Bug #1096
closed
first HTTP authentication against LDAP fails: Bad search filter
Description
Hello,
with "ldap" as auth.backend, HTTP authentication fails the first time after lighttpd has been started; however, subsequent authentication requests succeed.
Authenticating as user "foo" with request URI "/bar/" gives the following error:
2007-03-27 22:01:40: (log.c.75) server started
2007-03-27 22:01:49: (http_auth.c.752) ldap: Bad search filter filter: foo
2007-03-27 22:01:49: (http_auth.c.861) password doesn't match for /bar/ foo
This bug is caused by the LDAP result filter (i.e. ldap_filter_pre and ldap_filter_post) not yet having been initialized when the first LDAP search is performed. Here is the relevant code from http_auth.c:
    /* build filter */
    buffer_copy_string_buffer(p->ldap_filter, p->conf.ldap_filter_pre);
    buffer_append_string_buffer(p->ldap_filter, username);
    buffer_append_string_buffer(p->ldap_filter, p->conf.ldap_filter_post);

    /* 2. */
    if (p->conf.ldap == NULL ||
        LDAP_SUCCESS != (ret = ldap_search_s(p->conf.ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
        if (auth_ldap_init(srv, &p->conf) != HANDLER_GO_ON)
            return -1;
        if (LDAP_SUCCESS != (ret = ldap_search_s(p->conf.ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
            log_error_write(srv, __FILE__, __LINE__, "sssb",
                    "ldap:", ldap_err2string(ret), "filter:", p->ldap_filter);
            return -1;
        }
    }
To work around this problem, I copied the build filter code to additionally execute before the second ldap_search_s call, so ldap_filter_pre and ldap_filter_post are properly initialized by auth_ldap_init beforehand. As expected, this fixes the issue.
Regards,
Peter.
-- peterco
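The ordering problem described in the report, reduced to a stand-alone C program (an added example, not lighttpd's code and not part of the original report). `mock_init`, `mock_search`, `build_filter`, `auth` and the `(uid=` / `)` filter parts are hypothetical stand-ins for `auth_ldap_init`, `ldap_search_s` and the configured filter pieces.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the plugin config and libldap; not lighttpd code. */
struct conf { int connected; const char *pre, *post; };

static void mock_init(struct conf *c) {   /* plays the role of auth_ldap_init */
    c->connected = 1;
    c->pre = "(uid=";                     /* constructed sample filter parts */
    c->post = ")";
}

static int mock_search(const struct conf *c, const char *filter) {
    size_t n = strlen(filter);
    if (!c->connected) return -1;         /* no connection yet */
    if (n < 2 || filter[0] != '(' || filter[n - 1] != ')') return -2; /* bad filter */
    return 0;
}

static void build_filter(char *out, size_t len, const struct conf *c, const char *user) {
    snprintf(out, len, "%s%s%s", c->pre ? c->pre : "", user, c->post ? c->post : "");
}

/* rebuild=0: order shown in the report; rebuild=1: the reporter's workaround. */
int auth(struct conf *c, const char *user, int rebuild) {
    char filter[128];
    build_filter(filter, sizeof filter, c, user);  /* pre/post still unset on first call */
    if (mock_search(c, filter) == 0) return 0;
    mock_init(c);                                  /* lazy init after the first failure */
    if (rebuild) build_filter(filter, sizeof filter, c, user);
    return mock_search(c, filter);                 /* rebuild=0 retries the stale filter */
}

int main(void) {
    struct conf a = {0}, b = {0};
    int first = auth(&a, "foo", 0), second = auth(&a, "foo", 0);
    printf("report order: first=%d second=%d; workaround: first=%d\n",
           first, second, auth(&b, "foo", 1));
    return 0;
}
```

With the order from the report, the first call retries with the bare string `foo` as the filter and fails, while the second call succeeds because the filter parts are now set, matching the logged behaviour.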
Updated by stbuehler about 16 years ago
- Status changed from New to Fixed
- Resolution set to duplicate
Filters should be fixed, see #1564.