You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2008/07/14 20:07:37 UTC
DO NOT REPLY [Bug 45393] New: Apache returns 500 Error when no LDAP
credentials are supplied
https://issues.apache.org/bugzilla/show_bug.cgi?id=45393
Summary: Apache returns 500 Error when no LDAP credentials are
supplied
Product: Apache httpd-2
Version: 2.2.9
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: normal
Priority: P2
Component: mod_authz_ldap
AssignedTo: bugs@httpd.apache.org
ReportedBy: dstusynski@ptc.com
There seems to be an issue on Windows Apache 2.2.9 when compiled against the
MSSDK for LDAP. When a user accesses a authenticated resource and is prompted
for credentials, if they do not enter a username and password and instead hit
ok at the prompt, Apache returns a 500 error due to a filter error.
Excerpt from the Error Log:
[Mon Jul 14 11:16:04 2008] [debug] mod_headers.c(711): headers:
ap_headers_output_filter()
[Mon Jul 14 11:16:08 2008] [debug] mod_authnz_ldap.c(377): [client
132.253.10.108] [6488] auth_ldap authenticate: using URL
ldap://server:389/ou=people,cn=EnterpriseLdap,cn=app,dc=server,dc=subdomain,dc=domain,dc=com,
referer: http://server:10080/app/
[Mon Jul 14 11:16:08 2008] [warn] [client 132.253.10.108] [6488] auth_ldap
authenticate: user authentication failed; URI /app/servlet/Navigation
[ldap_search_ext_s() for user failed][Filter Error], referer:
http://server:10080/app/
Taken from the Access Log:
132.253.10.108 - - [14/Jul/2008:11:16:08 -0500] "GET
/PDMPJL91/servlet/Navigation HTTP/1.1" 500 487 15625
I was slightly curious about this so I recompiled with a few lines of "random"
debugging to see what statements where firing and what some variables were
being set to in mod_authnz_ldap.c and util_ldap.c.
In mod_authnz_ldap.c's function static void authn_ldap_build_filter(...):
I added a logging statement in the
if (sent_user != NULL) {
user = apr_pstrdup (r->pool, sent_user);
to see what the user was being set to in the event this statement was
executing. Ther user was logged as "user=[]" and is clearly not NULL which I
expected since in fact the if(sent_user != NULL) was executing. I originally
didn't expect this statement to execute at all.
The filter eventually gets created by:
else
filter = sec->filter;
and is set to the "objectclass=*" (my logs kick out filter=[objectclass=*]).
>From a quick glance that appears to be a valid filter for the MS
ldap_search_ext_s API.
Then when authn_ldap_check_password function gets executed I originally
expected the request to error out on the password=NULL and/or the username=NULL
check, however, these did not execute. I guess that means the empty user/pass
is an empty string as opposed to NULL.
In util_ldap.c the statement:
result = ldap_search_ext_s(ldc->ldap,
(char *)basedn, scope,
(char *)filter, attrs, 0,
NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res);
in results error code being Filter Error from the logs.
For sanity sake, I tested with Firefox and IE to rule out any odd IE quirk.
Is this an Apache issue not handling the blank user/pass credentials properly?
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 45393] Apache returns 500 Error when no LDAP
credentials are supplied
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45393
Ignasi <ib...@flumotion.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Version|2.2.9 |2.2.15
OS/Version|Windows XP |Linux
--- Comment #3 from Ignasi <ib...@flumotion.com> 2011-01-21 07:27:23 EST ---
We have Linux RHEL6 with httpd 2.2.15, and after loged with LDAP username and
password, apache return 500 error.
No information available about this error in the server error log.
With the follow configuration:
# vim: syntax=apache
<VirtualHost _default_:443>
SSLEngine On
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/pki/tls/certs/xxx.crt
SSLCertificateKeyFile /etc/pki/tls/private/xxxxxxxxx.key
ServerName xxxxxxxxxx
ServerAlias xxxxxxxxxxxxx
DocumentRoot /var/www/xxxxxxxx
# Specific configuration
<Location /private/status>
SetHandler server-status
</Location>
<Location />
AuthType Basic
AuthName "Admin xxxxxx"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldaps://ldap.xxxxxxxx.com/ou=People,dc=xxxxx,dc=com?uid?one
Require ldap-user xxxx xxxx
</Location>
ErrorLog logs/xxxxxxxx-ssl-error_log
CustomLog logs/xxxxxxxxx-ssl-access_log combined
</VirtualHost>
Modules loaded:
auth_basic_module
ldap_module
authnz_ldap_module
The same configuration works with RHEL5.x and httpd 2.2.3.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 45393] Apache returns 500 Error when no LDAP
credentials are supplied
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45393
Eric Covener <co...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Version|2.2.15 |2.2.8
OS/Version|Linux |Windows XP
--- Comment #4 from Eric Covener <co...@gmail.com> 2011-01-21 07:38:15 EST ---
Ignasi, don't misapropriate someone elses open bug report.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 45393] Apache returns 500 Error when no LDAP
credentials are supplied
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45393
--- Comment #1 from Eric Covener <co...@gmail.com> 2008-07-14 13:50:06 PST ---
I went down this path for another PR (or issue raised on IRC) a few months ago.
The empty userid is permitted by HTTP basic auth, and some LDAP SDKs do support
the filter generated such as "attr=" with no value. I believe I lost the heart
to try to change it when both openldap and Tivoli directory server supported
the syntax.
if you can find chapter and verse of the LDAP filter syntax that says it's
forbidden, mod_authnz_ldap would be able to short-circuit sending the DN search
-- otherwise we'd have to add some special-case MSSDK logic to do the same (to
prevent the 500, request still forbidden obviously)
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 45393] Apache returns 500 Error when no LDAP
credentials are supplied
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45393
--- Comment #2 from Dan Stusynski <ds...@ptc.com> 2008-07-17 13:18:05 PST ---
The additional bug 41435 seems the same as this one I reported (not sure if
that is what you were referring to). I tried to decide on a way to modify
mod_authnz_ldap.c authn_ldap_build_filter() function to handle this situation
but I don't see a way that one can build a valid MS LDAP filter that is 1)
valid for syntax and 2) that isn't guaranteed to return any users. Simply using
objectclass=* wouldn't work for the use case of 1 LDAP user, nor would the
attempt to have a uid=null (a null string) since that gets translated to a
literal uid when searching LDAP (as opposed to '\0' or similar C
representation).
I'm left thinking that just modifying util_ldap.c as the original poster in
that bug mentioned is a decent option while adding a check that the requests
user isn't blank (so we only gobble the FILTER_ERROR when a username is blank).
For example:
/* MS LDAP SDK returns a FILTER ERROR when searching for "attr="
attribute=nothing). Check the result error and user length from the request
and return invalid instead of 500. */
#if APR_HAS_MICROSOFT_LDAPSDK
if ( (result == LDAP_FILTER_ERROR) && (strlen(r->user) <= 0) )
{
ldc->reason = "ldap_search_ext_s() to search for user failed";
ldap_msgfree(res);
uldap_connection_unbind(ldc);
return LDAP_INVALID_CREDENTIALS;
}
#endif
Place this just after the ldap_search_ext_s() ldap call and before the all
encompassing if (result != LDAP_SUCCESS) statement.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 45393] Apache returns 500 Error when no LDAP
credentials are supplied
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45393
Eric Covener <co...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |covener@gmail.com
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org