referrals to %s.",
+ ((ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) ? "On" : "Off"));
+ apr_ldap_set_option(r->pool, ldc->ldap,
+ APR_LDAP_OPT_REFERRALS,
+ (void *)((ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) ?
+ LDAP_OPT_ON : LDAP_OPT_OFF),
+ &(result));
+ if (result->rc != LDAP_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "Unable to set LDAP_OPT_REFERRALS option to %s: %d.",
+ ((ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) ? "On" : "Off"),
+ result->rc);
+ result->reason = "Unable to set LDAP_OPT_REFERRALS.";
+ uldap_connection_unbind(ldc);
+ return(result->rc);
+ }
+
+ if (ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) {
+ /* Referral hop limit - only if referrals are enabled */
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "Setting referral hop limit to %d.",
+ ldc->ReferralHopLimit);
+ apr_ldap_set_option(r->pool, ldc->ldap,
+ APR_LDAP_OPT_REFHOPLIMIT,
+ (void *)&ldc->ReferralHopLimit,
+ &(result));
+ if (result->rc != LDAP_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "Unable to set LDAP_OPT_REFHOPLIMIT option to %d: %d.",
+ ldc->ReferralHopLimit,
+ result->rc);
+ result->reason = "Unable to set LDAP_OPT_REFHOPLIMIT.";
+ uldap_connection_unbind(ldc);
+ return(result->rc);
+ }
+ }
+
/*XXX All of the #ifdef's need to be removed once apr-util 1.2 is released */
#ifdef APR_LDAP_OPT_VERIFY_CERT
- apr_ldap_set_option(r->pool, ldc->ldap,
- APR_LDAP_OPT_VERIFY_CERT, &(st->verify_svr_cert), &(result));
+ apr_ldap_set_option(r->pool, ldc->ldap, APR_LDAP_OPT_VERIFY_CERT,
+ &(st->verify_svr_cert), &(result));
#else
#if defined(LDAPSSL_VERIFY_SERVER)
if (st->verify_svr_cert) {
@@ -361,7 +480,7 @@
rc = ldap_simple_bind_s(ldc->ldap,
(char *)ldc->binddn,
(char *)ldc->bindpw);
- if (LDAP_SERVER_DOWN != rc) {
+ if (!AP_LDAP_IS_SERVER_DOWN(rc)) {
break;
} else if (failures == 5) {
/* attempt to init the connection once again */
@@ -448,7 +567,8 @@
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(r->server->module_config,
&ldap_module);
-
+ util_ldap_config_t *dc =
+ (util_ldap_config_t *) ap_get_module_config(r->per_dir_config, &ldap_module);
#if APR_HAS_THREADS
/* mutex lock this function */
@@ -519,37 +639,43 @@
/* artificially disable cache */
/* l = NULL; */
- /* If no connection what found after the second search, we
+ /* If no connection was found after the second search, we
* must create one.
*/
if (!l) {
-
- /*
- * Add the new connection entry to the linked list. Note that we
- * don't actually establish an LDAP connection yet; that happens
- * the first time authentication is requested.
- */
- /* create the details to the pool in st */
- l = apr_pcalloc(st->pool, sizeof(util_ldap_connection_t));
- if (apr_pool_create(&l->pool, st->pool) != APR_SUCCESS) {
+ apr_pool_t *newpool;
+ if (apr_pool_create(&newpool, NULL) != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"util_ldap: Failed to create memory pool");
#if APR_HAS_THREADS
apr_thread_mutex_unlock(st->mutex);
#endif
return NULL;
-
}
+
+ /*
+ * Add the new connection entry to the linked list. Note that we
+ * don't actually establish an LDAP connection yet; that happens
+ * the first time authentication is requested.
+ */
+
+ /* create the details of this connection in the new pool */
+ l = apr_pcalloc(newpool, sizeof(util_ldap_connection_t));
+ l->pool = newpool;
+ l->st = st;
+
#if APR_HAS_THREADS
- apr_thread_mutex_create(&l->lock, APR_THREAD_MUTEX_DEFAULT, st->pool);
+ apr_thread_mutex_create(&l->lock, APR_THREAD_MUTEX_DEFAULT, l->pool);
apr_thread_mutex_lock(l->lock);
#endif
l->bound = 0;
- l->host = apr_pstrdup(st->pool, host);
+ l->host = apr_pstrdup(l->pool, host);
l->port = port;
l->deref = deref;
util_ldap_strdup((char**)&(l->binddn), binddn);
util_ldap_strdup((char**)&(l->bindpw), bindpw);
+ l->ChaseReferrals = dc->ChaseReferrals;
+ l->ReferralHopLimit = dc->ReferralHopLimit;
/* The security mode after parsing the URL will always be either
* APR_LDAP_NONE (ldap://) or APR_LDAP_SSL (ldaps://).
@@ -561,6 +687,8 @@
/* save away a copy of the client cert list that is presently valid */
l->client_certs = apr_array_copy_hdr(l->pool, st->client_certs);
+ l->keep = 1;
+
if (p) {
p->next = l;
}
@@ -658,10 +786,10 @@
}
/* search for reqdn */
- if ((result = ldap_search_ext_s(ldc->ldap, (char *)reqdn, LDAP_SCOPE_BASE,
- "(objectclass=*)", NULL, 1,
- NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res))
- == LDAP_SERVER_DOWN)
+ result = ldap_search_ext_s(ldc->ldap, (char *)reqdn, LDAP_SCOPE_BASE,
+ "(objectclass=*)", NULL, 1,
+ NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res);
+ if (AP_LDAP_IS_SERVER_DOWN(result))
{
ldc->reason = "DN Comparison ldap_search_ext_s() "
"failed with server down";
@@ -710,9 +838,9 @@
/*
* Does an generic ldap_compare operation. It accepts a cache that it will use
* to lookup the compare in the cache. We cache two kinds of compares
- * (require group compares) and (require user compares). Each compare has a different
- * cache node: require group includes the DN; require user does not because the
- * require user cache is owned by the
+ * (require group compares) and (require user compares). Each compare has a
+ * different cache node: require group includes the DN; require user does not
+ * because the require user cache is owned by the
*
*/
static int uldap_cache_compare(request_rec *r, util_ldap_connection_t *ldc,
@@ -798,11 +926,11 @@
return result;
}
- if ((result = ldap_compare_s(ldc->ldap,
- (char *)dn,
- (char *)attrib,
- (char *)value))
- == LDAP_SERVER_DOWN) {
+ result = ldap_compare_s(ldc->ldap,
+ (char *)dn,
+ (char *)attrib,
+ (char *)value);
+ if (AP_LDAP_IS_SERVER_DOWN(result)) {
/* connection failed - try again */
ldc->reason = "ldap_compare_s() failed with server down";
uldap_connection_unbind(ldc);
@@ -833,9 +961,12 @@
{
void *junk;
- junk = util_ald_cache_insert(curl->compare_cache, &the_compare_node);
+ junk = util_ald_cache_insert(curl->compare_cache,
+ &the_compare_node);
if(junk == NULL) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] cache_compare: Cache insertion failure.", getpid());
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] cache_compare: Cache"
+ " insertion failure.", getpid());
}
}
else {
@@ -860,16 +991,176 @@
return result;
}
+
+static util_compare_subgroup_t* uldap_get_subgroups(request_rec *r,
+ util_ldap_connection_t *ldc,
+ const char *url,
+ const char *dn,
+ char **subgroupAttrs,
+ apr_array_header_t *subgroupclasses)
+{
+ int failures = 0;
+ int result = LDAP_COMPARE_FALSE;
+ util_compare_subgroup_t *res = NULL;
+ LDAPMessage *sga_res, *entry;
+ struct mod_auth_ldap_groupattr_entry_t *sgc_ents;
+ apr_array_header_t *subgroups = apr_array_make(r->pool, 20, sizeof(char *));
+
+ sgc_ents = (struct mod_auth_ldap_groupattr_entry_t *) subgroupclasses->elts;
+
+ if (!subgroupAttrs) {
+ return res;
+ }
+
+start_over:
+ /*
+ * 3.B. The cache didn't have any subgrouplist yet. Go check for subgroups.
+ */
+ if (failures++ > 10) {
+ /* too many failures */
+ return res;
+ }
+
+ if (LDAP_SUCCESS != (result = uldap_connection_open(r, ldc))) {
+ /* connect failed */
+ return res;
+ }
+
+ /* try to do the search */
+ result = ldap_search_ext_s(ldc->ldap, (char *)dn, LDAP_SCOPE_BASE,
+ (char *)"cn=*", subgroupAttrs, 0,
+ NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &sga_res);
+ if (AP_LDAP_IS_SERVER_DOWN(result)) {
+ ldc->reason = "ldap_search_ext_s() for subgroups failed with server"
+ " down";
+ uldap_connection_unbind(ldc);
+ goto start_over;
+ }
+
+ /* if there is an error (including LDAP_NO_SUCH_OBJECT) return now */
+ if (result != LDAP_SUCCESS) {
+ ldc->reason = "ldap_search_ext_s() for subgroups failed";
+ return res;
+ }
+
+ entry = ldap_first_entry(ldc->ldap, sga_res);
+
+ /*
+ * Get values for the provided sub-group attributes.
