Re: [users@httpd] AuthLDAPInitialBindAsUser etc.
> > On Mon, May 8, 2017 at 10:37 AM, Dirk van Deun> wrote: > >> > >> Are you able to recompile? > >> > >> untested: http://people.apache.org/~covener/patches/2.4.x-bindpw_empty.diff > >> > >> you would not specify the directive in your case > >> > > > > That fixes it. If there is no other way around this, it would indeed > > seem to be a bug. > > > I can't really think of any feasible workaround to intercept that and > replace the password. > > If you're able, can you confirm s/AUTH_USER_NOT_FOUND/AUTH_DENIED/ > works too? Probably more appropriate. > That is okay: no visible difference for the user. By the way, do you think there is actually a good use case for AuthLDAPInitialBindAsUserAllowEmptyPassword ? It amounts to allowing users to implement their own passwordless bind, presumably for servers that are secured not to allow anonymous bind, or else you would use anonymous bind in the first place... Dirk van Deun -- Ceterum censeo Redmond delendum - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] AuthLDAPInitialBindAsUser etc.
On Mon, May 8, 2017 at 10:37 AM, Dirk van Deunwrote: >> >> Are you able to recompile? >> >> untested: http://people.apache.org/~covener/patches/2.4.x-bindpw_empty.diff >> >> you would not specify the directive in your case >> > > That fixes it. If there is no other way around this, it would indeed > seem to be a bug. I can't really think of any feasible workaround to intercept that and replace the password. If you're able, can you confirm s/AUTH_USER_NOT_FOUND/AUTH_DENIED/ works too? Probably more appropriate. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] AuthLDAPInitialBindAsUser etc.
> > Are you able to recompile? > > untested: http://people.apache.org/~covener/patches/2.4.x-bindpw_empty.diff > > you would not specify the directive in your case > That fixes it. If there is no other way around this, it would indeed seem to be a bug. Thanks, Dirk van Deun -- Ceterum censeo Redmond delendum - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] AuthLDAPInitialBindAsUser etc.
Are you able to recompile? untested: http://people.apache.org/~covener/patches/2.4.x-bindpw_empty.diff you would not specify the directive in your case On Mon, May 8, 2017 at 9:08 AM, Dirk van Deunwrote: >> >> On Mon, May 8, 2017 at 4:11 AM, Dirk van Deun >> wrote: >> > However, if the user types a user name but no password, this is >> > in effect still an attempt to use unauthenticated bind, which fails, >> > and the user gets an Internal Server Error; and even worse is that >> > reloading the page immediately gives a new Internal Server Error. The >> > user has to close the browser and restart it before trying again. >> >> >> Sounds like it may just be a bug. What message accompanies it? >> >> -- > > On screen: > > Internal Server Error > > The server encountered an internal error or misconfiguration and was > unable to complete your request. > > Please contact the server administrator at y...@example.com to inform > them of the time this error occurred, and the actions you performed > just before this error. > > More information about this error may be available in the server error > log. > > In the logs (with LDAPLibraryDebug 7): > > [...] > ** ld 0x564925782930 Outstanding Requests: > * msgid 1, origid 1, status InProgress >outstanding referrals 0, parent count 0 > ld 0x564925782930 request count 1 (abandoned 0) > ** ld 0x564925782930 Response Queue: >Empty > ld 0x564925782930 response count 0 > ldap_chkResponseList ld 0x564925782930 msgid 1 all 0 > ldap_chkResponseList returns ld 0x564925782930 NULL > ldap_int_select > read1msg: ld 0x564925782930 msgid 1 all 0 > read1msg: ld 0x564925782930 msgid 1 message type bind > read1msg: ld 0x564925782930 0 new referrals > read1msg: mark request completed, ld 0x564925782930 msgid 1 > request done: ld 0x564925782930 msgid 1 > res_errno: 53, res_error: disallowed>, res_matched: <> > ldap_free_request (origid 1, msgid 1) > ldap_parse_result > ldap_msgfree > ldap_free_connection 1 1 > ldap_send_unbind > TLS trace: SSL3 alert write:warning:close notify > ldap_free_connection: actually freed > > Best, > > Dirk van Deun > -- > Ceterum censeo Redmond delendum > > - > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > For additional commands, e-mail: users-h...@httpd.apache.org > -- Eric Covener cove...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] AuthLDAPInitialBindAsUser etc.
