Bug #2707
Status: closed
mod_auth ldap auth requires binding as the root of LDAP
Description
Doing ldap_search_s() on my LDAP server requires bind-dn/bind-pw as root.
Exposing root's password in the 05-auth.conf can be dangerous. Apache2 seems to bind as the user to authenticate instead.
For lighttpd 1.4, is there a workaround?
Thanks.
```c
/* 2. */
/* search for the user's entry over the "anon" connection, i.e. the one bound
 * with auth.backend.ldap.bind-dn / bind-pw (or anonymously when unset) */
if (p->anon_conf->ldap == NULL ||
    LDAP_SUCCESS != (ret = ldap_search_s(p->anon_conf->ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
    /* try again; the ldap library sometimes fails for the first call but reconnects */
    if (p->anon_conf->ldap == NULL || ret != LDAP_SERVER_DOWN ||
        LDAP_SUCCESS != (ret = ldap_search_s(p->anon_conf->ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
        /* re-open and re-bind the "anon" connection, then search once more */
        if (auth_ldap_init(srv, p->anon_conf) != HANDLER_GO_ON)
            return -1;
        if (NULL == p->anon_conf->ldap) return -1;
        if (LDAP_SUCCESS != (ret = ldap_search_s(p->anon_conf->ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
            /* e.g. "Insufficient access" when the bind account may not search the base-dn */
            log_error_write(srv, __FILE__, __LINE__, "sssb",
                            "ldap:", ldap_err2string(ret), "filter:", p->ldap_filter);
            return -1;
        }
    }
}
```
Updated by darix almost 9 years ago
It tries to bind as anon to find the user DN and then binds with the user DN and the password. I think that is a better description.
Updated by weitang114 almost 9 years ago
darix wrote:
It tries to bind as anon to find the user DN and then binds with the user DN and the password. I think that is a better description.
Sorry for misunderstanding the code.
Since the LDAP server asked for the root DN, it gave me this at the first part:
2016-01-22 01:20:55: (http_auth.c.669) ldap: Insufficient access filter: (uid=weitang114)
And I can't achieve the "bind with the user DN" part. (http_auth.c: 721)
Updated by stbuehler over 8 years ago
- Status changed from New to Invalid
You will need some "anon" user which is allowed to search for the actual user; there is no need for this user to be "root".
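Added example, not from the thread and not from lighttpd's own documentation, of the setup stbuehler describes: a lighttpd 1.4 mod_auth ldap configuration in which bind-dn/bind-pw name a dedicated, search-only service account instead of the directory manager. The hostname, base DN, the account cn=lighttpd-search, the realm and the path are made-up placeholders; the starttls directive is assumed to exist in your 1.4.x release (check docs/mod_auth.txt for the version you run).

```conf
# 05-auth.conf (example, not the original reporter's file)
server.modules += ( "mod_auth" )

auth.backend               = "ldap"
auth.backend.ldap.hostname = "ldap.example.com"
auth.backend.ldap.base-dn  = "ou=people,dc=example,dc=com"
# "$" is replaced by the username taken from the HTTP Basic credentials;
# the search result's DN is what lighttpd then binds with, using the user's password
auth.backend.ldap.filter   = "(uid=$)"

# weak: the directory manager's credentials sitting in a web-server config file
# auth.backend.ldap.bind-dn = "cn=Manager,dc=example,dc=com"
# auth.backend.ldap.bind-pw = "manager-password"

# better: an account whose only right in the directory is to search ou=people
auth.backend.ldap.bind-dn  = "cn=lighttpd-search,ou=services,dc=example,dc=com"
auth.backend.ldap.bind-pw  = "search-account-password"

# keep both the bind-pw and the users' passwords off the wire in cleartext
# (assumed directive; present in recent 1.4.x releases)
auth.backend.ldap.starttls = "enable"

auth.require = ( "/private/" =>
  ( "method"  => "basic",
    "realm"   => "example",
    "require" => "valid-user" ) )
```

The "Insufficient access" error in the log above is the directory refusing the search, so the fix is on the LDAP side, not in lighttpd: grant the search account read access to the entries and the uid attribute under the base DN and nothing else, while users keep auth access to their own userPassword so the second bind works. For OpenLDAP that is (assumed placeholders as above) `access to attrs=userPassword by self write by anonymous auth by * none` followed by `access to dn.subtree="ou=people,dc=example,dc=com" attrs=entry,uid by dn.exact="cn=lighttpd-search,ou=services,dc=example,dc=com" read by * none`. Verify it before touching lighttpd: `ldapsearch -x -ZZ -H ldap://ldap.example.com -D "cn=lighttpd-search,ou=services,dc=example,dc=com" -W -b "ou=people,dc=example,dc=com" "(uid=weitang114)" dn` must return exactly one DN, and `ldapwhoami -x -ZZ -H ldap://ldap.example.com -D "<that DN>" -W` must succeed with the user's password. The bind-pw still lives in the config file, so keep it readable by root only (lighttpd reads its configuration before dropping privileges) and give the search account no write or password-reading rights, so that a leak of the file yields only the ability to enumerate uids.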
Updated by stbuehler over 8 years ago
- Project changed from Lighttpd2 to Lighttpd
Updated by weitang114 over 8 years ago
Thank you very much. It was my misunderstanding.