+ */
+ if (subgroupAttrs) {
+ int indx = 0, tmp_sgcIndex;
+
+ while (subgroupAttrs[indx]) {
+ char **values;
+ int val_index = 0;
+
+ /* Get *all* matching "member" values from this group. */
+ values = ldap_get_values(ldc->ldap, entry, subgroupAttrs[indx]);
+
+ if (values) {
+ val_index = 0;
+ /*
+ * Now we are going to pare the subgroup members of this group
+ * to *just* the subgroups, add them to the compare_nodep, and
+ * then proceed to check the new level of subgroups.
+ */
+ while (values[val_index]) {
+ /* Check if this entry really is a group. */
+ tmp_sgcIndex = 0;
+ result = LDAP_COMPARE_FALSE;
+ while ((tmp_sgcIndex < subgroupclasses->nelts)
+ && (result != LDAP_COMPARE_TRUE)) {
+ result = uldap_cache_compare(r, ldc, url,
+ values[val_index],
+ "objectClass",
+ sgc_ents[tmp_sgcIndex].name
+ );
+
+ if (result != LDAP_COMPARE_TRUE) {
+ tmp_sgcIndex++;
+ }
+ }
+ /* It's a group, so add it to the array. */
+ if (result == LDAP_COMPARE_TRUE) {
+ char **newgrp = (char **) apr_array_push(subgroups);
+ *newgrp = apr_pstrdup(r->pool, values[val_index]);
+ }
+ val_index++;
+ }
+ ldap_value_free(values);
+ }
+ indx++;
+ }
+ }
+
+ ldap_msgfree(sga_res);
+
+ if (subgroups->nelts > 0) {
+ /* We need to fill in tmp_local_subgroups using the data from LDAP */
+ int sgindex;
+ char **group;
+ res = apr_pcalloc(r->pool, sizeof(util_compare_subgroup_t));
+ res->subgroupDNs = apr_pcalloc(r->pool,
+ sizeof(char *) * (subgroups->nelts));
+ for (sgindex = 0; (group = apr_array_pop(subgroups)); sgindex++) {
+ res->subgroupDNs[sgindex] = apr_pstrdup(r->pool, *group);
+ }
+ res->len = sgindex;
+ }
+
+ return res;
+}
+
+
/*
- * Does a recursive lookup operation to try to find a user within (cached) nested groups.
+ * Does a recursive lookup operation to try to find a user within (cached)
+ * nested groups. It accepts a cache that it will use to lookup previous
+ * compare attempts. We cache two kinds of compares (require group compares)
+ * and (require user compares). Each compare has a different cache node:
+ * require group includes the DN; require user does not because the require
+ * user cache is owned by the
*
* DON'T CALL THIS UNLESS YOU CALLED uldap_cache_compare FIRST!!!!!
+ *
+ *
+ * 1. Call uldap_cache_compare for each subgroupclass value to check the
+ * generic, user-agnostic, cached group entry. This will create a new generic
+ * cache entry if there
+ * wasn't one. If nothing returns LDAP_COMPARE_TRUE skip to step 5 since we
+ * have no groups.
+ * 2. Lock The cache and get the generic cache entry.
+ * 3. Check if there is already a subgrouplist in this generic group's cache
+ * entry.
+ * A. If there is, go to step 4.
+ * B. If there isn't:
+ * i) Use ldap_search to get the full list
+ * of subgroup "members" (which may include non-group "members").
+ * ii) Use uldap_cache_compare to strip the list down to just groups.
+ * iii) Lock and add this stripped down list to the cache of the generic
+ * group.
+ * 4. Loop through the sgl and call uldap_cache_compare (using the user info)
+ * for each
+ * subgroup to see if the subgroup contains the user and to get the subgroups
+ * added to the
+ * cache (with user-afinity, if they aren't already there).
+ * A. If the user is in the subgroup, then we'll be returning
+ * LDAP_COMPARE_TRUE.
+ * B. if the user isn't in the subgroup (LDAP_COMPARE_FALSE via
+ * uldap_cache_compare) then recursively call this function to get the
+ * sub-subgroups added...
+ * 5. Cleanup local allocations.
+ * 6. Return the final result.
*/
-static int uldap_cache_check_subgroups(request_rec *r, util_ldap_connection_t *ldc,
+
+static int uldap_cache_check_subgroups(request_rec *r,
+ util_ldap_connection_t *ldc,
const char *url, const char *dn,
const char *attrib, const char *value,
- char **subgroupAttrs, apr_array_header_t *subgroupclasses,
- int cur_subgroup_depth, int max_subgroup_depth)
+ char **subgroupAttrs,
+ apr_array_header_t *subgroupclasses,
+ int cur_subgroup_depth,
+ int max_subgroup_depth)
{
int result = LDAP_COMPARE_FALSE;
util_url_node_t *curl;
@@ -877,266 +1168,234 @@
util_compare_node_t *compare_nodep;
util_compare_node_t the_compare_node;
util_compare_subgroup_t *tmp_local_sgl = NULL;
- int failures = 0;
- LDAPMessage *sga_res, *entry;
- apr_array_header_t *subgroups = apr_array_make(r->pool, 20, sizeof(char *));
-
+ int sgl_cached_empty = 0, sgindex = 0, base_sgcIndex = 0;
+ struct mod_auth_ldap_groupattr_entry_t *sgc_ents =
+ (struct mod_auth_ldap_groupattr_entry_t *) subgroupclasses->elts;
util_ldap_state_t *st = (util_ldap_state_t *)
ap_get_module_config(r->server->module_config,
&ldap_module);
/*
- * 1. Call uldap_cache_compare for each subgroupclass value to check the generic,
- * user-agnostic, cached group entry. This will create a new generic cache entry if there
- * wasn't one. If nothing returns LDAP_COMPARE_TRUE skip to step 5 since we have no groups.
- * 2. Lock The cache and get the generic cache entry.
- * 3. Check if there is already a subgrouplist in this generic group's cache entry.
- * A. If there is, go to step 4.
- * B. If there isn't:
- * i) Use ldap_search to get the full list
- * of subgroup "members" (which may include non-group "members").
- * ii) Use uldap_cache_compare to strip the list down to just groups.
- * iii) Lock and add this stripped down list to the cache of the generic group.
- * 4. Loop through the sgl and call uldap_cache_compare (using the user info) for each
- * subgroup to see if the subgroup contains the user and to get the subgroups added to the
- * cache (with user-afinity, if they aren't already there).
- * A. If the user is in the subgroup, then we'll be returning LDAP_COMPARE_TRUE.
- * B. if the user isn't in the subgroup (LDAP_COMPARE_FALSE via uldap_cache_compare) then
- * recursively call this function to get the sub-subgroups added...
- * 5. Cleanup local allocations.
- * 6. Return the final result.
- */
-
- /* Stop looking at deeper levels of nested groups if we have reached the max.
- * Since we already checked the top-level group in uldap_cache_compare, we don't
- * need to check it again here - so if max_subgroup_depth is set to 0, we won't
- * check it (i.e. that is why we check < rather than <=).
- * We'll be calling uldap_cache_compare from here to check if the user is in the
- * next level before we recurse into that next level looking for more subgroups.
- */
- if (cur_subgroup_depth < max_subgroup_depth) {
- int base_sgcIndex = 0;
- int lcl_sgl_processedFlag = 0;
- struct mod_auth_ldap_groupattr_entry_t *sgc_ents = (struct mod_auth_ldap_groupattr_entry_t *) subgroupclasses->elts;
-
- /* 1. Check the "groupiness" of the specified basedn. Stopping at the first TRUE return. */
- while ((base_sgcIndex < subgroupclasses->nelts) && (result != LDAP_COMPARE_TRUE)) {
- result = uldap_cache_compare(r, ldc, url, dn, "objectClass", sgc_ents[base_sgcIndex].name);
- if (result != LDAP_COMPARE_TRUE) {
- base_sgcIndex++;
- }
- }
+ * Stop looking at deeper levels of nested groups if we have reached the
+ * max. Since we already checked the top-level group in uldap_cache_compare,
+ * we don't need to check it again here - so if max_subgroup_depth is set
+ * to 0, we won't check it (i.e. that is why we check < rather than <=).
+ * We'll be calling uldap_cache_compare from here to check if the user is
+ * in the next level before we recurse into that next level looking for
+ * more subgroups.
+ */
+ if (cur_subgroup_depth >= max_subgroup_depth) {
+ return LDAP_COMPARE_FALSE;
+ }
+ /*
+ * 1. Check the "groupiness" of the specified basedn. Stopping at the first
+ * TRUE return.
+ */
+ while ((base_sgcIndex < subgroupclasses->nelts)
+ && (result != LDAP_COMPARE_TRUE)) {
+ result = uldap_cache_compare(r, ldc, url, dn, "objectClass",
+ sgc_ents[base_sgcIndex].name);
if (result != LDAP_COMPARE_TRUE) {
- /* The dn we were handed doesn't seem to be a group, how can we check for SUB-groups if this
- * isn't a group?!?!?!
- */
- ldc->reason = "DN failed group verification.";
- return result;
+ base_sgcIndex++;
}
+ }
- /* 2. Find previously created cache entry and check if there is already a subgrouplist. */
- LDAP_CACHE_LOCK();
- curnode.url = url;
- curl = util_ald_cache_fetch(st->util_ldap_cache, &curnode);
- LDAP_CACHE_UNLOCK();
+ if (result != LDAP_COMPARE_TRUE) {
+ ldc->reason = "DN failed group verification.";
+ return result;
+ }
- if (curl && curl->compare_cache) {
- /* make a comparison to the cache */
- LDAP_CACHE_LOCK();
+ /*
+ * 2. Find previously created cache entry and check if there is already a
+ * subgrouplist.
