You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by co...@apache.org on 2009/11/18 16:49:48 UTC
svn commit: r881808 - in /httpd/httpd/trunk: CHANGES
modules/aaa/mod_authnz_ldap.c
Author: covener
Date: Wed Nov 18 15:49:48 2009
New Revision: 881808
URL: http://svn.apache.org/viewvc?rev=881808&view=rev
Log:
Add AuthLDAPBindAuthoritative to allow other authentication providers a chance
to run when mod_authnz_ldap finds a user but can't verify their password.
Submitted By: Justin Erenkrantz, Joe Schaefer, Tony Stevenson
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=881808&r1=881807&r2=881808&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Wed Nov 18 15:49:48 2009
@@ -10,6 +10,10 @@
mod_proxy_ftp: NULL pointer dereference on error paths.
[Stefan Fritsch <sf fritsch.de>, Joe Orton]
+ *) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to
+ try other providers in the case of an LDAP bind failure.
+ PR 46608 [Justin Erenkrantz, Joe Schaefer, Tony Stevenson]
+
*) Build: fix --with-module to work as documented
PR 43881 [Gez Saunders <gez.saunders virgin.net>]
Modified: httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c?rev=881808&r1=881807&r2=881808&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c Wed Nov 18 15:49:48 2009
@@ -63,6 +63,7 @@
deref_options deref; /* how to handle alias dereferening */
char *binddn; /* DN to bind to server (can be NULL) */
char *bindpw; /* Password to bind to server (can be NULL) */
+ int bind_authoritative; /* If true, will return errors when bind fails */
int user_is_dn; /* If true, connection->user is DN instead of userid */
char *remote_user_attribute; /* If set, connection->user is this attribute instead of userid */
@@ -296,6 +297,7 @@
sec->host = NULL;
sec->binddn = NULL;
sec->bindpw = NULL;
+ sec->bind_authoritative = 1;
sec->deref = always;
sec->group_attrib_is_dn = 1;
sec->secure = -1; /*Initialize to unset*/
@@ -407,6 +409,14 @@
/* handle bind failure */
if (result != LDAP_SUCCESS) {
+ if (!sec->bind_authoritative) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] auth_ldap authenticate: "
+ "user %s authentication failed; URI %s [%s][%s] (not authoritative)",
+ getpid(), user, r->uri, ldc->reason, ldap_err2string(result));
+ return AUTH_USER_NOT_FOUND;
+ }
+
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
"[%" APR_PID_T_FMT "] auth_ldap authenticate: "
"user %s authentication failed; URI %s [%s][%s]",
@@ -1425,6 +1435,10 @@
(void *)APR_OFFSETOF(authn_ldap_config_t, bindpw), OR_AUTHCFG,
"Password to use to bind to LDAP server. If not provided, will do an anonymous bind."),
+ AP_INIT_FLAG("AuthLDAPBindAuthoritative", ap_set_flag_slot,
+ (void *)APR_OFFSETOF(authn_ldap_config_t, bind_authoritative), OR_AUTHCFG,
+ "Set to 'on' to return failures when user-specific bind fails - defaults to on."),
+
AP_INIT_FLAG("AuthLDAPRemoteUserIsDN", ap_set_flag_slot,
(void *)APR_OFFSETOF(authn_ldap_config_t, user_is_dn), OR_AUTHCFG,
"Set to 'on' to set the REMOTE_USER environment variable to be the full "