Bug #2707

mod_auth ldap auth requires binding as the root of LDAP

Added by weitang114 almost 2 years ago. Updated almost 2 years ago.

Status: Invalid
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 2016-01-21
Due date: -
% Done: 0%
Estimated time: -
Missing in 1.5.x: -

Description

Doing ldap_search_s() on my LDAP server requires bind-dn/bind-pw as root.
Exposing root's password in the 05-auth.conf can be dangerous. Apache2 seems to bind as the user to authenticate instead.
For lighttpd 1.4, is there a workaround?
Thanks.

```c
/* 2. (lighttpd 1.4 http_auth.c) search for the user's entry with the
 * configured bind-dn connection (p->anon_conf); the bind as the user's
 * own DN happens later, after the search returns that DN */
if (p->anon_conf->ldap == NULL ||
    LDAP_SUCCESS != (ret = ldap_search_s(p->anon_conf->ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {

    /* try again; the ldap library sometimes fails for the first call but reconnects */
    if (p->anon_conf->ldap == NULL || ret != LDAP_SERVER_DOWN ||
        LDAP_SUCCESS != (ret = ldap_search_s(p->anon_conf->ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
        if (auth_ldap_init(srv, p->anon_conf) != HANDLER_GO_ON)
            return -1;
        if (NULL == p->anon_conf->ldap) return -1;
        if (LDAP_SUCCESS != (ret = ldap_search_s(p->anon_conf->ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
            /* this is the "ldap: ... filter: ..." line that appears in the error log */
            log_error_write(srv, __FILE__, __LINE__, "sssb",
                            "ldap:", ldap_err2string(ret), "filter:", p->ldap_filter);
            return -1;
        }
    }
}
```

History

#1

Updated by darix almost 2 years ago

It tries to bind as anon to find the user DN and then binds with the user DN and the password. I think that is a better description.

#2

Updated by weitang114 almost 2 years ago

darix wrote:

It tries to bind as anon to find the user DN and then binds with the user DN and the password. I think that is a better description.

Sorry for misunderstanding the code.
Since the LDAP server asked for the root DN, it gave me this in the first part:

2016-01-22 01:20:55: (http_auth.c.669) ldap: Insufficient access filter: (uid=weitang114)

And I can't achieve the "bind with the user DN" part. (http_auth.c: 721)

#3

Updated by stbuehler almost 2 years ago

  • Status changed from New to Invalid

You will need some "anon" user which is allowed to search for the actual user; there is no need for this user to be "root".
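A concrete configuration for the setup described above, added here as an example that is not part of this ticket or of lighttpd's own documentation: lighttpd 1.4 mod_auth binds with a dedicated low-privilege search account only to locate the user's DN, then binds as that DN with the password the browser submitted. The hostname, DNs, realm and path are assumed placeholder values.

```conf
# /etc/lighttpd/conf.d/05-auth.conf  (added example; all names are assumed placeholders)
server.modules += ( "mod_auth" )   # lighttpd 1.4.42 and later also load "mod_authn_ldap"

auth.backend = "ldap"
auth.backend.ldap.hostname = "ldap.example.com"
auth.backend.ldap.starttls = "enable"
auth.backend.ldap.ca-file  = "/etc/ssl/certs/example-ldap-ca.pem"
auth.backend.ldap.base-dn  = "ou=people,dc=example,dc=com"

# Step 1: lighttpd binds as this service account only to run the search below.
# It is not the directory root; it only needs read access to "uid" (and the
# entry itself) under the base DN so the search can return the user's DN.
auth.backend.ldap.bind-dn  = "cn=lighttpd-search,ou=services,dc=example,dc=com"
auth.backend.ldap.bind-pw  = "CHANGE-ME-service-account-password"

# "$" is replaced with the username from the HTTP Basic credentials.
auth.backend.ldap.filter   = "(uid=$)"

# Step 2: lighttpd binds as the DN returned by the search, using the user's
# own password. The service account never reads or verifies user passwords.
auth.backend.ldap.allow-empty-pw = "disable"

auth.require = ( "/secure/" =>
  ( "method"  => "basic",
    "realm"   => "Example intranet",
    "require" => "valid-user" ) )
```

On the directory side the service account needs a matching read grant; in OpenLDAP slapd.conf syntax that is roughly `access to attrs=entry,uid by dn.exact="cn=lighttpd-search,ou=services,dc=example,dc=com" read by * none`, together with the usual `access to attrs=userPassword by self write by anonymous auth by * none` so the user's own bind in step 2 can still succeed. If the search account lacks that grant, the symptom is exactly the `ldap: Insufficient access filter: (uid=...)` line from http_auth.c shown in comment #2, logged before any bind as the user is attempted. Because bind-pw is stored in cleartext, keep 05-auth.conf readable only by root and the lighttpd user.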

#4

Updated by stbuehler almost 2 years ago

  • Project changed from Lighttpd2 to Lighttpd

#5

Updated by weitang114 almost 2 years ago

Thank you very much. It was my misunderstanding.