+ */
+ LDAP_CACHE_LOCK();
+ curnode.url = url;
+ curl = util_ald_cache_fetch(st->util_ldap_cache, &curnode);
+ LDAP_CACHE_UNLOCK();
- the_compare_node.dn = (char *)dn;
- the_compare_node.attrib = (char *)"objectClass";
- the_compare_node.value = (char *)sgc_ents[base_sgcIndex].name;
- the_compare_node.result = 0;
- the_compare_node.sgl_processed = 0;
- the_compare_node.subgroupList = NULL;
+ if (curl && curl->compare_cache) {
+ /* make a comparison to the cache */
+ LDAP_CACHE_LOCK();
- compare_nodep = util_ald_cache_fetch(curl->compare_cache, &the_compare_node);
+ the_compare_node.dn = (char *)dn;
+ the_compare_node.attrib = (char *)"objectClass";
+ the_compare_node.value = (char *)sgc_ents[base_sgcIndex].name;
+ the_compare_node.result = 0;
+ the_compare_node.sgl_processed = 0;
+ the_compare_node.subgroupList = NULL;
- if (compare_nodep == NULL) {
- /* Didn't find it. This shouldn't happen since we just called uldap_cache_compare. */
- LDAP_CACHE_UNLOCK();
- ldc->reason = "check_subgroups failed to find cached element.";
- return LDAP_COMPARE_FALSE;
- }
- else {
- /* Found the generic group entry... but the user isn't in this group or we wouldn't be here. */
- lcl_sgl_processedFlag = compare_nodep->sgl_processed;
- if(compare_nodep->sgl_processed && compare_nodep->subgroupList) {
+ compare_nodep = util_ald_cache_fetch(curl->compare_cache,
+ &the_compare_node);
+
+ if (compare_nodep != NULL) {
+ /*
+ * Found the generic group entry... but the user isn't in this
+ * group or we wouldn't be here.
+ */
+ if (compare_nodep->sgl_processed) {
+ if (compare_nodep->subgroupList) {
/* Make a local copy of the subgroup list */
int i;
- tmp_local_sgl = apr_pcalloc(r->pool, sizeof(util_compare_subgroup_t));
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] util_ldap:"
+ " Making local copy of SGL for "
+ "group (%s)(objectClass=%s) ",
+ getpid(), dn,
+ (char *)sgc_ents[base_sgcIndex].name);
+ tmp_local_sgl = apr_pcalloc(r->pool,
+ sizeof(util_compare_subgroup_t));
tmp_local_sgl->len = compare_nodep->subgroupList->len;
- tmp_local_sgl->subgroupDNs = apr_pcalloc(r->pool, sizeof(char *) * compare_nodep->subgroupList->len);
+ tmp_local_sgl->subgroupDNs =
+ apr_pcalloc(r->pool,
+ sizeof(char *) * compare_nodep->subgroupList->len);
for (i = 0; i < compare_nodep->subgroupList->len; i++) {
- tmp_local_sgl->subgroupDNs[i] = apr_pstrdup(r->pool, compare_nodep->subgroupList->subgroupDNs[i]);
+ tmp_local_sgl->subgroupDNs[i] =
+ apr_pstrdup(r->pool,
+ compare_nodep->subgroupList->subgroupDNs[i]);
}
}
+ else {
+ sgl_cached_empty = 1;
+ }
}
- /* unlock this read lock */
- LDAP_CACHE_UNLOCK();
- }
- else {
- /* If we get here, something is wrong. Caches should have been created and
- this group entry should be found in the cache. */
- ldc->reason = "check_subgroups failed to find any caches.";
- return LDAP_COMPARE_FALSE;
}
+ LDAP_CACHE_UNLOCK();
+ }
- result = LDAP_COMPARE_FALSE;
-
- /* No cache entry had a processed SGL. Retrieve from LDAP server */
- if ((lcl_sgl_processedFlag == 0) && (!tmp_local_sgl)) {
-start_over:
- /* 3.B. The cache didn't have any subgrouplist yet. Go check for subgroups. */
- if (failures++ > 10) {
- /* too many failures */
- return result;
- }
-
- if (LDAP_SUCCESS != (result = uldap_connection_open(r, ldc))) {
- /* connect failed */
- return result;
- }
+ if (!tmp_local_sgl && !sgl_cached_empty) {
+ /* No Cached SGL, retrieve from LDAP */
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] util_ldap: no cached SGL for %s,"
+ " retrieving from LDAP" , getpid(), dn);
+ tmp_local_sgl = uldap_get_subgroups(r, ldc, url, dn, subgroupAttrs,
+ subgroupclasses);
+ if (!tmp_local_sgl) {
+ /* No SGL aailable via LDAP either */
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "]"
+ " util_ldap: no subgroups for %s" , getpid(), dn);
+ }
- /* try to do the search */
- result = ldap_search_ext_s(ldc->ldap, (char *)dn, LDAP_SCOPE_BASE,
- (char *)"cn=*", subgroupAttrs, 0,
- NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &sga_res);
- if (result == LDAP_SERVER_DOWN) {
- ldc->reason = "ldap_search_ext_s() for subgroups failed with server down";
- uldap_connection_unbind(ldc);
- goto start_over;
- }
+ if (curl && curl->compare_cache) {
+ /*
+ * Find the generic group cache entry and add the sgl we just retrieved.
+ */
+ LDAP_CACHE_LOCK();
- /* if there is an error (including LDAP_NO_SUCH_OBJECT) return now */
- if (result != LDAP_SUCCESS) {
- ldc->reason = "ldap_search_ext_s() for subgroups failed";
- return result;
- }
+ the_compare_node.dn = (char *)dn;
+ the_compare_node.attrib = (char *)"objectClass";
+ the_compare_node.value = (char *)sgc_ents[base_sgcIndex].name;
+ the_compare_node.result = 0;
+ the_compare_node.sgl_processed = 0;
+ the_compare_node.subgroupList = NULL;
- entry = ldap_first_entry(ldc->ldap, sga_res);
+ compare_nodep = util_ald_cache_fetch(curl->compare_cache,
+ &the_compare_node);
+ if (compare_nodep == NULL) {
/*
- * Get values for the provided sub-group attributes.
+ * The group entry we want to attach our SGL to doesn't exist.
+ * We only got here if we verified this DN was actually a group
+ * based on the objectClass, but we can't call the compare function
+ * while we already hold the cache lock -- only the insert.
*/
- if (subgroupAttrs) {
- int indx = 0, tmp_sgcIndex;
-
- while (subgroupAttrs[indx]) {
- char **values;
- int val_index = 0;
-
- /* Get *all* matching "member" values from this group. */
- values = ldap_get_values(ldc->ldap, entry, subgroupAttrs[indx]);
-
- if (values) {
- val_index = 0;
- /*
- * Now we are going to pare the subgroup members of this group to *just*
- * the subgroups, add them to the compare_nodep, and then proceed to check
- * the new level of subgroups.
- */
- while (values[val_index]) {
- /* Check if this entry really is a group. */
- tmp_sgcIndex = 0;
- result = LDAP_COMPARE_FALSE;
- while ((tmp_sgcIndex < subgroupclasses->nelts) && (result != LDAP_COMPARE_TRUE)) {
- result = uldap_cache_compare(r, ldc, url, values[val_index], "objectClass",
- sgc_ents[tmp_sgcIndex].name);
-
- if (result != LDAP_COMPARE_TRUE) {
- tmp_sgcIndex++;
- }
- }
- /* It's a group, so add it to the array. */
- if (result == LDAP_COMPARE_TRUE) {
- char **newgrp = (char **) apr_array_push(subgroups);
- *newgrp = apr_pstrdup(r->pool, values[val_index]);
- }
- val_index++;
- }
- ldap_value_free(values);
- }
- indx++;
- }
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] util_ldap: Cache entry "
+ "for %s doesn't exist",
+ getpid(), dn);
+ the_compare_node.result = LDAP_COMPARE_TRUE;
+ util_ald_cache_insert(curl->compare_cache, &the_compare_node);
+ compare_nodep = util_ald_cache_fetch(curl->compare_cache,
+ &the_compare_node);
+ if (compare_nodep == NULL) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "[%" APR_PID_T_FMT "] util_ldap: Couldn't "
+ "retrieve group entry for %s from cache",
+ getpid(), dn);
}
+ }
- ldap_msgfree(sga_res);
-
- if (subgroups->nelts > 0) {
- /* We need to fill in tmp_local_subgroups using the data from LDAP */
- int sgindex;
- char **group;
- tmp_local_sgl = apr_pcalloc(r->pool, sizeof(util_compare_subgroup_t));
- tmp_local_sgl->subgroupDNs = apr_pcalloc(r->pool, sizeof(char *) * (subgroups->nelts));
- for (sgindex = 0; (group = apr_array_pop(subgroups)); sgindex++) {
- tmp_local_sgl->subgroupDNs[sgindex] = apr_pstrdup(r->pool, *group);
+ /*
+ * We have a valid cache entry and a locally generated SGL.
