From: "Fenlason, Josh"
Delivered-To: mailing list dev@httpd.apache.org
Subject: RE: Authentication Bug? (Patch?)
Date: Fri, 2 Jun 2006 13:59:01 -0400

I'm building with iPlanet (v 5.08) on Unix and the Microsoft LDAP SDK on Windows. iPlanet is listed as a working SDK and 5.08 is the latest that I know of. What about including my patch if the LDAP library doesn't support LDAP_SECURITY_ERROR? If LDAP_SECURITY_ERROR isn't defined, then include my patch. Thanks.
,
Josh.

> -----Original Message-----
> From: Brad Nicholes [mailto:BNICHOLES@novell.com]
> Sent: Friday, June 02, 2006 12:38 PM
> To: dev@httpd.apache.org
> Subject: RE: Authentication Bug? (Patch?)
>
> Which LDAP client library are you linking with and what
> version is it. The problem is that your client library
> apparently doesn't support the LDAP_SECURITY_ERROR macro.
> This macro basically does what your patch is doing except
> that it looks at the complete range of possible security
> related failures. The macro is defined as
>
> #define LDAP_RANGE(n,x,y) (((x) <= (n)) && ((n) <= (y)))
> #define LDAP_SECURITY_ERROR(n) LDAP_RANGE((n),0x30,0x32) /* 48-50 */
>
> I know that both OpenLDAP and Novell LDAP support this macro.
>
> Brad
>
>
> >>> On 6/2/2006 at 11:03 AM, in message , "Fenlason, Josh" wrote:
> > I made the following patch to mod_authnz_ldap.c and it fixed my issue.
> > Does any one have any comments? Any chance this could be committed?
> > Anything else I need to do? Thanks.
> > ,
> > Josh.
> >
> > *** mod_authnz_ldap.c Fri Apr 21 20:53:05 2006 > > --- mod_authnz_ldap.c.patch Fri Jun 02 11:48:41 2006 > > *************** > > *** 409,415 **** > > "[%" APR_PID_T_FMT "] auth_ldap=20 > authenticate: > " > > "user %s authentication failed; URI %s=20 > > [%s][%s]", > > getpid(), user, r->uri, ldc->reason,=20 > > ldap_err2string(result)); ! > > return (LDAP_NO_SUCH_OBJECT =3D=3D result) ? > AUTH_USER_NOT_FOUND > > #ifdef LDAP_SECURITY_ERROR > > : (LDAP_SECURITY_ERROR(result)) ? AUTH_DENIED > > --- 409,417 ---- > > "[%" APR_PID_T_FMT "] auth_ldap=20 > authenticate: > " > > "user %s authentication failed; URI %s=20 > > [%s][%s]", > > getpid(), user, r->uri, ldc->reason,=20 > > ldap_err2string(result)); > > ! if ( LDAP_INVALID_CREDENTIALS =3D=3D result ) { > > ! return AUTH_DENIED; // user provided invalid > credentials. > > deny them so they can retry > > ! } > > return (LDAP_NO_SUCH_OBJECT =3D=3D result) ? > AUTH_USER_NOT_FOUND > > #ifdef LDAP_SECURITY_ERROR > > : (LDAP_SECURITY_ERROR(result)) ? AUTH_DENIED
> >
> >
> >
> > ________________________________
> >
> > From: Fenlason, Josh
> > Sent: Friday, June 02, 2006 10:07 AM
> > To: 'dev@httpd.apache.org'
> > Subject: Authentication Bug?
> >
> > I'm trying to move to Apache 2.2.2 and I'm running into some
> > authentication troubles.
> > When I enter the correct username/password it authenticates properly.
> > When I enter an invalid username, I get prompted up to three
> > times and it fails with a 401 like expected. My problem is when I
> > attempt to authenticate with a valid username and provide an invalid
> > password. It fails with a 500 error and this message is in the error
> > log "[3692] auth_ldap authenticate: user admin authentication failed;
> > URI / [ldap_simple_bind_s() to check user credentials failed][Invalid
> > Credentials]". It only prompts me once. If I don't enter the correct
> > password, it fails for the browser session.
> > I'm not the only one experiencing this issue, see the thread on the
> > user list
> > (http://marc.theaimsgroup.com/?l=apache-httpd-users&m=114910962114624&w=2).
> > Is there something wrong with my configuration? If not, I can open a
> > bug. In my opinion this would be a pretty serious regression from
> > Apache 2.0.x (hopefully I'm just missing something obvious though).
> > ,
> > Josh.
> >
> > Here's my authentication configuration:
> >
> > AuthLDAPURL ldap://localhost/ou=people
> >
> > AuthzLDAPAuthoritative off
> > AuthName "Test"
> > AuthType Basic
> > AuthBasicProvider test
> > require valid-user
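
Review bot: In the `--- 409,417 ----` hunk, the new `if ( LDAP_INVALID_CREDENTIALS == result )` test sits in front of the existing `#ifdef LDAP_SECURITY_ERROR` branch and is compiled unconditionally, so on client libraries that do define the macro it duplicates a case the macro already maps to AUTH_DENIED (LDAP_INVALID_CREDENTIALS is 0x31, inside the 0x30-0x32 range quoted in the reply). Move the check into an `#else` arm of that `#ifdef` so it applies only when the SDK lacks the macro, and say so in the comment. On such SDKs the other two codes in that range still fall through to the final branch, which the hunk does not show; testing the whole range in the fallback would keep both builds consistent. The `//` comment is not valid C89 and should be written as `/* ... */`, matching the comment style in the macro definition.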
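
The fallback suggested in the reply, combined with the macro definition Brad quotes, as an added example that is not part of the thread or of the httpd source. `bind_outcome`, `classify_bind_result` and `http_status_for` are hypothetical names, the result codes are the RFC 4511 values defined locally, and 200 for a successful bind is an assumption.

```c
#include <stdio.h>

/* RFC 4511 result codes, defined locally so this builds without an LDAP SDK. */
#define LDAP_SUCCESS             0x00
#define LDAP_NO_SUCH_OBJECT      0x20
#define LDAP_INVALID_CREDENTIALS 0x31
#define LDAP_BUSY                0x33

/* Fallback for client libraries that lack the macro; same definition as quoted above. */
#ifndef LDAP_SECURITY_ERROR
#define LDAP_RANGE(n,x,y)      (((x) <= (n)) && ((n) <= (y)))
#define LDAP_SECURITY_ERROR(n) LDAP_RANGE((n), 0x30, 0x32) /* 48-50 */
#endif

/* Hypothetical outcome type for this example, not httpd's own status enum. */
typedef enum { BIND_GRANTED, BIND_DENIED, BIND_USER_NOT_FOUND, BIND_ERROR } bind_outcome;

bind_outcome classify_bind_result(int result)
{
    if (result == LDAP_SUCCESS)        return BIND_GRANTED;
    if (result == LDAP_NO_SUCH_OBJECT) return BIND_USER_NOT_FOUND;
    if (LDAP_SECURITY_ERROR(result))   return BIND_DENIED;  /* includes 0x31 */
    return BIND_ERROR;
}

/* Status the client sees, following the behaviour reported in the thread. */
int http_status_for(bind_outcome o)
{
    switch (o) {
    case BIND_GRANTED:        return 200;  /* assumed: request proceeds */
    case BIND_DENIED:         /* wrong password: 401 so the browser re-prompts */
    case BIND_USER_NOT_FOUND: return 401;
    default:                  return 500;  /* genuine server-side failure */
    }
}

int main(void)
{
    /* Constructed inputs: both edges of the 0x30-0x32 range and its neighbours. */
    static const int samples[] = { LDAP_SUCCESS, LDAP_NO_SUCH_OBJECT, 0x2f,
                                   0x30, LDAP_INVALID_CREDENTIALS, 0x32, LDAP_BUSY };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("result 0x%02x -> HTTP %d\n", samples[i],
               http_status_for(classify_bind_result(samples[i])));
    return 0;
}
```

Because the fallback is guarded by `#ifndef`, an SDK that ships its own `LDAP_SECURITY_ERROR` keeps using it and both builds classify a failed bind the same way.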