https://issues.apache.org/bugzilla/show_bug.cgi?id=55089
Bug ID: 55089
Summary: Caching of LDAP credentials is not clearly documented
in mod_authnz_ldap
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_authnz_ldap
Assignee: [email protected]
Reporter: [email protected]
When mod_authnz_ldap is used to restrict access to a resource, the LDAP
credentials are cached in mod_ldap.
The default setting of LDAPCacheTTL is 600. This allows a user to continue to
access a resource for 10 minutes after their credentials have been revoked.
Although this is documented for mod_ldap, it is not exposed in the default
httpd config file nor documented with mod_authnz_ldap. A naive administrator
may assume that revoking credentials takes effect immediately.
On a server where mod_authnz_ldap gives access to a user's profile, it could
allow a user whose account had been locked by an administrator to regain
access.
Suggestion: add a caveat to mod_authnz_ldap.html
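A configuration that shows the behaviour the report describes, added here as an example; it is not from the bug report and not from httpd's shipped config. The directive names are real mod_ldap and mod_authnz_ldap directives; the hostname, base DN, bind DN, bind password and group name are placeholders. The first block spells out the defaults that apply when nothing is configured, the second bounds or removes the revocation window.

```apache
# Added example, not part of the bug report or of httpd's default config.
# Directive names are real mod_ldap / mod_authnz_ldap directives; the
# hostname, base DN, bind DN, password and group name are placeholders.

LoadModule ldap_module         modules/mod_ldap.so
LoadModule authnz_ldap_module  modules/mod_authnz_ldap.so

# --- Weak: implicit defaults -------------------------------------------
# With no LDAPCache* directives set, mod_ldap keeps a record of each
# successful search/bind (user name, resolved DN, password it was checked
# with) for LDAPCacheTTL=600 seconds, and each compare result (e.g. a
# group-membership check) for LDAPOpCacheTTL=600 seconds. Locking or
# revoking the account in the directory only takes effect for this server
# once the cached entry expires. The defaults are equivalent to:
#
#   LDAPCacheEntries   1024
#   LDAPCacheTTL       600
#   LDAPOpCacheEntries 1024
#   LDAPOpCacheTTL     600

# --- Hardened: bound the window, or remove it --------------------------
# These are server-config (global) directives; they cannot be set inside
# <Location> or <Directory>. Choose one of the two options.

# (a) Shrink the stale-credential window to 30 seconds. Both TTLs must be
#     lowered: a Require ldap-group check is a compare and goes through the
#     operation cache, so with only LDAPCacheTTL lowered a user removed
#     from the group would still pass for the default 600 seconds.
LDAPCacheTTL   30
LDAPOpCacheTTL 30

# (b) Disable caching entirely so every request re-binds and re-compares.
#     Revocation is immediate; the cost is one bind (plus any compares)
#     against the directory for every authenticated request.
#LDAPCacheEntries   0
#LDAPOpCacheEntries 0

<Location "/profile">
    AuthType Basic
    AuthName "User profile"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=person)"
    AuthLDAPBindDN "cn=httpd,ou=services,dc=example,dc=com"
    AuthLDAPBindPassword "replace-me"
    # posixGroup-style membership: memberUid holds the uid, not a DN.
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    Require ldap-group cn=staff,ou=groups,dc=example,dc=com
</Location>
```

Whichever option is chosen, the check is the same: lock the test account (or remove it from the group) in the directory, then keep requesting /profile with the old credentials; with the defaults the requests succeed for up to ten minutes, with (a) for at most thirty seconds, with (b) the next request is refused.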