+ * Attach the SGL to the cache entry
+ */
+ if (compare_nodep && !compare_nodep->sgl_processed) {
+ if (!tmp_local_sgl) {
+ /* We looked up an SGL for a group and found it to be empty */
+ if (compare_nodep->subgroupList == NULL) {
+ compare_nodep->sgl_processed = 1;
}
- tmp_local_sgl->len = sgindex;
- }
-
- /* Find the generic group cache entry and add the sgl. */
- LDAP_CACHE_LOCK();
-
- the_compare_node.dn = (char *)dn;
- the_compare_node.attrib = (char *)"objectClass";
- the_compare_node.value = (char *)sgc_ents[base_sgcIndex].name;
- the_compare_node.result = 0;
- the_compare_node.sgl_processed = 0;
- the_compare_node.subgroupList = NULL;
-
- compare_nodep = util_ald_cache_fetch(curl->compare_cache, &the_compare_node);
-
- if (compare_nodep == NULL) {
- /* Didn't find it. This shouldn't happen since we just called uldap_cache_compare. */
- LDAP_CACHE_UNLOCK();
- ldc->reason = "check_subgroups failed to find the cache entry to add sub-group list to.";
- return LDAP_COMPARE_FALSE;
}
else {
- /* overwrite SGL if it was previously updated between the last
- ** two times we looked at the cache
- */
- compare_nodep->sgl_processed = 1;
- if (tmp_local_sgl) {
- compare_nodep->subgroupList = util_ald_sgl_dup(curl->compare_cache, tmp_local_sgl);
- }
- else {
- /* We didn't find a single subgroup, next time save us from looking */
- compare_nodep->subgroupList = NULL;
- }
- }
- /* unlock this read lock */
- LDAP_CACHE_UNLOCK();
- }
-
- /* tmp_local_sgl has either been created, or copied out of the cache */
- /* If tmp_local_sgl is NULL, there are no subgroups to process and we'll return false */
- result = LDAP_COMPARE_FALSE;
- if (tmp_local_sgl) {
- int sgindex = 0;
- const char *group = NULL;
- while ((result != LDAP_COMPARE_TRUE) && (sgindex < tmp_local_sgl->len)) {
- group = tmp_local_sgl->subgroupDNs[sgindex];
- /* 4. Now loop through the subgroupList and call uldap_cache_compare to check for the user. */
- result = uldap_cache_compare(r, ldc, url, group, attrib, value);
- if (result == LDAP_COMPARE_TRUE) {
- /* 4.A. We found the user in the subgroup. Return LDAP_COMPARE_TRUE. */
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] util_ldap:"
- " Found the user in a subgroup (%s) at level %d of %d. (7).",
- getpid(), group, cur_subgroup_depth+1, max_subgroup_depth);
+ util_compare_subgroup_t *sgl_copy =
+ util_ald_sgl_dup(curl->compare_cache, tmp_local_sgl);
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "Copying local SGL of len %d for group %s into cache",
+ tmp_local_sgl->len, dn);
+ if (sgl_copy) {
+ if (compare_nodep->subgroupList) {
+ util_ald_sgl_free(curl->compare_cache,
+ &(compare_nodep->subgroupList));
+ }
+ compare_nodep->subgroupList = sgl_copy;
+ compare_nodep->sgl_processed = 1;
}
else {
- /* 4.B. We didn't find the user in this subgroup, so recurse into it and keep looking. */
- result = uldap_cache_check_subgroups(r, ldc, url, group, attrib,
- value, subgroupAttrs, subgroupclasses,
- cur_subgroup_depth+1, max_subgroup_depth);
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+ "Copy of SGL failed to obtain shared memory, "
+ "couldn't update cache");
}
- sgindex++;
}
}
+ LDAP_CACHE_UNLOCK();
+ }
+ }
+
+ /*
+ * tmp_local_sgl has either been created, or copied out of the cache
+ * If tmp_local_sgl is NULL, there are no subgroups to process and we'll
+ * return false
+ */
+ result = LDAP_COMPARE_FALSE;
+ if (!tmp_local_sgl) {
+ return result;
+ }
+
+ while ((result != LDAP_COMPARE_TRUE) && (sgindex < tmp_local_sgl->len)) {
+ const char *group = NULL;
+ group = tmp_local_sgl->subgroupDNs[sgindex];
+ /*
+ * 4. Now loop through the subgroupList and call uldap_cache_compare
+ * to check for the user.
+ */
+ result = uldap_cache_compare(r, ldc, url, group, attrib, value);
+ if (result == LDAP_COMPARE_TRUE) {
+ /*
+ * 4.A. We found the user in the subgroup. Return
+ * LDAP_COMPARE_TRUE.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "]"
+ " util_ldap: Found user %s in a subgroup (%s) at"
+ " level %d of %d.", getpid(), r->user, group,
+ cur_subgroup_depth+1, max_subgroup_depth);
+ }
+ else {
+ /*
+ * 4.B. We didn't find the user in this subgroup, so recurse into
+ * it and keep looking.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "]"
+ " util_ldap: user %s not found in subgroup (%s) at"
+ " level %d of %d.", getpid(), r->user, group,
+ cur_subgroup_depth+1, max_subgroup_depth);
+ result = uldap_cache_check_subgroups(r, ldc, url, group, attrib,
+ value, subgroupAttrs,
+ subgroupclasses,
+ cur_subgroup_depth+1,
+ max_subgroup_depth);
+ }
+ sgindex++;
}
return result;
@@ -1203,12 +1462,10 @@
/* ...and entry is valid */
*binddn = apr_pstrdup(r->pool, search_nodep->dn);
if (attrs) {
- int i = 0, k = 0;
- while (attrs[k++]);
- *retvals = apr_pcalloc(r->pool, sizeof(char *) * k);
- while (search_nodep->vals[i]) {
+ int i;
+ *retvals = apr_pcalloc(r->pool, sizeof(char *) * search_nodep->numvals);
+ for (i = 0; i < search_nodep->numvals; i++) {
(*retvals)[i] = apr_pstrdup(r->pool, search_nodep->vals[i]);
- i++;
}
}
LDAP_CACHE_UNLOCK();
@@ -1236,11 +1493,11 @@
}
/* try do the search */
- if ((result = ldap_search_ext_s(ldc->ldap,
- (char *)basedn, scope,
- (char *)filter, attrs, 0,
- NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res))
- == LDAP_SERVER_DOWN)
+ result = ldap_search_ext_s(ldc->ldap,
+ (char *)basedn, scope,
+ (char *)filter, attrs, 0,
+ NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res);
+ if (AP_LDAP_IS_SERVER_DOWN(result))
{
ldc->reason = "ldap_search_ext_s() for user failed with server down";
uldap_connection_unbind(ldc);
@@ -1294,9 +1551,10 @@
* fails, it means that the password is wrong (the dn obviously
* exists, since we just retrieved it)
*/
- if ((result = ldap_simple_bind_s(ldc->ldap,
- (char *)*binddn,
- (char *)bindpw)) == LDAP_SERVER_DOWN) {
+ result = ldap_simple_bind_s(ldc->ldap,
+ (char *)*binddn,
+ (char *)bindpw);
+ if (AP_LDAP_IS_SERVER_DOWN(result)) {
ldc->reason = "ldap_simple_bind_s() to check user credentials "
"failed with server down";
ldap_msgfree(res);
@@ -1451,12 +1709,10 @@
/* ...and entry is valid */
*binddn = apr_pstrdup(r->pool, search_nodep->dn);
if (attrs) {
- int i = 0, k = 0;
- while (attrs[k++]);
- *retvals = apr_pcalloc(r->pool, sizeof(char *) * k);
- while (search_nodep->vals[i]) {
+ int i;
+ *retvals = apr_pcalloc(r->pool, sizeof(char *) * search_nodep->numvals);
+ for (i = 0; i < search_nodep->numvals; i++) {
(*retvals)[i] = apr_pstrdup(r->pool, search_nodep->vals[i]);
- i++;
}
}
LDAP_CACHE_UNLOCK();
@@ -1484,11 +1740,11 @@
}
/* try do the search */
- if ((result = ldap_search_ext_s(ldc->ldap,
- (char *)basedn, scope,
- (char *)filter, attrs, 0,
- NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res))
- == LDAP_SERVER_DOWN)
+ result = ldap_search_ext_s(ldc->ldap,
+ (char *)basedn, scope,
+ (char *)filter, attrs, 0,
+ NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res);
+ if (AP_LDAP_IS_SERVER_DOWN(result))
{
ldc->reason = "ldap_search_ext_s() for user failed with server down";
uldap_connection_unbind(ldc);
@@ -1674,8 +1930,8 @@
st->search_cache_ttl = atol(ttl) * 1000000;
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
- "[%" APR_PID_T_FMT "] ldap cache: Setting cache TTL to %ld microseconds.",
- getpid(), st->search_cache_ttl);
+ "[%" APR_PID_T_FMT "] ldap cache: Setting cache TTL to %ld"
+ " microseconds.", getpid(), st->search_cache_ttl);
return NULL;
}
@@ -1698,8 +1954,8 @@
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
- "[%" APR_PID_T_FMT "] ldap cache: Setting search cache size to %ld entries.",
- getpid(), st->search_cache_size);
+ "[%" APR_PID_T_FMT "] ldap cache: Setting search cache size"
+ " to %ld entries.", getpid(), st->search_cache_size);
return NULL;
}
@@ -1719,8 +1975,8 @@
st->compare_cache_ttl = atol(ttl) * 1000000;
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
- "[%" APR_PID_T_FMT "] ldap cache: Setting operation cache TTL to %ld microseconds.",
- getpid(), st->compare_cache_ttl);
+ "[%" APR_PID_T_FMT "] ldap cache: Setting operation cache TTL"
+ " to %ld microseconds.", getpid(), st->compare_cache_ttl);
return NULL;
}
@@ -1743,8 +1999,8 @@
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
- "[%" APR_PID_T_FMT "] ldap cache: Setting operation cache size to %ld "
- "entries.", getpid(), st->compare_cache_size);
+ "[%" APR_PID_T_FMT "] ldap cache: Setting operation cache size"
