httpd-dev mailing list archives

From "Brad Nicholes" <BNICHO...@novell.com>
Subject RE: Authentication Bug? (Patch?)
Date Fri, 02 Jun 2006 17:37:56 GMT
   Which LDAP client library are you linking with and what version is
it?  The problem is that your client library apparently doesn't support
the LDAP_SECURITY_ERROR macro.  This macro basically does what your
patch is doing except that it looks at the complete range of possible
security related failures.  The macro is defined as

#define LDAP_RANGE(n,x,y)	(((x) <= (n)) && ((n) <= (y)))
#define LDAP_SECURITY_ERROR(n)	LDAP_RANGE((n),0x30,0x32) /* 48-50 */

I know that both OpenLDAP and Novell LDAP support this macro.

Brad


>>> On 6/2/2006 at 11:03 AM, in message
<CF83BAA719FD2C439D25CBB1C9D1D302038B159D@HQ-MAIL4.ptcnet.ptc.com>,
"Fenlason, Josh" <jfenlason@ptc.com> wrote:
> I made the following patch to mod_authnz_ldap.c and it fixed my issue.
> Does anyone have any comments?  Any chance this could be committed?
> Anything else I need to do?  Thanks.
> ,
> Josh.
> 
> *** mod_authnz_ldap.c   Fri Apr 21 20:53:05 2006
> --- mod_authnz_ldap.c.patch     Fri Jun 02 11:48:41 2006
> ***************
> *** 409,415 ****
>                         "[%" APR_PID_T_FMT "] auth_ldap authenticate:
"
>                         "user %s authentication failed; URI %s
> [%s][%s]",
>                         getpid(), user, r->uri, ldc->reason,
> ldap_err2string(result));
> !
>           return (LDAP_NO_SUCH_OBJECT == result) ?
AUTH_USER_NOT_FOUND
>   #ifdef LDAP_SECURITY_ERROR
>                    : (LDAP_SECURITY_ERROR(result)) ? AUTH_DENIED
> --- 409,417 ----
>                         "[%" APR_PID_T_FMT "] auth_ldap authenticate:
"
>                         "user %s authentication failed; URI %s
> [%s][%s]",
>                         getpid(), user, r->uri, ldc->reason,
> ldap_err2string(result));
> !         if ( LDAP_INVALID_CREDENTIALS == result ) {
> !             return AUTH_DENIED;  // user provided invalid
credentials.
> deny them so they can retry
> !         }
>           return (LDAP_NO_SUCH_OBJECT == result) ?
AUTH_USER_NOT_FOUND
>   #ifdef LDAP_SECURITY_ERROR
>                    : (LDAP_SECURITY_ERROR(result)) ? AUTH_DENIED
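Review bot: the new `if ( LDAP_INVALID_CREDENTIALS == result )` test runs unconditionally ahead of the `#ifdef LDAP_SECURITY_ERROR` branch, so on a client library that defines the macro it only duplicates what `LDAP_SECURITY_ERROR(result)` already maps to AUTH_DENIED, and on a library that lacks the macro it rescues just one code (invalid credentials) while the other codes in the 48-50 range the macro covers still fall through to the general-error path and the 500. If the library's headers are the problem, a guarded fallback above this function (`#ifndef LDAP_SECURITY_ERROR` followed by the two `#define` lines Brad quotes) fixes the whole range without special-casing one result code. Also, the `// user provided invalid credentials ...` comment should be a `/* ... */` comment, since `//` is rejected by C89 compilers.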
> 
> 
> 
> ________________________________
> 
> 	From: Fenlason, Josh 
> 	Sent: Friday, June 02, 2006 10:07 AM
> 	To: 'dev@httpd.apache.org'
> 	Subject: Authentication Bug?
> 	
> 	
> 	
> 	I'm trying to move to Apache 2.2.2 and I'm running into some
> authentication troubles.
> 	When I enter the correct username/password it authenticates
> properly.  When I enter an invalid username, I get prompted up to three
> times and it fails with a 401 like expected.  My problem is when I
> attempt to authenticate with a valid username and provide an invalid
> password.  It fails with a 500 error and this message is in the error
> log "[3692] auth_ldap authenticate: user admin authentication failed;
> URI / [ldap_simple_bind_s() to check user credentials failed][Invalid
> Credentials]".  It only prompts me once.  If I don't enter the correct
> password, it fails for the browser session.
> 	I'm not the only one experiencing this issue, see the thread on
> the user list
> (http://marc.theaimsgroup.com/?l=apache-httpd-users&m=114910962114624&w=2).
> 	Is there something wrong with my configuration?  If not, I can
> open a bug.  In my opinion this would be a pretty serious regression
> from Apache 2.0.x (hopefully I'm just missing something obvious though).
> 	,
> 	Josh.
> 
> 	Here's my authentication configuration:
> 
> 	    <AuthnProviderAlias ldap test>
> 	      AuthLDAPURL ldap://localhost/ou=people
> 	    </AuthnProviderAlias>
> 
> 	    <Location />
> 	      AuthzLDAPAuthoritative off
> 	      AuthName "Test"
> 	      AuthType Basic
> 	      AuthBasicProvider test
> 	      require valid-user
> 	    </Location>



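As an added illustration of the point Brad makes about LDAP_SECURITY_ERROR (example code written for this archive page, not httpd's own source and not part of the thread), the following compares two ways of turning a failed bind's LDAP result code into an authentication outcome: the range macro, with a guarded fallback definition for client libraries whose headers lack it, and a single-code check like the one in Josh's patch. The result-code values are the RFC 4511 ones and are defined locally so the example does not need a particular library's <ldap.h>; the `authn_status` enum here is a stand-in for httpd's and models only the outcomes the thread talks about, and treating every other failure as a general error (the path that surfaces as a 500) is an assumption made for the example.

```c
/* Added example, not httpd code: mapping LDAP bind result codes to an
 * authentication outcome, range macro versus a single-code check. */
#include <stdio.h>

/* LDAP result codes from RFC 4511, defined locally so this builds
 * without any client library's <ldap.h>. */
#define LDAP_NO_SUCH_OBJECT                0x20 /* 32 */
#define LDAP_INAPPROPRIATE_AUTHENTICATION  0x30 /* 48 */
#define LDAP_INVALID_CREDENTIALS           0x31 /* 49 */
#define LDAP_INSUFFICIENT_ACCESS           0x32 /* 50 */

/* Guarded fallback: the same definition Brad quotes from OpenLDAP and
 * Novell LDAP. A library that ships the macro keeps its own because of
 * the #ifndef. */
#ifndef LDAP_SECURITY_ERROR
#define LDAP_RANGE(n,x,y)       (((x) <= (n)) && ((n) <= (y)))
#define LDAP_SECURITY_ERROR(n)  LDAP_RANGE((n),0x30,0x32) /* 48-50 */
#endif

/* Stand-in for httpd's authn_status (mod_auth.h); only the outcomes
 * discussed in the thread are modelled. */
typedef enum {
    AUTH_DENIED,          /* 401, browser may retry */
    AUTH_USER_NOT_FOUND,  /* let the next provider try */
    AUTH_GENERAL_ERROR    /* assumed for this example: surfaces as a 500 */
} authn_status;

/* Outcome as the existing #ifdef LDAP_SECURITY_ERROR branch computes it. */
authn_status classify_with_macro(int result)
{
    if (result == LDAP_NO_SUCH_OBJECT)
        return AUTH_USER_NOT_FOUND;
    if (LDAP_SECURITY_ERROR(result))
        return AUTH_DENIED;
    return AUTH_GENERAL_ERROR;
}

/* Outcome using only the single-code test the patch adds; every other
 * security-class failure is left to the general-error path. */
authn_status classify_single_code(int result)
{
    if (result == LDAP_INVALID_CREDENTIALS)
        return AUTH_DENIED;
    if (result == LDAP_NO_SUCH_OBJECT)
        return AUTH_USER_NOT_FOUND;
    return AUTH_GENERAL_ERROR;
}

/* Number of result codes in 0..255 on which the two classifications
 * disagree: exactly the codes the macro covers but the single test misses. */
int count_disagreements(void)
{
    int n = 0, rc;
    for (rc = 0; rc < 256; rc++)
        if (classify_with_macro(rc) != classify_single_code(rc))
            n++;
    return n;
}

int main(void)
{
    int rc;
    for (rc = LDAP_INAPPROPRIATE_AUTHENTICATION;
         rc <= LDAP_INSUFFICIENT_ACCESS; rc++)
        printf("rc=%d macro=%d single=%d\n", rc,
               (int)classify_with_macro(rc), (int)classify_single_code(rc));
    printf("codes where the two disagree: %d\n", count_disagreements());
    return 0;
}
```

With the fallback in place, an invalid password (49) maps to AUTH_DENIED under both schemes, but the two other codes in the 48-50 range reach AUTH_DENIED only through the macro; the single-code check leaves them on the general-error path.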