httpd-dev mailing list archives

From "Brad Nicholes" <BNICHO...@novell.com>
Subject Re: LDAPTrustedMode has the wrong scope...
Date Wed, 02 Feb 2005 01:07:45 GMT
The attached patches convert LDAPTrustedMode into a per-directory
directive rather than a per-server one.  This allows the configuration to
specify which mode should be applied for the associated AuthLDAPURL.

Thoughts on whether this should be the way to go or if LDAPTrustedMode
should be moved up into mod_authnz_ldap as AuthLDAPTrustedMode?

Brad

>>> BNICHOLES@novell.com Tuesday, February 01, 2005 3:33:19 PM >>>
After testing mod_authnz_ldap and util_ldap some more, it appears
that the directive LDAPTrustedMode should be pushed up into
mod_authnz_ldap rather than util_ldap and become AuthLDAPTrustedMode.
The reason why is because the connection type (i.e. NONE, SSL, STARTTLS)
is tied to the AuthLDAPUrl rather than the global connection or
certificate directives that are set in util_ldap.  As it stands today,
the following configuration will fail:

Alias /secure /webpages/secure
<Directory /webpages/secure>
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName LDAP_Protected_Place
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://foo.ldapserver.com/o=ctx"
    AuthzLDAPAuthoritative off
    require valid-user
</Directory>

Alias /othersecuredir /webpages/othersecuredir
<Directory /webpages/othersecuredir>
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName LDAP_Secure_Test
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off

    LDAPTrustedMode STARTTLS
    AuthLDAPURL "ldap://other.ldapserver.com/o=ctx"
    require valid-user
</Directory>


The above configuration assumes that all connections to
"foo.ldapserver.com" will be non-secure on port 389 and that all
connections to "other.ldapserver.com" will be TLS connections on port
389.  The problem is that the directive LDAPTrustedMode is global not
per-directory.  Therefore even though the configuration intended to
connect to "foo.ldapserver.com" non-secure, since the global trusted
mode has been set to STARTTLS, util_ldap will attempt to start tls on
all connections.  

Since the type of connection is already determined partially by the
AuthLDAPURL (i.e. ldaps:// vs ldap://), changing the type to STARTTLS
also needs to be in the same scope as AuthLDAPURL.  There are two
options: change LDAPTrustedMode to a per-directory directive within
util_ldap, or move LDAPTrustedMode up into mod_authnz_ldap as
AuthLDAPTrustedMode.

Brad
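The scoping problem described in the thread can be made concrete with a small model of how the two directives resolve. The script below is an added example, not code from httpd or from the patches Brad attached: it parses a constructed configuration shaped like the one quoted above, computes the effective LDAP transport for each <Directory> under both a server-wide and a per-directory reading of LDAPTrustedMode, and lists the directories whose binds would go out in cleartext. The parser, the `resolve` and `cleartext_dirs` helpers, and the "last value wins globally" rule used to model server scope are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, shaped like the configuration quoted in the thread.
# Only the directives relevant to transport selection are kept.
SAMPLE_CONFIG = """
<Directory /webpages/secure>
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://foo.ldapserver.com/o=ctx"
    require valid-user
</Directory>

<Directory /webpages/othersecuredir>
    AuthBasicProvider ldap
    LDAPTrustedMode STARTTLS
    AuthLDAPURL "ldap://other.ldapserver.com/o=ctx"
    require valid-user
</Directory>
"""


@dataclass
class DirSection:
    path: str
    url: Optional[str] = None
    trusted_mode: Optional[str] = None  # value of LDAPTrustedMode seen in this block


def parse(config: str) -> List[DirSection]:
    """Minimal parser (hypothetical): collects AuthLDAPURL and LDAPTrustedMode
    from each <Directory> block. Nested blocks and other directives are ignored."""
    sections: List[DirSection] = []
    current: Optional[DirSection] = None
    for raw in config.splitlines():
        line = raw.strip()
        opening = re.match(r"<Directory\s+(\S+)>", line)
        if opening:
            current = DirSection(opening.group(1))
            continue
        if line == "</Directory>" and current is not None:
            sections.append(current)
            current = None
            continue
        if current is None or not line:
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if name == "authldapurl":
            current.url = value
        elif name == "ldaptrustedmode":
            current.trusted_mode = value.upper()
    return sections


def resolve(config: str, per_directory: bool) -> Dict[str, str]:
    """Effective transport (NONE, STARTTLS or SSL) for every directory.

    per_directory=False models today's behaviour as the thread describes it:
    LDAPTrustedMode is server-wide, so the last value seen anywhere applies
    to every AuthLDAPURL. per_directory=True models the proposed change,
    where each block only sees the value set inside it."""
    sections = parse(config)
    # Assumption: a server-scoped directive repeated in several blocks ends
    # up with the last value; that is the "leak" the thread complains about.
    server_mode = "NONE"
    for sec in sections:
        if sec.trusted_mode:
            server_mode = sec.trusted_mode

    modes: Dict[str, str] = {}
    for sec in sections:
        if sec.url and sec.url.lower().startswith("ldaps://"):
            modes[sec.path] = "SSL"  # ldaps:// selects SSL regardless of the directive
        elif per_directory:
            modes[sec.path] = sec.trusted_mode or "NONE"
        else:
            modes[sec.path] = server_mode
    return modes


def cleartext_dirs(config: str, per_directory: bool) -> List[str]:
    """Directories whose LDAP bind (and therefore the user's password) would
    travel unprotected: ldap:// with an effective mode of NONE."""
    return [path for path, mode in resolve(config, per_directory).items() if mode == "NONE"]


if __name__ == "__main__":
    for label, scoped in (("server-wide", False), ("per-directory", True)):
        print(f"{label}: {resolve(SAMPLE_CONFIG, scoped)}")
        print(f"  cleartext binds: {cleartext_dirs(SAMPLE_CONFIG, scoped)}")
```

Under the server-wide reading both directories end up on STARTTLS, which is exactly why the foo.ldapserver.com block fails when that server does not speak TLS; under the per-directory reading the intent is preserved, and the same pass doubles as an audit that surfaces /webpages/secure as a block sending plaintext binds on port 389.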