+ " to %ld entries.", getpid(), st->compare_cache_size);
return NULL;
}
@@ -2052,9 +2308,11 @@
void *dummy,
const char *ttl)
{
+#ifdef LDAP_OPT_NETWORK_TIMEOUT
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
&ldap_module);
+#endif
const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
if (err != NULL) {
@@ -2065,11 +2323,11 @@
st->connectionTimeout = atol(ttl);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
- "[%" APR_PID_T_FMT "] ldap connection: Setting connection timeout to "
- "%ld seconds.", getpid(), st->connectionTimeout);
+ "[%" APR_PID_T_FMT "] ldap connection: Setting connection"
+ " timeout to %ld seconds.", getpid(), st->connectionTimeout);
#else
ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, cmd->server,
- "LDAP: Connection timout option not supported by the "
+ "LDAP: Connection timeout option not supported by the "
"LDAP SDK in use." );
#endif
@@ -2077,6 +2335,48 @@
}
+static const char *util_ldap_set_chase_referrals(cmd_parms *cmd,
+ void *config,
+ int mode)
+{
+ util_ldap_config_t *dc = config;
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
+ "LDAP: Setting refferal chasing %s",
+ (mode == AP_LDAP_CHASEREFERRALS_ON) ? "ON" : "OFF");
+
+ dc->ChaseReferrals = mode;
+
+ return(NULL);
+}
+
+static const char *util_ldap_set_referral_hop_limit(cmd_parms *cmd,
+ void *config,
+ const char *hop_limit)
+{
+ util_ldap_config_t *dc = config;
+
+ dc->ReferralHopLimit = atol(hop_limit);
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
+ "LDAP: Limit chased referrals to maximum of %d hops.",
+ dc->ReferralHopLimit);
+
+ return NULL;
+}
+
+static void *util_ldap_create_dir_config(apr_pool_t *p, char *d) {
+ util_ldap_config_t *dc =
+ (util_ldap_config_t *) apr_pcalloc(p,sizeof(util_ldap_config_t));
+
+ /* defaults are AP_LDAP_CHASEREFERRALS_ON and AP_LDAP_DEFAULT_HOPLIMIT */
+ dc->ChaseReferrals = AP_LDAP_CHASEREFERRALS_ON;
+ dc->ReferralHopLimit = AP_LDAP_DEFAULT_HOPLIMIT;
+
+ return dc;
+}
+
+
static void *util_ldap_create_config(apr_pool_t *p, server_rec *s)
{
util_ldap_state_t *st =
@@ -2105,6 +2405,9 @@
st->connectionTimeout = 10;
st->verify_svr_cert = 1;
+ /* Initialize the rebind callback's cross reference list. */
+ apr_ldap_rebind_init (p);
+
return st;
}
@@ -2369,23 +2672,25 @@
AP_INIT_TAKE23("LDAPTrustedGlobalCert", util_ldap_set_trusted_global_cert,
NULL, RSRC_CONF,
- "Takes three args; the file and/or directory containing "
- "the trusted CA certificates (and global client certs "
- "for Netware) used to validate the LDAP server. Second "
- "arg is the cert type for the first arg, one of CA_DER, "
- "CA_BASE64, CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64, "
- "CERT_KEY3_DB, CERT_NICKNAME, KEY_DER, or KEY_BASE64. "
- "Third arg is an optional passphrase if applicable."),
+ "Takes three arguments; the first argument is the cert "
+ "type of the second argument, one of CA_DER, CA_BASE64, "
+ "CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64, CERT_KEY3_DB, "
+ "CERT_NICKNAME, KEY_DER, or KEY_BASE64. The second argument "
+ "specifes the file and/or directory containing the trusted CA "
+ "certificates (and global client certs for Netware) used to "
+ "validate the LDAP server. The third argument is an optional "
+ "passphrase if applicable."),
AP_INIT_TAKE23("LDAPTrustedClientCert", util_ldap_set_trusted_client_cert,
NULL, RSRC_CONF,
- "Takes three args; the file and/or directory containing "
- "the client certificate, or certificate ID used to "
- "validate this LDAP client. Second arg is the cert type "
- "for the first arg, one of CA_DER, CA_BASE64, CA_CERT7_DB, "
- "CA_SECMOD, CERT_DER, CERT_BASE64, CERT_KEY3_DB, "
- "CERT_NICKNAME, KEY_DER, or KEY_BASE64. Third arg is an "
- "optional passphrase if applicable."),
+ "Takes three arguments: the first argument is the certificate "
+ "type of the second argument, one of CA_DER, CA_BASE64, "
+ "CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64, CERT_KEY3_DB, "
+ "CERT_NICKNAME, KEY_DER, or KEY_BASE64. The second argument "
+ "specifies the file and/or directory containing the client "
+ "certificate, or certificate ID used to validate this LDAP "
+ "client. The third argument is an optional passphrase if "
+ "applicable."),
AP_INIT_TAKE1("LDAPTrustedMode", util_ldap_set_trusted_mode,
NULL, RSRC_CONF,
@@ -2394,14 +2699,24 @@
AP_INIT_FLAG("LDAPVerifyServerCert", util_ldap_set_verify_srv_cert,
NULL, RSRC_CONF,
- "Set to 'ON' requires that the server certificate be verified "
- "before a secure LDAP connection can be establish. Default 'ON'"),
+ "Set to 'ON' requires that the server certificate be verified"
+ " before a secure LDAP connection can be establish. Default"
+ " 'ON'"),
AP_INIT_TAKE1("LDAPConnectionTimeout", util_ldap_set_connection_timeout,
NULL, RSRC_CONF,
"Specify the LDAP socket connection timeout in seconds "
"(default: 10)"),
+ AP_INIT_FLAG("LDAPReferrals", util_ldap_set_chase_referrals,
+ NULL, OR_AUTHCFG,
+ "Choose whether referrals are chased ['ON'|'OFF']. Default 'ON'"),
+
+ AP_INIT_TAKE1("LDAPReferralHopLimit", util_ldap_set_referral_hop_limit,
+ NULL, OR_AUTHCFG,
+ "Limit the number of referral hops that LDAP can follow. "
+ "(Integer value, default=" AP_LDAP_DEFAULT_HOPLIMIT_STR ")"),
+
{NULL}
};
@@ -2426,7 +2741,7 @@
module AP_MODULE_DECLARE_DATA ldap_module = {
STANDARD20_MODULE_STUFF,
- NULL, /* create dir config */
+ util_ldap_create_dir_config, /* create dir config */
NULL, /* merge dir config */
util_ldap_create_config, /* create server config */
util_ldap_merge_config, /* merge server config */
Modified: httpd/sandbox/amsterdam/d/modules/ldap/util_ldap_cache_mgr.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/ldap/util_ldap_cache_mgr.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/ldap/util_ldap_cache_mgr.c (original)
+++ httpd/sandbox/amsterdam/d/modules/ldap/util_ldap_cache_mgr.c Mon Apr 7 09:28:58 2008
@@ -145,14 +145,32 @@
int i = 0;
util_compare_subgroup_t *sgl_out = NULL;
- if (!sgl_in) return NULL;
+ if (!sgl_in) {
+ return NULL;
+ }
sgl_out = (util_compare_subgroup_t *) util_ald_alloc(cache, sizeof(util_compare_subgroup_t));
- sgl_out->subgroupDNs = util_ald_alloc(cache, sizeof(char *) * sgl_in->len);
- sgl_out->len = sgl_in->len;
-
- for (i = 0; i < sgl_in->len; i++) {
- sgl_out->subgroupDNs[i] = util_ald_strdup(cache, sgl_in->subgroupDNs[i]);
+ if (sgl_out) {
+ sgl_out->subgroupDNs = util_ald_alloc(cache, sizeof(char *) * sgl_in->len);
+ if (sgl_out->subgroupDNs) {
+ for (i = 0; i < sgl_in->len; i++) {
+ sgl_out->subgroupDNs[i] = util_ald_strdup(cache, sgl_in->subgroupDNs[i]);
+ if (!sgl_out->subgroupDNs[i]) {
+ /* We ran out of SHM, delete the strings we allocated for the SGL */
+ for (i = (i - 1); i >= 0; i--) {
+ util_ald_free(cache, sgl_out->subgroupDNs[i]);
+ }
+ util_ald_free(cache, sgl_out->subgroupDNs);
+ util_ald_free(cache, sgl_out);
+ sgl_out = NULL;
+ break;
+ }
+ }
+ /* We were able to allocate new strings for all the subgroups */
+ if (sgl_out != NULL) {
+ sgl_out->len = sgl_in->len;
+ }
+ }
}
return sgl_out;
Modified: httpd/sandbox/amsterdam/d/modules/loggers/mod_log_forensic.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/loggers/mod_log_forensic.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/loggers/mod_log_forensic.c (original)
+++ httpd/sandbox/amsterdam/d/modules/loggers/mod_log_forensic.c Mon Apr 7 09:28:58 2008
@@ -195,8 +195,8 @@
if (!(id = apr_table_get(r->subprocess_env, "UNIQUE_ID"))) {
/* we make the assumption that we can't go through all the PIDs in
under 1 second */
- id = apr_psprintf(r->pool, "%x:%lx:%x", getpid(), time(NULL),
- apr_atomic_inc32(&next_id));
+ id = apr_psprintf(r->pool, "%" APR_PID_T_FMT ":%lx:%x", getpid(),
+ time(NULL), apr_atomic_inc32(&next_id));
}
ap_set_module_config(r->request_config, &log_forensic_module, (char *)id);
Modified: httpd/sandbox/amsterdam/d/modules/loggers/mod_logio.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/loggers/mod_logio.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/loggers/mod_logio.c (original)
+++ httpd/sandbox/amsterdam/d/modules/loggers/mod_logio.c Mon Apr 7 09:28:58 2008
@@ -66,6 +66,16 @@
}
/*
+ * Optional function for modules to adjust bytes_in
+ */
+
+static void ap_logio_add_bytes_in(conn_rec *c, apr_off_t bytes){
+ logio_config_t *cf = ap_get_module_config(c->conn_config, &logio_module);
+
+ cf->bytes_in += bytes;
+}
+
+/*
* Format items...
