Bug #3216 (closed)
auth.require "require" => "group=CN=... doesn't work with 1.4.69 on debian12 anymore
Description
LDAP auth with the requirement that the user belong to a group works on Debian 11. The LDAP server is Active Directory.

ii  lighttpd                1.4.59-1+deb11u2       amd64  fast webserver with minimal memory footprint
iU  lighttpd-modules-ldap   1.4.59-1+deb11u2       amd64  LDAP-based modules for lighttpd
ii  libldap-2.4-2:amd64     2.4.57+dfsg-3+deb11u1  amd64  OpenLDAP libraries

Snippet from lighttpd -f /etc/lighttpd/lighttpd.conf -p:

auth.backend.ldap.groupmember = "member"
auth.backend = "ldap"
auth.backend.ldap.hostname = "ldap.example.com"
auth.backend.ldap.base-dn = "OU=EXAMPLE,DC=example,DC=com"
auth.backend.ldap.filter = "(sAMAccountName=$)"
auth.backend.ldap.bind-dn = "CN=ldap_access_account,OU=EXAMPLE,DC=example,DC=com"
auth.backend.ldap.bind-pw = "*****"
$HTTP["url"] =^ "/tmp/" {
    $HTTP["remoteip"] == "192.168.0.0/24" { # block 13
        url.access-allow = ("")
    } # end of $HTTP["remoteip"] == "192.168.0.0/24"
    else { # block 14
        auth.require = (
            "/tmp" => (
                "method" => "basic",
                "realm" => "LDAP auth required",
                "require" => "group=CN=MYGROUP4,OU=Org,OU=Groups,OU=EXAMPLE,DC=example,DC=com",
            ),
        )
    } # end of else
} # end of $HTTP["url"] =^ "/tmp/"
LDAP pcap for the 1.4.59 version:
tshark -r lighttpd_ldap_1.4.59.pcap -Y ldap (-V for the most important packet):

LDAP 146 bindRequest(1) "CN=ldap_access_account,OU=EXAMPLE,DC=example,DC=com" simple
LDAP 88 bindResponse(1) success
LDAP 140 searchRequest(2) "OU=EXAMPLE,DC=example,DC=com" wholeSubtree
LDAP 165 searchResEntry(2) "CN=Myfirstname Mylastname,OU=People,OU=EXAMPLE,DC=example,DC=com" | searchResDone(2) success [1 result]
LDAP 145 bindRequest(1) "CN=Myfirstname Mylastname,OU=People,OU=EXAMPLE,DC=example,DC=com" simple
LDAP 88 bindResponse(1) success
LDAP 73 unbindRequest(2)
LDAP 222 searchRequest(3) "CN=MYGROUP4,OU=Org,OU=Groups,OU=EXAMPLE,DC=example,DC=com" wholeSubtree
LDAPMessage searchRequest(3) "CN=MYGROUP4,OU=Org,OU=Groups,OU=EXAMPLE,DC=example,DC=com" wholeSubtree
    messageID: 3
    protocolOp: searchRequest (3)
        searchRequest
            baseObject: CN=MYGROUP4,OU=Org,OU=Groups,OU=EXAMPLE,DC=example,DC=com
            scope: wholeSubtree (2)
            derefAliases: neverDerefAliases (0)
            sizeLimit: 0
            timeLimit: 0
            typesOnly: False
            Filter: (member=CN=Myfirstname Mylastname,OU=People,OU=EXAMPLE,DC=example,DC=com)
                filter: equalityMatch (3)
                    equalityMatch
                        attributeDesc: member
                        assertionValue: CN=Myfirstname Mylastname,OU=People,OU=EXAMPLE,DC=example,DC=com
            attributes: 1 item
                AttributeDescription: 1.1
LDAP 168 searchResEntry(3) "CN=MYGROUP4,OU=Org,OU=Groups,OU=EXAMPLE,DC=example,DC=com" | searchResDone(3) success [2 results]
LDAP 140 searchRequest(4) "OU=EXAMPLE,DC=example,DC=com" wholeSubtree
LDAP 165 searchResEntry(4) "CN=Myfirstname Mylastname,OU=People,OU=EXAMPLE,DC=example,DC=com" | searchResDone(4) success [3 results]
LDAP 145 bindRequest(1) "CN=Myfirstname Mylastname,OU=People,OU=EXAMPLE,DC=example,DC=com" simple
LDAP 88 bindResponse(1) success
LDAP 73 unbindRequest(2)
LDAP 222 searchRequest(5) "CN=MYGROUP4,OU=Org,OU=Groups,OU=EXAMPLE,DC=example,DC=com" wholeSubtree
LDAP 168 searchResEntry(5) "CN=MYGROUP4,OU=Org,OU=Groups,OU=EXAMPLE,DC=example,DC=com" | searchResDone(5) success [4 results]
After upgrading to the Debian 12 release, the lighttpd/libldap packages were upgraded and this LDAP auth doesn't succeed anymore.

