From a64585b605ac0ec56cbce84b97c407f823e2821c Mon Sep 17 00:00:00 2001
From: Graham Leggett
Date: Sun, 19 Nov 2023 10:45:05 +0000
Subject: [PATCH] Apply earlier fix to the ldapsearch case: Arrange for backend LDAP connections to be returned to the pool by a fixup hook rather than staying locked until the end of (a potentially slow) request.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1913962 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/aaa/mod_authnz_ldap.c | 34 +++++++++++++++++++++++++++++++---
 1 file changed, 31 insertions(+), 3 deletions(-)
diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index 3ae77e77860..c5b874b7a54 100644
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -1429,12 +1429,40 @@ static authz_status ldapsearch_check_authorization(request_rec *r,
         return AUTHZ_DENIED;
     }
 
-    if (sec->host) {
+    if (!sec->host) {
+        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01738)
+                      "auth_ldap authorize: no sec->host - weird...?");
+        return AUTHZ_DENIED;
+    }
+
+    /*
+     * If we have been authenticated by some other module than mod_auth_ldap,
+     * the req structure needed for authorization needs to be created
+     * and populated with the userid and DN of the account in LDAP
+     */
+
+    if (!*r->user) {
+        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01739)
+                      "ldap authorize: Userid is blank, AuthType=%s",
+                      r->ap_auth_type);
+    }
+
+    if (!req) {
+        authz_status rv = AUTHZ_DENIED;
+        req = build_request_config(r);
         ldc = get_connection_for_authz(r, LDAP_SEARCH);
+        if (AUTHZ_GRANTED != (rv = get_dn_for_nonldap_authn(r, ldc))) {
+            return rv;
+        }
     }
     else {
-        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02636)
-                      "auth_ldap authorize: no sec->host - weird...?");
+        ldc = get_connection_for_authz(r, LDAP_SEARCH);
+    }
+
+    if (req->dn == NULL || !*req->dn) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01742)
+                      "auth_ldap authorize: require ldap-filter: user's DN "
+                      "has not been defined; failing authorization");
         return AUTHZ_DENIED;
     }
 
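Review bot: The added `if (!*r->user)` dereferences `r->user` and nothing in the hunk checks it for NULL; ldapsearch_check_authorization starts before the hunk, so if the function does not already return early on a missing user, a `Require ldap-search` evaluated before any authentication has set r->user would crash the worker instead of denying. If that guard is absent, add `if (!r->user) { return AUTHZ_DENIED_NO_USER; }` ahead of the blank-userid warning, which is what I would expect the sibling ldap-user/ldap-group providers to do. Separately, the three added log calls carry APLOGNO tags 01738/01739/01742 in place of this function's own 02636, which look copied from a sibling function, and the last message says `require ldap-filter` although this is the ldap-search provider; each call site should get a fresh tag and the text `"auth_ldap authorize: require ldap-search: user's DN "`. Also `ldc = get_connection_for_authz(r, LDAP_SEARCH);` now runs in both branches of `if (!req)` and could be hoisted above it.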