You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@apr.apache.org by bn...@apache.org on 2006/06/05 20:54:37 UTC

svn commit: r411890 - /apr/apr-util/trunk/include/apr_ldap_init.h

Author: bnicholes
Date: Mon Jun  5 11:54:37 2006
New Revision: 411890

URL: http://svn.apache.org/viewvc?rev=411890&view=rev
Log:
Since no all LDAP SDKs support the LDAP_SECURITY_ERROR macro, define the common macro APU_LDAP_SECURITY_ERROR.

Modified:
    apr/apr-util/trunk/include/apr_ldap_init.h

Modified: apr/apr-util/trunk/include/apr_ldap_init.h
URL: http://svn.apache.org/viewvc/apr/apr-util/trunk/include/apr_ldap_init.h?rev=411890&r1=411889&r2=411890&view=diff
==============================================================================
--- apr/apr-util/trunk/include/apr_ldap_init.h (original)
+++ apr/apr-util/trunk/include/apr_ldap_init.h Mon Jun  5 11:54:37 2006
@@ -35,6 +35,27 @@
 extern "C" {
 #endif /* __cplusplus */
 
+
+/**
+ * Macro to detect security related return values.
+ */
+#if defined(LDAP_INSUFFICIENT_ACCESS)
+#define APU_LDAP_INSUFFICIENT_ACCESS LDAP_INSUFFICIENT_ACCESS
+#elif defined(LDAP_INSUFFICIENT_RIGHTS)
+#define APU_LDAP_INSUFFICIENT_ACCESS LDAP_INSUFFICIENT_RIGHTS
+#endif
+
+#if defined(LDAP_SECURITY_ERROR1)
+#define APU_LDAP_SECURITY_ERROR LDAP_SECURITY_ERROR
+#else
+#define APU_LDAP_SECURITY_ERROR(n)	\
+    (LDAP_INAPPROPRIATE_AUTH == n) ? 1 \
+    : (LDAP_INVALID_CREDENTIALS == n) ? 1 \
+    : (APU_LDAP_INSUFFICIENT_ACCESS == n) ? 1 \
+    : 0
+#endif
+
+
 /**
  * APR LDAP SSL Initialise function
  *

Re: svn commit: r411890 - /apr/apr-util/trunk/include/apr_ldap_init.h

Posted by Garrett Rooney <ro...@electricjellyfish.net>.

On 6/5/06, Brad Nicholes <BN...@novell.com> wrote:

> Yeah, but I'm not sure what a reasonable default is given that the
> actual values are coming from various LDAP SDKs.  From what I have been
> able to find so far, these are the only two possible values given the
> LDAP SDKs that we support.

In that case, a #error "please add support for this LDAP SDK" seems
appropriate...

-garrett

Re: svn commit: r411890 - /apr/apr-util/trunk/include/apr_ldap_init.h

Posted by Brad Nicholes <BN...@novell.com>.

>>> On 6/5/2006 at 1:27 PM, in message
<60...@gbiv.com>, "Roy T. Fielding"
<fi...@gbiv.com> wrote:
> On Jun 5, 2006, at 11:54 AM, bnicholes@apache.org wrote:
> 
>>
====================================================================== 
>> ========
>> --- apr/apr-util/trunk/include/apr_ldap_init.h (original)
>> +++ apr/apr-util/trunk/include/apr_ldap_init.h Mon Jun  5 11:54:37 

>> 2006
>> @@ -35,6 +35,27 @@
>>  extern "C" {
>>  #endif /* __cplusplus */
>>
>> +
>> +/**
>> + * Macro to detect security related return values.
>> + */
>> +#if defined(LDAP_INSUFFICIENT_ACCESS)
>> +#define APU_LDAP_INSUFFICIENT_ACCESS LDAP_INSUFFICIENT_ACCESS
>> +#elif defined(LDAP_INSUFFICIENT_RIGHTS)
>> +#define APU_LDAP_INSUFFICIENT_ACCESS LDAP_INSUFFICIENT_RIGHTS
>> +#endif
> 
> Shouldn't that end with
> 
>    #else
>    #define APU_LDAP_INSUFFICIENT_ACCESS (some reasonable default)
>    #endif
> 
> It seems odd just to leave it undefined.
> 
> ....Ro

Yeah, but I'm not sure what a reasonable default is given that the
actual values are coming from various LDAP SDKs.  From what I have been
able to find so far, these are the only two possible values given the
LDAP SDKs that we support.

Brad

Re: svn commit: r411890 - /apr/apr-util/trunk/include/apr_ldap_init.h

Posted by Brad Nicholes <BN...@novell.com>.

