http://issues.apache.org/bugzilla/show_bug.cgi?id=27748

ldap auth periodically fails, requires restart

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From [EMAIL PROTECTED]  2004-03-31 18:39 -------

The problem is in the poor way the ldap session is managed (which could cause other severe problems, if individual users cannot browse the tree, and it should be re-considered). Kurt Olsen has found this problem and come up with a quick fix (see patch). Note: this also relates to bug# 17274.

Kurt's description:
--------------
In the file util_ldap.c, in the function util_ldap_cache_checkuserid, when a user tries to authenticate the module takes these steps:

1) check the cache, returning success or failure if results cached.
2) open a connection via the function util_ldap_connection_open, using the ldc struct. If ldc->bound = 1, then don't do anything in util_ldap_connection_open.
3) do a search to validate, and locate the dn for, the username provided.
4) verify that there is only 1 result of the search in #3.
5) verify that the password is non-empty.
6) rebind with the dn found in step 3 with the password provided, using the ldc struct. If there is a failure then return failure status. On success update cache and return success status.

The problem is that the ldc used in #6 is the same ldc used to look up a user's dn in the tree. So if the password is incorrect then the ldap_simple_bind_s used to verify the password will have screwed up the ldc->ldap binding. The next time this ldc struct is used, the ldc->bound value is set to 1, but the actual valid bind has been hosed.

One simple fix is to add an "ldc->bound = 0;" into the two tests for failure after the ldap_simple_bind_s. This causes the util_ldap_connection_open to re-bind with the proper DN prior to looking up users.

Even in the case where the users are logging in correctly, there is still the problem that when user A authenticates the ldc->ldap bind is now bound with his username and password. If user A doesn't have rights to search the tree, then when user B comes along at a later point in time the search for user B's dn in the tree will fail. The correct fix would be to create a util_ldap_connection_t *foo; that would be used for testing provided passwords, but would not have an impact on the ldc struct used for searching and whatnot.

Kurt Olsen
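The following is a constructed C simulation of the connection-state problem described in the comment, added here as an illustration; it is not code from Apache httpd's util_ldap.c. The struct shape, the in-memory directory table, the service DN and all function names are assumptions made for the demo, and a lookup table stands in for the LDAP server so it runs offline. It runs the same two scenarios the comment raises (a wrong password leaving the shared handle anonymous, and user A's successful bind leaving the handle without search rights for user B) against the original behaviour, the "ldc->bound = 0" quick fix, and the separate-connection fix.

```c
/* Constructed simulation, not Apache httpd code: struct, directory, and names are assumptions. */
#include <stdio.h>
#include <string.h>

#define SERVICE_DN "cn=httpd,dc=example,dc=com"   /* constructed search identity */
#define SERVICE_PW "service-secret"

/* Constructed directory: only the service DN may search the tree; users may only bind. */
static const struct { const char *uid, *dn, *pw; } DIR[] = {
    { "alice", "uid=alice,ou=people,dc=example,dc=com", "alice-pw" },
    { "bob",   "uid=bob,ou=people,dc=example,dc=com",   "bob-pw"   },
};
#define NDIR (sizeof DIR / sizeof DIR[0])

/* Stand-in for util_ldap_connection_t (assumed shape). */
typedef struct {
    const char *binddn, *bindpw; /* identity the module is configured to search as */
    int bound;                   /* 1 = module believes the handle is bound as binddn */
    char bound_as[128];          /* who the server really has it bound as; "" = anonymous */
} ldap_conn_t;

/* Mock ldap_simple_bind_s: as on a real server, a failed bind leaves the association anonymous. */
static int mock_bind(ldap_conn_t *c, const char *dn, const char *pw)
{
    int ok = strcmp(dn, SERVICE_DN) == 0 && strcmp(pw, SERVICE_PW) == 0;
    for (size_t i = 0; !ok && i < NDIR; i++)
        ok = strcmp(dn, DIR[i].dn) == 0 && strcmp(pw, DIR[i].pw) == 0;
    snprintf(c->bound_as, sizeof c->bound_as, "%s", ok ? dn : "");
    return ok ? 0 : -1;          /* 0 plays LDAP_SUCCESS, -1 plays LDAP_INVALID_CREDENTIALS */
}

/* Mock search uid -> dn; succeeds only when the handle is really bound as the service DN. */
static const char *mock_search_uid(const ldap_conn_t *c, const char *uid)
{
    if (strcmp(c->bound_as, SERVICE_DN) != 0)
        return NULL;             /* no search rights (anonymous or an ordinary user) */
    for (size_t i = 0; i < NDIR; i++)
        if (strcmp(uid, DIR[i].uid) == 0)
            return DIR[i].dn;
    return NULL;
}

/* Stand-in for util_ldap_connection_open as the comment describes it: no-op when ldc->bound == 1. */
static int conn_open(ldap_conn_t *c)
{
    if (c->bound)
        return 0;
    if (mock_bind(c, c->binddn, c->bindpw) != 0)
        return -1;
    c->bound = 1;
    return 0;
}

/* Steps 2-5 of the comment, shared by all variants: open, search for the dn, require a password. */
static const char *lookup_dn(ldap_conn_t *ldc, const char *uid, const char *pw)
{
    if (conn_open(ldc) != 0) return NULL;
    const char *dn = mock_search_uid(ldc, uid);
    return (dn && pw && *pw) ? dn : NULL;
}

/* Original behaviour: rebind on the shared handle; ldc->bound stays 1 after a failed bind. */
static int check_buggy(ldap_conn_t *ldc, const char *uid, const char *pw)
{
    const char *dn = lookup_dn(ldc, uid, pw);
    return (dn && mock_bind(ldc, dn, pw) == 0) ? 0 : -1;
}

/* Quick fix from the comment: clear ldc->bound when the password bind fails. */
static int check_quickfix(ldap_conn_t *ldc, const char *uid, const char *pw)
{
    const char *dn = lookup_dn(ldc, uid, pw);
    if (dn == NULL) return -1;
    if (mock_bind(ldc, dn, pw) != 0) { ldc->bound = 0; return -1; }
    return 0;                    /* on success the handle is now bound as the user, not the service DN */
}

/* Fuller fix from the comment: test the password on a separate connection, leaving ldc untouched. */
static int check_separate(ldap_conn_t *ldc, const char *uid, const char *pw)
{
    const char *dn = lookup_dn(ldc, uid, pw);
    if (dn == NULL) return -1;
    ldap_conn_t probe = { dn, pw, 0, "" };
    return mock_bind(&probe, dn, pw) == 0 ? 0 : -1;
}

/* Runs both scenarios on a fresh handle. Bit 0: alice's wrong password rejected;
 * bit 1: alice's correct password accepted afterwards; bit 2: bob accepted after alice. */
typedef int (*check_fn)(ldap_conn_t *, const char *, const char *);
static int scenario(check_fn check)
{
    ldap_conn_t ldc = { SERVICE_DN, SERVICE_PW, 0, "" };
    int r = 0;
    if (check(&ldc, "alice", "wrong") != 0)    r |= 1;
    if (check(&ldc, "alice", "alice-pw") == 0) r |= 2;
    if (check(&ldc, "bob", "bob-pw") == 0)     r |= 4;
    return r;
}

int main(void)
{
    printf("buggy=%d quickfix=%d separate=%d\n",
           scenario(check_buggy), scenario(check_quickfix), scenario(check_separate));
    return 0;
}
```

With the original behaviour only the first bit is set: after alice's failed bind the handle is anonymous but still flagged bound, so every later search fails until the process restarts, which matches the "requires restart" symptom. The quick fix recovers from a wrong password (bits 0 and 1) but bob still fails, because alice's successful bind left the shared handle bound as her. Only the separate probe connection passes all three checks.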
