httpd-dev mailing list archives

From "Brad Nicholes" <BNICHO...@novell.com>
Subject RE: Authentication Bug? (Patch?)
Date Fri, 02 Jun 2006 22:20:49 GMT
  There has already been a bug submitted on this one PR#39529.  I have
committed the patch in trunk and proposed it for backport.

Brad

>>> On 6/2/2006 at 11:59 AM, in message
<CF83BAA719FD2C439D25CBB1C9D1D302038B15FB@HQ-MAIL4.ptcnet.ptc.com>,
"Fenlason, Josh" <jfenlason@ptc.com> wrote:
> I'm building with iPlanet (v 5.08) on Unix and the Microsoft LDAP SDK on
> Windows.  iPlanet is listed as a working SDK and 5.08 is the latest that
> I know of.  What about including my patch if the LDAP library doesn't
> support LDAP_SECURITY_ERROR?  If LDAP_SECURITY_ERROR isn't defined, then
> include my patch.  Thanks.
> ,
> Josh.
> 
>> -----Original Message-----
>> From: Brad Nicholes [mailto:BNICHOLES@novell.com] 
>> Sent: Friday, June 02, 2006 12:38 PM
>> To: dev@httpd.apache.org 
>> Subject: RE: Authentication Bug? (Patch?)
>> 
>>    Which LDAP client library are you linking with and what
>> version is it?  The problem is that your client library
>> apparently doesn't support the LDAP_SECURITY_ERROR macro.
>> This macro basically does what your patch is doing except
>> that it looks at the complete range of possible security
>> related failures.  The macro is defined as
>>
>> #define LDAP_RANGE(n,x,y)	(((x) <= (n)) && ((n) <= (y)))
>> #define LDAP_SECURITY_ERROR(n)	LDAP_RANGE((n),0x30,0x32) /* 48-50 */
>> 
>> I know that both OpenLDAP and Novell LDAP support this macro.
>> 
>> Brad
>> 
>> 
>> >>> On 6/2/2006 at 11:03 AM, in message
>> <CF83BAA719FD2C439D25CBB1C9D1D302038B159D@HQ-MAIL4.ptcnet.ptc.com>,
>> "Fenlason, Josh" <jfenlason@ptc.com> wrote:
>> > I made the following patch to mod_authnz_ldap.c and it fixed my issue.
>> > Does anyone have any comments?  Any chance this could be committed?
>> > Anything else I need to do?  Thanks.
>> > ,
>> > Josh.
>> >
>> > *** mod_authnz_ldap.c   Fri Apr 21 20:53:05 2006
>> > --- mod_authnz_ldap.c.patch     Fri Jun 02 11:48:41 2006
>> > ***************
>> > *** 409,415 ****
>> >                         "[%" APR_PID_T_FMT "] auth_ldap 
>> authenticate:
>> "
>> >                         "user %s authentication failed; URI %s 
>> > [%s][%s]",
>> >                         getpid(), user, r->uri, ldc->reason, 
>> > ldap_err2string(result)); !
>> >           return (LDAP_NO_SUCH_OBJECT == result) ?
>> AUTH_USER_NOT_FOUND
>> >   #ifdef LDAP_SECURITY_ERROR
>> >                    : (LDAP_SECURITY_ERROR(result)) ? AUTH_DENIED
>> > --- 409,417 ----
>> >                         "[%" APR_PID_T_FMT "] auth_ldap 
>> authenticate:
>> "
>> >                         "user %s authentication failed; URI %s 
>> > [%s][%s]",
>> >                         getpid(), user, r->uri, ldc->reason, 
>> > ldap_err2string(result));
>> > !         if ( LDAP_INVALID_CREDENTIALS == result ) {
>> > !             return AUTH_DENIED;  // user provided invalid
>> credentials.
>> > deny them so they can retry
>> > !         }
>> >           return (LDAP_NO_SUCH_OBJECT == result) ?
>> AUTH_USER_NOT_FOUND
>> >   #ifdef LDAP_SECURITY_ERROR
>> >                    : (LDAP_SECURITY_ERROR(result)) ? AUTH_DENIED
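Review bot: the new `if ( LDAP_INVALID_CREDENTIALS == result )` block in the `--- 409,417 ----` side is redundant wherever the SDK defines `LDAP_SECURITY_ERROR`, because 0x31 (49, invalidCredentials) lies inside the 0x30-0x32 range that the `#ifdef LDAP_SECURITY_ERROR` branch two lines further down already maps to AUTH_DENIED; wrap the explicit check in `#ifndef LDAP_SECURITY_ERROR` (or move it into the `#else` arm of that conditional) so only client libraries lacking the macro take the extra path. Two smaller points: the `// user provided invalid credentials` comment is a C++/C99 line comment where httpd's C sources use `/* ... */`, and the mailer has wrapped that comment onto the following line, so the hunk will not compile as pasted; a `/* ... */` comment kept on one line avoids both problems.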
>> > 
>> > 
>> > 
>> > ________________________________
>> >
>> > 	From: Fenlason, Josh
>> > 	Sent: Friday, June 02, 2006 10:07 AM
>> > 	To: 'dev@httpd.apache.org'
>> > 	Subject: Authentication Bug?
>> >
>> > 	I'm trying to move to Apache 2.2.2 and I'm running into some
>> > authentication troubles.
>> > 	When I enter the correct username/password it authenticates
>> > properly.  When I enter an invalid username, I get prompted up to
>> > three times and it fails with a 401 like expected.  My problem is when
>> > I attempt to authenticate with a valid username and provide an invalid
>> > password.  It fails with a 500 error and this message is in the error
>> > log "[3692] auth_ldap authenticate: user admin authentication failed;
>> > URI / [ldap_simple_bind_s() to check user credentials failed][Invalid
>> > Credentials]".  It only prompts me once.  If I don't enter the correct
>> > password, it fails for the browser session.
>> > 	I'm not the only one experiencing this issue, see the thread on the
>> > user list
>> > (http://marc.theaimsgroup.com/?l=apache-httpd-users&m=114910962114624&w=2).
>> > 	Is there something wrong with my configuration?  If not, I can open a
>> > bug.  In my opinion this would be a pretty serious regression from
>> > Apache 2.0.x (hopefully I'm just missing something obvious though).
>> > 	,
>> > 	Josh.
>> >
>> > 	Here's my authentication configuration:
>> >
>> > 	    <AuthnProviderAlias ldap test>
>> > 	      AuthLDAPURL ldap://localhost/ou=people
>> > 	    </AuthnProviderAlias>
>> >
>> > 	    <Location />
>> > 	      AuthzLDAPAuthoritative off
>> > 	      AuthName "Test"
>> > 	      AuthType Basic
>> > 	      AuthBasicProvider test
>> > 	      require valid-user
>> > 	    </Location>
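The result-code mapping discussed in this thread (LDAP_NO_SUCH_OBJECT to AUTH_USER_NOT_FOUND, the 48-50 security range to AUTH_DENIED, anything else to a general error), written out as an added stand-alone example that is not httpd's code and not either poster's patch. It carries the `#ifndef LDAP_SECURITY_ERROR` fallback Josh asks about, so a client SDK that lacks the macro behaves the same way as OpenLDAP and Novell LDAP. The result-code values follow RFC 4511, the `authn_status` enum is modelled on httpd's mod_auth.h, `classify_bind_result` is a name chosen for this example, and no real `<ldap.h>` is included so the file builds on its own.

```c
/* Added example (not httpd's own code): classify the result of an LDAP bind
 * the way mod_authnz_ldap's authentication provider needs to, with a
 * portability shim for SDKs that do not define LDAP_SECURITY_ERROR. */
#include <stdio.h>

/* Standard LDAP result codes (RFC 4511); a real <ldap.h> would supply these.
 * They are defined here only so the example compiles without an LDAP SDK. */
#ifndef LDAP_SUCCESS
#define LDAP_SUCCESS              0x00
#endif
#ifndef LDAP_NO_SUCH_OBJECT
#define LDAP_NO_SUCH_OBJECT       0x20  /* 32 */
#endif
#ifndef LDAP_INAPPROPRIATE_AUTH
#define LDAP_INAPPROPRIATE_AUTH   0x30  /* 48 */
#endif
#ifndef LDAP_INVALID_CREDENTIALS
#define LDAP_INVALID_CREDENTIALS  0x31  /* 49: the "Invalid Credentials" in Josh's log */
#endif
#ifndef LDAP_INSUFFICIENT_ACCESS
#define LDAP_INSUFFICIENT_ACCESS  0x32  /* 50 */
#endif
#ifndef LDAP_UNAVAILABLE
#define LDAP_UNAVAILABLE          0x34  /* 52: directory cannot serve the request */
#endif

/* Shim: OpenLDAP and Novell LDAP ship this macro; an SDK that does not gets
 * the identical range test, so the classification below is the same on both. */
#ifndef LDAP_SECURITY_ERROR
#define LDAP_RANGE(n,x,y)       (((x) <= (n)) && ((n) <= (y)))
#define LDAP_SECURITY_ERROR(n)  LDAP_RANGE((n),0x30,0x32) /* 48-50 */
#endif

/* Modelled on the authn_status enum in httpd's mod_auth.h (assumed values). */
typedef enum {
    AUTH_DENIED,
    AUTH_GRANTED,
    AUTH_USER_FOUND,
    AUTH_USER_NOT_FOUND,
    AUTH_GENERAL_ERROR
} authn_status;

/* Map an ldap_simple_bind_s() result to what the provider should report.
 * AUTH_DENIED makes httpd send a 401 so the browser can re-prompt;
 * AUTH_GENERAL_ERROR surfaces as the 500 described in the thread. */
authn_status classify_bind_result(int result)
{
    if (result == LDAP_SUCCESS)
        return AUTH_GRANTED;
    if (result == LDAP_NO_SUCH_OBJECT)
        return AUTH_USER_NOT_FOUND;   /* let a later provider try this user */
    if (LDAP_SECURITY_ERROR(result))
        return AUTH_DENIED;           /* 48, 49, 50: wrong password or not permitted */
    return AUTH_GENERAL_ERROR;        /* server-side failure, not a credential problem */
}

int main(void)
{
    /* Constructed sample results as a client library might return them. */
    const int samples[] = { LDAP_SUCCESS, LDAP_NO_SUCH_OBJECT, LDAP_INAPPROPRIATE_AUTH,
                            LDAP_INVALID_CREDENTIALS, LDAP_INSUFFICIENT_ACCESS,
                            LDAP_UNAVAILABLE };
    const char *names[] = { "AUTH_DENIED", "AUTH_GRANTED", "AUTH_USER_FOUND",
                            "AUTH_USER_NOT_FOUND", "AUTH_GENERAL_ERROR" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("result 0x%02x -> %s\n", samples[i], names[classify_bind_result(samples[i])]);
    return 0;
}
```

The shim is guarded with `#ifndef` rather than defined unconditionally so that, on an SDK that already provides `LDAP_SECURITY_ERROR`, the library's definition wins and nothing is redefined; that is the portable form of the fallback Josh proposed. The point of keeping 48-50 on the AUTH_DENIED path is that a bad password then produces a 401 and a re-prompt instead of the 500 that an unmatched code falls through to.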