httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 21787] - LDAP authentication failure does not recover properly
Date Tue, 14 Oct 2003 04:14:05 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21787>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21787

LDAP authentication failure does not recover properly

schwoerb@uww.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |schwoerb@uww.edu
         OS/Version|Other                       |All
           Platform|PC                          |All



------- Additional Comments From schwoerb@uww.edu  2003-10-14 04:14 -------
We have also experienced the same problem.  The listed change from above does 
work at least for 2.0.47 on Windows 2003 against AD on 2003.  After 
investigating this problem further I also come to the conclusion that the 
problem does occur because in the util_ldap_cache_checkuserid function 
(util_ldap.c) it is using an existing connection for the simple bind (line 874) 
and then allowing reuse of this connection (good or bad credentials). 

IMO after determining the credential pair doesn't exist in cache and getting 
the dn using the binddn+bindpw search, a new connection should be created to 
check the user's credentials.  After this has completed successfully or 
unsuccessfully this connection should be destroyed leaving the other connection 
untouched.  This allows for the binddn+bindpw pair to be used for the searches 
and compares.  This is also needed because in some environments the last 
authenticated user might not have the access to search for all users, while the 
binddn user should.

I would take a shot at coding this, but I am not good with memory cleanup.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
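
An added illustration, not part of the original message and not httpd code: a toy C model of the connection handling described in the comment above, comparing a user bind performed on the pooled connection with one performed on a throwaway connection. The directory entries, DNs, passwords and all function names are constructed for the example, and it assumes a failed bind leaves a connection unbound.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy directory: only the service account (binddn) may search. */
struct entry { const char *dn, *pw; int may_search; };
static const struct entry DIRECTORY[] = {
    { "cn=svc,dc=example",   "svcpw",   1 },
    { "cn=alice,dc=example", "alicepw", 0 },
};
struct conn { const struct entry *bound; };   /* NULL means not bound */

/* Simple bind. Model assumption: a failed bind leaves the connection unbound. */
static int bind_as(struct conn *c, const char *dn, const char *pw) {
    c->bound = NULL;
    for (size_t i = 0; i < sizeof DIRECTORY / sizeof DIRECTORY[0]; i++)
        if (!strcmp(DIRECTORY[i].dn, dn) && !strcmp(DIRECTORY[i].pw, pw))
            c->bound = &DIRECTORY[i];
    return c->bound != NULL;
}

/* Reported behaviour: the user's bind runs on the pooled connection,
 * which is then handed back for reuse whatever the outcome. */
static int check_on_pooled(struct conn *pooled, const char *dn, const char *pw) {
    return bind_as(pooled, dn, pw);
}

/* Proposed behaviour: the user's bind runs on a separate connection that is
 * discarded afterwards, so the pooled connection keeps its binddn identity. */
static int check_on_fresh(const char *dn, const char *pw) {
    struct conn tmp = { NULL };
    int ok = bind_as(&tmp, dn, pw);
    tmp.bound = NULL;            /* stands in for closing the connection */
    return ok;
}

/* Returns 1 if the pooled connection can still search after one user check. */
int pooled_can_search_after(int use_fresh, const char *user_pw) {
    struct conn pooled = { NULL };
    bind_as(&pooled, "cn=svc,dc=example", "svcpw");
    if (use_fresh) check_on_fresh("cn=alice,dc=example", user_pw);
    else           check_on_pooled(&pooled, "cn=alice,dc=example", user_pw);
    return pooled.bound != NULL && pooled.bound->may_search;
}

int main(void) {
    printf("pooled bind, good pw: search ok=%d\n", pooled_can_search_after(0, "alicepw"));
    printf("pooled bind, bad pw:  search ok=%d\n", pooled_can_search_after(0, "wrong"));
    printf("fresh bind,  good pw: search ok=%d\n", pooled_can_search_after(1, "alicepw"));
    printf("fresh bind,  bad pw:  search ok=%d\n", pooled_can_search_after(1, "wrong"));
    return 0;
}
```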

