From bugzi...@apache.org
Subject DO NOT REPLY [Bug 21787] - LDAP authentication failure does not recover properly
Date Tue, 04 Nov 2003 19:22:03 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21787>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21787

LDAP authentication failure does not recover properly

------- Additional Comments From ben.kibler@infores.com  2003-11-04 19:22 -------
I have also run across this same problem with mod_auth_ldap, where after a 
failed bind attempt, subsequent requests fail.  In my Apache 2.0.47 test 
environments (Windows 2000, Redhat Linux 9, HP-UX 11i) this problem is 
repeatable when connecting to a Windows 2003 AD server, but I can't get the 
problem to occur when connecting to a Sun Directory Server 5.2.

Rather than destroying the connection after a failed bind attempt, I wanted to 
keep the connection open to avoid the performance hit of reconnecting.  So, 
after a failed user/password bind in util_ldap_cache_checkuserid, I simply mark 
the connection as unbound.

$ diff util_ldap.c.orig util_ldap.c.new
884a885
>       ldc->bound = 0;
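Review bot: the flag is cleared only on the failed-bind path (the single line added after 884), but the comment's own reasoning applies to any user-specific bind: after a successful user bind the socket is bound as that user rather than the BindDN, and with `bound` still set util_ldap_connection_open will not rebind, so the next request's search runs under the previous user's identity. Put `ldc->bound = 0;` after the user bind regardless of its result. It is also worth a comment in the code that clearing the flag does not itself rebind; the connection keeps whatever identity the last bind left until util_ldap_connection_open is called again, so the fix depends on every reuse of the connection going through that call first.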

On the next call to util_ldap_connection_open, the existing code will notice 
that the connection is unbound, bind again as the BindDN user, and return a 
properly bound connection.

I agree with Bradley that only the binddn+bindpw should be used for initial 
searches.  However, rather than actually destroying user-bound connections, I 
prefer to simply mark the connection as unbound after any user-specific bind 
operation.  This avoids the overhead of establishing a new socket connection 
for every login.

Ben Kibler
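A small C model of the connection state the comment describes, added here as an illustration and not code from Apache or from the comment's author: the DNs, passwords and function names are constructed stand-ins for util_ldap's connection-open and checkuserid paths, and the toy directory assumes that a failed bind leaves the socket in an identity under which the BindDN search fails, which is the symptom reported against AD.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed identities for the model; none of these come from the report. */
#define BIND_DN  "cn=apache,ou=svc,dc=example,dc=com"
#define BIND_PW  "svc-secret"
#define ALICE_DN "uid=alice,ou=people,dc=example,dc=com"
#define ALICE_PW "alice-pw"

typedef struct {
    bool bound;        /* stands in for ldc->bound: "socket is bound as BindDN" */
    char bound_as[80]; /* identity the directory holds for the socket; "" = anonymous */
} ldap_conn;

/* Toy directory: a bind succeeds for known credentials; a failed bind leaves the
 * socket anonymous (assumed here to mirror the AD behaviour the report reproduces). */
static bool server_bind(ldap_conn *c, const char *dn, const char *pw) {
    bool ok = (!strcmp(dn, BIND_DN) && !strcmp(pw, BIND_PW)) ||
              (!strcmp(dn, ALICE_DN) && !strcmp(pw, ALICE_PW));
    snprintf(c->bound_as, sizeof c->bound_as, "%s", ok ? dn : "");
    return ok;
}

/* Stands in for util_ldap_connection_open: rebinds as BindDN only if the flag is clear. */
static void connection_open(ldap_conn *c) {
    if (!c->bound)
        c->bound = server_bind(c, BIND_DN, BIND_PW);
}

/* Stands in for util_ldap_cache_checkuserid: search as BindDN, then bind as the user.
 * apply_fix toggles the report's one-line change (clear the flag after the user bind). */
static bool check_userid(ldap_conn *c, const char *dn, const char *pw, bool apply_fix) {
    connection_open(c);
    if (strcmp(c->bound_as, BIND_DN) != 0) /* the search needs the BindDN identity */
        return false;                      /* the "subsequent requests fail" symptom */
    bool ok = server_bind(c, dn, pw);
    if (apply_fix)
        c->bound = false;                  /* force a BindDN rebind on the next open */
    return ok;
}

/* One pooled connection, two logins: a wrong password first, then the right one. */
static bool second_login_succeeds(bool apply_fix) {
    ldap_conn c = { false, "" };
    check_userid(&c, ALICE_DN, "wrong", apply_fix);
    return check_userid(&c, ALICE_DN, ALICE_PW, apply_fix);
}
```

Without the flag reset the second login fails because the pooled socket is no longer bound as BindDN; the same model shows that after a successful login the socket stays bound as that user until the flag is cleared and the connection reopened.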

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org