Package: libapache-mod-ldap
Version: 1.8-2
Severity: important

Hello,

The usage of "LDAPUseDNForRemoteUser On" in a .htaccess can cause the termination of an apache process.
If I try to protect a directory of my apache server with the .htaccess below, I systematically obtain an error in the apache log file.

.htaccess :

AuthName                "My own realm"
AuthType                Basic
LDAPAuth                On
LDAPServer              ldap://127.0.0.1:389/
LDAPBase                ou=people,dc=foodomain,dc=org
LDAPuseridAttr          uid
LDAPUseDNForRemoteUser  Off
require user            uid=foo,ou=people,dc=foodomain,dc=org

Content of the Apache log file (error.log) :

[Tue Aug  7 10:12:34 2007] [notice] Apache/1.3.34 Ben-SSL/1.55 (Debian) PHP/4.4.4-8+etch4 configured -- resuming normal operations
[Tue Aug  7 10:12:34 2007] [notice] Accept mutex: sysvsem (Default: sysvsem)
apache-ssl: search.c:182: ldap_search: Assertion `( (ld)->ld_options.ldo_valid == 0x2 )' failed.
[Tue Aug  7 10:12:39 2007] [notice] child pid 5927 exit signal Aborted (6)

I get no error if I replace 'LDAPUseDNForRemoteUser Off' with 'LDAPUseDNForRemoteUser On'.

I looked at the source code of the file mod_ldap.c.
The problem is in the resetUsername() function. This function opens a new connection to the LDAP server only if conf->ld (the LDAP connection) is not null.
But in the ldap_check_auth() function, which calls resetUsername(), there are several calls to ldap_unbind( conf->ld ). This closes the LDAP connection, but without setting conf->ld to NULL, so resetUsername() tries to reuse a nonexistent connection...

I hope this helps.

Best regards.
David.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-486
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libapache-mod-ldap depends on:
ii  apache-common               1.3.34-4.1   support files for all Apache webse
ii  debconf [debconf-2.0]       1.5.11       Debian configuration management sy
ii  libc6                       2.3.6.ds1-13 GNU C Library: Shared libraries
ii  libldap2                    2.1.30-13.3  OpenLDAP libraries

libapache-mod-ldap recommends no packages.

-- debconf information:
  shared/apache-modules/counters/upgrade_list: ,mod_ldap
  shared/apache-modules/reload-perl: true
  shared/apache-modules/counters/remove: 0
  shared/apache-modules/modules: mod_ldap
  shared/apache-modules/counters/upgrade: -8
  shared/apache-modules/counters/install_list:
  shared/apache-modules/counters/install: 0
  shared/apache-modules/reload-ssl: true
  shared/apache-modules/reload: true
  shared/apache-modules/counters/remove_list:
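
The handle-lifetime problem described in the report, as an added illustration that is not taken from mod_ldap.c or libldap: a handle is closed but its pointer is left set, so a later lookup reuses it. The `mock_ldap` type, `auth_conf`, and every function name here are hypothetical stand-ins, and the reconnect-when-NULL logic in `lookup()` is an assumption about how a caller would normally guard reuse.

```c
#include <stddef.h>

/* Constructed stand-in for an LDAP handle; NOT libldap's real LDAP struct. */
#define HANDLE_VALID 0x2
typedef struct { int valid; } mock_ldap;

/* Hypothetical per-directory config holding the cached connection. */
typedef struct { mock_ldap *ld; } auth_conf;

/* Static storage so the stale pointer stays readable in this demo
 * (a real unbind frees the handle, making any later use undefined). */
static mock_ldap slot;

static mock_ldap *mock_open(void) { slot.valid = HANDLE_VALID; return &slot; }
static void mock_unbind(mock_ldap *ld) { ld->valid = 0; }

/* Returns 0 on success, -1 where a library validity assertion would abort. */
static int mock_search(const mock_ldap *ld) {
    return (ld != NULL && ld->valid == HANDLE_VALID) ? 0 : -1;
}

/* Pattern from the report: unbind, but leave conf->ld pointing at the
 * closed handle. */
static void close_unsafe(auth_conf *c) { mock_unbind(c->ld); }

/* Hardened form: unbind and clear the pointer in one place, so every
 * later NULL check reflects the real connection state. */
static void close_safe(auth_conf *c) {
    if (c->ld != NULL) { mock_unbind(c->ld); c->ld = NULL; }
}

/* Later lookup: reconnect only when no handle is recorded. */
static int lookup(auth_conf *c) {
    if (c->ld == NULL) c->ld = mock_open();
    return mock_search(c->ld);
}

/* Close then look up again, with each close variant. */
int run_unsafe(void) { auth_conf c = { mock_open() }; close_unsafe(&c); return lookup(&c); }
int run_safe(void)   { auth_conf c = { mock_open() }; close_safe(&c);   return lookup(&c); }

int main(void) { return (run_unsafe() == -1 && run_safe() == 0) ? 0 : 1; }
```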

