httpd-dev mailing list archives

From "Brad Nicholes" <BNICHO...@novell.com>
Subject LDAPTrustedMode has the wrong scope...
Date Tue, 01 Feb 2005 22:33:19 GMT
    After testing mod_authnz_ldap and util_ldap some more, it appears
that the directive LDAPTrustedMode should be pushed up into
mod_authnz_ldap rather than util_ldap and become AuthLDAPTrustedMode.
The reason is that the connection type (i.e. NONE, SSL, STARTTLS)
is tied to the AuthLDAPUrl rather than the global connection or
certificate directives that are set in util_ldap.  As it stands today,
the following configuration will fail:

Alias /secure /webpages/secure
<Directory /webpages/secure>
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName LDAP_Protected_Place
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://foo.ldapserver.com/o=ctx"
    AuthzLDAPAuthoritative off
    require valid-user
</Directory>

Alias /othersecuredir /webpages/othersecuredir
<Directory /webpages/othersecuredir>
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName LDAP_Secure_Test
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off

    LDAPTrustedMode STARTTLS
    AuthLDAPURL "ldap://other.ldapserver.com/o=ctx"
    require valid-user
</Directory>


The above configuration assumes that all connections to
"foo.ldapserver.com" will be non-secure on port 389 and that all
connections to "other.ldapserver.com" will be TLS connections on port
389.  The problem is that the directive LDAPTrustedMode is global, not
per-directory.  Therefore, even though the configuration intended to
connect to "foo.ldapserver.com" non-secure, since the global trusted
mode has been set to STARTTLS, util_ldap will attempt to start TLS on
all connections.

Since the type of connection is already determined partially by the
AuthLDAPURL (i.e. ldaps:// vs. ldap://), changing the type to STARTTLS
also needs to be in the same scope as AuthLDAPURL.  There are two
options: change LDAPTrustedMode to a per-directory directive within
util_ldap, or move LDAPTrustedMode up into mod_authnz_ldap as
AuthLDAPTrustedMode.

Brad
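
The scoping problem Brad describes, modelled as a small configuration lint. This is an added example, not code from the message or from httpd itself; it assumes the behaviour described above (LDAPTrustedMode takes effect server-wide wherever it is written, and we assume the last occurrence wins) and uses a deliberately simplified parser that only understands <Directory> blocks, AuthLDAPURL and LDAPTrustedMode.

```python
import re

# Constructed sample: the two <Directory> blocks quoted in the message, trimmed.
SAMPLE_CONF = """<Directory /webpages/secure>
    AuthLDAPURL "ldap://foo.ldapserver.com/o=ctx"
</Directory>
<Directory /webpages/othersecuredir>
    LDAPTrustedMode STARTTLS
    AuthLDAPURL "ldap://other.ldapserver.com/o=ctx"
</Directory>
"""
DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+)"?\s*>', re.I)
DIRECTIVE = re.compile(r'^\s*(LDAPTrustedMode|AuthLDAPURL)\s+"?([^"\s]+)"?', re.I)

def parse(conf):
    """Return (server_mode, [(directory, url, mode_written_in_block)]) for each
    <Directory> carrying an AuthLDAPURL.  Models what the message describes:
    LDAPTrustedMode is one server-wide value wherever it is written (assumed:
    last occurrence wins), while AuthLDAPURL is per-directory."""
    server_mode, scopes, current = None, [], None
    for line in conf.splitlines():
        if m := DIR_OPEN.match(line):
            current = [m.group(1), None, None]
        elif line.strip().lower() == "</directory>":
            if current and current[1]:
                scopes.append(tuple(current))
            current = None
        elif m := DIRECTIVE.match(line):
            if m.group(1).lower() == "ldaptrustedmode":
                server_mode = m.group(2).upper()
                if current:
                    current[2] = server_mode
            elif current:
                current[1] = m.group(2)
    return server_mode, scopes

def audit(conf):
    """(directory, finding) pairs where the connection type actually used does
    not match what the block's own directives suggest."""
    server_mode, scopes = parse(conf)
    findings = []
    for directory, url, local in scopes:
        # ldaps:// forces SSL; anything else gets the server-wide mode (default NONE)
        eff = "SSL" if url.lower().startswith("ldaps://") else (server_mode or "NONE")
        if local:                   # written here, but it applies to every URL
            findings.append((directory, "ldaptrustedmode-is-server-wide"))
        elif eff == "STARTTLS":     # plain ldap:// silently upgraded by another block
            findings.append((directory, "starttls-inherited-from-other-block"))
        if eff == "NONE":           # bind credentials would cross the wire in clear
            findings.append((directory, "cleartext-bind"))
    return findings
```

Running `audit(SAMPLE_CONF)` reports that /webpages/secure inherits STARTTLS from the other block and that the LDAPTrustedMode written in /webpages/othersecuredir is really server-wide; a config with no LDAPTrustedMode at all gets a cleartext-bind finding for each plain ldap:// URL.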