Bug 80057 - mod_authz_ldap prevents use of other auth mechanisms if loaded
Summary: mod_authz_ldap prevents use of other auth mechanisms if loaded
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Stronghold Cross Platform
Classification: Retired
Component: mod_authz_ldap
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Joe Orton
QA Contact: Stronghold Engineering List
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2002-12-19 11:26 UTC by Joe Orton
Modified: 2007-04-18 16:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-03-03 09:17:56 UTC




Links
System: Red Hat Product Errata | ID: RHBA-2003:078 | Priority: normal | Status: SHIPPED_LIVE | Summary: Updated mod_authz_ldap package for Stronghold 4.0 now available | Last Updated: 2003-06-30 04:00:00 UTC
System: Red Hat Product Errata | ID: RHSA-2003:082 | Priority: normal | Status: SHIPPED_LIVE | Summary: Important: apache, openssl, php, tomcat security update for Stronghold | Last Updated: 2003-02-27 05:00:00 UTC

Description Joe Orton 2002-12-19 11:26:53 UTC
Description of problem:
If mod_authz_ldap is configured for *any* location, it tries to take over
authentication for *all* locations where auth is required (even if other
locations use AuthUserFile-based authentication).

Version-Release number of selected component (if applicable):
0.19

How reproducible:
always

Steps to Reproduce:
Use a config like:

   <Location /ldap>
      AuthzLDAPServer localhost
      AuthzLDAPUserBase dc=example,dc=com
      AuthzLDAPUserKey uid
      AuthzLDAPUserScope base

      AuthType basic
      AuthName "ldap@example.com"
      require valid-user
   </Location>

   <Location /basic>
      AuthType basic
      AuthUserFile /blah/passwd
      AuthName "basic@example.com"
      require valid-user
   </Location>

Then try and access location /basic/
    
Actual results:
failure to authenticate regardless of username/password
error_log entries as follows:

[Thu Dec 19 11:20:33 2002] [crit] [client 172.16.18.90] [1650] no ldap connection
[Thu Dec 19 11:20:38 2002] [error] [client 172.16.18.90] [1650] bind as (null)=joe,(null)/foo failed: 81

Expected results:
authentication in /basic/ based on passwd file contents

Additional info:

Comment 1 Joe Orton 2002-12-19 11:51:08 UTC
Worse yet: mod_authz_ldap prevents use of other auth mechanisms simply
if loaded, even if not configured.

A workaround is to put:
    AuthzLDAPAuthoritative off
in the location where non-LDAP authentication is needed.
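
As an added example (not code from this bug report or from the mod_authz_ldap package), the following check scans an httpd.conf fragment for the situation described above: with the module loaded, any <Location> that requires auth but is not an AuthzLDAP location and lacks "AuthzLDAPAuthoritative off" is reported. The sample config is constructed from the reproduction steps, and the LoadModule module name is an assumption about how the package is loaded.

```python
import re

# Constructed httpd.conf fragment modelled on this bug's reproduction config.
# The LoadModule line is an assumption about how the package is loaded, not from the page.
SAMPLE_CONF = """
LoadModule authz_ldap_module modules/mod_authz_ldap.so
<Location /ldap>
    AuthzLDAPServer localhost
    AuthType basic
    AuthName "ldap@example.com"
    require valid-user
</Location>
<Location /basic>
    AuthType basic
    AuthUserFile /blah/passwd
    AuthName "basic@example.com"
    require valid-user
</Location>
"""

def parse_locations(conf):
    """Map each <Location PATH> to its (directive, args) pairs, lower-cased; flat blocks only."""
    blocks, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = re.match(r"<Location\s+(\S+)>", line, re.I)
        if start:
            current = start.group(1)
            blocks[current] = []
        elif re.match(r"</Location>", line, re.I):
            current = None
        elif current is not None:
            name, _, args = line.partition(" ")
            blocks[current].append((name.lower(), args.strip().lower()))
    return blocks

def shadowed_locations(conf):
    """Paths whose non-LDAP auth mod_authz_ldap would take over once the module is loaded:
    auth is required, the block has no AuthzLDAPServer, and 'AuthzLDAPAuthoritative off' is absent."""
    if not re.search(r"^\s*LoadModule\s+authz_ldap_module\b", conf, re.M | re.I):
        return []  # module not loaded: other auth modules behave normally
    at_risk = []
    for path, directives in parse_locations(conf).items():
        names = {n for n, _ in directives}
        if ("require" in names and "authzldapserver" not in names
                and ("authzldapauthoritative", "off") not in directives):
            at_risk.append(path)
    return at_risk
```

Running shadowed_locations on the sample reports /basic; adding the workaround directive to that block, or not loading the module, clears the finding.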


Comment 2 Joe Orton 2003-03-03 09:17:56 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2003-082.html
