httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 40075] - unable to use ldap groups that contain DNs and usernames for AuthZ
Date Mon, 15 Jan 2007 19:55:24 GMT
http://issues.apache.org/bugzilla/show_bug.cgi?id=40075

------- Additional Comments From canna@umich.edu  2007-01-15 11:55 -------
Sadly, you'll never get that far.  In particular, when you get here, around line
571 in httpd-2.2.3:

        /* Search failed, log error and return failure */
        if(result != LDAP_SUCCESS) {
            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                "auth_ldap authorise: User DN not found, %s", ldc->reason);
            return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
        }

you'll return.  Our proposed AuthLDAPRequireDN (off) patch allows this return to
be bypassed.  Just below this code is where the requirements array is traversed,
so if we can't get there, no requirements can be checked.  Perhaps this return
is an oversight, and there's no need for AuthLDAPRequireDN?  The comment at 547:

    /*
     * If we have been authenticated by some other module than mod_auth_ldap,
     * the req structure needed for authorization needs to be created
     * and populated with the userid and DN of the account in LDAP
     */

certainly suggests that it may be OK to rely on an external authN, but obviously
the code at 571 requires that the user exist in LDAP.

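A simplified C model of the control flow described in the comment above, added here as an example; it is not httpd code and not part of the original message. The `model_*` functions, the constructed directory data, and the treatment of `AuthLDAPRequireDN` as a boolean that skips the early return are assumptions.

```c
/* Simplified model of the flow discussed above; not httpd source.
 * Every model_* name and the constructed directory data are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OK 0
#define DECLINED (-1)
#define HTTP_UNAUTHORIZED 401

/* Constructed group: one member stored as a DN, one as a bare username. */
static const char *const model_group[] = {
    "uid=alice,ou=people,dc=example,dc=org", "bob"
};

/* Constructed stand-in for the LDAP search: only alice has an entry. */
static const char *model_lookup_dn(const char *user) {
    return strcmp(user, "alice") == 0 ? model_group[0] : NULL;
}

/* Assumed requirement check: match on the DN when known, or on the username. */
static int model_in_group(const char *user, const char *dn) {
    for (size_t i = 0; i < sizeof model_group / sizeof model_group[0]; i++) {
        if (dn != NULL && strcmp(model_group[i], dn) == 0) return 1;
        if (strcmp(model_group[i], user) == 0) return 1;
    }
    return 0;
}

/* require_dn models the proposed AuthLDAPRequireDN switch;
 * authoritative mirrors sec->auth_authoritative. */
int model_authz(const char *user, int require_dn, int authoritative) {
    const char *dn = model_lookup_dn(user);
    int deny = authoritative ? HTTP_UNAUTHORIZED : DECLINED;

    /* The return quoted above: with no DN, requirements are never examined. */
    if (dn == NULL && require_dn) return deny;
    /* Reached only with a DN, or when the DN requirement is switched off. */
    return model_in_group(user, dn) ? OK : deny;
}

int main(void) {
    const char *users[] = { "alice", "bob", "mallory" };
    for (size_t i = 0; i < 3; i++)
        printf("%-8s RequireDN on: %4d  off: %4d\n", users[i],
               model_authz(users[i], 1, 1), model_authz(users[i], 0, 1));
    return 0;
}
```

In this model a user who is listed in the group but has no LDAP entry is refused while the DN is required, and a user outside the group is still refused once the early return is skipped.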