httpd-dev mailing list archives

From "Fenlason, Josh" <jfenla...@ptc.com>
Subject RE: Authentication Bug? (Patch?)
Date Mon, 05 Jun 2006 13:18:05 GMT
That's great!  Thanks. 
,
Josh.

> -----Original Message-----
> From: Brad Nicholes [mailto:BNICHOLES@novell.com] 
> Sent: Friday, June 02, 2006 5:21 PM
> To: dev@httpd.apache.org
> Subject: RE: Authentication Bug? (Patch?)
> 
>   There has already been a bug submitted on this one 
> PR#39529.  I have committed the patch in trunk and proposed 
> it for backport.
> 
> Brad
> 
> >>> On 6/2/2006 at 11:59 AM, in message
> <CF83BAA719FD2C439D25CBB1C9D1D302038B15FB@HQ-MAIL4.ptcnet.ptc.com>,
> "Fenlason, Josh" <jfenlason@ptc.com> wrote:
> > I'm building with iPlanet (v 5.08) on Unix and the Microsoft LDAP SDK
> > on Windows.  iPlanet is listed as a working SDK and 5.08 is the latest
> > that I know of.  What about including my patch if the LDAP library
> > doesn't support LDAP_SECURITY_ERROR?  If LDAP_SECURITY_ERROR isn't
> > defined, then include my patch.  Thanks.
> > ,
> > Josh.
> > 
> >> -----Original Message-----
> >> From: Brad Nicholes [mailto:BNICHOLES@novell.com]
> >> Sent: Friday, June 02, 2006 12:38 PM
> >> To: dev@httpd.apache.org
> >> Subject: RE: Authentication Bug? (Patch?)
> >> 
> >>    Which LDAP client library are you linking with and what version is
> >> it.  The problem is that your client library apparently doesn't
> >> support the LDAP_SECURITY_ERROR macro.
> >> This macro basically does what your patch is doing except that it
> >> looks at the complete range of possible security related failures.
> >> The macro is defined as
> >>
> >> #define LDAP_RANGE(n,x,y)	(((x) <= (n)) && ((n) <= (y)))
> >> #define LDAP_SECURITY_ERROR(n)	LDAP_RANGE((n),0x30,0x32) /* 48-50 */
> >> 
> >> I know that both OpenLDAP and Novell LDAP support this macro.
> >> 
> >> Brad
> >> 
> >> 
> >> >>> On 6/2/2006 at 11:03 AM, in message
> >> <CF83BAA719FD2C439D25CBB1C9D1D302038B159D@HQ-MAIL4.ptcnet.ptc.com>,
> >> "Fenlason, Josh" <jfenlason@ptc.com> wrote:
> >> > I made the following patch to mod_authnz_ldap.c and it fixed my
> >> > issue.  Does anyone have any comments?  Any chance this could be
> >> > committed?  Anything else I need to do?  Thanks.
> >> > ,
> >> > Josh.
> >> > 
> >> > *** mod_authnz_ldap.c   Fri Apr 21 20:53:05 2006
> >> > --- mod_authnz_ldap.c.patch     Fri Jun 02 11:48:41 2006
> >> > ***************
> >> > *** 409,415 ****
> >> >                         "[%" APR_PID_T_FMT "] auth_ldap
> >> authenticate:
> >> "
> >> >                         "user %s authentication failed; URI %s 
> >> > [%s][%s]",
> >> >                         getpid(), user, r->uri, ldc->reason, 
> >> > ldap_err2string(result)); !
> >> >           return (LDAP_NO_SUCH_OBJECT == result) ?
> >> AUTH_USER_NOT_FOUND
> >> >   #ifdef LDAP_SECURITY_ERROR
> >> >                    : (LDAP_SECURITY_ERROR(result)) ? AUTH_DENIED
> >> > --- 409,417 ----
> >> >                         "[%" APR_PID_T_FMT "] auth_ldap
> >> authenticate:
> >> "
> >> >                         "user %s authentication failed; URI %s 
> >> > [%s][%s]",
> >> >                         getpid(), user, r->uri, ldc->reason, 
> >> > ldap_err2string(result));
> >> > !         if ( LDAP_INVALID_CREDENTIALS == result ) {
> >> > !             return AUTH_DENIED;  // user provided invalid
> >> credentials.
> >> > deny them so they can retry
> >> > !         }
> >> >           return (LDAP_NO_SUCH_OBJECT == result) ?
> >> AUTH_USER_NOT_FOUND
> >> >   #ifdef LDAP_SECURITY_ERROR
> >> >                    : (LDAP_SECURITY_ERROR(result)) ? AUTH_DENIED
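Review bot: The new `if ( LDAP_INVALID_CREDENTIALS == result )` test runs unconditionally, ahead of the existing `#ifdef LDAP_SECURITY_ERROR` arm that already returns AUTH_DENIED for security errors, so with an SDK that defines the macro it is redundant, and with one that does not it covers a single result code rather than the whole range. Consider moving it into an `#else` arm of that `#ifdef`, or defining the macro when it is missing, so the added test is a fallback only. The `//` comment should be a `/* ... */` comment, which is the portable form in a C file, and the spaces inside the parentheses do not match the `(LDAP_NO_SUCH_OBJECT == result)` style on the following line.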
> >> > 
> >> > 
> >> > 
> >> > ________________________________
> >> > 
> >> > 	From: Fenlason, Josh 
> >> > 	Sent: Friday, June 02, 2006 10:07 AM
> >> > 	To: 'dev@httpd.apache.org'
> >> > 	Subject: Authentication Bug?
> >> > 	
> >> > 	
> >> > 	
> >> > 	I'm trying to move to Apache 2.2.2 and I'm running into some
> >> > authentication troubles.
> >> > 	When I enter the correct username/password it authenticates
> >> > properly.  When I enter an invalid username, I get prompted up to
> >> > three times and it fails with a 401 like expected.  My problem is
> >> > when I attempt to authenticate with a valid username and provide an
> >> > invalid password.  It fails with a 500 error and this message is in
> >> > the error log "[3692] auth_ldap authenticate: user admin
> >> > authentication failed; URI / [ldap_simple_bind_s() to check user
> >> > credentials failed][Invalid Credentials]".  It only prompts me once.
> >> > If I don't enter the correct password, it fails for the browser
> >> > session.
> >> > 	I'm not the only one experiencing this issue, see the thread on the
> >> > user list
> >> > (http://marc.theaimsgroup.com/?l=apache-httpd-users&m=114910962114624&w=2).
> >> > 	Is there something wrong with my configuration?  If not, I can open
> >> > a bug.  In my opinion this would be a pretty serious regression from
> >> > Apache 2.0.x (hopefully I'm just missing something obvious though).
> >> > 	,
> >> > 	Josh.
> >> > 	 
> >> > 	Here's my authentication configuration:
> >> > 	 
> >> > 	    <AuthnProviderAlias ldap test>
> >> > 	      AuthLDAPURL ldap://localhost/ou=people
> >> > 	    </AuthnProviderAlias>
> >> > 	 
> >> > 	    <Location />
> >> > 	      AuthzLDAPAuthoritative off
> >> > 	      AuthName "Test"
> >> > 	      AuthType Basic
> >> > 	      AuthBasicProvider test
> >> > 	      require valid-user
> >> > 	    </Location>
> >> 
> >>
> 
> 
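
The fallback discussed in this thread, as an added example that is not part of the original messages or of httpd's source: it defines LDAP_SECURITY_ERROR from the macro text quoted above when the SDK lacks it, and compares the resulting mapping with the one that lets a wrong password fall through to a general error. The EX_ names, the HTTP status mapping and the sample result codes (numbered as in RFC 4511) are assumptions of the example.

```c
#include <stdio.h>

/* LDAP result codes, numbered as in RFC 4511 (EX_ names are local to this example). */
enum { EX_SUCCESS = 0x00, EX_NO_SUCH_OBJECT = 0x20, EX_INAPPROPRIATE_AUTH = 0x30,
       EX_INVALID_CREDENTIALS = 0x31, EX_INSUFFICIENT_ACCESS = 0x32, EX_UNAVAILABLE = 0x34 };

/* Fallback for SDKs without the macro, using the definition quoted in the thread. */
#ifndef LDAP_RANGE
#define LDAP_RANGE(n,x,y)      (((x) <= (n)) && ((n) <= (y)))
#endif
#ifndef LDAP_SECURITY_ERROR
#define LDAP_SECURITY_ERROR(n) LDAP_RANGE((n),0x30,0x32) /* 48-50 */
#endif

/* Hypothetical stand-ins for the authentication provider's return values. */
typedef enum { EX_AUTH_GRANTED, EX_AUTH_DENIED, EX_AUTH_USER_NOT_FOUND,
               EX_AUTH_GENERAL_ERROR } ex_status;

/* No macro and no replacement: a wrong password falls through to the general error. */
static ex_status ex_map_without_macro(int result)
{
    if (result == EX_SUCCESS) return EX_AUTH_GRANTED;
    return (result == EX_NO_SUCH_OBJECT) ? EX_AUTH_USER_NOT_FOUND : EX_AUTH_GENERAL_ERROR;
}

/* With the fallback macro: every security-related result (0x30-0x32) is a denial. */
static ex_status ex_map_with_fallback(int result)
{
    if (result == EX_SUCCESS) return EX_AUTH_GRANTED;
    return (result == EX_NO_SUCH_OBJECT) ? EX_AUTH_USER_NOT_FOUND
         : LDAP_SECURITY_ERROR(result)   ? EX_AUTH_DENIED
                                         : EX_AUTH_GENERAL_ERROR;
}

/* Assumed HTTP mapping: denial and unknown user re-prompt (401), general error is 500. */
static int ex_http_status(ex_status s)
{
    if (s == EX_AUTH_GRANTED) return 200;
    return (s == EX_AUTH_DENIED || s == EX_AUTH_USER_NOT_FOUND) ? 401 : 500;
}

int main(void)
{
    int codes[] = { 0x20, 0x30, 0x31, 0x32, 0x34 };  /* constructed sample results */
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++)
        printf("0x%02x  without macro: %d  with fallback: %d\n", (unsigned)codes[i],
               ex_http_status(ex_map_without_macro(codes[i])),
               ex_http_status(ex_map_with_fallback(codes[i])));
    return 0;
}
```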
