Posted to dev@httpd.apache.org by Brad Nicholes <BN...@novell.com> on 2008/01/24 16:33:59 UTC

Re: svn commit: r614605 - in /httpd/httpd/trunk: include/util_ldap.h modules/ldap/util_ldap.c

>>> On 1/23/2008 at 7:25 PM, in message <47...@remulak.net>, "Paul J. Reder" <re...@remulak.net> wrote:

> 
> Ruediger Pluem wrote:
>> 
>> On 01/23/2008 07:14 PM, rederpj@apache.org wrote:
>>> Author: rederpj
>>> Date: Wed Jan 23 10:14:41 2008
>>> New Revision: 614605
>>>
>>> URL: http://svn.apache.org/viewvc?rev=614605&view=rev 
>>> Log:
>>> This adds Apache support (taking advantage of the new APR capability)
>>> for ldap rebind callback while chasing referrals. This allows direct
>>> searches on LDAP servers (in particular MS Active Directory 2003+)
>>> using referrals without the use of the global catalog.
>>> This addresses PRs 26538, 40268, and 42557
> 
>  >> @@ -2614,6 +2710,15 @@
>  >>                    "Specify the LDAP socket connection timeout in seconds 
> "
>  >>                    "(default: 10)"),
>  >>
>  >> +    AP_INIT_FLAG("LDAPReferrals", util_ldap_set_chase_referrals,
>  >> +                  NULL, OR_AUTHCFG,
>  >> +                  "Choose whether referrals are chased ['ON'|'OFF'].  
> Default ON'"),
>  >> +
>  >> +    AP_INIT_TAKE1("LDAPReferralHopLimit", 
> util_ldap_set_referral_hop_limit,
>  >> +                  NULL, OR_AUTHCFG,
>  >> +                  "Limit the number of referral hops that LDAP can 
> follow. "
>  >> +                  "(Integer value, default=5)"),
>  >> +
>  >>      {NULL}
>  >>  };
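
Review bot: The LDAPReferrals help string ends with a stray apostrophe ("Default ON'"), which is what administrators will see in the directive's help text; drop it so the string reads "Default ON". Both new directives are also registered with OR_AUTHCFG, so they can be set from .htaccess wherever AllowOverride AuthConfig is granted; if referral chasing and the hop limit are meant to be an administrator decision, RSRC_CONF would be the matching scope. The LDAPReferralHopLimit help text promises an integer, so util_ldap_set_referral_hop_limit should reject non-numeric and negative values; that handler is not visible in this hunk.
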
> 
>>> @@ -2638,7 +2743,7 @@
>>>  
>>>  module AP_MODULE_DECLARE_DATA ldap_module = {
>>>     STANDARD20_MODULE_STUFF,
>>> -   NULL,                        /* create dir config */
>>> +   util_ldap_create_dir_config, /* create dir config */
>>>     NULL,                        /* merge dir config */
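
Review bot: The merge dir config slot directly below the new util_ldap_create_dir_config entry is still NULL, so a nested section or .htaccess that sets only one of the referral directives gets a freshly created per-directory config, and the other setting falls back to its default instead of being inherited. Either add a merge function that carries unset values down from the parent, or move the settings to the server config if per-directory scope is not needed.
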
>> 
>> Why no merge dir config? How do you inherit your settings in this case?
> 
> Now that you ask that question it makes me realize that the better question is
> probably "Should the directives be directory scoped or server scoped?" The rest
> of the util_ldap directives are all server scoped. Is there any compelling reason
> that the referral directives would need to be alterable on a directory-by-directory
> (or htaccess) basis or should it be turned on/off and limited on a server-wide scope?
> 

I wish I had a better memory, but I vaguely recall going down this path once before between server-merge and dir-merge (mailing list archives might remember better than I do). I know that when it comes to anything SSL related, not all LDAP SDKs can handle per-directory options, Novell LDAP SDK being one of them. So when it comes to setting options on a per-directory basis, it might get a little tricky depending on the LDAP SDK that is being used.

Brad