*/
@@ -162,6 +172,7 @@
AP_FTYPE_NETWORK - 1);
APR_REGISTER_OPTIONAL_FN(ap_logio_add_bytes_out);
+ APR_REGISTER_OPTIONAL_FN(ap_logio_add_bytes_in);
}
module AP_MODULE_DECLARE_DATA logio_module =
Modified: httpd/sandbox/amsterdam/d/modules/mappers/mod_dir.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/mappers/mod_dir.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/mappers/mod_dir.c (original)
+++ httpd/sandbox/amsterdam/d/modules/mappers/mod_dir.c Mon Apr 7 09:28:58 2008
@@ -176,7 +176,7 @@
name_ptr = apr_pstrcat(r->pool, name_ptr, "?", r->args, NULL);
}
- rr = ap_sub_req_lookup_uri(name_ptr, r, NULL);
+ rr = ap_sub_req_lookup_uri(name_ptr, r, r->output_filters);
/* The sub request lookup is very liberal, and the core map_to_storage
* handler will almost always result in HTTP_OK as /foo/index.html
Modified: httpd/sandbox/amsterdam/d/modules/mappers/mod_imagemap.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/mappers/mod_imagemap.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/mappers/mod_imagemap.c (original)
+++ httpd/sandbox/amsterdam/d/modules/mappers/mod_imagemap.c Mon Apr 7 09:28:58 2008
@@ -479,13 +479,16 @@
static void menu_header(request_rec *r, char *menu)
{
- ap_set_content_type(r, "text/html");
+ ap_set_content_type(r, "text/html; charset=ISO-8859-1");
- ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", r->uri,
- "</title>\n</head><body>\n", NULL);
+ ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ",
+ ap_escape_html(r->pool, r->uri),
+ "</title>\n</head><body>\n", NULL);
if (!strcasecmp(menu, "formatted")) {
- ap_rvputs(r, "<h1>Menu for ", r->uri, "</h1>\n<hr />\n\n", NULL);
+ ap_rvputs(r, "<h1>Menu for ",
+ ap_escape_html(r->pool, r->uri),
+ "</h1>\n<hr />\n\n", NULL);
}
return;
Modified: httpd/sandbox/amsterdam/d/modules/mappers/mod_negotiation.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/mappers/mod_negotiation.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/mappers/mod_negotiation.c (original)
+++ httpd/sandbox/amsterdam/d/modules/mappers/mod_negotiation.c Mon Apr 7 09:28:58 2008
@@ -1165,8 +1165,10 @@
/* Double check, we still don't multi-resolve non-ordinary files
*/
- if (sub_req->finfo.filetype != APR_REG)
+ if (sub_req->finfo.filetype != APR_REG) {
+ /* XXX sub req not destroyed -- may be a bug/unintentional ? */
continue;
+ }
/* If it has a handler, we'll pretend it's a CGI script,
* since that's a good indication of the sort of thing it
@@ -2712,7 +2714,7 @@
if (!variant->sub_req) {
int status;
- sub_req = ap_sub_req_lookup_file(variant->file_name, r, NULL);
+ sub_req = ap_sub_req_lookup_file(variant->file_name, r, r->output_filters);
status = sub_req->status;
if (status != HTTP_OK &&
@@ -3122,7 +3124,7 @@
* a sub_req structure yet. Get one now.
*/
- sub_req = ap_sub_req_lookup_file(best->file_name, r, NULL);
+ sub_req = ap_sub_req_lookup_file(best->file_name, r, r->output_filters);
if (sub_req->status != HTTP_OK) {
res = sub_req->status;
ap_destroy_sub_req(sub_req);
Modified: httpd/sandbox/amsterdam/d/modules/mappers/mod_rewrite.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/mappers/mod_rewrite.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/mappers/mod_rewrite.c (original)
+++ httpd/sandbox/amsterdam/d/modules/mappers/mod_rewrite.c Mon Apr 7 09:28:58 2008
@@ -235,6 +235,8 @@
char *);
char **argv; /* argv of the external rewrite map */
const char *dbdq; /* SQL SELECT statement for rewritemap */
+ const char *checkfile2; /* filename to check for map existence
+ NULL if only one file */
} rewritemap_entry;
/* special pattern types for RewriteCond */
@@ -1612,6 +1614,21 @@
ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
"mod_rewrite: can't access DBM RewriteMap file %s",
s->checkfile);
+ }
+ else if(s->checkfile2 != NULL) {
+ apr_finfo_t st2;
+
+ rv = apr_stat(&st2, s->checkfile2, APR_FINFO_MIN, r->pool);
+ if (rv != APR_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
+ "mod_rewrite: can't access DBM RewriteMap "
+ "file %s", s->checkfile2);
+ }
+ else if(st2.mtime > st.mtime) {
+ st.mtime = st2.mtime;
+ }
+ }
+ if(rv != APR_SUCCESS) {
rewritelog((r, 1, NULL,
"can't open DBM RewriteMap file, see error log"));
return NULL;
@@ -2927,6 +2944,7 @@
newmap->type = MAPTYPE_TXT;
newmap->datafile = fname;
newmap->checkfile = fname;
+ newmap->checkfile2= NULL;
newmap->cachename = apr_psprintf(cmd->pool, "%pp:%s",
(void *)cmd->server, a1);
}
@@ -2939,11 +2957,11 @@
newmap->type = MAPTYPE_RND;
newmap->datafile = fname;
newmap->checkfile = fname;
+ newmap->checkfile2= NULL;
newmap->cachename = apr_psprintf(cmd->pool, "%pp:%s",
(void *)cmd->server, a1);
}
else if (strncasecmp(a2, "dbm", 3) == 0) {
- const char *ignored_fname;
apr_status_t rv;
newmap->type = MAPTYPE_DBM;
@@ -2978,7 +2996,7 @@
rv = apr_dbm_get_usednames_ex(cmd->pool, newmap->dbmtype,
newmap->datafile, &newmap->checkfile,
- &ignored_fname);
+ &newmap->checkfile2);
if (rv != APR_SUCCESS) {
return apr_pstrcat(cmd->pool, "RewriteMap: dbm type ",
newmap->dbmtype, " is invalid", NULL);
@@ -3015,12 +3033,14 @@
newmap->type = MAPTYPE_PRG;
newmap->datafile = NULL;
newmap->checkfile = newmap->argv[0];
+ newmap->checkfile2= NULL;
newmap->cachename = NULL;
}
else if (strncasecmp(a2, "int:", 4) == 0) {
newmap->type = MAPTYPE_INT;
newmap->datafile = NULL;
newmap->checkfile = NULL;
+ newmap->checkfile2= NULL;
newmap->cachename = NULL;
newmap->func = (char *(*)(request_rec *,char *))
apr_hash_get(mapfunc_hash, a2+4, strlen(a2+4));
@@ -3038,6 +3058,7 @@
newmap->type = MAPTYPE_TXT;
newmap->datafile = fname;
newmap->checkfile = fname;
+ newmap->checkfile2= NULL;
newmap->cachename = apr_psprintf(cmd->pool, "%pp:%s",
(void *)cmd->server, a1);
}
@@ -4157,7 +4178,6 @@
APR_OPTIONAL_FN_TYPE(ap_register_rewrite_mapfunc) *map_pfn_register;
/* register int: rewritemap handlers */
- mapfunc_hash = apr_hash_make(pconf);
map_pfn_register = APR_RETRIEVE_OPTIONAL_FN(ap_register_rewrite_mapfunc);
if (map_pfn_register) {
map_pfn_register("tolower", rewrite_mapfunc_tolower);
@@ -4412,6 +4432,10 @@
return HTTP_FORBIDDEN;
}
+ if (rulestatus == ACTION_NOESCAPE) {
+ apr_table_setn(r->notes, "proxy-nocanon", "1");
+ }
+
/* make sure the QUERY_STRING and
* PATH_INFO parts get incorporated
*/
@@ -4954,6 +4978,10 @@
*/
static const char * const aszPre[]={ "mod_proxy.c", NULL };
+ /* make the hashtable before registering the function, so that
+ * other modules are prevented from accessing uninitialized memory.
