https://bz.apache.org/bugzilla/show_bug.cgi?id=59880

            Bug ID: 59880
           Summary: ldap-filter generates bad filters
           Product: Apache httpd-2
           Version: 2.4.18
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_authnz_ldap
          Assignee: [email protected]
          Reporter: [email protected]

Use case: using the Require ldap-filter directive to prevent users with expired
passwords from logging in (see freeIPA for lengthy discussions on this). The
attribute containing the expiration is krbPasswordExpiration.

What's expected: a valid LDAP filter in the Require ldap-filter directive
should result in a valid filter being generated.
What's happening: the value of ldap-filter is either quoted or wrapped in
additional parentheses, resulting in an invalid LDAP filter. If the value of
Require ldap-filter contains neither quotes nor parentheses, then it doesn't
pass the internal filter validation.

Configuration:
LogLevel debug
AuthType basic
AuthBasicProvider ldap
AuthLDAPURL "ldaps://ldaphost/cn=users,cn=accounts,dc=domain,dc=tld"
<RequireAll>
  Require valid-user
  Require ldap-filter "krbPasswordExpiration>=%{TIME}Z"
</RequireAll>

Logging in with a valid user results in the following bad filter per the error
logs:
[Mon Jul 18 14:06:12.205145 2016] [authnz_ldap:debug] [pid 19470]
mod_authnz_ldap.c(613): [client 76.189.145.127:58266] AH01697: auth_ldap
authenticate: accepting test.user
[Mon Jul 18 14:06:12.205177 2016] [authz_core:debug] [pid 19470]
mod_authz_core.c(809): [client 76.189.145.127:58266] AH01626: authorization
result of Require valid-user : granted
[Mon Jul 18 14:06:12.205193 2016] [authnz_ldap:debug] [pid 19470]
mod_authnz_ldap.c(1341): [client 76.189.145.127:58266] AH01743: auth_ldap
authorize: checking filter "krbPasswordExpiration>=20160718140612Z"
[Mon Jul 18 14:06:12.207455 2016] [authnz_ldap:debug] [pid 19470]
mod_authnz_ldap.c(1376): [client 76.189.145.127:58266] AH01746: auth_ldap
authorize: require ldap-filter:
(&("krbPasswordExpiration>=20160718140612Z")(uid=test.user)) authorization
failed [ldap_search_ext_s() for user failed][Bad search filter]

-----

Surrounding the ldap-filter value with parentheses to make it a valid search
filter on its own:
Require ldap-filter "(krbPasswordExpiration>=%{TIME}Z)"

Results in the following in the error log:
[Mon Jul 18 14:18:51.184101 2016] [authnz_ldap:debug] [pid 19544]
mod_authnz_ldap.c(613): [client 76.189.145.127:58527] AH01697: auth_ldap
authenticate: accepting test.user
[Mon Jul 18 14:18:51.184132 2016] [authz_core:debug] [pid 19544]
mod_authz_core.c(809): [client 76.189.145.127:58527] AH01626: authorization
result of Require valid-user : granted
[Mon Jul 18 14:18:51.184148 2016] [authnz_ldap:debug] [pid 19544]
mod_authnz_ldap.c(1341): [client 76.189.145.127:58527] AH01743: auth_ldap
authorize: checking filter "(krbPasswordExpiration>=20160718141851Z)"
[Mon Jul 18 14:18:51.186277 2016] [authnz_ldap:debug] [pid 19544]
mod_authnz_ldap.c(1376): [client 76.189.145.127:58527] AH01746: auth_ldap
authorize: require ldap-filter:
(&("(krbPasswordExpiration>=20160718141851Z)")(uid=test.user)) authorization
failed [ldap_search_ext_s() for user failed][Bad search filter]

-----

Removing the quotes and keeping the parentheses:
Require ldap-filter (krbPasswordExpiration>=%{TIME}Z)

Results in the following in the error log:
[Mon Jul 18 14:24:53.341343 2016] [authnz_ldap:debug] [pid 19618]
mod_authnz_ldap.c(613): [client 76.189.145.127:58645] AH01697: auth_ldap
authenticate: accepting test.user
[Mon Jul 18 14:24:53.341378 2016] [authz_core:debug] [pid 19618]
mod_authz_core.c(809): [client 76.189.145.127:58645] AH01626: authorization
result of Require valid-user : granted
[Mon Jul 18 14:24:53.341399 2016] [authnz_ldap:debug] [pid 19618]
mod_authnz_ldap.c(1341): [client 76.189.145.127:58645] AH01743: auth_ldap
authorize: checking filter (krbPasswordExpiration>=20160718142453Z)
[Mon Jul 18 14:24:53.343507 2016] [authnz_ldap:debug] [pid 19618]
mod_authnz_ldap.c(1376): [client 76.189.145.127:58645] AH01746: auth_ldap
authorize: require ldap-filter:
(&((krbPasswordExpiration>=20160718142453Z))(uid=test.user)) authorization
failed [ldap_search_ext_s() for user failed][Bad search filter]

-----
Finally, removing the quotes and parentheses entirely:
Require ldap-filter krbPasswordExpiration>=%{TIME}Z

Results in the following in the error log:
[Mon Jul 18 14:21:37.896357 2016] [authnz_ldap:debug] [pid 19579]
mod_authnz_ldap.c(613): [client 76.189.145.127:58578] AH01697: auth_ldap
authenticate: accepting test.user
[Mon Jul 18 14:21:37.896389 2016] [authz_core:debug] [pid 19579]
mod_authz_core.c(809): [client 76.189.145.127:58578] AH01626: authorization
result of Require valid-user : granted
[Mon Jul 18 14:21:37.896405 2016] [authnz_ldap:debug] [pid 19579]
mod_authnz_ldap.c(1341): [client 76.189.145.127:58578] AH01743: auth_ldap
authorize: checking filter krbPasswordExpiration>=20160718142137Z
[Mon Jul 18 14:21:37.900660 2016] [authnz_ldap:debug] [pid 19579]
mod_authnz_ldap.c(1383): [client 76.189.145.127:58578] AH01747: auth_ldap
authorize: require ldap-filter: authorization failed [User not found][No such
object]

-----

A couple of takeaways:
- The documentation could be updated to include what the ldap-filter will end
up being. E.g. it doesn't say that it will wrap it in an &() with the
uid=%{REMOTE_USER} - I presume this will change based on the value of the
AuthLDAPURL directive.
- Additionally, how the filter should be constructed to properly be included
with the final, generated filter would be helpful too. A few examples, such as
the ones I've listed above, could save some frustration and add some clarity.
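Added example (not part of the bug report or of httpd itself): a small Python model of the filter composition the AH01746 log lines show, (&(<ldap-filter value>)(uid=<user>)), plus a minimal RFC 4515 grammar check, to see which of the four tried values yields a syntactically valid filter. The user name and filter values are taken from the logs; the grammar checker is a simplification (no escape sequences, substrings or extensible matches).

```python
"""Model the ldap-filter composition seen in the bug's AH01746 log lines and
check each candidate against a minimal RFC 4515 search-filter grammar."""
import re

# Shape observed in the logs: (&(<ldap-filter value>)(uid=<REMOTE_USER>))
def compose(ldap_filter_value: str, user: str) -> str:
    return f"(&({ldap_filter_value})(uid={user}))"

# A simple item: attribute description, comparison operator, value.
# Quotes or parentheses in the attribute position fail this pattern.
_ITEM = re.compile(r"^[A-Za-z][A-Za-z0-9.;-]*(=|~=|>=|<=)[^()]*$")

def _parse(s: str, i: int) -> int:
    """Parse one filter starting at s[i]; return the index after its ')'."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if i < len(s) and s[i] in "&|":          # and / or: a list of filters
        i += 1
        if i >= len(s) or s[i] != "(":
            raise ValueError(f"expected filter list at {i}")
        while i < len(s) and s[i] == "(":
            i = _parse(s, i)
    elif i < len(s) and s[i] == "!":         # not: exactly one filter
        i = _parse(s, i + 1)
    else:                                    # item: attr op value
        end = s.find(")", i)
        if end < 0 or not _ITEM.match(s[i:end]):
            raise ValueError(f"bad item at {i}: {s[i:end]!r}")
        i = end
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at {i}")
    return i + 1

def is_valid_filter(s: str) -> bool:
    """True if the whole string is one well-formed filter."""
    try:
        return _parse(s, 0) == len(s)
    except ValueError:
        return False

# The four Require ldap-filter values from the report, in order tried.
CANDIDATES = [
    '"krbPasswordExpiration>=20160718140612Z"',
    '"(krbPasswordExpiration>=20160718141851Z)"',
    '(krbPasswordExpiration>=20160718142453Z)',
    'krbPasswordExpiration>=20160718142137Z',
]

def check_candidates(user: str = "test.user") -> list[bool]:
    return [is_valid_filter(compose(c, user)) for c in CANDIDATES]
```

Only the unquoted, unparenthesized form produces a filter that passes the grammar here; the "No such object" the report saw for that form is a directory-side result this model does not reproduce.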
