
Commit ad0cbd7

committed
mod_authnz_ldap.c: Make sure the authentication variables are set in
all cases where another module is the source of the authentication, and that authenticated user is looked up in LDAP. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1909928 13f79535-47bb-0310-9956-ffa450edef68
1 parent b70dd5f commit ad0cbd7


2 files changed

+20
-0
lines changed


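--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
 
+*) mod_authnz_ldap.c: Make sure the authentication variables are set in
+all cases where another module is the source of the authentication,
+and that authenticated user is looked up in LDAP. [Graham Leggett]
+
 *) mod_autht_jwt: New module to handle RFC 7519 JWT tokens within
 bearer tokens, both as part of the aaa framework, and as a way to
 generate tokens and pass them to backend servers and services.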

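--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -688,6 +688,7 @@ static authz_status get_dn_for_nonldap_authn(request_rec *r, util_ldap_connectio
 authn_ldap_config_t *sec =
 (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
 const char *dn = NULL;
+int remote_user_attribute_set = 0;
 
 /* Build the username filter */
 if (APR_SUCCESS != authn_ldap_build_filter(filtbuf, r, r->user, NULL, sec)) {
@@ -710,6 +711,21 @@ static authz_status get_dn_for_nonldap_authn(request_rec *r, util_ldap_connectio
 
 req->dn = apr_pstrdup(r->pool, dn);
 req->user = r->user;
+
+/* add environment variables */
+remote_user_attribute_set = set_request_vars(r, LDAP_AUTHN, req->vals);
+
+/* sanity check */
+if (sec->remote_user_attribute && !remote_user_attribute_set) {
+ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(10450)
+"auth_ldap non-ldap authenticate: "
+"REMOTE_USER was to be set with attribute '%s', "
+"but this attribute was not requested for in the "
+"LDAP query for the user. REMOTE_USER will fall "
+"back to username or DN as appropriate.",
+sec->remote_user_attribute);
+}
+
 return AUTHZ_GRANTED;
 }
 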
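Review bot: The comment `/* add environment variables */` on the new `set_request_vars(r, LDAP_AUTHN, req->vals)` call undersells what the call does to the request's identity: judging by the return value's name and the warning text, it can also replace REMOTE_USER with the configured attribute, and it runs after `req->user = r->user;`, so `req->user` keeps the name the other module authenticated while `r->user` may change. Because this path did not verify a password against LDAP, I would say so at the call, for example `/* user was authenticated elsewhere: export the looked-up attributes and, if configured, remap REMOTE_USER; req->user keeps the original login name */`. It is also worth confirming that `req->vals` is filled by the lookup between the two hunks, which is not visible here, since otherwise the new warning would fire on every request that sets `remote_user_attribute`. The function begins above the first hunk, so the lookup call and its error handling are outside this view.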