+ */
+ mapfunc_hash = apr_hash_make(p);
APR_REGISTER_OPTIONAL_FN(ap_register_rewrite_mapfunc);
ap_hook_handler(handler_redirect, NULL, NULL, APR_HOOK_MIDDLE);
Modified: httpd/sandbox/amsterdam/d/modules/mappers/mod_so.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/mappers/mod_so.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/mappers/mod_so.c (original)
+++ httpd/sandbox/amsterdam/d/modules/mappers/mod_so.c Mon Apr 7 09:28:58 2008
@@ -88,7 +88,6 @@
#include "apr_strings.h"
#include "apr_errno.h"
-#define CORE_PRIVATE
#include "ap_config.h"
#include "httpd.h"
#include "http_config.h"
Modified: httpd/sandbox/amsterdam/d/modules/mappers/mod_speling.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/mappers/mod_speling.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/mappers/mod_speling.c (original)
+++ httpd/sandbox/amsterdam/d/modules/mappers/mod_speling.c Mon Apr 7 09:28:58 2008
@@ -225,12 +225,6 @@
return DECLINED;
}
- /* we default to reject path info (same as core handler) */
- if ((r->used_path_info != AP_REQ_ACCEPT_PATH_INFO) &&
- r->path_info && *r->path_info) {
- return DECLINED;
- }
-
/*
* The request should end up looking like this:
* r->uri: /correct-url/mispelling/more
Modified: httpd/sandbox/amsterdam/d/modules/metadata/mod_ident.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/metadata/mod_ident.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/metadata/mod_ident.c (original)
+++ httpd/sandbox/amsterdam/d/modules/metadata/mod_ident.c Mon Apr 7 09:28:58 2008
@@ -243,26 +243,18 @@
static const char *set_idcheck(cmd_parms *cmd, void *d_, int arg)
{
ident_config_rec *d = d_;
- const char *err = ap_check_cmd_context(cmd, NOT_IN_LIMIT);
- if (!err) {
- d->do_rfc1413 = arg ? 1 : 0;
- }
-
- return err;
+ d->do_rfc1413 = arg ? 1 : 0;
+ return NULL;
}
static const char *set_timeout(cmd_parms *cmd, void *d_, const char *arg)
{
ident_config_rec *d = d_;
- const char *err = ap_check_cmd_context(cmd, NOT_IN_LIMIT);
-
- if (!err) {
- d->timeout = apr_time_from_sec(atoi(arg));
- d->timeout_unset = 0;
- }
- return err;
+ d->timeout = apr_time_from_sec(atoi(arg));
+ d->timeout_unset = 0;
+ return NULL;
}
static void *create_ident_dir_config(apr_pool_t *p, char *d)
Modified: httpd/sandbox/amsterdam/d/modules/metadata/mod_unique_id.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/metadata/mod_unique_id.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/metadata/mod_unique_id.c (original)
+++ httpd/sandbox/amsterdam/d/modules/metadata/mod_unique_id.c Mon Apr 7 09:28:58 2008
@@ -304,7 +304,7 @@
new_unique_id.pid = cur_unique_id.pid;
new_unique_id.counter = cur_unique_id.counter;
- new_unique_id.stamp = htonl((unsigned int)r->request_time);
+ new_unique_id.stamp = htonl((unsigned int)apr_time_sec(r->request_time));
new_unique_id.thread_index = htonl((unsigned int)r->connection->id);
/* we'll use a temporal buffer to avoid uuencoding the possible internal
Modified: httpd/sandbox/amsterdam/d/modules/proxy/ajp.h
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/proxy/ajp.h?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/proxy/ajp.h (original)
+++ httpd/sandbox/amsterdam/d/modules/proxy/ajp.h Mon Apr 7 09:28:58 2008
@@ -132,7 +132,7 @@
#define AJP_HEADER_SZ_LEN 2
#define AJP_HEADER_SZ 6
#define AJP_MSG_BUFFER_SZ 8192
-#define AJP_MAX_BUFFER_SZ 16384
+#define AJP_MAX_BUFFER_SZ 65536
#define AJP13_MAX_SEND_BODY_SZ (AJP_MAX_BUFFER_SZ - AJP_HEADER_SZ)
#define AJP_PING_PONG_SZ 128
Modified: httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy.c (original)
+++ httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy.c Mon Apr 7 09:28:58 2008
@@ -14,8 +14,6 @@
* limitations under the License.
*/
-#define CORE_PRIVATE
-
#include "mod_proxy.h"
#include "mod_core.h"
#include "apr_optional.h"
@@ -176,6 +174,15 @@
return "KeepAlive must be On|Off";
worker->keepalive_set = 1;
}
+ else if (!strcasecmp(key, "disablereuse")) {
+ if (!strcasecmp(val, "on"))
+ worker->disablereuse = 1;
+ else if (!strcasecmp(val, "off"))
+ worker->disablereuse = 0;
+ else
+ return "DisableReuse must be On|Off";
+ worker->disablereuse_set = 1;
+ }
else if (!strcasecmp(key, "route")) {
/* Worker route.
*/
@@ -728,7 +735,8 @@
return DECLINED;
/* If host does contain a dot already, or it is "localhost", decline */
- if (strchr(r->parsed_uri.hostname, '.') != NULL
+ if (strchr(r->parsed_uri.hostname, '.') != NULL /* has domain, or IPv4 literal */
+ || strchr(r->parsed_uri.hostname, ':') != NULL /* IPv6 literal */
|| strcasecmp(r->parsed_uri.hostname, "localhost") == 0)
return DECLINED; /* host name has a dot already */
@@ -923,12 +931,41 @@
ents[i].hostname,
ents[i].port);
- /* an error or success */
- if (access_status != DECLINED &&
- access_status != HTTP_BAD_GATEWAY) {
- goto cleanup;
+ /* Did the scheme handler process the request? */
+ if (access_status != DECLINED) {
+ const char *cl_a;
+ char *end;
+ apr_off_t cl;
+
+ /*
+ * An fatal error or success, so no point in
+ * retrying with a direct connection.
+ */
+ if (access_status != HTTP_BAD_GATEWAY) {
+ goto cleanup;
+ }
+ cl_a = apr_table_get(r->headers_in, "Content-Length");
+ if (cl_a) {
+ apr_strtoff(&cl, cl_a, &end, 0);
+ /*
+ * The request body is of length > 0. We cannot
+ * retry with a direct connection since we already
+ * sent (parts of) the request body to the proxy
+ * and do not have any longer.
+ */
+ if (cl > 0) {
+ goto cleanup;
+ }
+ }
+ /*
+ * Transfer-Encoding was set as input header, so we had
+ * a request body. We cannot retry with a direct
+ * connection for the same reason as above.
+ */
+ if (apr_table_get(r->headers_in, "Transfer-Encoding")) {
+ goto cleanup;
+ }
}
- /* we failed to talk to the upstream proxy */
}
}
}
@@ -1120,6 +1157,9 @@
new->cookie_domain_str = base->cookie_domain_str;
new->interpolate_env = (add->interpolate_env == -1) ? base->interpolate_env
: add->interpolate_env;
+ new->ftp_directory_charset = add->ftp_directory_charset ?
+ add->ftp_directory_charset :
+ base->ftp_directory_charset;
return new;
}
@@ -1834,6 +1874,15 @@
return NULL;
}
+static const char *set_ftp_directory_charset(cmd_parms *cmd, void *dconf,
+ const char *arg)
+{
+ proxy_dir_conf *conf = dconf;
+
+ conf->ftp_directory_charset = arg;
+ return NULL;
+}
+
static void ap_add_per_proxy_conf(server_rec *s, ap_conf_vector_t *dir_config)
{
proxy_server_conf *sconf = ap_get_module_config(s->module_config,
@@ -1857,8 +1906,7 @@
proxy_balancer *balancer = NULL;
proxy_worker *worker = NULL;
- const char *err = ap_check_cmd_context(cmd,
- NOT_IN_DIR_LOC_FILE|NOT_IN_LIMIT);
+ const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE);
proxy_server_conf *sconf =
(proxy_server_conf *) ap_get_module_config(cmd->server->module_config, &proxy_module);
@@ -2044,6 +2092,8 @@
"Configure Status: proxy status to one of: on | off | full"),
AP_INIT_RAW_ARGS("ProxySet", set_proxy_param, NULL, RSRC_CONF|ACCESS_CONF,
"A balancer or worker name with list of params"),
+ AP_INIT_TAKE1("ProxyFtpDirCharset", set_ftp_directory_charset, NULL,
+ RSRC_CONF|ACCESS_CONF, "Define the character set for proxied FTP listings"),
{NULL}
};
Modified: httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy.h
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy.h?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy.h (original)
+++ httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy.h Mon Apr 7 09:28:58 2008
@@ -42,8 +42,6 @@
*/
-#define CORE_PRIVATE
-
#include "apr_hooks.h"
#include "apr.h"
#include "apr_lib.h"
@@ -214,6 +212,7 @@
const apr_strmatch_pattern* cookie_path_str;
const apr_strmatch_pattern* cookie_domain_str;
int interpolate_env;
+ const char *ftp_directory_charset;
} proxy_dir_conf;
/* if we interpolate env vars per-request, we'll need a per-request
@@ -230,7 +229,7 @@
const char *hostname;
apr_port_t port;
int is_ssl;
- apr_pool_t *pool; /* Subpool used for creating socket */
+ apr_pool_t *pool; /* Subpool for hostname and addr data */
apr_socket_t *sock; /* Connection socket */
apr_sockaddr_t *addr; /* Preparsed remote address info */
apr_uint32_t flags; /* Conection flags */
@@ -240,6 +239,11 @@
#if APR_HAS_THREADS
int inreslist; /* connection in apr_reslist? */
#endif
+ apr_pool_t *scpool; /* Subpool used for socket and connection data */
+ request_rec *r; /* Request record of the frontend request
+ * which the backend currently answers. */
+ int need_flush;/* Flag to decide whether we need to flush the
+ * filter chain or not */
} proxy_conn_rec;
typedef struct {
@@ -346,6 +350,8 @@
char ping_timeout_set;
int lbset; /* load balancer cluster set */
char retry_set;
+ char disablereuse;
+ char disablereuse_set;
};
/*
@@ -483,6 +489,8 @@
PROXY_DECLARE(void) ap_proxy_table_unmerge(apr_pool_t *p, apr_table_t *t, char *key);
/* DEPRECATED (will be replaced with ap_proxy_connect_backend */
PROXY_DECLARE(int) ap_proxy_connect_to_backend(apr_socket_t **, const char *, apr_sockaddr_t *, const char *, proxy_server_conf *, server_rec *, apr_pool_t *);
+PROXY_DECLARE(apr_status_t) ap_proxy_ssl_connection_cleanup(proxy_conn_rec *conn,
+ request_rec *r);
PROXY_DECLARE(int) ap_proxy_ssl_enable(conn_rec *c);
PROXY_DECLARE(int) ap_proxy_ssl_disable(conn_rec *c);
PROXY_DECLARE(int) ap_proxy_conn_is_https(conn_rec *c);
Modified: httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy_ajp.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy_ajp.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy_ajp.c (original)
+++ httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy_ajp.c Mon Apr 7 09:28:58 2008
@@ -89,6 +89,37 @@
return OK;
}
+#define METHOD_NON_IDEMPOTENT 0
+#define METHOD_IDEMPOTENT 1
+#define METHOD_IDEMPOTENT_WITH_ARGS 2
+
+static int is_idempotent(request_rec *r)
+{
+ /*
+ * RFC2616 (9.1.2): GET, HEAD, PUT, DELETE, OPTIONS, TRACE are considered
+ * idempotent. Hint: HEAD requests use M_GET as method number as well.
