Posted to bugs@httpd.apache.org by bu...@apache.org on 2016/10/19 13:27:39 UTC

[Bug 59880] ldap-filter generates bad filters

https://bz.apache.org/bugzilla/show_bug.cgi?id=59880

Alex Duzsardi <al...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |alex.duzsardi@gmail.com

--- Comment #1 from Alex Duzsardi <al...@gmail.com> ---
For me it works like this

# single attribute filter
Require ldap-filter memberof=CN=Admins,CN=Users,DC=testing,DC=lan

# two attributes
Require ldap-filter &(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan)

Notice that there are no quotes and/or outer parentheses.
User 'admin' gets access based on the latter filter, and user 'tester', who is
a member of the 'Admins' group but doesn't have the mail attribute =
admin@testing.lan, gets access denied.


[Wed Oct 19 16:11:39.029877 2016] [authz_core:debug] [pid 3159]
mod_authz_core.c(809): [client 10.0.1.110:61615] AH01626: authorization result
of Require ldap-filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan):
denied (no authenticated user yet)
[Wed Oct 19 16:11:39.029904 2016] [authz_core:debug] [pid 3159]
mod_authz_core.c(809): [client 10.0.1.110:61615] AH01626: authorization result
of <RequireAny>: denied (no authenticated user yet)
[Wed Oct 19 16:11:46.279454 2016] [authz_core:debug] [pid 3160]
mod_authz_core.c(809): [client 10.0.1.110:61619] AH01626: authorization result
of Require ldap-filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan):
denied (no authenticated user yet)
[Wed Oct 19 16:11:46.279481 2016] [authz_core:debug] [pid 3160]
mod_authz_core.c(809): [client 10.0.1.110:61619] AH01626: authorization result
of <RequireAny>: denied (no authenticated user yet)
[Wed Oct 19 16:11:46.279503 2016] [authnz_ldap:debug] [pid 3160]
mod_authnz_ldap.c(501): [client 10.0.1.110:61619] AH01691: auth_ldap
authenticate: using URL
ldap://10.100.30.10/DC=testing,DC=lan?samaccountname?sub
[Wed Oct 19 16:11:46.279807 2016] [ldap:debug] [pid 3160] util_ldap.c(372):
AH01278: LDAP: Setting referrals to On.
[Wed Oct 19 16:11:46.289145 2016] [authnz_ldap:debug] [pid 3160]
mod_authnz_ldap.c(593): [client 10.0.1.110:61619] AH01697: auth_ldap
authenticate: accepting admin
[Wed Oct 19 16:11:46.289168 2016] [authnz_ldap:debug] [pid 3160]
mod_authnz_ldap.c(1259): [client 10.0.1.110:61619] AH01743: auth_ldap
authorize: checking filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan)
[Wed Oct 19 16:11:46.300097 2016] [authnz_ldap:debug] [pid 3160]
mod_authnz_ldap.c(1271): [client 10.0.1.110:61619] AH01744: auth_ldap
authorize: checking dn match CN=admin,CN=Users,DC=testing,DC=lan
[Wed Oct 19 16:11:46.300120 2016] [authnz_ldap:debug] [pid 3160]
mod_authnz_ldap.c(1286): [client 10.0.1.110:61619] AH01745: auth_ldap
authorize: require ldap-filter: authorization successful
[Wed Oct 19 16:11:46.300125 2016] [authz_core:debug] [pid 3160]
mod_authz_core.c(809): [client 10.0.1.110:61619] AH01626: authorization result
of Require ldap-filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan):
granted
[Wed Oct 19 16:11:46.300127 2016] [authz_core:debug] [pid 3160]
mod_authz_core.c(809): [client 10.0.1.110:61619] AH01626: authorization result
of <RequireAny>: granted
[Wed Oct 19 16:14:24.524105 2016] [authz_core:debug] [pid 3161]
mod_authz_core.c(809): [client 10.0.1.110:61677] AH01626: authorization result
of Require ldap-filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan):
denied (no authenticated user yet)
[Wed Oct 19 16:14:24.524133 2016] [authz_core:debug] [pid 3161]
mod_authz_core.c(809): [client 10.0.1.110:61677] AH01626: authorization result
of <RequireAny>: denied (no authenticated user yet)
[Wed Oct 19 16:14:40.919074 2016] [authz_core:debug] [pid 3162]
mod_authz_core.c(809): [client 10.0.1.110:61682] AH01626: authorization result
of Require ldap-filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan):
denied (no authenticated user yet)
[Wed Oct 19 16:14:40.919163 2016] [authz_core:debug] [pid 3162]
mod_authz_core.c(809): [client 10.0.1.110:61682] AH01626: authorization result
of <RequireAny>: denied (no authenticated user yet)
[Wed Oct 19 16:14:40.919197 2016] [authnz_ldap:debug] [pid 3162]
mod_authnz_ldap.c(501): [client 10.0.1.110:61682] AH01691: auth_ldap
authenticate: using URL
ldap://10.100.30.10/DC=testing,DC=lan?samaccountname?sub
[Wed Oct 19 16:14:40.919552 2016] [ldap:debug] [pid 3162] util_ldap.c(372):
AH01278: LDAP: Setting referrals to On.
[Wed Oct 19 16:14:40.931736 2016] [authnz_ldap:debug] [pid 3162]
mod_authnz_ldap.c(593): [client 10.0.1.110:61682] AH01697: auth_ldap
authenticate: accepting tester
[Wed Oct 19 16:14:40.931773 2016] [authnz_ldap:debug] [pid 3162]
mod_authnz_ldap.c(1259): [client 10.0.1.110:61682] AH01743: auth_ldap
authorize: checking filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan)
[Wed Oct 19 16:14:40.940934 2016] [authnz_ldap:debug] [pid 3162]
mod_authnz_ldap.c(1301): [client 10.0.1.110:61682] AH01747: auth_ldap
authorize: require ldap-filter: authorization failed [User not found][No such
object]
[Wed Oct 19 16:14:40.940961 2016] [authnz_ldap:debug] [pid 3162]
mod_authnz_ldap.c(1309): [client 10.0.1.110:61682] AH01748: auth_ldap authorize
filter: authorization denied for user tester to /ldap-status
[Wed Oct 19 16:14:40.940967 2016] [authz_core:debug] [pid 3162]
mod_authz_core.c(809): [client 10.0.1.110:61682] AH01626: authorization result
of Require ldap-filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan):
denied
[Wed Oct 19 16:14:40.940970 2016] [authz_core:debug] [pid 3162]
mod_authz_core.c(809): [client 10.0.1.110:61682] AH01626: authorization result
of <RequireAny>: denied
[Wed Oct 19 16:14:40.940973 2016] [authz_core:error] [pid 3162] [client
10.0.1.110:61682] AH01631: user tester: authorization failure for
"/ldap-status":

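Added example (not part of the original comment or of httpd): a small Python parser that rejoins the hard-wrapped debug records and reports, per request, which user was authenticated (AH01697), which filter was checked (AH01743) and whether `Require ldap-filter` granted (AH01745) or denied (AH01748) access. The sample is an excerpt of the log above; the function names and the assumption of one request per client connection are illustrative.

```python
import re

# Excerpt of the wrapped debug log from the comment above.
SAMPLE = """\
[Wed Oct 19 16:11:46.289145 2016] [authnz_ldap:debug] [pid 3160]
mod_authnz_ldap.c(593): [client 10.0.1.110:61619] AH01697: auth_ldap
authenticate: accepting admin
[Wed Oct 19 16:11:46.289168 2016] [authnz_ldap:debug] [pid 3160]
mod_authnz_ldap.c(1259): [client 10.0.1.110:61619] AH01743: auth_ldap
authorize: checking filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan)
[Wed Oct 19 16:11:46.300120 2016] [authnz_ldap:debug] [pid 3160]
mod_authnz_ldap.c(1286): [client 10.0.1.110:61619] AH01745: auth_ldap
authorize: require ldap-filter: authorization successful
[Wed Oct 19 16:14:40.931736 2016] [authnz_ldap:debug] [pid 3162]
mod_authnz_ldap.c(593): [client 10.0.1.110:61682] AH01697: auth_ldap
authenticate: accepting tester
[Wed Oct 19 16:14:40.940961 2016] [authnz_ldap:debug] [pid 3162]
mod_authnz_ldap.c(1309): [client 10.0.1.110:61682] AH01748: auth_ldap authorize
filter: authorization denied for user tester to /ldap-status
"""

START = re.compile(r"^\[\w{3} \w{3} +\d{1,2} [\d:.]+ \d{4}\] ")
RECORD = re.compile(r"\[pid (?P<pid>\d+)\] .*?\[client (?P<client>[\d.]+:\d+)\] "
                    r"(?P<code>AH\d{5}): (?P<msg>.*)$")

def unwrap(text):
    """Rejoin records that were hard-wrapped at ~80 columns."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def ldap_filter_decisions(text):
    """One dict per request that reached the Require ldap-filter check."""
    seen = {}  # (pid, client ip:port) -> facts gathered for that request
    for m in filter(None, map(RECORD.search, unwrap(text))):
        state = seen.setdefault((m["pid"], m["client"]), {"client": m["client"]})
        code, msg = m["code"], m["msg"]
        if code == "AH01697":    # authenticate: accepting <user>
            state["user"] = msg.rsplit("accepting ", 1)[1]
        elif code == "AH01743":  # authorize: checking filter <filter>
            state["filter"] = msg.split("checking filter ", 1)[1]
        elif code in ("AH01745", "AH01748"):  # successful / denied
            state["result"] = "granted" if code == "AH01745" else "denied"
    return [s for s in seen.values() if "result" in s]
```

Records without a `[client ...]` field, such as the util_ldap AH01278 line, are skipped; the AH01626 "no authenticated user yet" denials never reach the filter check and are therefore not reported.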