httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 49293] New: Require ldap-filter does not work as expected
Date Fri, 14 May 2010 18:44:36 GMT

           Summary: Require ldap-filter does not work as expected
           Product: Apache httpd-2
           Version: 2.2.9
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_authz_ldap


This is my first bug report, and I'm not a sysadmin expert, but this looks
like a bug.

My schema looks like:
dn: uid=robin,ou=users,dc=xxx,dc=xxx
cn: Robin
sn: Cordier
uid: robin
uidNumber: 20001
objectClass: cnUser
objectClass: cnSettings
userPassword: MyPass

dn: cnConf=WebAdmin,uid=robin,ou=users,dc=xxx,dc=xxx
cnConf: WebAdmin
allow: TRUE
uid: robin
description: Administration web
permission: admin
objectClass: cnWeb

When I try to authenticate a user, I see this message:
auth_ldap authorise: require ldap-filter: authorisation failed [DN Comparison
FALSE (checked on server)][Compare False]

My .htaccess is:
AuthType Basic
AuthName "Athentification requise."
AuthBasicProvider ldap
AuthUserFile /dev/null
Require ldap-filter &(&(objectClass=cnWeb)(allow=TRUE)(permission=admin))

The ldap log returns:
conn=74 op=16 SRCH base="ou=users,dc=xxx,dc=xxx" scope=2 deref=3
filter="(&(&(objectClass=cnPerm)(level<=10))(uid=robin))" <=
bdb_inequality_candidates: (level) not indexed
conn=74 op=16 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=74 op=17 SRCH base="cnConf=WebAdmin,uid=robin,ou=users,dc=xxx,dc=xxx"
scope=0 deref=3 filter="(objectClass=*)"
conn=74 op=17 SEARCH RESULT tag=101 err=0 nentries=1 text=

So, if I understand correctly, LDAP finds my DN, but authnz-ldap forbids access
because it is not the same DN. Is this normal, or an undocumented feature?

Thanks :)
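
The slapd log and the "DN Comparison FALSE" message above show three steps: the configured filter is ANDed with (uid=<user>), searched under the base, and the DN of the hit is compared with the authenticated user's DN. The Python model below is an added illustration, not part of the original report and not mod_authnz_ldap code; the directory entries are constructed from the LDIF in the report and all function names are hypothetical.

```python
# Simplified model of the Require ldap-filter decision seen in the report.
# Added illustration; not mod_authnz_ldap source. Names are hypothetical.
BASE = "ou=users,dc=xxx,dc=xxx"
USER_DN = "uid=robin," + BASE
DIRECTORY = {  # constructed from the LDIF in the report
    USER_DN: {"objectClass": ["cnUser", "cnSettings"], "uid": ["robin"]},
    "cnConf=WebAdmin," + USER_DN: {
        "objectClass": ["cnWeb"], "uid": ["robin"],
        "allow": ["TRUE"], "permission": ["admin"]},
}

def parse(f):
    """Parse a filter made only of '&' and equality tests into a tree."""
    def node(i):
        if f[i + 1] == "&":
            i, kids = i + 2, []
            while f[i] == "(":
                kid, i = node(i)
                kids.append(kid)
            return ("and", kids), i + 1          # step over ')'
        end = f.index(")", i)
        attr, value = f[i + 1:end].split("=", 1)
        return ("eq", attr, value), end + 1
    tree, end = node(0)
    if end != len(f):
        raise ValueError("trailing text in filter")
    return tree

def matches(tree, entry):
    if tree[0] == "and":
        return all(matches(kid, entry) for kid in tree[1])
    _, attr, value = tree
    return value.lower() in (v.lower() for v in entry.get(attr, []))

def require_ldap_filter(user_dn, username, require_filter):
    """Return (granted, matched_dns) for one authenticated user."""
    # Step 1: AND the configured filter with the user attribute (see op=16).
    tree = parse(f"(&({require_filter})(uid={username}))")
    # Step 2: subtree search (scope=2) under the base DN.
    hits = [dn for dn, e in DIRECTORY.items()
            if dn.endswith(BASE) and matches(tree, e)]
    # Step 3: the single hit must be the authenticated user's own DN.
    granted = len(hits) == 1 and hits[0].lower() == user_dn.lower()
    return granted, hits

REPORTED = "&(&(objectClass=cnWeb)(allow=TRUE)(permission=admin))"
print(require_ldap_filter(USER_DN, "robin", REPORTED))      # child entry: denied
print(require_ldap_filter(USER_DN, "robin", "objectClass=cnUser"))  # own entry
```

In the model, the reported filter selects the cnConf=WebAdmin child entry, so the DN comparison fails; a filter that tests attributes on the user's own entry passes.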