+ */
+ switch (r->method_number) {
+ case M_GET:
+ case M_DELETE:
+ case M_PUT:
+ case M_OPTIONS:
+ case M_TRACE:
+ /*
+ * If the request has arguments it might have side-effects and thus
+ * it might be undesirable to resent it to a backend again
+ * automatically.
+ */
+ if (r->args) {
+ return METHOD_IDEMPOTENT_WITH_ARGS;
+ }
+ return METHOD_IDEMPOTENT;
+ /* Everything else is not considered idempotent. */
+ default:
+ return METHOD_NON_IDEMPOTENT;
+ }
+}
+
/*
* XXX: AJP Auto Flushing
*
@@ -122,7 +153,7 @@
apr_bucket_brigade *input_brigade;
apr_bucket_brigade *output_brigade;
ajp_msg_t *msg;
- apr_size_t bufsiz;
+ apr_size_t bufsiz = 0;
char *buff;
apr_uint16_t size;
const char *tenc;
@@ -161,8 +192,17 @@
conn->worker->hostname);
if (status == AJP_EOVERFLOW)
return HTTP_BAD_REQUEST;
- else
- return HTTP_SERVICE_UNAVAILABLE;
+ else {
+ /*
+ * This is only non fatal when the method is idempotent. In this
+ * case we can dare to retry it with a different worker if we are
+ * a balancer member.
+ */
+ if (is_idempotent(r) == METHOD_IDEMPOTENT) {
+ return HTTP_SERVICE_UNAVAILABLE;
+ }
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
}
/* allocate an AJP message to store the data of the buckets */
@@ -231,7 +271,11 @@
"proxy: send failed to %pI (%s)",
conn->worker->cp->addr,
conn->worker->hostname);
- return HTTP_SERVICE_UNAVAILABLE;
+ /*
+ * It is fatal when we failed to send a (part) of the request
+ * body.
+ */
+ return HTTP_INTERNAL_SERVER_ERROR;
}
conn->worker->s->transferred += bufsiz;
}
@@ -249,7 +293,16 @@
"proxy: read response failed from %pI (%s)",
conn->worker->cp->addr,
conn->worker->hostname);
- return HTTP_SERVICE_UNAVAILABLE;
+ /*
+ * This is only non fatal when we have not sent (parts) of a possible
+ * request body so far (we do not store it and thus cannot sent it
+ * again) and the method is idempotent. In this case we can dare to
+ * retry it with a different worker if we are a balancer member.
+ */
+ if ((bufsiz == 0) && (is_idempotent(r) == METHOD_IDEMPOTENT)) {
+ return HTTP_SERVICE_UNAVAILABLE;
+ }
+ return HTTP_INTERNAL_SERVER_ERROR;
}
/* parse the reponse */
result = ajp_parse_type(r, conn->data);
@@ -533,16 +586,14 @@
"proxy: AJP: serving URL %s", url);
/* create space for state information */
- if (!backend) {
- status = ap_proxy_acquire_connection(scheme, &backend, worker,
- r->server);
- if (status != OK) {
- if (backend) {
- backend->close = 1;
- ap_proxy_release_connection(scheme, backend, r->server);
- }
- return status;
+ status = ap_proxy_acquire_connection(scheme, &backend, worker,
+ r->server);
+ if (status != OK) {
+ if (backend) {
+ backend->close = 1;
+ ap_proxy_release_connection(scheme, backend, r->server);
}
+ return status;
}
backend->is_ssl = 0;
Modified: httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy_balancer.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy_balancer.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy_balancer.c (original)
+++ httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy_balancer.c Mon Apr 7 09:28:58 2008
@@ -16,18 +16,12 @@
/* Load balancer module for Apache proxy */
-#define CORE_PRIVATE
-
#include "mod_proxy.h"
#include "scoreboard.h"
#include "ap_mpm.h"
#include "apr_version.h"
#include "apr_hooks.h"
-#if APR_HAVE_UNISTD_H
-#include <unistd.h> /* for getpid() */
-#endif
-
module AP_MODULE_DECLARE_DATA proxy_balancer_module;
static int proxy_balancer_canon(request_rec *r, char *url)
@@ -675,7 +669,7 @@
proxy_worker *ws;
ws = ap_proxy_get_worker(r->pool, conf, name);
- if (ws) {
+ if (bsel && ws) {
worker = (proxy_worker *)bsel->workers->elts;
for (n = 0; n < bsel->workers->nelts; n++) {
if (strcasecmp(worker->name, ws->name) == 0) {
@@ -757,7 +751,7 @@
ap_rputs("</httpd:manager>", r);
}
else {
- ap_set_content_type(r, "text/html");
+ ap_set_content_type(r, "text/html; charset=ISO-8859-1");
ap_rputs(DOCTYPE_HTML_3_2
"<html><head><title>Balancer Manager</title></head>\n", r);
ap_rputs("<body><h1>Load Balancer Manager for ", r);
@@ -807,8 +801,10 @@
ap_escape_uri(r->pool, worker->name),
"\">", NULL);
ap_rvputs(r, worker->name, "</a></td>", NULL);
- ap_rvputs(r, "<td>", worker->s->route, NULL);
- ap_rvputs(r, "</td><td>", worker->s->redirect, NULL);
+ ap_rvputs(r, "<td>", ap_escape_html(r->pool, worker->s->route),
+ NULL);
+ ap_rvputs(r, "</td><td>",
+ ap_escape_html(r->pool, worker->s->redirect), NULL);
ap_rprintf(r, "</td><td>%d</td>", worker->s->lbfactor);
ap_rprintf(r, "<td>%d</td><td>", worker->s->lbset);
if (worker->s->status & PROXY_WORKER_DISABLED)
@@ -846,10 +842,12 @@
ap_rputs("<tr><td>LB Set:</td><td><input name=\"ls\" type=text ", r);
ap_rprintf(r, "value=\"%d\"></td></tr>\n", wsel->s->lbset);
ap_rputs("<tr><td>Route:</td><td><input name=\"wr\" type=text ", r);
- ap_rvputs(r, "value=\"", wsel->s->route, NULL);
+ ap_rvputs(r, "value=\"", ap_escape_html(r->pool, wsel->s->route),
+ NULL);
ap_rputs("\"></td></tr>\n", r);
ap_rputs("<tr><td>Route Redirect:</td><td><input name=\"rr\" type=text ", r);
- ap_rvputs(r, "value=\"", wsel->s->redirect, NULL);
+ ap_rvputs(r, "value=\"", ap_escape_html(r->pool, wsel->s->redirect),
+ NULL);
ap_rputs("\"></td></tr>\n", r);
ap_rputs("<tr><td>Status:</td><td>Disabled: <input name=\"dw\" value=\"Disable\" type=radio", r);
if (wsel->s->status & PROXY_WORKER_DISABLED)
Modified: httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy_connect.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy_connect.c?rev=645594&r1=645593&r2=645594&view=diff
==============================================================================
--- httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy_connect.c (original)
+++ httpd/sandbox/amsterdam/d/modules/proxy/mod_proxy_connect.c Mon Apr 7 09:28:58 2008
@@ -16,8 +16,6 @@
/* CONNECT method for Apache proxy */
-#define CORE_PRIVATE
-
#include "mod_proxy.h"
#include "apr_poll.h"