Re: [users@httpd] AuthLDAPInitialBindAsUser etc.

[Dirk van Deun]

> 
> On Mon, May 8, 2017 at 10:37 AM, Dirk van Deun  
> wrote:
> >>
> >> Are you able to recompile?
> >>
> >> untested: http://people.apache.org/~covener/patches/2.4.x-bindpw_empty.diff
> >>
> >> you would not specify the directive in your case
> >>
> >
> > That fixes it.  If there is no other way around this, it would indeed
> > seem to be a bug.
> 
> 
> I can't really think of any feasible workaround to intercept that and
> replace the password.
> 
> If you're able, can you confirm s/AUTH_USER_NOT_FOUND/AUTH_DENIED/
> works too?  Probably more appropriate.
> 

That is okay: no visible difference for the user.

By the way, do you think there is actually a good use case for
AuthLDAPInitialBindAsUserAllowEmptyPassword ?  It amounts to allowing
users to implement their own passwordless bind, presumably for
servers that are secured not to allow anonymous bind, or else you
would use anonymous bind in the first place...

Dirk van Deun
-- 
Ceterum censeo Redmond delendum

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] AuthLDAPInitialBindAsUser etc.

[Eric Covener]

On Mon, May 8, 2017 at 10:37 AM, Dirk van Deun  wrote:
>>
>> Are you able to recompile?
>>
>> untested: http://people.apache.org/~covener/patches/2.4.x-bindpw_empty.diff
>>
>> you would not specify the directive in your case
>>
>
> That fixes it.  If there is no other way around this, it would indeed
> seem to be a bug.


I can't really think of any feasible workaround to intercept that and
replace the password.

If you're able, can you confirm s/AUTH_USER_NOT_FOUND/AUTH_DENIED/
works too?  Probably more appropriate.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] AuthLDAPInitialBindAsUser etc.

[Dirk van Deun]

> 
> Are you able to recompile?
> 
> untested: http://people.apache.org/~covener/patches/2.4.x-bindpw_empty.diff
> 
> you would not specify the directive in your case
> 

That fixes it.  If there is no other way around this, it would indeed
seem to be a bug.

Thanks,

Dirk van Deun
-- 
Ceterum censeo Redmond delendum

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] AuthLDAPInitialBindAsUser etc.

[Eric Covener]

Are you able to recompile?

untested: http://people.apache.org/~covener/patches/2.4.x-bindpw_empty.diff

you would not specify the directive in your case


On Mon, May 8, 2017 at 9:08 AM, Dirk van Deun  wrote:
>>
>> On Mon, May 8, 2017 at 4:11 AM, Dirk van Deun  
>> wrote:
>> > However, if the user types a user name but no password, this is
>> > in effect still an attempt to use unauthenticated bind, which fails,
>> > and the user gets an Internal Server Error; and even worse is that
>> > reloading the page immediately gives a new Internal Server Error.  The
>> > user has to close the browser and restart it before trying again.
>>
>>
>> Sounds like it may just be a bug. What message accompanies it?
>>
>> --
>
> On screen:
>
> Internal Server Error
>
> The server encountered an internal error or misconfiguration and was
> unable to complete your request.
>
> Please contact the server administrator at y...@example.com to inform
> them of the time this error occurred, and the actions you performed
> just before this error.
>
> More information about this error may be available in the server error
> log.
>
> In the logs (with LDAPLibraryDebug 7):
>
> [...]
> ** ld 0x564925782930 Outstanding Requests:
>  * msgid 1,  origid 1, status InProgress
>outstanding referrals 0, parent count 0
>   ld 0x564925782930 request count 1 (abandoned 0)
> ** ld 0x564925782930 Response Queue:
>Empty
>   ld 0x564925782930 response count 0
> ldap_chkResponseList ld 0x564925782930 msgid 1 all 0
> ldap_chkResponseList returns ld 0x564925782930 NULL
> ldap_int_select
> read1msg: ld 0x564925782930 msgid 1 all 0
> read1msg: ld 0x564925782930 msgid 1 message type bind
> read1msg: ld 0x564925782930 0 new referrals
> read1msg:  mark request completed, ld 0x564925782930 msgid 1
> request done: ld 0x564925782930 msgid 1
> res_errno: 53, res_error:  disallowed>, res_matched: <>
> ldap_free_request (origid 1, msgid 1)
> ldap_parse_result
> ldap_msgfree
> ldap_free_connection 1 1
> ldap_send_unbind
> TLS trace: SSL3 alert write:warning:close notify
> ldap_free_connection: actually freed
>
> Best,
>
> Dirk van Deun
> --
> Ceterum censeo Redmond delendum
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>



-- 
Eric Covener
cove...@gmail.com

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] AuthLDAPInitialBindAsUser etc.

[Dirk van Deun]

> 
> On Mon, May 8, 2017 at 4:11 AM, Dirk van Deun  
> wrote:
> > However, if the user types a user name but no password, this is
> > in effect still an attempt to use unauthenticated bind, which fails,
> > and the user gets an Internal Server Error; and even worse is that
> > reloading the page immediately gives a new Internal Server Error.  The
> > user has to close the browser and restart it before trying again.
> 
> 
> Sounds like it may just be a bug. What message accompanies it?
> 
> -- 

On screen:

Internal Server Error

The server encountered an internal error or misconfiguration and was
unable to complete your request.

Please contact the server administrator at y...@example.com to inform
them of the time this error occurred, and the actions you performed
just before this error.

More information about this error may be available in the server error
log.

