httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 49293] New: Require ldap-filter does not work as expected
Date Fri, 14 May 2010 18:44:36 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=49293

           Summary: Require ldap-filter does not work as expected
           Product: Apache httpd-2
           Version: 2.2.9
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_authz_ldap
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: robin.cordier@gmail.com


Hello,

This is my first bug report, and I'm not a sysadmin expert, but this looks
like a bug.

My schema looks like:
dn: uid=robin,ou=users,dc=xxx,dc=xxx
cn: Robin
sn: Cordier
uid: robin
uidNumber: 20001
objectClass: cnUser
objectClass: cnSettings
userPassword: MyPass


dn: cnConf=WebAdmin,uid=robin,ou=users,dc=xxx,dc=xxx
cnConf: WebAdmin
allow: TRUE
uid: robin
description: Administration web
permission: admin
objectClass: cnWeb


When I try to authenticate a user, I can see this message:
auth_ldap authorise: require ldap-filter: authorisation failed [DN Comparison
FALSE (checked on server)][Compare False]

My .htaccess is:
AuthLDAPURL ldap://ldap.cordier.im/ou=users,dc=cordier,dc=im??sub?(&(objectClass=cnUser)(uid=*))
AuthType Basic
AuthName "Athentification requise."
AuthBasicProvider ldap
AuthUserFile /dev/null
Require ldap-filter &(&(objectClass=cnWeb)(allow=TRUE)(permission=admin))

The ldap log returns:
conn=74 op=16 SRCH base="ou=users,dc=xxx,dc=xxx" scope=2 deref=3
filter="(&(&(objectClass=cnPerm)(level<=10))(uid=robin))" <=
bdb_inequality_candidates: (level) not indexed
conn=74 op=16 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=74 op=17 SRCH base="cnConf=WebAdmin,uid=robin,ou=users,dc=xxx,dc=xxx"
scope=0 deref=3 filter="(objectClass=*)"
conn=74 op=17 SEARCH RESULT tag=101 err=0 nentries=1 text=


So, if I understand well, ldap finds my DN, but authnz-ldap forbids the access
because it is not the same DN. Is it normal, or an undocumented feature?

Thanks :)
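The behaviour in the report can be reproduced without an LDAP server. The following Python model is an added example, not code from the bug report or from mod_authnz_ldap itself. It assumes the module's documented shape for `Require ldap-filter`: the directive's filter (written without outer parentheses, as in the Apache docs) is wrapped as `(&(<filter>)(<attribute>=<user>))`, searched under the base, and access is granted only when the single matching entry has the same DN as the authenticated user. The directory contents are constructed from the entries in the report with placeholder `dc=` values; the filter parser is a small subset of RFC 4515 (`&`, `|`, `!`, equality and `*` presence) written for this example only.

```python
"""Added example: an in-memory model of ``Require ldap-filter`` evaluation.

Assumptions (simplified from the module's documented behaviour, not its code):
  1. the user's own DN was fixed at authentication time;
  2. the Require filter is AND-ed with (<attribute>=<user>) and searched;
  3. access is granted only if exactly one entry matches and its DN equals
     the authenticated user's DN.  A match on a different entry, such as a
     child entry under the user's DN, yields "DN Comparison FALSE".
"""
import fnmatch

# Constructed directory mirroring the two entries in the report.
# dc= values are placeholders, not the reporter's real domain.
DIRECTORY = {
    "uid=robin,ou=users,dc=example,dc=org": {
        "cn": ["Robin"], "sn": ["Cordier"], "uid": ["robin"],
        "uidNumber": ["20001"], "objectClass": ["cnUser", "cnSettings"],
    },
    "cnConf=WebAdmin,uid=robin,ou=users,dc=example,dc=org": {
        "cnConf": ["WebAdmin"], "allow": ["TRUE"], "uid": ["robin"],
        "description": ["Administration web"], "permission": ["admin"],
        "objectClass": ["cnWeb"],
    },
}


def parse_filter(text):
    """Parse a small RFC 4515 subset: (&...), (|...), (!...) and (attr=value).
    Returns a nested tuple; raises ValueError on malformed input.
    Ordering matches such as (level<=10) are not supported here."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(parse())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, kids)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr, value)

    node = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute values compared
    case-insensitively, '*' acting as a wildcard, as in caseIgnoreMatch)."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    vals = [v.lower() for k, vs in entry.items()
            if k.lower() == attr.lower() for v in vs]
    return any(fnmatch.fnmatchcase(v, value.lower()) for v in vals)


def normalize_dn(dn):
    """Cheap DN normalisation for comparison: trim RDN whitespace, fold case."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def authorize_ldap_filter(user, user_dn, require_filter,
                          attribute="uid", directory=DIRECTORY):
    """Return (granted, reason).  Builds (&(<filter>)(<attribute>=<user>)),
    searches the directory, then compares the matched DN with the user's DN."""
    combined = "(&%s(%s=%s))" % (require_filter, attribute, user)
    node = parse_filter(combined)
    hits = [dn for dn, entry in directory.items() if matches(node, entry)]
    if not hits:
        return False, "no entry matched %s" % combined
    if len(hits) > 1:
        return False, "filter matched %d entries, expected exactly one" % len(hits)
    if normalize_dn(hits[0]) != normalize_dn(user_dn):
        return False, "DN Comparison FALSE: matched %s but user is %s" % (hits[0], user_dn)
    return True, "DN Comparison TRUE: %s" % hits[0]


if __name__ == "__main__":
    me = "uid=robin,ou=users,dc=example,dc=org"
    # The report's filter: matches the child entry, so the DN comparison fails.
    print(authorize_ldap_filter("robin", me, "(&(objectClass=cnWeb)(allow=TRUE)(permission=admin))"))
    # A filter over attributes of the user's own entry is what the directive expects.
    print(authorize_ldap_filter("robin", me, "(&(objectClass=cnUser)(uidNumber=20001))"))
```

The first call reproduces the "[DN Comparison FALSE]" outcome from the report: the filter finds the `cnConf=WebAdmin,...` child, not the user's entry. The second shows the directive working as designed, i.e. as an extra set of conditions that the authenticated user's own entry must satisfy; the DN check is what prevents an unrelated entry that happens to carry a matching `uid` attribute from granting access on the user's behalf.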


