diff --git a/CHANGES b/CHANGES index 6244354212..e618b10836 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,11 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 + *) mod_ldap: Change "LDAPReferrals off" to actually set the underlying LDAP + SDK option to OFF, and introduce "LDAPReferrals default" to take the SDK + default, sans rebind authentication callback. + [Jan Kaluza ] + *) mod_authz_groupfile, mod_authz_user: Reduce severity of AH01671 and AH01663 from ERROR to DEBUG, since these modules do not know what mod_authz_core is doing with their AUTHZ_DENIED return value. [Eric Covener] diff --git a/modules/ldap/util_ldap.c b/modules/ldap/util_ldap.c index a048e934bf..461e48638a 100644 --- a/modules/ldap/util_ldap.c +++ b/modules/ldap/util_ldap.c @@ -60,6 +60,7 @@ #endif #define AP_LDAP_HOPLIMIT_UNSET -1 +#define AP_LDAP_CHASEREFERRALS_SDKDEFAULT -1 #define AP_LDAP_CHASEREFERRALS_OFF 0 #define AP_LDAP_CHASEREFERRALS_ON 1 @@ -371,7 +372,7 @@ static int uldap_connection_init(request_rec *r, ldap_option = ldc->deref; ldap_set_option(ldc->ldap, LDAP_OPT_DEREF, &ldap_option); - if (ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) { + if (ldc->ChaseReferrals != AP_LDAP_CHASEREFERRALS_SDKDEFAULT) { /* Set options for rebind and referrals. */ ap_log_error(APLOG_MARK, APLOG_TRACE4, 0, r->server, APLOGNO(01278) "LDAP: Setting referrals to %s.", @@ -391,7 +392,9 @@ static int uldap_connection_init(request_rec *r, uldap_connection_unbind(ldc); return(result->rc); } + } + if (ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) { if ((ldc->ReferralHopLimit != AP_LDAP_HOPLIMIT_UNSET) && ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) { /* Referral hop limit - only if referrals are enabled and a hop limit is explicitly requested */ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, APLOGNO(01280) @@ -2584,15 +2587,25 @@ static const char *util_ldap_set_connection_timeout(cmd_parms *cmd, static const char *util_ldap_set_chase_referrals(cmd_parms *cmd, void *config, - int mode) + const char *arg) { util_ldap_config_t *dc = config; ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, APLOGNO(01311) - "LDAP: Setting referral chasing %s", - (mode == AP_LDAP_CHASEREFERRALS_ON) ? "ON" : "OFF"); + "LDAP: Setting referral chasing %s", arg); - dc->ChaseReferrals = mode; + if (0 == strcasecmp(arg, "on")) { + dc->ChaseReferrals = AP_LDAP_CHASEREFERRALS_ON; + } + else if (0 == strcasecmp(arg, "off")) { + dc->ChaseReferrals = AP_LDAP_CHASEREFERRALS_OFF; + } + else if (0 == strcasecmp(arg, "default")) { + dc->ChaseReferrals = AP_LDAP_CHASEREFERRALS_SDKDEFAULT; + } + else { + return "LDAPReferrals must be 'on', 'off', or 'default'"; + } return(NULL); } @@ -3116,9 +3129,9 @@ static const command_rec util_ldap_cmds[] = { "Specify the LDAP socket connection timeout in seconds " "(default: 10)"), - AP_INIT_FLAG("LDAPReferrals", util_ldap_set_chase_referrals, + AP_INIT_TAKE1("LDAPReferrals", util_ldap_set_chase_referrals, NULL, OR_AUTHCFG, - "Choose whether referrals are chased ['ON'|'OFF']. Default 'ON'"), + "Choose whether referrals are chased ['ON'|'OFF'|'DEFAULT']. Default 'ON'"), AP_INIT_TAKE1("LDAPReferralHopLimit", util_ldap_set_referral_hop_limit, NULL, OR_AUTHCFG,