Incorporate the ap_ldap incomplete API, as there is no interest or effort
at APR to make this a complete abstraction, and it was voted 'off the island'
with APR 2.0. This will allow httpd 2.3 to build against either apr-2.0
or apr+util 1.x.
This also reverts part of r1142938, which needs to be re-done.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/revert-ap-ldap@1150172 13f79535-47bb-0310-9956-ffa450edef68
optional functions for the inter-module API:
* modules/ldap/ldap_private.h: New file, containing "real" function
declarations, copied from...
* include/ap_ldap.h.in, include/ap_ldap_url.h,
include/ap_ldap_option.h, include/ap_ldap_init.h,
include/ap_ldap_rebind.h: ... here. All declarations changed to APR
optional function declarations.
* modules/ldap/util_ldap.c (util_ldap_register_hooks): Register all
the new optional functions.
* modules/aaa/mod_authnz_ldap.c (ImportULDAPOptFn): Pick up optional
function stub for ap_ldap_url_parse.
(mod_auth_ldap_parse_url): Use it here.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1140069 13f79535-47bb-0310-9956-ffa450edef68
at APR to make this a complete abstraction, and it was voted 'off the island'
with APR 2.0. This will allow httpd 2.3 to build against either apr-2.0
or apr+util 1.x.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1129808 13f79535-47bb-0310-9956-ffa450edef68
- Move some declarations into the correct #ifdef scope.
I couldn't compile/test netware, but the changes look obvious enough.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@982016 13f79535-47bb-0310-9956-ffa450edef68
etc. causes problems because the authentication module calls
note_*_auth_failure if authentication fails. This is inappropriate if access is
later allowed because of the IP.
So, instead of calling the auth_checker hook even if authentication failed, we
introduce a new access_checker_ex hook that runs between the access_checker and
the check_user_id hooks. If an access_checker_ex functions returns OK, the
request will be allowed without authentication.
To make use of this, change mod_authz_core to walk the require blocks in the
access_checker_ex phase and deny/allow the request if the authz result does not
depend on an authenticated user. To distinguish a real AUTHZ_DENIED from an
authz provider from an authz provider needing an authenticated user, the latter
must return the new AUTHZ_DENIED_NO_USER code.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@964156 13f79535-47bb-0310-9956-ffa450edef68
LDAP_COMPARE_FALSE and continue on to subgroup (nested group) processing. This
triggers when the group has no "direct" members but may have entries that
represent nested groups to check.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@950249 13f79535-47bb-0310-9956-ffa450edef68
can use the credentials from the authentication phase
(AuthLDAPSearchAsUSer,AuthLDAPCompareAsUser).
PR 48340
Submitted by: Domenico Rotiroti, Eric Covener
Reviewed by: Eric Covener
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@950248 13f79535-47bb-0310-9956-ffa450edef68
to run when mod_authnz_ldap finds a user but can't verify their password.
Submitted By: Justin Erenkrantz, Joe Schaefer, Tony Stevenson
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@881808 13f79535-47bb-0310-9956-ffa450edef68
configurations which match those of the initial request. Revert to
the original behaviour (call access control hooks for internal requests
with URIs different from the initial request) if any access control hooks
or providers are not registered as permitting this optimization.
Introduce wrappers for access control hook and provider registration
which can accept additional mode and flag data.
The configuration walk optimizations were originally proposed a while
ago (see http://marc.info/?l=apache-httpd-dev&m=116536713506234&w=2);
they have been used since then in production systems and appear to be
stable and effective. They permit certain combinations of modules
and clients to function efficiently, especially when a deeply recursive
series of internal requests, such as those generated by certain WebDAV
requests, are all subject to the identical authentication and authorization
directives.
The major change from the original proposal is a cleaner mechanism for
detecting modules which may expect the old behaviour. This has been
tested successfully with Subversion's mod_authz_svn, which specifically
requires the old behaviour when performing path-based authorization based
against its own private access control configuration files.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@644525 13f79535-47bb-0310-9956-ffa450edef68
return code of LDAP_UNAVAILABLE as if it were LDAP_SERVER_DOWN.
With this SDK, LDAP_UNAVAIALBLE is returned when the socket had been closed
between LDAP API calls.
PR 39095
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@607766 13f79535-47bb-0310-9956-ffa450edef68
to authorize an authenticated user via a "require ldap-group X" directive
where the user is not in group X, but is in a subgroup contained in X.
PR 42891 [Paul J. Reder]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@560373 13f79535-47bb-0310-9956-ffa450edef68
into the environment with the name AUTHENTICATE_<COLUMN>. This brings
mod_authn_dbd behaviour in line with mod_authnz_ldap.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@466865 13f79535-47bb-0310-9956-ffa450edef68
set, REMOTE_USER will be set to this attribute, rather than the
username supplied by the user. Useful for example when you want users
to log in using an email address, but need to supply a userid instead
to the backend.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@463427 13f79535-47bb-0310-9956-ffa450edef68
