Now really fix mod auth ldap (#1066)

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2318 152afb58-edef-0310-8abb-c4023f1b3aa9
15 years ago · cfba07cb82
parent 80a2ff3f3a
commit cfba07cb82
4 changed files with 24 additions and 31 deletions
--- a/1
+++ b/1
@ -8,6 +8,7 @@ NEWS
  * Fix base64 decoding in mod_auth (#1757, thx guido)
  * Fix mod_cgi segfault when bound to unix domain socket (#653)
  * Do not rely on ioctl FIONREAD (#673)
+  * Now really fix mod auth ldap (#1066)

 - 1.4.20 - 2008-09-30

--- a/src/http_auth.c
+++ b/src/http_auth.c
@ -700,7 +700,7 @@ static int http_auth_basic_password_compare(server *srv, mod_auth_plugin_data *p
 		}
 	} else if (p->conf.auth_backend == AUTH_BACKEND_LDAP) {
 #ifdef USE_LDAP
-		LDAP *ldap = NULL;
+		LDAP *ldap;
 		LDAPMessage *lm, *first;
 		char *dn;
 		int ret;
@ -745,56 +745,45 @@ static int http_auth_basic_password_compare(server *srv, mod_auth_plugin_data *p
 		buffer_append_string_buffer(p->ldap_filter, username);
 		buffer_append_string_buffer(p->ldap_filter, p->conf.ldap_filter_post);

+
 		/* 2. */
-		if (p->conf.ldap == NULL ||
-		    LDAP_SUCCESS != (ret = ldap_search_s(p->conf.ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
-			/* try again if ldap was only temporary down */
-			if (p->conf.ldap == NULL || ret != LDAP_SERVER_DOWN ||  LDAP_SUCCESS != (ret = ldap_search_s(p->conf.ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
-				if (auth_ldap_init(srv, &p->conf) != HANDLER_GO_ON)
+		if (p->anon_conf->ldap == NULL ||
+		    LDAP_SUCCESS != (ret = ldap_search_s(p->anon_conf->ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
+
+			/* try again; the ldap library sometimes fails for the first call but reconnects */
+			if (p->anon_conf->ldap == NULL || ret != LDAP_SERVER_DOWN ||
+			    LDAP_SUCCESS != (ret = ldap_search_s(p->anon_conf->ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
+
+				if (auth_ldap_init(srv, p->anon_conf) != HANDLER_GO_ON)
 					return -1;

-				ldap = p->conf.ldap; /* save temporary ldap connection (TODO: redo ldap) */
-				if (LDAP_SUCCESS != (ret = ldap_search_s(p->conf.ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
+				if (p->anon_conf->ldap == NULL ||
+				    LDAP_SUCCESS != (ret = ldap_search_s(p->anon_conf->ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
 					log_error_write(srv, __FILE__, __LINE__, "sssb",
 							"ldap:", ldap_err2string(ret), "filter:", p->ldap_filter);
-					/* destroy temporary ldap connection (TODO: redo ldap) */
-					ldap_unbind_s(ldap);
 					return -1;
 				}
 			}
 		}

-		if (NULL == (first = ldap_first_entry(p->conf.ldap, lm))) {
-			/* No matching entry is not an error */
-			/* log_error_write(srv, __FILE__, __LINE__, "s", "ldap ..."); */
+		if (NULL == (first = ldap_first_entry(p->anon_conf->ldap, lm))) {
+			log_error_write(srv, __FILE__, __LINE__, "s", "ldap ...");

 			ldap_msgfree(lm);

-			/* destroy temporary ldap connection (TODO: redo ldap) */
-			if (NULL != ldap) {
-				ldap_unbind_s(ldap);
-			}
 			return -1;
 		}

-		if (NULL == (dn = ldap_get_dn(p->conf.ldap, first))) {
-			log_error_write(srv, __FILE__, __LINE__, "s", "ldap: ldap_get_dn failed");
+		if (NULL == (dn = ldap_get_dn(p->anon_conf->ldap, first))) {
+			log_error_write(srv, __FILE__, __LINE__, "s", "ldap ...");

 			ldap_msgfree(lm);

-			/* destroy temporary ldap connection (TODO: redo ldap) */
-			if (NULL != ldap) {
-				ldap_unbind_s(ldap);
-			}
 			return -1;
 		}

 		ldap_msgfree(lm);

-		/* destroy temporary ldap connection (TODO: redo ldap) */
-		if (NULL != ldap) {
-			ldap_unbind_s(ldap);
-		}

 		/* 3. */
 		if (NULL == (ldap = ldap_init(p->conf.auth_ldap_hostname->ptr, LDAP_PORT))) {
--- a/src/http_auth.h
+++ b/src/http_auth.h
@ -63,7 +63,7 @@ typedef struct {

 	mod_auth_plugin_config **config_storage;

-	mod_auth_plugin_config conf; /* this is only used as long as no handler_ctx is setup */
+	mod_auth_plugin_config conf, *anon_conf; /* this is only used as long as no handler_ctx is setup */
 } mod_auth_plugin_data;

 int http_auth_basic_check(server *srv, connection *con, mod_auth_plugin_data *p, array *req, buffer *url, const char *realm_str);
--- a/src/mod_auth.c
+++ b/src/mod_auth.c
@ -115,7 +115,7 @@ static int mod_auth_patch_connection(server *srv, connection *con, mod_auth_plug
 	PATCH(auth_ldap_starttls);
 	PATCH(auth_ldap_allow_empty_pw);
 #ifdef USE_LDAP
-	PATCH(ldap);
+	p->anon_conf = s;
 	PATCH(ldap_filter_pre);
 	PATCH(ldap_filter_post);
 #endif
@ -149,7 +149,7 @@ static int mod_auth_patch_connection(server *srv, connection *con, mod_auth_plug
 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.hostname"))) {
 				PATCH(auth_ldap_hostname);
 #ifdef USE_LDAP
-				PATCH(ldap);
+				p->anon_conf = s;
 #endif
 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.base-dn"))) {
 				PATCH(auth_ldap_basedn);
@ -527,7 +527,7 @@ SETDEFAULTS_FUNC(mod_auth_set_defaults) {
 			}
 		}

-		switch(s->auth_backend) {
+		switch(s->auth_ldap_hostname->used) {
 		case AUTH_BACKEND_LDAP: {
 			handler_t ret = auth_ldap_init(srv, s);
 			if (ret == HANDLER_ERROR)
@ -554,6 +554,9 @@ handler_t auth_ldap_init(server *srv, mod_auth_plugin_config *s) {
 #endif

 	if (s->auth_ldap_hostname->used) {
+		/* free old context */
+		if (NULL != s->ldap) ldap_unbind_s(s->ldap);
+
 		if (NULL == (s->ldap = ldap_init(s->auth_ldap_hostname->ptr, LDAP_PORT))) {
 			log_error_write(srv, __FILE__, __LINE__, "ss", "ldap ...", strerror(errno));