auth.backend.ldap.timeout = "2000000" # quoted-string; microseconds
vhostdb.ldap += ("timeout" => "2000000") # quoted-string; microseconds
Default is 2000000 microseconds (2 secs)
These values are converted to struct timeval and passed to
ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, );
ldap_set_option(ld, LDAP_OPT_TIMEOUT, ...);
if those LDAP_OPT_* values are available (both are OpenLDAP-specific).
x-ref:
"mod_auth caching"
https://redmine.lighttpd.net/issues/2805
NB: r->tmp_buf == srv->tmp_buf (pointer is copied for quicker access)
NB: request read and write chunkqueues currently point to connection
chunkqueues; per-request and per-connection chunkqueues are
not distinct from one another
con->read_queue == r->read_queue
con->write_queue == r->write_queue
NB: in the future, a separate connection config may be needed for
connection-level module hooks. Similarly, might need to have
per-request chunkqueues separate from per-connection chunkqueues.
Should probably also have a request_reset() which is distinct from
connection_reset().
convert all log_error_write() to log_error() and pass (log_error_st *)
use con->errh in preference to srv->errh (even though currently same)
avoid passing (server *) when previously used only for logging (errh)
specialized buffer_eq_icase_ssn func replace strncasecmp()
in cases where string lengths are not known to be at least
as large as the len being compared case-insensitively.
(Separate commit in case any future changes modify the
implementation to be unsafe for shorter strings, where
strncasecmp() would stop at '\0' in either string)
ldap_set_option LDAP_OPT_RESTART to handle EINTR on SIGCHLD from CGI
(ldap uses poll(), which is not restartable with sigaction SA_RESTART)
x-ref:
"mod_authn_ldap/mod_cgi race condition, "Can't contact LDAP server""
https://redmine.lighttpd.net/issues/2940
quickly clear buffer instead of buffer_string_set_length(b, 0) or
buffer_reset(b). Avoids free() of large buffers about to be reused,
or buffers that are module-scoped, persistent, and reused.
(buffer_reset() should still be used with buffers in connection *con
when the data in the buffers is supplied by external, untrusted source)
provide standard types in first.h instead of base.h
provide lighttpd types in base_decls.h instead of settings.h
reduce headers exposed by headers for core data structures
do not expose <pcre.h> or <stdlib.h> in headers
move stat_cache_entry to stat_cache.h
reduce use of "server.h" and "base.h" in headers
use ldap_set_rebind_proc() to provide auth when rebinding following
ldap referrals (instead of rebinding anonymously for ldap referrals)
x-ref:
"LDAP authentication vs. AD: problems with referrals"
https://redmine.lighttpd.net/issues/2846
For consistency with other databases, which use '?' for placeholders,
have LDAP template replace '?' with username, in addition to the
(mod_auth historic) '$' char.
If auth.backend.ldap.filter begins with ',', then concatenate
uid=<username> with the 'filter' value to form the DN instead of using
ldap_search to query LDAP for the DN for the username, applying the
provided filter.
x-ref:
"Allow User-DN to be supplied in the configuration rather than searching"
https://redmine.lighttpd.net/issues/1248
ldap filter supports substitution of multiple '$', each with username
x-ref:
"auth.backend.ldap.filter: only one/first "$" replaced with Username"
https://redmine.lighttpd.net/issues/1508
HTTP Basic auth backends now do both authn and authz
in order to allow provide a means to extend backends to optionally
support group authz
x-ref:
"LDAP-Group support for HTTP-Authentication"
https://redmine.lighttpd.net/issues/1817
create new, extensible interface for (additional) auth backends
attempt to handle HANDLER_WAIT_FOR_EVENT returned by auth backends
to allow for async auth backends (e.g. to mysql database)
separate auth backends from mod_auth and http_auth
mod_authn_file.c htdigest, htpasswd, plain auth backends
mod_authn_ldap.c ldap auth backend
add http_auth.c to common_sources for auth backend registration
(mod_authn_file could be three separate modules, but no need for now)
Glenn Strauss
Mohammed Sadiq