Posted to cvs@httpd.apache.org by sf...@apache.org on 2011/05/21 10:13:59 UTC
svn commit: r1125646 - in /httpd/httpd/trunk: CHANGES modules/aaa/mod_authnz_ldap.c
Author: sf
Date: Sat May 21 08:13:59 2011
New Revision: 1125646
URL: http://svn.apache.org/viewvc?rev=1125646&view=rev
Log:
Some LDAP servers (wrongly) return LDAP_CONSTRAINT_VIOLATION if a user is
locked due to too many password retries. This should not cause an internal
server error but be treated as "auth denied".
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1125646&r1=1125645&r2=1125646&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sat May 21 08:13:59 2011
@@ -2,6 +2,9 @@
Changes with Apache 2.3.13
+ *) mod_authnz_ldap: If the LDAP server returns constraint violation,
+ don't treat this as an error but as "auth denied". [Stefan Fritsch]
+
*) mod_proxy_fcgi|scgi: Add support for "best guess" of PATH_INFO
for SCGI/FCGI. PR 50880, 50851. [Mark Montague <mark catseye.org>,
Jim Jagielski]
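Review bot: the new CHANGES entry does not name the symptom an administrator would search for. The commit log says the old behaviour was an internal server error when a user is locked after too many password retries, but the entry only says "don't treat this as an error". Suggest wording along the lines of "If the LDAP server returns constraint violation (e.g. for a locked account), return "auth denied" instead of an internal server error."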
Modified: httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c?rev=1125646&r1=1125645&r2=1125646&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c Sat May 21 08:13:59 2011
@@ -568,6 +568,12 @@ start_over:
: (LDAP_INSUFFICIENT_RIGHTS == result) ? AUTH_DENIED
#endif
#endif
+#ifdef LDAP_CONSTRAINT_VIOLATION
+ /* At least Sun Directory Server sends this if a user is
+ * locked. This is not covered by LDAP_SECURITY_ERROR.
+ */
+ : (LDAP_CONSTRAINT_VIOLATION == result) ? AUTH_DENIED
+#endif
: AUTH_GENERAL_ERROR;
}
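Review bot: the added arm `: (LDAP_CONSTRAINT_VIOLATION == result) ? AUTH_DENIED` applies to every constraint violation from any server, while the comment justifies it only for the locked-account case on Sun Directory Server. After this change a lockout, a wrong password and any other constraint violation all come back as AUTH_DENIED, so nothing in the return value lets an operator tell them apart. The visible lines do not show whether the raw result code is logged before this mapping; if it is not, consider logging it at this point so lockouts remain visible in the error log. Access is still refused on this path, so the change fails closed. It would also help to extend the comment to say that the mapping is deliberately unconditional, so a later reader does not take it for a Sun-specific special case.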