Posted to bugs@httpd.apache.org by bu...@apache.org on 2016/07/18 14:49:55 UTC

[Bug 59880] New: ldap-filter generates bad filters

https://bz.apache.org/bugzilla/show_bug.cgi?id=59880

            Bug ID: 59880
           Summary: ldap-filter generates bad filters
           Product: Apache httpd-2
           Version: 2.4.18
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_authnz_ldap
          Assignee: bugs@httpd.apache.org
          Reporter: earle.timothy@gmail.com

Use case: using the Require ldap-filter directive to prevent users with expired
passwords from logging in (see freeIPA for lengthy discussions on this). The
attribute containing the expiration is krbPasswordExpiration.

What's expected: a valid LDAP filter in the Require ldap-filter directive
should result in a valid filter being generated.
What's happening: the value of ldap-filter is either quoted or wrapped in
additional parentheses, resulting in an invalid LDAP filter. If the value of
Require ldap-filter contains neither quotes nor parentheses, then it doesn't
pass the internal filter validation.

Configuration:
LogLevel debug
AuthType basic
AuthBasicProvider ldap
AuthLDAPURL "ldaps://ldaphost/cn=users,cn=accounts,dc=domain,dc=tld"
<RequireAll>
  Require valid-user
  Require ldap-filter "krbPasswordExpiration>=%{TIME}Z"
</RequireAll>

Logging in with a valid user results in the following bad filter per the error
logs:
[Mon Jul 18 14:06:12.205145 2016] [authnz_ldap:debug] [pid 19470]
mod_authnz_ldap.c(613): [client 76.189.145.127:58266] AH01697: auth_ldap
authenticate: accepting test.user
[Mon Jul 18 14:06:12.205177 2016] [authz_core:debug] [pid 19470]
mod_authz_core.c(809): [client 76.189.145.127:58266] AH01626: authorization
result of Require valid-user : granted
[Mon Jul 18 14:06:12.205193 2016] [authnz_ldap:debug] [pid 19470]
mod_authnz_ldap.c(1341): [client 76.189.145.127:58266] AH01743: auth_ldap
authorize: checking filter "krbPasswordExpiration>=20160718140612Z"
[Mon Jul 18 14:06:12.207455 2016] [authnz_ldap:debug] [pid 19470]
mod_authnz_ldap.c(1376): [client 76.189.145.127:58266] AH01746: auth_ldap
authorize: require ldap-filter:
(&("krbPasswordExpiration>=20160718140612Z")(uid=test.user)) authorization
failed [ldap_search_ext_s() for user failed][Bad search filter]

-----

Surrounding the ldap-filter value with parentheses to make it a valid search
filter on its own:
Require ldap-filter "(krbPasswordExpiration>=%{TIME}Z)"

Results in the following in the error log:
[Mon Jul 18 14:18:51.184101 2016] [authnz_ldap:debug] [pid 19544]
mod_authnz_ldap.c(613): [client 76.189.145.127:58527] AH01697: auth_ldap
authenticate: accepting test.user
[Mon Jul 18 14:18:51.184132 2016] [authz_core:debug] [pid 19544]
mod_authz_core.c(809): [client 76.189.145.127:58527] AH01626: authorization
result of Require valid-user : granted
[Mon Jul 18 14:18:51.184148 2016] [authnz_ldap:debug] [pid 19544]
mod_authnz_ldap.c(1341): [client 76.189.145.127:58527] AH01743: auth_ldap
authorize: checking filter "(krbPasswordExpiration>=20160718141851Z)"
[Mon Jul 18 14:18:51.186277 2016] [authnz_ldap:debug] [pid 19544]
mod_authnz_ldap.c(1376): [client 76.189.145.127:58527] AH01746: auth_ldap
authorize: require ldap-filter:
(&("(krbPasswordExpiration>=20160718141851Z)")(uid=test.user)) authorization
failed [ldap_search_ext_s() for user failed][Bad search filter]

-----

Removing the quotes and keeping the parentheses:
Require ldap-filter (krbPasswordExpiration>=%{TIME}Z)

Results in the following in the error log:
[Mon Jul 18 14:24:53.341343 2016] [authnz_ldap:debug] [pid 19618]
mod_authnz_ldap.c(613): [client 76.189.145.127:58645] AH01697: auth_ldap
authenticate: accepting test.user
[Mon Jul 18 14:24:53.341378 2016] [authz_core:debug] [pid 19618]
mod_authz_core.c(809): [client 76.189.145.127:58645] AH01626: authorization
result of Require valid-user : granted
[Mon Jul 18 14:24:53.341399 2016] [authnz_ldap:debug] [pid 19618]
mod_authnz_ldap.c(1341): [client 76.189.145.127:58645] AH01743: auth_ldap
authorize: checking filter (krbPasswordExpiration>=20160718142453Z)
[Mon Jul 18 14:24:53.343507 2016] [authnz_ldap:debug] [pid 19618]
mod_authnz_ldap.c(1376): [client 76.189.145.127:58645] AH01746: auth_ldap
authorize: require ldap-filter:
(&((krbPasswordExpiration>=20160718142453Z))(uid=test.user)) authorization
failed [ldap_search_ext_s() for user failed][Bad search filter]

-----
Finally, removing the quotes and parentheses entirely results in the following:
Require ldap-filter krbPasswordExpiration>=%{TIME}Z

Results in the following in the error log:
[Mon Jul 18 14:21:37.896357 2016] [authnz_ldap:debug] [pid 19579]
mod_authnz_ldap.c(613): [client 76.189.145.127:58578] AH01697: auth_ldap
authenticate: accepting test.user
[Mon Jul 18 14:21:37.896389 2016] [authz_core:debug] [pid 19579]
mod_authz_core.c(809): [client 76.189.145.127:58578] AH01626: authorization
result of Require valid-user : granted
[Mon Jul 18 14:21:37.896405 2016] [authnz_ldap:debug] [pid 19579]
mod_authnz_ldap.c(1341): [client 76.189.145.127:58578] AH01743: auth_ldap
authorize: checking filter krbPasswordExpiration>=20160718142137Z
[Mon Jul 18 14:21:37.900660 2016] [authnz_ldap:debug] [pid 19579]
mod_authnz_ldap.c(1383): [client 76.189.145.127:58578] AH01747: auth_ldap
authorize: require ldap-filter: authorization failed [User not found][No such
object]


-----

A couple of takeaways:
- The documentation could be updated to include what the ldap-filter will end
up being. Ex: it doesn't say that it will wrap it in an &() with the
uid=%{REMOTE_USER} - I presume this will change based on the value of the
AuthLDAPURL directive.
- Additionally, documenting how the filter should be constructed so that it is
properly included in the final, generated filter would be helpful too. A few
examples, such as the ones I've listed above, could save some frustration and
add some clarity.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 59880] ldap-filter generates bad filters

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59880

Alex Duzsardi <al...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |alex.duzsardi@gmail.com

--- Comment #1 from Alex Duzsardi <al...@gmail.com> ---
For me it works like this

# single attribute filter
Require ldap-filter memberof=CN=Admins,CN=Users,DC=testing,DC=lan

# two attributes
Require ldap-filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan)

Notice, there are no quotes and/or outer parentheses.
User 'admin' gets access based on the latter filter, and user 'tester', which is
a member of the 'Admins' group but doesn't have the mail attribute =
admin@testing.lan, gets access denied.


[Wed Oct 19 16:11:39.029877 2016] [authz_core:debug] [pid 3159]
mod_authz_core.c(809): [client 10.0.1.110:61615] AH01626: authorization result
of Require ldap-filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan):
denied (no authenticated user yet)
[Wed Oct 19 16:11:39.029904 2016] [authz_core:debug] [pid 3159]
mod_authz_core.c(809): [client 10.0.1.110:61615] AH01626: authorization result
of <RequireAny>: denied (no authenticated user yet)
[Wed Oct 19 16:11:46.279454 2016] [authz_core:debug] [pid 3160]
mod_authz_core.c(809): [client 10.0.1.110:61619] AH01626: authorization result
of Require ldap-filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan):
denied (no authenticated user yet)
[Wed Oct 19 16:11:46.279481 2016] [authz_core:debug] [pid 3160]
mod_authz_core.c(809): [client 10.0.1.110:61619] AH01626: authorization result
of <RequireAny>: denied (no authenticated user yet)
[Wed Oct 19 16:11:46.279503 2016] [authnz_ldap:debug] [pid 3160]
mod_authnz_ldap.c(501): [client 10.0.1.110:61619] AH01691: auth_ldap
authenticate: using URL
ldap://10.100.30.10/DC=testing,DC=lan?samaccountname?sub
[Wed Oct 19 16:11:46.279807 2016] [ldap:debug] [pid 3160] util_ldap.c(372):
AH01278: LDAP: Setting referrals to On.
[Wed Oct 19 16:11:46.289145 2016] [authnz_ldap:debug] [pid 3160]
mod_authnz_ldap.c(593): [client 10.0.1.110:61619] AH01697: auth_ldap
authenticate: accepting admin
[Wed Oct 19 16:11:46.289168 2016] [authnz_ldap:debug] [pid 3160]
mod_authnz_ldap.c(1259): [client 10.0.1.110:61619] AH01743: auth_ldap
authorize: checking filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan)
[Wed Oct 19 16:11:46.300097 2016] [authnz_ldap:debug] [pid 3160]
mod_authnz_ldap.c(1271): [client 10.0.1.110:61619] AH01744: auth_ldap
authorize: checking dn match CN=admin,CN=Users,DC=testing,DC=lan
[Wed Oct 19 16:11:46.300120 2016] [authnz_ldap:debug] [pid 3160]
mod_authnz_ldap.c(1286): [client 10.0.1.110:61619] AH01745: auth_ldap
authorize: require ldap-filter: authorization successful
[Wed Oct 19 16:11:46.300125 2016] [authz_core:debug] [pid 3160]
mod_authz_core.c(809): [client 10.0.1.110:61619] AH01626: authorization result
of Require ldap-filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan):
granted
[Wed Oct 19 16:11:46.300127 2016] [authz_core:debug] [pid 3160]
mod_authz_core.c(809): [client 10.0.1.110:61619] AH01626: authorization result
of <RequireAny>: granted
[Wed Oct 19 16:14:24.524105 2016] [authz_core:debug] [pid 3161]
mod_authz_core.c(809): [client 10.0.1.110:61677] AH01626: authorization result
of Require ldap-filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan):
denied (no authenticated user yet)
[Wed Oct 19 16:14:24.524133 2016] [authz_core:debug] [pid 3161]
mod_authz_core.c(809): [client 10.0.1.110:61677] AH01626: authorization result
of <RequireAny>: denied (no authenticated user yet)
[Wed Oct 19 16:14:40.919074 2016] [authz_core:debug] [pid 3162]
mod_authz_core.c(809): [client 10.0.1.110:61682] AH01626: authorization result
of Require ldap-filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan):
denied (no authenticated user yet)
[Wed Oct 19 16:14:40.919163 2016] [authz_core:debug] [pid 3162]
mod_authz_core.c(809): [client 10.0.1.110:61682] AH01626: authorization result
of <RequireAny>: denied (no authenticated user yet)
[Wed Oct 19 16:14:40.919197 2016] [authnz_ldap:debug] [pid 3162]
mod_authnz_ldap.c(501): [client 10.0.1.110:61682] AH01691: auth_ldap
authenticate: using URL
ldap://10.100.30.10/DC=testing,DC=lan?samaccountname?sub
[Wed Oct 19 16:14:40.919552 2016] [ldap:debug] [pid 3162] util_ldap.c(372):
AH01278: LDAP: Setting referrals to On.
[Wed Oct 19 16:14:40.931736 2016] [authnz_ldap:debug] [pid 3162]
mod_authnz_ldap.c(593): [client 10.0.1.110:61682] AH01697: auth_ldap
authenticate: accepting tester
[Wed Oct 19 16:14:40.931773 2016] [authnz_ldap:debug] [pid 3162]
mod_authnz_ldap.c(1259): [client 10.0.1.110:61682] AH01743: auth_ldap
authorize: checking filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan)
[Wed Oct 19 16:14:40.940934 2016] [authnz_ldap:debug] [pid 3162]
mod_authnz_ldap.c(1301): [client 10.0.1.110:61682] AH01747: auth_ldap
authorize: require ldap-filter: authorization failed [User not found][No such
object]
[Wed Oct 19 16:14:40.940961 2016] [authnz_ldap:debug] [pid 3162]
mod_authnz_ldap.c(1309): [client 10.0.1.110:61682] AH01748: auth_ldap authorize
filter: authorization denied for user tester to /ldap-status
[Wed Oct 19 16:14:40.940967 2016] [authz_core:debug] [pid 3162]
mod_authz_core.c(809): [client 10.0.1.110:61682] AH01626: authorization result
of Require ldap-filter
&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)(mail=admin@testing.lan):
denied
[Wed Oct 19 16:14:40.940970 2016] [authz_core:debug] [pid 3162]
mod_authz_core.c(809): [client 10.0.1.110:61682] AH01626: authorization result
of <RequireAny>: denied
[Wed Oct 19 16:14:40.940973 2016] [authz_core:error] [pid 3162] [client
10.0.1.110:61682] AH01631: user tester: authorization failure for
"/ldap-status":

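The following is an added worked example, not code from httpd or from either poster. It models what the AH01746 lines in the original report show: the Require ldap-filter value is dropped verbatim into (&(<value>)(<attr>=<user>)), with the attribute name taken from the AuthLDAPURL (uid in the report, samaccountname in the comment; that the attribute follows the URL is the reporter's presumption and an assumption here, since the comment's logs never print the final wrapped filter). The %{TIME} expansion is stood in for by the constant the report's log shows. A small RFC 4515 syntax checker is then run over the wrapped filter for the reporter's four spellings (taken as the AH01743 lines print them, quotes included) and for the commenter's two-attribute form. It reproduces the page's evidence: only the spellings without quotes and without outer parentheses produce a syntactically valid filter, which is consistent with the bare form in the report failing with [User not found] rather than [Bad search filter].

```python
"""Model of how a Require ldap-filter value ends up in the LDAP search filter.

Constructed example, not httpd code. The wrapping rule is read off the AH01746
log lines in bug 59880; the attribute name and the %{TIME} value are assumptions.
"""
import re

# attribute description: descr or numeric OID, optional ;options (RFC 4512)
_ATTR_RE = re.compile(r"(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)(?:;[A-Za-z0-9-]+)*")
_OPS = (">=", "<=", "~=", "=")   # extensible match (":=") is not modelled here
_HEX2 = re.compile(r"[0-9A-Fa-f]{2}")


def build_wire_filter(require_value: str, attr: str, user: str) -> str:
    """Reproduce the wrapping visible in the AH01746 log lines (assumption)."""
    return f"(&({require_value})({attr}={user}))"


def expand_time(require_value: str, time_value: str) -> str:
    """Stand-in for httpd's %{TIME} expansion; the log shows YYYYmmddHHMMSS."""
    return require_value.replace("%{TIME}", time_value)


def _parse_item(s: str, i: int) -> int:
    """Parse 'attr<op>value' starting at s[i]; return index of the closing ')'."""
    m = _ATTR_RE.match(s, i)
    if not m:
        raise ValueError(f"expected attribute description at offset {i}: {s[i:i + 10]!r}")
    i = m.end()
    for op in _OPS:
        if s.startswith(op, i):
            i += len(op)
            break
    else:
        raise ValueError(f"expected one of {_OPS} at offset {i}")
    # assertion value: no NUL, '(', ')', '*' or '\' unless escaped as \XX;
    # '*' is legal only in an equality (presence/substring) filter
    while i < len(s) and s[i] != ")":
        c = s[i]
        if c in "(\x00":
            raise ValueError(f"unescaped {c!r} in value at offset {i}")
        if c == "*" and op != "=":
            raise ValueError(f"'*' not allowed after {op!r} at offset {i}")
        if c == "\\":
            if not _HEX2.match(s, i + 1):
                raise ValueError(f"bad escape at offset {i}")
            i += 3
            continue
        i += 1
    return i


def _parse_filter(s: str, i: int) -> int:
    """Parse one parenthesised filter starting at s[i]; return index after ')'."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}: {s[i:i + 10]!r}")
    i += 1
    if i >= len(s):
        raise ValueError("unexpected end of filter")
    c = s[i]
    if c in "&|":              # and/or: one or more nested filters
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":
            i = _parse_filter(s, i)
            count += 1
        if count == 0:
            raise ValueError(f"'{c}' at offset {i - 1} needs a nested filter")
    elif c == "!":             # not: exactly one nested filter
        i = _parse_filter(s, i + 1)
    else:                      # simple item such as uid=test.user
        i = _parse_item(s, i)
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def check_filter(s: str):
    """Return (True, '') for a syntactically valid RFC 4515 filter, else (False, why)."""
    try:
        end = _parse_filter(s, 0)
    except ValueError as e:
        return False, str(e)
    if end != len(s):
        return False, f"trailing text after filter at offset {end}: {s[end:]!r}"
    return True, ""


# Reporter's four spellings, as the AH01743 lines print them (quotes survived),
# plus the commenter's two-attribute form; attr/user per the page's logs.
VARIANTS = {
    "quoted":        ('"krbPasswordExpiration>=%{TIME}Z"', "uid", "test.user"),
    "quoted+parens": ('"(krbPasswordExpiration>=%{TIME}Z)"', "uid", "test.user"),
    "parens":        ("(krbPasswordExpiration>=%{TIME}Z)", "uid", "test.user"),
    "bare":          ("krbPasswordExpiration>=%{TIME}Z", "uid", "test.user"),
    "bare two-attr": ("&(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)"
                      "(mail=admin@testing.lan)", "samaccountname", "admin"),
}


def evaluate_variants(time_value: str = "20160718140612"):
    """Map each variant name to (wire filter, valid?, reason)."""
    out = {}
    for name, (value, attr, user) in VARIANTS.items():
        wire = build_wire_filter(expand_time(value, time_value), attr, user)
        ok, why = check_filter(wire)
        out[name] = (wire, ok, why)
    return out


if __name__ == "__main__":
    for name, (wire, ok, why) in evaluate_variants().items():
        print(f"{name:14s} {'OK ' if ok else 'BAD'} {wire}  {why}")
```

Running the block prints each wrapped filter with OK or BAD; the three forms with quotes or extra parentheses fail at the character following the inner "(", which is where a real LDAP server's parser also gives up. The checker is syntax only: a filter that passes it can still match no entry, which is the [User not found] outcome the page shows for the bare form and for user tester.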