Bug 45946 - AuthLDAPUrl invokes mod_authnz_ldap although AuthBasicProvider=file
Summary: AuthLDAPUrl invokes mod_authnz_ldap although AuthBasicProvider=file
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_authz_ldap
Version: 2.2.9
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-10-03 12:29 UTC by Patrick Näf Moser
Modified: 2010-05-29 20:29 UTC

Attachments
LogLevel debug error log (1.04 KB, text/plain), 2008-10-07 08:42 UTC, Patrick Näf Moser

Description Patrick Näf Moser 2008-10-03 12:29:38 UTC
On my machine I have two types of user databases
* an LDAP directory
* a global .htpasswd file

For both types of user databases I would like to specify the details (location, bind DN) only once, so that I don't have to repeat those details for every directory that I want to protect. For instance:

<Directory />
  <IfModule mod_authnz_ldap.c>
    AuthLDAPUrl ldap://127.0.0.1:389/ou=users,dc=foo,dc=ch?uid?sub?(objectClass=*)
    AuthLDAPBindDN cn=httpd,ou=users,dc=foo,dc=ch
    AuthLDAPBindPassword secret
  </IfModule>
  <IfModule mod_authn_file.c>
    AuthUserFile /etc/apache2/.htpasswd
  </IfModule>
</Directory>


To protect a certain directory using the .htpasswd file, I have this configuration:

<Directory /bar/>
  AuthName "access to bar"
  AuthType Basic
  AuthBasicProvider file
  Require valid-user
</Directory>

Note that I have set "AuthBasicProvider file". If I wanted LDAP authentication, I would set "AuthBasicProvider ldap".


Now to the problem:
* I use my web browser to access http://<server>/bar/
* My web browser asks me to enter a username/password
* I enter a username/password that exists in the global .htpasswd file, but not in the LDAP directory

Expected result:
* I am granted access to http://<server>/bar/

Actual result:
* I get a "401 Authorization Required" page


Additional information:
* Removing the AuthLDAPUrl directive fixes the problem, i.e. I am granted access to http://<server>/bar/
* Instead of removing AuthLDAPUrl: Adding the directive "AuthzLDAPAuthoritative off" also fixes the problem
* Access is always granted if I enter a username/password that exists both in the global .htpasswd file and the LDAP directory


Conclusion:
* if an AuthLDAPUrl directive is inherited by a directory further down the tree, AuthLDAPUrl seems to activate/trigger/invoke mod_authnz_ldap
* I was living under the impression that mod_authnz_ldap is activated/triggered/invoked only when setting AuthBasicProvider to "ldap"
* quoting from the documentation of mod_authnz_ldap (http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html): "When using mod_auth_basic, this module is invoked via the AuthBasicProvider directive with the ldap value."


System configuration:
* Debian testing
* apache2 -v prints this:
  Server version: Apache/2.2.9 (Debian)
  Server built:   Jul 20 2008 08:23:41
* Browsers that I have tried: Firefox 3.0.1, Safari 3.1.2
Comment 1 Eric Covener 2008-10-04 07:24:52 UTC
Can't tell for sure without your LogLevel debug errorlog for the failure, but it seems like mod_authnz_ldap is trying to perform authorization, not authentication.

When mod_authnz_ldap is used for authorization, it does some extra processing if it wasn't also called for authentication -- namely mapping the username to a DN.

When it fails to map a username to a DN, it returns as you describe -- but it should have been able to check that a require ldap-* was even going to be present (later on, it will use this in the same way it uses the authoritative flag).

This would affect 2.2.x and not trunk because of differences in the authentication.  My advice would be to set LDAP authorization as non-authoritative if you must configure an AuthLDAPUrl globally, as these are the two conditions LDAP authorization will use to step out of the way.
Comment 2 Patrick Näf Moser 2008-10-07 08:42:08 UTC
Created attachment 22678 [details]
LogLevel debug error log

I have attached an error log created with "LogLevel debug". It looks indeed as if mod_authnz_ldap tries to perform authorization when it shouldn't.

My current workaround, by the way, is to place AuthLDAPUrl et al. in a central file (e.g. /etc/apache2/ldap.conf) which I then include in each <Directory> block that requires authentication. At the moment this is good enough for me to avoid duplication.
Comment 3 Brad Nicholes 2008-10-08 09:35:08 UTC
One of the downsides of having to include both authentication and authorization in the same module is that when the module is loaded, it tries to perform both operations. Due to the fact that there was a lot of LDAP data that had to be shared between the authentication and authorization sides of auth_ldap, the result was that both sides were combined into one module. Hence authnz_ldap rather than authn_ldap and authz_ldap like other modules.

So the short answer to your problem is that you need to include AuthzLDAPAuthoritative off in your configuration block. This will tell authnz_ldap to ignore the authorization directive and allow another authz module to handle it. See the "Authorization Phase" topic in the documentation at http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#operation
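Comment 3's fix applied to the reporter's layout, as an added example that is not part of the bug report or the httpd project: the LDAP URL, bind DN, password and paths are the report's own values; the /baz/ directory is a constructed addition to show the LDAP-authenticated case side by side.

```apache
# Added example (not from the bug report): httpd 2.2.x (before 2.2.14) layout that
# keeps the LDAP connection details in one place while one directory authenticates
# against the .htpasswd file only. Values are taken from the report; /baz/ is constructed.

<Directory />
  <IfModule mod_authnz_ldap.c>
    # Inherited by every directory below. In 2.2.x before 2.2.14 this alone makes the
    # mod_authnz_ldap authorization hook run even where AuthBasicProvider is "file".
    AuthLDAPUrl ldap://127.0.0.1:389/ou=users,dc=foo,dc=ch?uid?sub?(objectClass=*)
    AuthLDAPBindDN cn=httpd,ou=users,dc=foo,dc=ch
    AuthLDAPBindPassword secret
  </IfModule>
  <IfModule mod_authn_file.c>
    AuthUserFile /etc/apache2/.htpasswd
  </IfModule>
</Directory>

# Protected by the .htpasswd file only.
<Directory /bar/>
  AuthName "access to bar"
  AuthType Basic
  AuthBasicProvider file
  # The fix from comment 3: with LDAP authorization non-authoritative, a user that
  # mod_authnz_ldap cannot map to a DN is handed to the next authz module instead
  # of being rejected with 401. Defaults to "on", so it must be set explicitly.
  AuthzLDAPAuthoritative off
  Require valid-user
</Directory>

# Constructed LDAP-protected directory: nothing extra is needed here, the
# inherited AuthLDAPUrl, bind DN and password are used as intended.
<Directory /baz/>
  AuthName "access to baz"
  AuthType Basic
  AuthBasicProvider ldap
  Require valid-user
</Directory>
```

On 2.2.14 and later (comment 4) the AuthzLDAPAuthoritative line in /bar/ is no longer required for this case, but it is harmless to leave in place.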
Comment 4 Eric Covener 2010-05-29 20:29:47 UTC
This is fixed in 2.2.14 and later.