Lighttpd

Hello,

with "ldap" as auth.backend, HTTP authentication fails the first time after lighttpd has been started; however, subsequent authentication requests succeed.

Authenticating as user "foo" with request URI "/bar/" gives the following error:

2007-03-27 22:01:40: (log.c.75) server started 
2007-03-27 22:01:49: (http_auth.c.752) ldap: Bad search filter filter: foo 
2007-03-27 22:01:49: (http_auth.c.861) password doesn't match for /bar/ foo 

This bug is caused by the LDAP result filter (i.e. ldap_filter_pre and ldap_filter_post) not yet having been initialized when the first LDAP search is performed. Here is the relevant code from http_auth.c:

                /* build filter */
                buffer_copy_string_buffer(p->ldap_filter, p->conf.ldap_filter_pre);
                buffer_append_string_buffer(p->ldap_filter, username);
                buffer_append_string_buffer(p->ldap_filter, p->conf.ldap_filter_post);

                /* 2. */
                if (p->conf.ldap == NULL ||
                    LDAP_SUCCESS != (ret = ldap_search_s(p->conf.ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
                        if (auth_ldap_init(srv, &p->conf) != HANDLER_GO_ON)
                                return -1;
                        if (LDAP_SUCCESS != (ret = ldap_search_s(p->conf.ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {

                        log_error_write(srv, __FILE__, __LINE__, "sssb",
                                        "ldap:", ldap_err2string(ret), "filter:", p->ldap_filter);

                        return -1;
                        }
                }

To work around this problem, I copied the build filter code to additionally execute before the second ldap_search_s call, so ldap_filter_pre and ldap_filter_post are properly initialized by auth_ldap_init before. As expected, this fixes the issue.

Regards,
Peter.

-- peterco