In the logs (with LDAPLibraryDebug 7):

[...]
** ld 0x564925782930 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x564925782930 request count 1 (abandoned 0)
** ld 0x564925782930 Response Queue:
   Empty
  ld 0x564925782930 response count 0
ldap_chkResponseList ld 0x564925782930 msgid 1 all 0
ldap_chkResponseList returns ld 0x564925782930 NULL
ldap_int_select
read1msg: ld 0x564925782930 msgid 1 all 0
read1msg: ld 0x564925782930 msgid 1 message type bind
read1msg: ld 0x564925782930 0 new referrals
read1msg:  mark request completed, ld 0x564925782930 msgid 1
request done: ld 0x564925782930 msgid 1
res_errno: 53, res_error: , res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
TLS trace: SSL3 alert write:warning:close notify
ldap_free_connection: actually freed

Best,

Dirk van Deun
-- 
Ceterum censeo Redmond delendum

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] AuthLDAPInitialBindAsUser etc.

[Eric Covener]

On Mon, May 8, 2017 at 4:11 AM, Dirk van Deun  wrote:
> However, if the user types a user name but no password, this is
> in effect still an attempt to use unauthenticated bind, which fails,
> and the user gets an Internal Server Error; and even worse is that
> reloading the page immediately gives a new Internal Server Error.  The
> user has to close the browser and restart it before trying again.


Sounds like it may just be a bug. What message accompanies it?

-- 
Eric Covener
cove...@gmail.com

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] RE: [EXT] [users@httpd] AuthLDAPInitialBindAsUser etc.

[Dirk van Deun]

Hi,

I should have given more context.  I am trying to protect a directory
of static content using the standard login dialog of the browser,
purely via .htaccess.  So there is no form to check.

I have an alternative solution that does wrap everything using a php
script and that functions fine, but that's overkill for static content.

Best,

Dirk

> 
> Hi Dirk
> You can perform some client-side javascript validation to make sure password 
> field is not empty before submitting form.
> 
> Thanks & Regards
> Siddharth Sinha
> Associate IT Application Specialist
> Office: 8955329
> On-Call: +917774036954
> 
>  
> 
> 
>  
> 
> 
> 
> 
> -Original Message-
> From: Dirk van Deun [mailto:dvand...@wilma.vub.ac.be] 
> Sent: Monday, May 08, 2017 1:41 PM
> To: users@httpd.apache.org
> Subject: [EXT] [users@httpd] AuthLDAPInitialBindAsUser etc.
> 
> Hi all,
> 
> I have a 90% solution for authenticating against an ldap server that does not 
> allow unauthenticated binds, but I'm looking for the last 10%.  I am using 
> AuthLDAPInitialBindAsUser on, AuthLDAPSearchAsUser on and 
> AuthLDAPCompareAsUser on, and that works brilliantly as long as the user 
> enters a password, either correct or incorrect.
> 
> However, if the user types a user name but no password, this is in effect 
> still an attempt to use unauthenticated bind, which fails, and the user gets 
> an Internal Server Error; and even worse is that reloading the page 
> immediately gives a new Internal Server Error.  The user has to close the 
> browser and restart it before trying again.
> 
> How do I prevent that from happening ?
> 
> Best,
> 
> Dirk van Deun
> --
> 
> 

Dirk van Deun
-- 
Ceterum censeo Redmond delendum

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] RE: [EXT] [users@httpd] AuthLDAPInitialBindAsUser etc.

[Siddharth Sinha]

Hi Dirk
You can perform some client-side javascript validation to make sure password 
field is not empty before submitting form.

Thanks & Regards
Siddharth Sinha
Associate IT Application Specialist
Office: 8955329
On-Call: +917774036954

 


 




-Original Message-
From: Dirk van Deun [mailto:dvand...@wilma.vub.ac.be] 
Sent: Monday, May 08, 2017 1:41 PM
To: users@httpd.apache.org
Subject: [EXT] [users@httpd] AuthLDAPInitialBindAsUser etc.

Hi all,

I have a 90% solution for authenticating against an ldap server that does not 
allow unauthenticated binds, but I'm looking for the last 10%.  I am using 
AuthLDAPInitialBindAsUser on, AuthLDAPSearchAsUser on and AuthLDAPCompareAsUser 
on, and that works brilliantly as long as the user enters a password, either 
correct or incorrect.

However, if the user types a user name but no password, this is in effect still 
an attempt to use unauthenticated bind, which fails, and the user gets an 
Internal Server Error; and even worse is that reloading the page immediately 
gives a new Internal Server Error.  The user has to close the browser and 
restart it before trying again.

How do I prevent that from happening ?

Best,

Dirk van Deun
--
Ceterum censeo Redmond delendum

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] AuthLDAPInitialBindAsUser etc.

[Dirk van Deun]

Hi all,

I have a 90% solution for authenticating against an ldap server that
does not allow unauthenticated binds, but I'm looking for the
last 10%.  I am using AuthLDAPInitialBindAsUser on,
AuthLDAPSearchAsUser on and AuthLDAPCompareAsUser on, and that works
brilliantly as long as the user enters a password, either correct
or incorrect.

However, if the user types a user name but no password, this is
in effect still an attempt to use unauthenticated bind, which fails,
and the user gets an Internal Server Error; and even worse is that
reloading the page immediately gives a new Internal Server Error.  The
user has to close the browser and restart it before trying again.

How do I prevent that from happening ?

Best,

Dirk van Deun
-- 
Ceterum censeo Redmond delendum

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org