Diffstat (limited to 'modules/aaa/mod_authnz_ldap.c')
-rw-r--r--modules/aaa/mod_authnz_ldap.c30
1 files changed, 25 insertions, 5 deletions
diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index 53a60853..211e4f74 100644
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -61,8 +61,8 @@ typedef struct {
char *bindpw; /* Password to bind to server (can be NULL) */
int bind_authoritative; /* If true, will return errors when bind fails */
- int user_is_dn; /* If true, connection->user is DN instead of userid */
- char *remote_user_attribute; /* If set, connection->user is this attribute instead of userid */
+ int user_is_dn; /* If true, r->user is replaced by DN during authn */
+ char *remote_user_attribute; /* If set, r->user is replaced by this attribute during authn */
int compare_dn_on_server; /* If true, will use server to do DN compare */
int have_ldap_url; /* Set if we have found an LDAP url */
@@ -217,6 +217,7 @@ static void authn_ldap_build_filter(char *filtbuf,
apr_size_t inbytes;
apr_size_t outbytes;
char *outbuf;
+ int nofilter = 0;
if (sent_user != NULL) {
user = apr_pstrdup (r->pool, sent_user);
@@ -249,7 +250,13 @@ static void authn_ldap_build_filter(char *filtbuf,
* Create the first part of the filter, which consists of the
* config-supplied portions.
*/
- apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", filter, sec->attribute);
+
+ if ((nofilter = (filter && !strcasecmp(filter, "none")))) {
+ apr_snprintf(filtbuf, FILTER_LENGTH, "(%s=", sec->attribute);
+ }
+ else {
+ apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", filter, sec->attribute);
+ }
/*
* Now add the client-supplied username to the filter, ensuring that any
@@ -303,8 +310,16 @@ static void authn_ldap_build_filter(char *filtbuf,
* Append the closing parens of the filter, unless doing so would
* overrun the buffer.
*/
- if (q + 2 <= filtbuf_end)
- strcat(filtbuf, "))");
+
+ if (nofilter) {
+ if (q + 1 <= filtbuf_end)
+ strcat(filtbuf, ")");
+ }
+ else {
+ if (q + 2 <= filtbuf_end)
+ strcat(filtbuf, "))");
+ }
+
}
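Review bot: The two branches at the end of this hunk duplicate the bounds-checked append and differ only in the literal and the matching `q + 1` / `q + 2` bound, which is easy to get out of step on a later edit; keying both on the literal keeps the length and the check together: `const char *closing = nofilter ? ")" : "))";` followed by `if (q + strlen(closing) <= filtbuf_end) strcat(filtbuf, closing);`. filtbuf_end is declared outside the hunk, so the new `q + 1` bound is assumed to follow the same convention as the original `q + 2`. The silent drop of the closing parentheses when the buffer is full, which leaves an unbalanced filter, predates this change and is not addressed here.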
static void *create_authnz_ldap_dir_config(apr_pool_t *p, char *d)
@@ -545,6 +560,11 @@ static authn_status authn_ldap_check_password(request_rec *r, const char *user,
"user %s authentication failed; URI %s [%s][%s]",
user, r->uri, ldc->reason, ldap_err2string(result));
+ /* talking to a primitive LDAP server (like RACF-over-LDAP) that doesn't return specific errors */
+ if (!strcasecmp(sec->filter, "none") && LDAP_OTHER == result) {
+ return AUTH_USER_NOT_FOUND;
+ }
+
return (LDAP_NO_SUCH_OBJECT == result) ? AUTH_USER_NOT_FOUND
#ifdef LDAP_SECURITY_ERROR
: (LDAP_SECURITY_ERROR(result)) ? AUTH_DENIED
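Review bot: The added check passes `sec->filter` straight to strcasecmp, while the same sentinel test this commit adds to authn_ldap_build_filter is written `filter && !strcasecmp(filter, "none")`; if the filter can be NULL there it can be NULL here too, and the call is then undefined. Either guard it the same way, `if (sec->filter && !strcasecmp(sec->filter, "none") && LDAP_OTHER == result)`, or drop the guard in build_filter so both sites state the same assumption, and consider a single named constant for the "none" sentinel since it is now compared in two places. The comment should also explain the consequence of the mapping, since AUTH_USER_NOT_FOUND is, as far as I recall, the result that lets a later authn provider be tried whereas a generic server error did not; something like `/* With filter "none" (e.g. RACF-over-LDAP) a missing user is reported as LDAP_OTHER rather than LDAP_NO_SUCH_OBJECT, so map it to AUTH_USER_NOT_FOUND in that mode only. */`. authn_ldap_check_password starts and ends outside the hunk.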