revert the LDAPConnectionTimeout and LDAPVerifyServerCert directives back to GLOBAL_ONLY since the various LDAP SDK's don't allow these settings on a per-connection basis

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@387675 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2006-03-22 00:08:05 +00:00
parent 7126d1d227
commit 23520cd701
1 changed files with 22 additions and 7 deletions
--- a/modules/ldap/util_ldap.c
+++ b/modules/ldap/util_ldap.c
@@ -1707,6 +1707,11 @@ static const char *util_ldap_set_verify_srv_cert(cmd_parms *cmd,
    util_ldap_state_t *st =
    (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
                                              &ldap_module);
+    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+
+    if (err != NULL) {
+        return err;
+    }

    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
                      "LDAP: SSL verify server certificate - %s",
@@ -1725,6 +1730,11 @@ static const char *util_ldap_set_connection_timeout(cmd_parms *cmd,
    util_ldap_state_t *st =
        (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
                                                  &ldap_module);
+    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+
+    if (err != NULL) {
+        return err;
+    }

 #ifdef LDAP_OPT_NETWORK_TIMEOUT
    st->connectionTimeout = atol(ttl);
@@ -1800,13 +1810,18 @@ static void *util_ldap_merge_config(apr_pool_t *p, void *basev,
    st->secure = (overrides->secure_set == 0) ? base->secure
                                              : overrides->secure;

-    /* LDAP connection settings can be overwritten in a virtual host */
-    st->connectionTimeout = (overrides->connectionTimeout == 10) 
-                                ? base->connectionTimeout
-                                : overrides->connectionTimeout;
-    st->verify_svr_cert = (overrides->verify_svr_cert == 1) 
-                                ? base->verify_svr_cert
-                                : overrides->verify_svr_cert;
+    /* These LDAP connection settings can not be overwritten in 
+        a virtual host. Once set in the base server, they must 
+        remain the same. None of the LDAP SDKs seem to be able
+        to handle setting the verify_svr_cert flag on a 
+        per-connection basis.  The OpenLDAP client appears to be
+        able to handle the connection timeout per-connection
+        but the Novell SDK cannot.  Allowing the timeout to
+        be set by each vhost is of little value so rather than
+        trying to make special expections for one LDAP SDK, GLOBAL_ONLY 
+        is being enforced on this setting as well. */
+    st->connectionTimeout = base->connectionTimeout;
+    st->verify_svr_cert = base->verify_svr_cert;

    return st;
 }