https://bz.apache.org/bugzilla/show_bug.cgi?id=65168
Bug ID: 65168
Summary: Authentication with authnz_ldap fails if attribute
displayName is different than samAccountName or CN
Product: Apache httpd-2
Version: 2.4.46
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: mod_authnz_ldap
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Created attachment 37755
--> https://bz.apache.org/bugzilla/attachment.cgi?id=37755&action=edit
error.log with authnz_ldap
Hi,
I've configured authentication using the authnz_ldap module and noticed that some
users in my AD can log in while others can't.
After some investigating, I've managed to reproduce the issue as follows:
* Install AD on Windows Server (confirmed with 2008R2, 2016 & 2019)
* Configure Apache to use LDAP, for the test I used the following in .htaccess:
AuthName admin
AuthType basic
AuthBasicProvider ldap
AuthLDAPURL "ldap://127.0.0.1/DC=corp,DC=ad?sAMAccountName?sub?(objectClass=*)"
LDAPReferrals off
AuthLDAPInitialBindAsUser on
Require valid-user
# note you can use "cn" attribute as well in the URL, same result
* Create a new user whose displayName is different from his sAMAccountName & CN,
e.g.
CN=dummy, sAMAccountName=dummy
displayName=dummy1
* Try to log in; it will fail with an Invalid Credentials error
* Change dummy's displayName to dummy - do not change the password
* Try to log in; now it will allow you to log in
Note that using AuthLDAPBindDN & AuthLDAPBindPassword seems to work regardless
of displayName's value, but this configuration is not secure.
Attached are the log details related to the issue.
I used ApacheLounge's latest Windows build, v2.4.46.
BTW, I tested the same user/password with PHP's LDAP functionality (see
https://php.net/ldap) during my Apache tests, and PHP was able to log in using
the credentials while Apache HTTP failed with the error.
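The reproduction steps above can be scripted on the domain controller itself, which makes it easy to see which identity strings AD accepts for an LDAP simple bind before and after the displayName change. The following PowerShell is an added example, not code from the reporter, the httpd project or its error log: it creates the "dummy" account exactly as the report describes (CN and sAMAccountName "dummy", displayName "dummy1"), attempts a simple bind with several forms of the username, flips displayName to "dummy" without touching the password, and repeats the binds. The first form tried, the bare string "dummy", is what the report's configuration sends on the initial bind: mod_authnz_ldap's default AuthLDAPInitialBindPattern is "(.+) $1", so the Basic-auth username is passed through verbatim. The DC hostname dc01.corp.ad, the test password and the CN=Users container are assumptions; the base DN DC=corp,DC=ad is the one in the report's AuthLDAPURL.

```powershell
# Added example (not from the bug report). Run on a domain controller with the
# ActiveDirectory module, PowerShell 5 or later. Assumed values: DC host
# dc01.corp.ad, test password P@ssw0rd-Dummy1, container CN=Users.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server   = 'dc01.corp.ad'          # assumption: the DC Apache's AuthLDAPURL points at
$BaseDN   = 'DC=corp,DC=ad'         # base DN from the report's AuthLDAPURL
$Password = 'P@ssw0rd-Dummy1'       # assumption: test password; it is never changed below
$Secure   = ConvertTo-SecureString $Password -AsPlainText -Force

# Report step 3: CN and sAMAccountName are both "dummy", displayName is "dummy1".
New-ADUser -Name 'dummy' -SamAccountName 'dummy' -DisplayName 'dummy1' `
    -UserPrincipalName 'dummy@corp.ad' -Path "CN=Users,$BaseDN" `
    -AccountPassword $Secure -Enabled $true

function Test-SimpleBind {
    # One LDAP simple bind, the same operation Apache performs for the initial
    # bind when AuthLDAPInitialBindAsUser is on. Returns $true on success and
    # $false when the server rejects the bind (LDAP result 49, invalid credentials,
    # or any other LdapException). Plain ldap:// sends the password in clear and a
    # DC that requires LDAP signing refuses simple binds on it, so use a lab DC.
    param([string]$Identity)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    try {
        $conn.Bind([System.Net.NetworkCredential]::new($Identity, $Password))
        return $true
    } catch [System.DirectoryServices.Protocols.LdapException] {
        Write-Verbose ("bind as '{0}' failed: {1}" -f $Identity, $_.Exception.Message)
        return $false
    } finally {
        $conn.Dispose()
    }
}

function Show-BindMatrix {
    # Try the identity forms a client might put in a simple bind. The bare
    # username is what the report's .htaccess sends (default
    # AuthLDAPInitialBindPattern "(.+) $1"); the others are the forms an
    # AuthLDAPInitialBindPattern substitution could produce instead.
    param([string]$Label)
    $forms = [ordered]@{
        'bare sAMAccountName' = 'dummy'
        'UPN'                 = 'dummy@corp.ad'
        'DOMAIN\user'         = 'CORP\dummy'
        'full DN'             = "CN=dummy,CN=Users,$BaseDN"
    }
    foreach ($f in $forms.GetEnumerator()) {
        $result = if (Test-SimpleBind -Identity $f.Value) { 'bind OK' } else { 'invalid credentials' }
        '{0,-22} {1,-20} {2}' -f $Label, $f.Key, $result
    }
}

Show-BindMatrix -Label 'displayName=dummy1'

# Report step 5: only displayName changes; the password stays the same.
Set-ADUser -Identity 'dummy' -DisplayName 'dummy'
Show-BindMatrix -Label 'displayName=dummy'

# Remove the test account when done.
Remove-ADUser -Identity 'dummy' -Confirm:$false
```

Run it with -Verbose to see the server's message for each rejected bind. A row that flips from "invalid credentials" to "bind OK" between the two matrices, with an unchanged password, isolates the displayName dependence the report describes without Apache in the loop; a form that binds in both matrices is a candidate for an AuthLDAPInitialBindPattern substitution, which keeps AuthLDAPInitialBindAsUser in place rather than falling back to a fixed AuthLDAPBindDN and AuthLDAPBindPassword stored in the configuration.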