
Now really fix mod auth ldap (#1066)

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2318 152afb58-edef-0310-8abb-c4023f1b3aa9
Stefan Bühler 13 years ago
  1. 1
      NEWS
  2. 43
      src/http_auth.c
  3. 2
      src/http_auth.h
  4. 9
      src/mod_auth.c

1
NEWS

@ -8,6 +8,7 @@ NEWS
* Fix base64 decoding in mod_auth (#1757, thx guido)
* Fix mod_cgi segfault when bound to unix domain socket (#653)
* Do not rely on ioctl FIONREAD (#673)
* Now really fix mod auth ldap (#1066)
- 1.4.20 - 2008-09-30

43
src/http_auth.c

@ -700,7 +700,7 @@ static int http_auth_basic_password_compare(server *srv, mod_auth_plugin_data *p
}
} else if (p->conf.auth_backend == AUTH_BACKEND_LDAP) {
#ifdef USE_LDAP
LDAP *ldap = NULL;
LDAP *ldap;
LDAPMessage *lm, *first;
char *dn;
int ret;
@ -745,56 +745,45 @@ static int http_auth_basic_password_compare(server *srv, mod_auth_plugin_data *p
buffer_append_string_buffer(p->ldap_filter, username);
buffer_append_string_buffer(p->ldap_filter, p->conf.ldap_filter_post);
/* 2. */
if (p->conf.ldap == NULL ||
LDAP_SUCCESS != (ret = ldap_search_s(p->conf.ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
/* try again if ldap was only temporary down */
if (p->conf.ldap == NULL || ret != LDAP_SERVER_DOWN || LDAP_SUCCESS != (ret = ldap_search_s(p->conf.ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
if (auth_ldap_init(srv, &p->conf) != HANDLER_GO_ON)
if (p->anon_conf->ldap == NULL ||
LDAP_SUCCESS != (ret = ldap_search_s(p->anon_conf->ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
/* try again; the ldap library sometimes fails for the first call but reconnects */
if (p->anon_conf->ldap == NULL || ret != LDAP_SERVER_DOWN ||
LDAP_SUCCESS != (ret = ldap_search_s(p->anon_conf->ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
if (auth_ldap_init(srv, p->anon_conf) != HANDLER_GO_ON)
return -1;
ldap = p->conf.ldap; /* save temporary ldap connection (TODO: redo ldap) */
if (LDAP_SUCCESS != (ret = ldap_search_s(p->conf.ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
if (p->anon_conf->ldap == NULL ||
LDAP_SUCCESS != (ret = ldap_search_s(p->anon_conf->ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
log_error_write(srv, __FILE__, __LINE__, "sssb",
"ldap:", ldap_err2string(ret), "filter:", p->ldap_filter);
/* destroy temporary ldap connection (TODO: redo ldap) */
ldap_unbind_s(ldap);
return -1;
}
}
}
if (NULL == (first = ldap_first_entry(p->conf.ldap, lm))) {
/* No matching entry is not an error */
/* log_error_write(srv, __FILE__, __LINE__, "s", "ldap ..."); */
if (NULL == (first = ldap_first_entry(p->anon_conf->ldap, lm))) {
log_error_write(srv, __FILE__, __LINE__, "s", "ldap ...");
ldap_msgfree(lm);
/* destroy temporary ldap connection (TODO: redo ldap) */
if (NULL != ldap) {
ldap_unbind_s(ldap);
}
return -1;
}
if (NULL == (dn = ldap_get_dn(p->conf.ldap, first))) {
log_error_write(srv, __FILE__, __LINE__, "s", "ldap: ldap_get_dn failed");
if (NULL == (dn = ldap_get_dn(p->anon_conf->ldap, first))) {
log_error_write(srv, __FILE__, __LINE__, "s", "ldap ...");
ldap_msgfree(lm);
/* destroy temporary ldap connection (TODO: redo ldap) */
if (NULL != ldap) {
ldap_unbind_s(ldap);
}
return -1;
}
ldap_msgfree(lm);
/* destroy temporary ldap connection (TODO: redo ldap) */
if (NULL != ldap) {
ldap_unbind_s(ldap);
}
/* 3. */
if (NULL == (ldap = ldap_init(p->conf.auth_ldap_hostname->ptr, LDAP_PORT))) {
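Review bot: `ret` (declared uninitialized at L41, a context line) reaches `ldap_err2string(ret)` at L63 without ever being assigned when `p->anon_conf->ldap` is NULL on entry: the `||` chains at L51 and L54 both short-circuit before any `ldap_search_s`, and if `auth_ldap_init` returns HANDLER_GO_ON without opening a handle (the `if (s->auth_ldap_hostname->used)` guard at L142 suggests it does when no hostname is configured) the test at L60 succeeds on the NULL check alone and the log call reads an indeterminate value. Initialising it, `int ret = LDAP_SERVER_DOWN;`, gives that path a meaningful message; testing for the NULL handle separately before L62 and logging "no ldap connection" would be clearer still. Separately, when the first search at L52 fails with a status other than LDAP_SERVER_DOWN, the `lm` it may have filled (OpenLDAP can return partial results on size- or time-limit errors) is never passed to `ldap_msgfree` before the retries overwrite it; worth confirming against the client library in use. http_auth_basic_password_compare starts before this hunk and continues past L99.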

2
src/http_auth.h

@ -63,7 +63,7 @@ typedef struct {
mod_auth_plugin_config **config_storage;
mod_auth_plugin_config conf; /* this is only used as long as no handler_ctx is setup */
mod_auth_plugin_config conf, *anon_conf; /* this is only used as long as no handler_ctx is setup */
} mod_auth_plugin_data;
int http_auth_basic_check(server *srv, connection *con, mod_auth_plugin_data *p, array *req, buffer *url, const char *realm_str);
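Review bot: The new `anon_conf` member at L107 inherits a comment written for `conf` and says nothing about what it points to or who sets it. From the rest of this commit it is assigned `s` in mod_auth_patch_connection for every config block that sets `auth.backend.ldap.hostname`, and http_auth.c then uses `anon_conf->ldap` as the shared search connection and hands `anon_conf` to auth_ldap_init to rebuild it on failure. I would split the declaration so each field carries its own contract: `mod_auth_plugin_config conf; /* merged per-request config; valid only until a handler_ctx is set up */` and `mod_auth_plugin_config *anon_conf; /* config block that owns the shared LDAP search handle; set by mod_auth_patch_connection, reconnected in place by auth_ldap_init on search failure */`.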

9
src/mod_auth.c

@ -115,7 +115,7 @@ static int mod_auth_patch_connection(server *srv, connection *con, mod_auth_plug
PATCH(auth_ldap_starttls);
PATCH(auth_ldap_allow_empty_pw);
#ifdef USE_LDAP
PATCH(ldap);
p->anon_conf = s;
PATCH(ldap_filter_pre);
PATCH(ldap_filter_post);
#endif
@ -149,7 +149,7 @@ static int mod_auth_patch_connection(server *srv, connection *con, mod_auth_plug
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.hostname"))) {
PATCH(auth_ldap_hostname);
#ifdef USE_LDAP
PATCH(ldap);
p->anon_conf = s;
#endif
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.base-dn"))) {
PATCH(auth_ldap_basedn);
@ -527,7 +527,7 @@ SETDEFAULTS_FUNC(mod_auth_set_defaults) {
}
}
switch(s->auth_backend) {
switch(s->auth_ldap_hostname->used) {
case AUTH_BACKEND_LDAP: {
handler_t ret = auth_ldap_init(srv, s);
if (ret == HANDLER_ERROR)
@ -554,6 +554,9 @@ handler_t auth_ldap_init(server *srv, mod_auth_plugin_config *s) {
#endif
if (s->auth_ldap_hostname->used) {
/* free old context */
if (NULL != s->ldap) ldap_unbind_s(s->ldap);
if (NULL == (s->ldap = ldap_init(s->auth_ldap_hostname->ptr, LDAP_PORT))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap ...", strerror(errno));
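Review bot: The `switch(s->auth_ldap_hostname->used)` at L136 dispatches on the hostname buffer's length, but its only label is `case AUTH_BACKEND_LDAP:`, an enum value, so the config-time call to auth_ldap_init runs only when the hostname happens to be exactly that many bytes long; as the pair is printed, `switch(s->auth_backend) {` reads as the removed line, and if that is the right side this commit reintroduces the mismatch rather than fixing it. The request-time reconnect added in http_auth.c masks the symptom, since the first request for such a block will call auth_ldap_init itself, but an unreachable host or a failing bind DN is then reported only under traffic instead of at startup, and that first request pays the connect and bind. `switch(s->auth_backend) {` is the line I would keep. The unbind added at L144 before re-initialising is correct only if config structs start zeroed; the allocation of `s` is outside this hunk and presumably calloc'd, which is worth a one-line check.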