>>> On 6/5/2006 at 4:21 PM, in message <44...@rowe-clan.net>,
"William A.
Rowe, Jr." <wr...@rowe-clan.net> wrote:
> Roy T. Fielding wrote:
>> On Jun 5, 2006, at 11:54 AM, bnicholes@apache.org wrote:
>> 
>>> +/**
>>> + * Macro to detect security related return values.
>>> + */
>>> +#if defined(LDAP_INSUFFICIENT_ACCESS)
>>> +#define APU_LDAP_INSUFFICIENT_ACCESS LDAP_INSUFFICIENT_ACCESS
>>> +#elif defined(LDAP_INSUFFICIENT_RIGHTS)
>>> +#define APU_LDAP_INSUFFICIENT_ACCESS LDAP_INSUFFICIENT_RIGHTS
>>> +#endif
>> 
>> Shouldn't that end with
>> 
>>   #else
>>   #define APU_LDAP_INSUFFICIENT_ACCESS (some reasonable default)
>>   #endif
>> 
>> It seems odd just to leave it undefined.
> 
> Actually, aren't we leaving out the possiblity that both symbols
exist
> with slightly different meanings?
> 
> #if defined(LDAP_INSUFFICIENT_RIGHTS) and
defined(LDAP_INSUFFICIENT_RIGHTS)
> #define APU_LDAP_INSUFFICIENT_ACCESS(rc) ((rc ==
LDAP_INSUFFICIENT_ACCESS) \
>                                         || (rc ==
LDAP_INSUFFICIENT_RIGHTS)
> 
> 
> We made these mistakes before in httpd which is why apr_errno.h is
now
> the way it is.
> 
> Bil

Yes, that is a possibility but in this case with the small number of
LDAP SDKs that we support, I haven't found any evidence that it is
nothing more that a remote possibility.  But I have found evidence that
they are two distinct #defines that share the same meaning.

Brad

Re: svn commit: r411890 - /apr/apr-util/trunk/include/apr_ldap_init.h

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.

Roy T. Fielding wrote:
> On Jun 5, 2006, at 11:54 AM, bnicholes@apache.org wrote:
> 
>> +/**
>> + * Macro to detect security related return values.
>> + */
>> +#if defined(LDAP_INSUFFICIENT_ACCESS)
>> +#define APU_LDAP_INSUFFICIENT_ACCESS LDAP_INSUFFICIENT_ACCESS
>> +#elif defined(LDAP_INSUFFICIENT_RIGHTS)
>> +#define APU_LDAP_INSUFFICIENT_ACCESS LDAP_INSUFFICIENT_RIGHTS
>> +#endif
> 
> Shouldn't that end with
> 
>   #else
>   #define APU_LDAP_INSUFFICIENT_ACCESS (some reasonable default)
>   #endif
> 
> It seems odd just to leave it undefined.

Actually, aren't we leaving out the possiblity that both symbols exist
with slightly different meanings?

#if defined(LDAP_INSUFFICIENT_RIGHTS) and defined(LDAP_INSUFFICIENT_RIGHTS)
#define APU_LDAP_INSUFFICIENT_ACCESS(rc) ((rc == LDAP_INSUFFICIENT_ACCESS) \
                                        || (rc == LDAP_INSUFFICIENT_RIGHTS)


We made these mistakes before in httpd which is why apr_errno.h is now
the way it is.

Bill

Re: svn commit: r411890 - /apr/apr-util/trunk/include/apr_ldap_init.h

Posted by "Roy T. Fielding" <fi...@gbiv.com>.

On Jun 5, 2006, at 11:54 AM, bnicholes@apache.org wrote:

> ====================================================================== 
> ========
> --- apr/apr-util/trunk/include/apr_ldap_init.h (original)
> +++ apr/apr-util/trunk/include/apr_ldap_init.h Mon Jun  5 11:54:37  
> 2006
> @@ -35,6 +35,27 @@
>  extern "C" {
>  #endif /* __cplusplus */
>
> +
> +/**
> + * Macro to detect security related return values.
> + */
> +#if defined(LDAP_INSUFFICIENT_ACCESS)
> +#define APU_LDAP_INSUFFICIENT_ACCESS LDAP_INSUFFICIENT_ACCESS
> +#elif defined(LDAP_INSUFFICIENT_RIGHTS)
> +#define APU_LDAP_INSUFFICIENT_ACCESS LDAP_INSUFFICIENT_RIGHTS
> +#endif

Shouldn't that end with

   #else
   #define APU_LDAP_INSUFFICIENT_ACCESS (some reasonable default)
   #endif

It seems odd just to leave it undefined.

....Roy