From 67f3df7be50c8ad58f789e0eb8c0bb30449bfd96 Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Tue, 1 Jun 2010 21:26:28 +0000
Subject: When checking direct group membership, interpret
 LDAP_NO_SUCH_ATTRIBUTE the same as LDAP_COMPARE_FALSE and continue on to
 subgroup (nested group) processing. This triggers when the group has no
 "direct" members but may have entries that represent nested groups to check.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@950249 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/aaa/mod_authnz_ldap.c | 1 +
 1 file changed, 1 insertion(+)

(limited to 'modules/aaa/mod_authnz_ldap.c')

diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index 2a6826f10d..750b085981 100644
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -898,6 +898,7 @@ static authz_status ldapgroup_check_authorization(request_rec *r,
                 set_request_vars(r, LDAP_AUTHZ);
                 return AUTHZ_GRANTED;
             }
+            case LDAP_NO_SUCH_ATTRIBUTE: 
             case LDAP_COMPARE_FALSE: {
                 /* nested groups need searches and compares, so grab a new handle */
                 authnz_ldap_cleanup_connection_close(ldc);
-- 
cgit v1.2.3