Posted to bugs@httpd.apache.org by bu...@apache.org on 2016/10/19 13:27:39 UTC
[Bug 59880] ldap-filter generates bad filters
https://bz.apache.org/bugzilla/show_bug.cgi?id=59880
Alex Duzsardi <al...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |alex.duzsardi@gmail.com
--- Comment #1 from Alex Duzsardi <al...@gmail.com> ---
For me it works like this:
# single attribute filter
Require ldap-filter memberof=CN=Admins,CN=Users,DC=testing,DC=lan
# two attributes
Require ldap-filter &(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan)
Notice, there are no quotes and/or outer parentheses.
User 'admin' gets access based on the latter filter, and user 'tester', which is
a member of the 'Admins' group but doesn't have the mail attribute =
admin@testing.lan, gets access denied.
[Wed Oct 19 16:11:39.029877 2016] [authz_core:debug] [pid 3159]
mod_authz_core.c(809): [client 10.0.1.110:61615] AH01626: authorization result
of Require ldap-filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan):
denied (no authenticated user yet)
[Wed Oct 19 16:11:39.029904 2016] [authz_core:debug] [pid 3159]
mod_authz_core.c(809): [client 10.0.1.110:61615] AH01626: authorization result
of <RequireAny>: denied (no authenticated user yet)
[Wed Oct 19 16:11:46.279454 2016] [authz_core:debug] [pid 3160]
mod_authz_core.c(809): [client 10.0.1.110:61619] AH01626: authorization result
of Require ldap-filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan):
denied (no authenticated user yet)
[Wed Oct 19 16:11:46.279481 2016] [authz_core:debug] [pid 3160]
mod_authz_core.c(809): [client 10.0.1.110:61619] AH01626: authorization result
of <RequireAny>: denied (no authenticated user yet)
[Wed Oct 19 16:11:46.279503 2016] [authnz_ldap:debug] [pid 3160]
mod_authnz_ldap.c(501): [client 10.0.1.110:61619] AH01691: auth_ldap
authenticate: using URL
ldap://10.100.30.10/DC=testing,DC=lan?samaccountname?sub
[Wed Oct 19 16:11:46.279807 2016] [ldap:debug] [pid 3160] util_ldap.c(372):
AH01278: LDAP: Setting referrals to On.
[Wed Oct 19 16:11:46.289145 2016] [authnz_ldap:debug] [pid 3160]
mod_authnz_ldap.c(593): [client 10.0.1.110:61619] AH01697: auth_ldap
authenticate: accepting admin
[Wed Oct 19 16:11:46.289168 2016] [authnz_ldap:debug] [pid 3160]
mod_authnz_ldap.c(1259): [client 10.0.1.110:61619] AH01743: auth_ldap
authorize: checking filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan)
[Wed Oct 19 16:11:46.300097 2016] [authnz_ldap:debug] [pid 3160]
mod_authnz_ldap.c(1271): [client 10.0.1.110:61619] AH01744: auth_ldap
authorize: checking dn match CN=admin,CN=Users,DC=testing,DC=lan
[Wed Oct 19 16:11:46.300120 2016] [authnz_ldap:debug] [pid 3160]
mod_authnz_ldap.c(1286): [client 10.0.1.110:61619] AH01745: auth_ldap
authorize: require ldap-filter: authorization successful
[Wed Oct 19 16:11:46.300125 2016] [authz_core:debug] [pid 3160]
mod_authz_core.c(809): [client 10.0.1.110:61619] AH01626: authorization result
of Require ldap-filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan):
granted
[Wed Oct 19 16:11:46.300127 2016] [authz_core:debug] [pid 3160]
mod_authz_core.c(809): [client 10.0.1.110:61619] AH01626: authorization result
of <RequireAny>: granted
[Wed Oct 19 16:14:24.524105 2016] [authz_core:debug] [pid 3161]
mod_authz_core.c(809): [client 10.0.1.110:61677] AH01626: authorization result
of Require ldap-filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan):
denied (no authenticated user yet)
[Wed Oct 19 16:14:24.524133 2016] [authz_core:debug] [pid 3161]
mod_authz_core.c(809): [client 10.0.1.110:61677] AH01626: authorization result
of <RequireAny>: denied (no authenticated user yet)
[Wed Oct 19 16:14:40.919074 2016] [authz_core:debug] [pid 3162]
mod_authz_core.c(809): [client 10.0.1.110:61682] AH01626: authorization result
of Require ldap-filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan):
denied (no authenticated user yet)
[Wed Oct 19 16:14:40.919163 2016] [authz_core:debug] [pid 3162]
mod_authz_core.c(809): [client 10.0.1.110:61682] AH01626: authorization result
of <RequireAny>: denied (no authenticated user yet)
[Wed Oct 19 16:14:40.919197 2016] [authnz_ldap:debug] [pid 3162]
mod_authnz_ldap.c(501): [client 10.0.1.110:61682] AH01691: auth_ldap
authenticate: using URL
ldap://10.100.30.10/DC=testing,DC=lan?samaccountname?sub
[Wed Oct 19 16:14:40.919552 2016] [ldap:debug] [pid 3162] util_ldap.c(372):
AH01278: LDAP: Setting referrals to On.
[Wed Oct 19 16:14:40.931736 2016] [authnz_ldap:debug] [pid 3162]
mod_authnz_ldap.c(593): [client 10.0.1.110:61682] AH01697: auth_ldap
authenticate: accepting tester
[Wed Oct 19 16:14:40.931773 2016] [authnz_ldap:debug] [pid 3162]
mod_authnz_ldap.c(1259): [client 10.0.1.110:61682] AH01743: auth_ldap
authorize: checking filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan)
[Wed Oct 19 16:14:40.940934 2016] [authnz_ldap:debug] [pid 3162]
mod_authnz_ldap.c(1301): [client 10.0.1.110:61682] AH01747: auth_ldap
authorize: require ldap-filter: authorization failed [User not found][No such
object]
[Wed Oct 19 16:14:40.940961 2016] [authnz_ldap:debug] [pid 3162]
mod_authnz_ldap.c(1309): [client 10.0.1.110:61682] AH01748: auth_ldap authorize
filter: authorization denied for user tester to /ldap-status
[Wed Oct 19 16:14:40.940967 2016] [authz_core:debug] [pid 3162]
mod_authz_core.c(809): [client 10.0.1.110:61682] AH01626: authorization result
of Require ldap-filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan):
denied
[Wed Oct 19 16:14:40.940970 2016] [authz_core:debug] [pid 3162]
mod_authz_core.c(809): [client 10.0.1.110:61682] AH01626: authorization result
of <RequireAny>: denied
[Wed Oct 19 16:14:40.940973 2016] [authz_core:error] [pid 3162] [client
10.0.1.110:61682] AH01631: user tester: authorization failure for
"/ldap-status":