> > On Mon, May 8, 2017 at 4:11 AM, Dirk van Deun> wrote: > > However, if the user types a user name but no password, this is > > in effect still an attempt to use unauthenticated bind, which fails, > > and the user gets an Internal Server Error; and even worse is that > > reloading the page immediately gives a new Internal Server Error. The > > user has to close the browser and restart it before trying again. > > > Sounds like it may just be a bug. What message accompanies it? > > -- On screen: Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator at y...@example.com to inform them of the time this error occurred, and the actions you performed just before this error. More information about this error may be available in the server error log. In the logs (with LDAPLibraryDebug 7): [...] ** ld 0x564925782930 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x564925782930 request count 1 (abandoned 0) ** ld 0x564925782930 Response Queue: Empty ld 0x564925782930 response count 0 ldap_chkResponseList ld 0x564925782930 msgid 1 all 0 ldap_chkResponseList returns ld 0x564925782930 NULL ldap_int_select read1msg: ld 0x564925782930 msgid 1 all 0 read1msg: ld 0x564925782930 msgid 1 message type bind read1msg: ld 0x564925782930 0 new referrals read1msg: mark request completed, ld 0x564925782930 msgid 1 request done: ld 0x564925782930 msgid 1 res_errno: 53, res_error: , res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_parse_result ldap_msgfree ldap_free_connection 1 1 ldap_send_unbind TLS trace: SSL3 alert write:warning:close notify ldap_free_connection: actually freed Best, Dirk van Deun -- Ceterum censeo Redmond delendum - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] AuthLDAPInitialBindAsUser etc.
On Mon, May 8, 2017 at 4:11 AM, Dirk van Deunwrote: > However, if the user types a user name but no password, this is > in effect still an attempt to use unauthenticated bind, which fails, > and the user gets an Internal Server Error; and even worse is that > reloading the page immediately gives a new Internal Server Error. The > user has to close the browser and restart it before trying again. Sounds like it may just be a bug. What message accompanies it? -- Eric Covener cove...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] RE: [EXT] [users@httpd] AuthLDAPInitialBindAsUser etc.
Hi, I should have given more context. I am trying to protect a directory of static content using the standard login dialog of the browser, purely via .htaccess. So there is no form to check. I have an alternative solution that does wrap everything using a php script and that functions fine, but that's overkill for static content. Best, Dirk > > Hi Dirk > You can perform some client-side javascript validation to make sure password > field is not empty before submitting form. > > Thanks & Regards > Siddharth Sinha > Associate IT Application Specialist > Office: 8955329 > On-Call: +917774036954 > > > > > > > > > > -Original Message- > From: Dirk van Deun [mailto:dvand...@wilma.vub.ac.be] > Sent: Monday, May 08, 2017 1:41 PM > To: users@httpd.apache.org > Subject: [EXT] [users@httpd] AuthLDAPInitialBindAsUser etc. > > Hi all, > > I have a 90% solution for authenticating against an ldap server that does not > allow unauthenticated binds, but I'm looking for the last 10%. I am using > AuthLDAPInitialBindAsUser on, AuthLDAPSearchAsUser on and > AuthLDAPCompareAsUser on, and that works brilliantly as long as the user > enters a password, either correct or incorrect. > > However, if the user types a user name but no password, this is in effect > still an attempt to use unauthenticated bind, which fails, and the user gets > an Internal Server Error; and even worse is that reloading the page > immediately gives a new Internal Server Error. The user has to close the > browser and restart it before trying again. > > How do I prevent that from happening ? > > Best, > > Dirk van Deun > -- > > Dirk van Deun -- Ceterum censeo Redmond delendum - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[users@httpd] RE: [EXT] [users@httpd] AuthLDAPInitialBindAsUser etc.
Hi Dirk You can perform some client-side javascript validation to make sure password field is not empty before submitting form. Thanks & Regards Siddharth Sinha Associate IT Application Specialist Office: 8955329 On-Call: +917774036954 -Original Message- From: Dirk van Deun [mailto:dvand...@wilma.vub.ac.be] Sent: Monday, May 08, 2017 1:41 PM To: users@httpd.apache.org Subject: [EXT] [users@httpd] AuthLDAPInitialBindAsUser etc. Hi all, I have a 90% solution for authenticating against an ldap server that does not allow unauthenticated binds, but I'm looking for the last 10%. I am using AuthLDAPInitialBindAsUser on, AuthLDAPSearchAsUser on and AuthLDAPCompareAsUser on, and that works brilliantly as long as the user enters a password, either correct or incorrect. However, if the user types a user name but no password, this is in effect still an attempt to use unauthenticated bind, which fails, and the user gets an Internal Server Error; and even worse is that reloading the page immediately gives a new Internal Server Error. The user has to close the browser and restart it before trying again. How do I prevent that from happening ? Best, Dirk van Deun -- Ceterum censeo Redmond delendum - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[users@httpd] AuthLDAPInitialBindAsUser etc.
Hi all, I have a 90% solution for authenticating against an ldap server that does not allow unauthenticated binds, but I'm looking for the last 10%. I am using AuthLDAPInitialBindAsUser on, AuthLDAPSearchAsUser on and AuthLDAPCompareAsUser on, and that works brilliantly as long as the user enters a password, either correct or incorrect. However, if the user types a user name but no password, this is in effect still an attempt to use unauthenticated bind, which fails, and the user gets an Internal Server Error; and even worse is that reloading the page immediately gives a new Internal Server Error. The user has to close the browser and restart it before trying again. How do I prevent that from happening ? Best, Dirk van Deun -- Ceterum censeo Redmond delendum - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org