Posted to dev@httpd.apache.org by "Fenlason, Josh" <jf...@ptc.com> on 2006/06/02 19:03:24 UTC
RE: Authentication Bug? (Patch?)
I made the following patch to mod_authnz_ldap.c and it fixed my issue.
Does any one have any comments? Any chance this could be committed?
Anything else I need to do? Thanks.
,
Josh.
*** mod_authnz_ldap.c Fri Apr 21 20:53:05 2006
--- mod_authnz_ldap.c.patch Fri Jun 02 11:48:41 2006
***************
*** 409,415 ****
"[%" APR_PID_T_FMT "] auth_ldap authenticate: "
"user %s authentication failed; URI %s
[%s][%s]",
getpid(), user, r->uri, ldc->reason,
ldap_err2string(result));
!
return (LDAP_NO_SUCH_OBJECT == result) ? AUTH_USER_NOT_FOUND
#ifdef LDAP_SECURITY_ERROR
: (LDAP_SECURITY_ERROR(result)) ? AUTH_DENIED
--- 409,417 ----
"[%" APR_PID_T_FMT "] auth_ldap authenticate: "
"user %s authentication failed; URI %s
[%s][%s]",
getpid(), user, r->uri, ldc->reason,
ldap_err2string(result));
! if ( LDAP_INVALID_CREDENTIALS == result ) {
! return AUTH_DENIED; // user provided invalid credentials.
deny them so they can retry
! }
return (LDAP_NO_SUCH_OBJECT == result) ? AUTH_USER_NOT_FOUND
#ifdef LDAP_SECURITY_ERROR
: (LDAP_SECURITY_ERROR(result)) ? AUTH_DENIED
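Review bot: the `if ( LDAP_INVALID_CREDENTIALS == result )` check inserted ahead of the ternary rescues a single result code, while the `LDAP_SECURITY_ERROR(result)` branch it precedes (compiled out whenever the client library does not define the macro) covers the whole 0x30-0x32 range, so inappropriateAuthentication (0x30) and insufficientAccessRights (0x32) would still reach the general-error return on such a library. A fallback definition fixes all three at once and keeps the existing branch live on every library:
#ifndef LDAP_SECURITY_ERROR
#define LDAP_SECURITY_ERROR(n) (((n) >= 0x30) && ((n) <= 0x32))
#endif
Two smaller points: `// user provided invalid credentials.` should be a `/* ... */` comment, since httpd's C sources use C89 comments, and the patch has been line-wrapped by the mail client (the comment's tail `deny them so they can retry` sits on its own unmarked line), so it will not apply as posted; attach it rather than paste it inline.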
________________________________
From: Fenlason, Josh
Sent: Friday, June 02, 2006 10:07 AM
To: 'dev@httpd.apache.org'
Subject: Authentication Bug?
I'm trying to move to Apache 2.2.2 and I'm running into some
authentication troubles.
When I enter the correct username/password it authenticates
properly. When I enter an invalid username, I get prompted up to three
times and it fails with a 401 like expected. My problem is when I
attempt to authenticate with a valid username and provide an invalid
password. It fails with a 500 error and this message is in the error
log "[3692] auth_ldap authenticate: user admin authentication failed;
URI / [ldap_simple_bind_s() to check user credentials failed][Invalid
Credentials]". It only prompts me once. If I don't enter the correct
password, it fails for the browser session.
I'm not the only one experiencing this issue, see the thread on
the user list
(http://marc.theaimsgroup.com/?l=apache-httpd-users&m=114910962114624&w=2).
Is there something wrong with my configuration? If not, I can
open a bug. In my opinion this would be a pretty serious regression
from Apache 2.0.x (hopefully I'm just missing something obvious though).
,
Josh.
Here's my authentication configuration:
<AuthnProviderAlias ldap test>
AuthLDAPURL ldap://localhost/ou=people
</AuthnProviderAlias>
<Location />
AuthzLDAPAuthoritative off
AuthName "Test"
AuthType Basic
AuthBasicProvider test
require valid-user
</Location>
RE: Authentication Bug? (Patch?)
Posted by Brad Nicholes <BN...@novell.com>.
Which LDAP client library are you linking with and what version is
it? The problem is that your client library apparently doesn't support
the LDAP_SECURITY_ERROR macro. This macro basically does what your
patch is doing except that it looks at the complete range of possible
security related failures. The macro is defined as
#define LDAP_RANGE(n,x,y) (((x) <= (n)) && ((n) <= (y)))
#define LDAP_SECURITY_ERROR(n) LDAP_RANGE((n),0x30,0x32) /* 48-50 */
I know that both OpenLDAP and Novell LDAP support this macro.
Brad
>>> On 6/2/2006 at 11:03 AM, in message <CF...@HQ-MAIL4.ptcnet.ptc.com>, "Fenlason, Josh" <jf...@ptc.com> wrote:
> I made the following patch to mod_authnz_ldap.c and it fixed my issue.
> Does any one have any comments? Any chance this could be committed?
> Anything else I need to do? Thanks.
> ,
> Josh.
>
> *** mod_authnz_ldap.c Fri Apr 21 20:53:05 2006
> --- mod_authnz_ldap.c.patch Fri Jun 02 11:48:41 2006
> ***************
> *** 409,415 ****
> "[%" APR_PID_T_FMT "] auth_ldap authenticate:
"
> "user %s authentication failed; URI %s
> [%s][%s]",
> getpid(), user, r->uri, ldc->reason,
> ldap_err2string(result));
> !
> return (LDAP_NO_SUCH_OBJECT == result) ?
AUTH_USER_NOT_FOUND
> #ifdef LDAP_SECURITY_ERROR
> : (LDAP_SECURITY_ERROR(result)) ? AUTH_DENIED
> --- 409,417 ----
> "[%" APR_PID_T_FMT "] auth_ldap authenticate:
"
> "user %s authentication failed; URI %s
> [%s][%s]",
> getpid(), user, r->uri, ldc->reason,
> ldap_err2string(result));
> ! if ( LDAP_INVALID_CREDENTIALS == result ) {
> ! return AUTH_DENIED; // user provided invalid
credentials.
> deny them so they can retry
> ! }
> return (LDAP_NO_SUCH_OBJECT == result) ?
AUTH_USER_NOT_FOUND
> #ifdef LDAP_SECURITY_ERROR
> : (LDAP_SECURITY_ERROR(result)) ? AUTH_DENIED
>
>
>
> ________________________________
>
> From: Fenlason, Josh
> Sent: Friday, June 02, 2006 10:07 AM
> To: 'dev@httpd.apache.org'
> Subject: Authentication Bug?
>
> I'm trying to move to Apache 2.2.2 and I'm running into some
> authentication troubles.
> When I enter the correct username/password it authenticates
> properly. When I enter an invalid username, I get prompted up to three
> times and it fails with a 401 like expected. My problem is when I
> attempt to authenticate with a valid username and provide an invalid
> password. It fails with a 500 error and this message is in the error
> log "[3692] auth_ldap authenticate: user admin authentication failed;
> URI / [ldap_simple_bind_s() to check user credentials failed][Invalid
> Credentials]". It only prompts me once. If I don't enter the correct
> password, it fails for the browser session.
> I'm not the only one experiencing this issue, see the thread on
> the user list
> (http://marc.theaimsgroup.com/?l=apache-httpd-users&m=114910962114624&w=2).
> Is there something wrong with my configuration? If not, I can
> open a bug. In my opinion this would be a pretty serious regression
> from Apache 2.0.x (hopefully I'm just missing something obvious though).
> ,
> Josh.
>
> Here's my authentication configuration:
>
> <AuthnProviderAlias ldap test>
> AuthLDAPURL ldap://localhost/ou=people
> </AuthnProviderAlias>
>
> <Location />
> AuthzLDAPAuthoritative off
> AuthName "Test"
> AuthType Basic
> AuthBasicProvider test
> require valid-user
> </Location>
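As an added illustration of Brad's point (example code written here, not httpd's own source): the mapping that the hunk above compiles to with and without LDAP_SECURITY_ERROR, and what Josh's special case does and does not cover. Constant names follow OpenLDAP's headers with RFC 4511 values, authn_status mirrors httpd's mod_auth.h; the trailing AUTH_GENERAL_ERROR branch, which the posted hunk cuts off, and the 401/500 rendering of mod_auth_basic are assumptions.

```c
/* Added example, not httpd's code.  LDAP result codes: RFC 4511 values under
 * their OpenLDAP names.  authn_status mirrors httpd's mod_auth.h enum. */
#define LDAP_NO_SUCH_OBJECT       0x20  /* 32: bind DN does not exist */
#define LDAP_INAPPROPRIATE_AUTH   0x30  /* 48 */
#define LDAP_INVALID_CREDENTIALS  0x31  /* 49: wrong password */
#define LDAP_INSUFFICIENT_ACCESS  0x32  /* 50 */
#define LDAP_UNAVAILABLE          0x34  /* 52: a server-side failure */

/* Brad's macro pair, here as the fallback a build would need when the client
 * library's headers leave it undefined. */
#ifndef LDAP_SECURITY_ERROR
#define LDAP_RANGE(n,x,y) (((x) <= (n)) && ((n) <= (y)))
#define LDAP_SECURITY_ERROR(n) LDAP_RANGE((n),0x30,0x32) /* 48-50 */
#endif
typedef enum { AUTH_DENIED, AUTH_GRANTED, AUTH_USER_NOT_FOUND, AUTH_GENERAL_ERROR } authn_status;

/* The unpatched return when the macro exists.  The final AUTH_GENERAL_ERROR
 * branch is cut off in the posted hunk and is an assumption. */
authn_status map_with_macro(int result)
{
    return (LDAP_NO_SUCH_OBJECT == result) ? AUTH_USER_NOT_FOUND
         : (LDAP_SECURITY_ERROR(result))   ? AUTH_DENIED
         : AUTH_GENERAL_ERROR;
}

/* The same return once the #ifdef drops the middle branch: a wrong password
 * is no longer a denial, it is a general error. */
authn_status map_without_macro(int result)
{
    return (LDAP_NO_SUCH_OBJECT == result) ? AUTH_USER_NOT_FOUND
         : AUTH_GENERAL_ERROR;
}

/* Josh's patch: special-case invalidCredentials ahead of that ternary, which
 * still leaves codes 48 and 50 as general errors. */
authn_status map_josh_patch(int result)
{
    if (LDAP_INVALID_CREDENTIALS == result) {
        return AUTH_DENIED;
    }
    return map_without_macro(result);
}

/* Simplified mod_auth_basic handling (assumed): denied/not found -> 401, other errors -> 500. */
int http_status_for(authn_status s)
{
    if (s == AUTH_GRANTED) return 200;
    return (s == AUTH_DENIED || s == AUTH_USER_NOT_FOUND) ? 401 : 500;
}
```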