httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 49632] New: mod_authnz_ldap denies users when search is performed at AD root.
Date Wed, 21 Jul 2010 19:03:58 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=49632

           Summary: mod_authnz_ldap denies users when search is performed
                    at AD root.
           Product: Apache httpd-2
           Version: 2.2.3
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_authz_ldap
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: tmclaugh@sdf.lonestar.org


When mod_authnz_ldap is setup to search for a user at the root of an AD domain
it will fail the user because of the referrals returned in the search.

--- config ---
<Location /private>
#  SSLRequireSSL
  AuthType              Kerberos
  AuthName              "EXAMPLE Domain Login"
  KrbMethodNegotiate    On
  KrbMethodK5Passwd     On
  KrbAuthRealms         EXAMPLE.COM
  Krb5KeyTab            /etc/httpd/conf/keytab
  require valid-user

  # Strip the realm from the kerberos principle.
  MapUsernameRule (.*)@(.*) "$1"

  AuthLDAPURL           "ldap://dc1.example.com
dc2.example.com/dc=example,dc=com?sAMAccountName"
  AuthLDAPBindDN        cn=nss_ldap,ou=services,dc=example,dc=com
  AuthLDAPBindPassword  ********
  Require ldap-group    cn=Domain Admins,ou=Groups,dc=example,dc=com
</Location>
---

--- error_log ---
[Wed Jul 21 14:40:34 2010] [debug] src/mod_auth_kerb.c(1432): [client
172.30.235.107] kerb_authenticate_user entered with user (NULL) and auth_type
Kerberos
[Wed Jul 21 14:40:34 2010] [debug] src/mod_auth_kerb.c(915): [client
172.30.235.107] Using HTTP/corptech.meditech.com@MEDITECH.COM as server
principal for password verification
[Wed Jul 21 14:40:34 2010] [debug] src/mod_auth_kerb.c(655): [client
172.30.235.107] Trying to get TGT for user tmclaughlin@MEDITECH.COM
[Wed Jul 21 14:40:34 2010] [debug] src/mod_auth_kerb.c(569): [client
172.30.235.107] Trying to verify authenticity of KDC using principal
HTTP/corptech.meditech.com@MEDITECH.COM
[Wed Jul 21 14:40:34 2010] [debug] src/mod_auth_kerb.c(994): [client
172.30.235.107] kerb_authenticate_user_krb5pwd ret=0
user=tmclaughlin@MEDITECH.COM authtype=Basic
[Wed Jul 21 14:40:34 2010] [info] [client 172.30.235.107] Applying pattern
'^(.*)@(.*)$' to user 'tmclaughlin@MEDITECH.COM', mech:'Any'
[Wed Jul 21 14:40:34 2010] [info] [client 172.30.235.107] Pattern matched
[Wed Jul 21 14:40:34 2010] [notice] [client 172.30.235.107] User name
'tmclaughlin@MEDITECH.COM' rewritten to 'tmclaughlin'
[Wed Jul 21 14:40:34 2010] [debug] mod_authnz_ldap.c(683): [client
172.30.235.107] ldap authorize: Creating LDAP req structure
[Wed Jul 21 14:40:37 2010] [debug] mod_authnz_ldap.c(695): [client
172.30.235.107] auth_ldap authorise: User DN not found, ldap_search_ext_s() for
user failed
---

The resulting request made by mod_authnz_ldap is for
(&(objectclass=*)(sAMAccountName=tmclaughlin)).  The search result is the
account entry in AD plus three referrals:

ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com
ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com
ldap://example.com/CN=Configuration,DC=example,DC=com

The attempts to search these three referrals all fail with the same LDAP error:

00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a
successful bind must be completed on the connection., data 0, vece

I've found two workarounds for this issue.  One is to change the path in
AuthLDAPURL to where all our users are stored.  This may not work for all
organizations.  The second is to set in /etc/openldap/ldap.conf "REFERRALS
off".  That unfortunately affects the behavior of everything using the openldap
libs.  The best fix would probably be to implement what looks to have been done
in mod_auth_ldap in bugzilla 26538 and add AuthLDAPFollowReferrals which would
allow toggling referral chasing in mod_authnz_ldap.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message