https://issues.apache.org/bugzilla/show_bug.cgi?id=49632
Summary: mod_authnz_ldap denies users when search is performed at AD root.
Product: Apache httpd-2
Version: 2.2.3
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_authz_ldap
AssignedTo: [email protected]
ReportedBy: [email protected]
When mod_authnz_ldap is set up to search for a user at the root of an AD domain
it will fail the user because of the referrals returned in the search.
--- config ---
<Location /private>
# SSLRequireSSL
AuthType Kerberos
AuthName "EXAMPLE Domain Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms EXAMPLE.COM
Krb5KeyTab /etc/httpd/conf/keytab
require valid-user
# Strip the realm from the Kerberos principal.
MapUsernameRule (.*)@(.*) "$1"
AuthLDAPURL "ldap://dc1.example.com dc2.example.com/dc=example,dc=com?sAMAccountName"
AuthLDAPBindDN cn=nss_ldap,ou=services,dc=example,dc=com
AuthLDAPBindPassword ********
Require ldap-group cn=Domain Admins,ou=Groups,dc=example,dc=com
</Location>
---
--- error_log ---
[Wed Jul 21 14:40:34 2010] [debug] src/mod_auth_kerb.c(1432): [client 172.30.235.107] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Jul 21 14:40:34 2010] [debug] src/mod_auth_kerb.c(915): [client 172.30.235.107] Using HTTP/[email protected] as server principal for password verification
[Wed Jul 21 14:40:34 2010] [debug] src/mod_auth_kerb.c(655): [client 172.30.235.107] Trying to get TGT for user [email protected]
[Wed Jul 21 14:40:34 2010] [debug] src/mod_auth_kerb.c(569): [client 172.30.235.107] Trying to verify authenticity of KDC using principal HTTP/[email protected]
[Wed Jul 21 14:40:34 2010] [debug] src/mod_auth_kerb.c(994): [client 172.30.235.107] kerb_authenticate_user_krb5pwd ret=0 [email protected] authtype=Basic
[Wed Jul 21 14:40:34 2010] [info] [client 172.30.235.107] Applying pattern '^(.*)@(.*)$' to user '[email protected]', mech:'Any'
[Wed Jul 21 14:40:34 2010] [info] [client 172.30.235.107] Pattern matched
[Wed Jul 21 14:40:34 2010] [notice] [client 172.30.235.107] User name '[email protected]' rewritten to 'tmclaughlin'
[Wed Jul 21 14:40:34 2010] [debug] mod_authnz_ldap.c(683): [client 172.30.235.107] ldap authorize: Creating LDAP req structure
[Wed Jul 21 14:40:37 2010] [debug] mod_authnz_ldap.c(695): [client 172.30.235.107] auth_ldap authorise: User DN not found, ldap_search_ext_s() for user failed
---
The resulting request made by mod_authnz_ldap is for
(&(objectclass=*)(sAMAccountName=tmclaughlin)). The search result is the
account entry in AD plus three referrals:
ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com
ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com
ldap://example.com/CN=Configuration,DC=example,DC=com
The attempts to search these three referrals all fail with the same LDAP error:
00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
I've found two workarounds for this issue. One is to change the path in
AuthLDAPURL to where all our users are stored. This may not work for all
organizations. The second is to set in /etc/openldap/ldap.conf "REFERRALS
off". That unfortunately affects the behavior of everything using the openldap
libs. The best fix would probably be to implement what looks to have been done
in mod_auth_ldap in bugzilla 26538 and add AuthLDAPFollowReferrals which would
allow toggling referral chasing in mod_authnz_ldap.
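The failure mode above is a client treating the search references returned alongside the account entry as something that must be chased (on a fresh, unbound connection) rather than as noise to discard. The following is an added illustration of the referral-tolerant lookup the reporter is asking for; it is not code from mod_authnz_ldap, python-ldap, or the reporter. It assumes python-ldap's result convention when referral chasing is disabled (entries arrive as `(dn, attrs)`, search references as `(None, [url, ...])`), and the sample result set, including the user DN, is constructed to mirror the search described in this report.

```python
"""
Referral-tolerant user lookup (added illustration, not project code).

Search results are modelled on python-ldap's result shape when referral
chasing is off: an entry is a (dn, attrs) tuple with a string DN, while a
search reference (referral) arrives as (None, [url, ...]). That convention
is an assumption of this example. The sample below is constructed to mirror
the report: one account entry at the domain root plus three referrals to
other naming contexts.
"""
from urllib.parse import unquote, urlparse

# Constructed sample result; the user's DN is invented for illustration.
SAMPLE_RESULTS = [
    ("CN=tmclaughlin,CN=Users,DC=example,DC=com",
     {"sAMAccountName": [b"tmclaughlin"]}),
    (None, ["ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com"]),
    (None, ["ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com"]),
    (None, ["ldap://example.com/CN=Configuration,DC=example,DC=com"]),
]


def split_results(results):
    """Separate real entries from search references (referral URLs)."""
    entries = [(dn, attrs) for dn, attrs in results if dn is not None]
    referrals = [url for dn, urls in results if dn is None for url in urls]
    return entries, referrals


def referral_base_dn(url):
    """Return the naming context a referral URL points at (its path part)."""
    return unquote(urlparse(url).path.lstrip("/"))


def find_user_dn(results):
    """
    Return the DN of the single matching user, or None.

    Referrals are discarded rather than chased: chasing them on a new,
    unauthenticated connection is what produced the "successful bind must
    be completed" error in the report, and the referred naming contexts
    (DNS zone partitions, Configuration) hold no user accounts anyway.
    Zero or more than one entry is treated as "user not found" so that an
    ambiguous result can never authorize anyone.
    """
    entries, _ = split_results(results)
    if len(entries) != 1:
        return None
    return entries[0][0]


if __name__ == "__main__":
    entries, referrals = split_results(SAMPLE_RESULTS)
    print("user DN:", find_user_dn(SAMPLE_RESULTS))
    for url in referrals:
        print("ignored referral to", referral_base_dn(url))
```

Discarding the references is safe here because the referred partitions cannot contain the object being looked up; a client that wants to chase them must do so on an authenticated connection, which is what the proposed AuthLDAPFollowReferrals toggle would control.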