httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 49632] New: mod_authnz_ldap denies users when search is performed at AD root.
Date Wed, 21 Jul 2010 19:03:58 GMT

           Summary: mod_authnz_ldap denies users when search is performed
                    at AD root.
           Product: Apache httpd-2
           Version: 2.2.3
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_authz_ldap

When mod_authnz_ldap is set up to search for a user at the root of an AD domain
it will fail the user because of the referrals returned in the search.

--- config ---
<Location /private>
#  SSLRequireSSL
  AuthType              Kerberos
  AuthName              "EXAMPLE Domain Login"
  KrbMethodNegotiate    On
  KrbMethodK5Passwd     On
  KrbAuthRealms         EXAMPLE.COM
  Krb5KeyTab            /etc/httpd/conf/keytab
  require valid-user

  # Strip the realm from the kerberos principal.
  MapUsernameRule (.*)@(.*) "$1"

  AuthLDAPURL           "ldap://,dc=com?sAMAccountName"
  AuthLDAPBindDN        cn=nss_ldap,ou=services,dc=example,dc=com
  AuthLDAPBindPassword  ********
  Require ldap-group    cn=Domain Admins,ou=Groups,dc=example,dc=com
</Location>

--- error_log ---
[Wed Jul 21 14:40:34 2010] [debug] src/mod_auth_kerb.c(1432): [client] kerb_authenticate_user entered with user (NULL) and auth_type
[Wed Jul 21 14:40:34 2010] [debug] src/mod_auth_kerb.c(915): [client] Using HTTP/ as server principal for password verification
[Wed Jul 21 14:40:34 2010] [debug] src/mod_auth_kerb.c(655): [client] Trying to get TGT for user tmclaughlin@MEDITECH.COM
[Wed Jul 21 14:40:34 2010] [debug] src/mod_auth_kerb.c(569): [client] Trying to verify authenticity of KDC using principal
[Wed Jul 21 14:40:34 2010] [debug] src/mod_auth_kerb.c(994): [client] kerb_authenticate_user_krb5pwd ret=0 user=tmclaughlin@MEDITECH.COM authtype=Basic
[Wed Jul 21 14:40:34 2010] [info] [client] Applying pattern '^(.*)@(.*)$' to user 'tmclaughlin@MEDITECH.COM', mech:'Any'
[Wed Jul 21 14:40:34 2010] [info] [client] Pattern matched
[Wed Jul 21 14:40:34 2010] [notice] [client] User name 'tmclaughlin@MEDITECH.COM' rewritten to 'tmclaughlin'
[Wed Jul 21 14:40:34 2010] [debug] mod_authnz_ldap.c(683): [client] ldap authorize: Creating LDAP req structure
[Wed Jul 21 14:40:37 2010] [debug] mod_authnz_ldap.c(695): [client] auth_ldap authorise: User DN not found, ldap_search_ext_s() for user failed

The resulting request made by mod_authnz_ldap is for
(&(objectclass=*)(sAMAccountName=tmclaughlin)).  The search result is the
account entry in AD plus three referrals:

The attempts to search these three referrals all fail with the same LDAP error:

00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

I've found two workarounds for this issue.  One is to change the path in
AuthLDAPURL to where all our users are stored.  This may not work for all
organizations.  The second is to set in /etc/openldap/ldap.conf "REFERRALS
off".  That unfortunately affects the behavior of everything using the openldap
libs.  The best fix would probably be to implement what looks to have been done
in mod_auth_ldap in bugzilla 26538 and add AuthLDAPFollowReferrals which would
allow toggling referral chasing in mod_authnz_ldap.
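As an added illustration (not code from the bug report or from httpd), the following Python sketch shows the handling the report argues for: the search references that AD returns for a root-scoped search are recorded but treated as advisory, and authorization proceeds on the single matching account entry even when the referred naming contexts cannot be chased. The result shape, the function names, and the three referral URLs (the report does not list the real ones) are assumptions, and the sample result is constructed.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample: what a search for
# (&(objectclass=*)(sAMAccountName=tmclaughlin)) scoped at the domain root
# hands back. The account entry carries a DN; the three search references
# (assumed here to be the usual AD naming contexts) come back with no DN and
# a list of LDAP URLs, mirroring the shape python-ldap uses for references
# when referral chasing is disabled. The data is embedded so this runs
# without a directory server.
Entry = Tuple[Optional[str], object]
SAMPLE_RESULT: List[Entry] = [
    ("CN=tmclaughlin,CN=Users,DC=example,DC=com",
     {"sAMAccountName": [b"tmclaughlin"]}),
    (None, ["ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com"]),
    (None, ["ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com"]),
    (None, ["ldap://example.com/CN=Configuration,DC=example,DC=com"]),
]


def split_result(result: List[Entry]) -> Tuple[List[Tuple[str, Dict]], List[str]]:
    """Separate real entries (dn, attrs) from search-reference URLs."""
    entries = [(dn, attrs) for dn, attrs in result if dn is not None]
    referrals = [url for dn, urls in result if dn is None for url in urls]
    return entries, referrals


def resolve_user_dn(result: List[Entry], attribute: str, username: str) -> Optional[str]:
    """Return the DN to authorize when exactly one entry's attribute matches.

    Referrals are never required for the decision: a failed chase of the
    other naming contexts must not turn a found account into a denial.
    Zero or several matches return None (deny), the safe outcome for a
    missing or ambiguous user.
    """
    entries, _ = split_result(result)
    wanted = username.lower().encode()  # sAMAccountName matching is case-insensitive
    matches = [dn for dn, attrs in entries
               if any(v.lower() == wanted for v in attrs.get(attribute, []))]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    entries, referrals = split_result(SAMPLE_RESULT)
    print(f"{len(entries)} entry found, {len(referrals)} referrals not chased")
    print("user DN:", resolve_user_dn(SAMPLE_RESULT, "sAMAccountName", "tmclaughlin"))
```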