ii  lighttpd                1.4.69-1        amd64  fast webserver with minimal memory footprint
ii  lighttpd-modules-ldap   1.4.69-1        amd64  LDAP-based modules for lighttpd
ii  libldap-2.5-0:amd64     2.5.13+dfsg-5   amd64  OpenLDAP libraries

tshark -r lighttpd_ldap_1.4.69.pcap -Y ldap (-V for the most important packet):

LDAP 146 bindRequest(1) "CN=ldap_access_account,OU=EXAMPLE,DC=example,DC=com" simple
LDAP 88 bindResponse(1) success
LDAP 140 searchRequest(2) "OU=EXAMPLE,DC=example,DC=com" wholeSubtree
LDAP 165 searchResEntry(2) "CN=Myfirstname Mylastname,OU=People,OU=EXAMPLE,DC=example,DC=com" | searchResDone(2) success [1 result]
LDAP 145 bindRequest(1) "CN=Myfirstname Mylastname,OU=People,OU=EXAMPLE,DC=example,DC=com" simple
LDAP 88 bindResponse(1) success
LDAP 73 unbindRequest(2)
LDAP 163 searchRequest(3) "<ROOT>" wholeSubtree
LDAPMessage searchRequest(3) "<ROOT>" wholeSubtree
    messageID: 3
    protocolOp: searchRequest (3)
        searchRequest
            baseObject:
            scope: wholeSubtree (2)
            derefAliases: neverDerefAliases (0)
            sizeLimit: 0
            timeLimit: 0
            typesOnly: False
            Filter: (member=CN=Myfirstname Mylastname,OU=People,OU=EXAMPLE,DC=example,DC=com)
                filter: equalityMatch (3)
                    equalityMatch
                        attributeDesc: member
                        assertionValue: CN=Myfirstname Mylastname,OU=People,OU=EXAMPLE,DC=example,DC=com
            attributes: 1 item
                AttributeDescription: 1.1
LDAP 176 searchResDone(3) noSuchObject (0000208D: NameErr: DSID-03100220, problem 2001 (NO_OBJECT), data 0, best match of:\n\t''\n) [1 result]
LDAP 163 searchRequest(4) "<ROOT>" wholeSubtree
LDAP 176 searchResDone(4) noSuchObject (0000208D: NameErr: DSID-03100220, problem 2001 (NO_OBJECT), data 0, best match of:\n\t''\n) [1 result]
LDAP 73 unbindRequest(5)
LDAP 146 bindRequest(1) "CN=ldap_access_account,OU=EXAMPLE,DC=example,DC=com" simple
LDAP 88 bindResponse(1) success
LDAP 163 searchRequest(2) "<ROOT>" wholeSubtree
LDAP 176 searchResDone(2) noSuchObject (0000208D: NameErr: DSID-03100220, problem 2001 (NO_OBJECT), data 0, best match of:\n\t''\n) [0 results]
LDAP 73 unbindRequest(3)
The problem is that on the new version the baseObject in the group searchRequest is empty. The number of such requests equals the number of "group=" entries in the require clause, so the lighttpd auth module is aware of the configuration, but somehow the group DN doesn't make it into the request anymore. Is the problem inside lighttpd or libldap? I read the changelogs for lighttpd and also checked mod_authn_ldap.c for recent changes, but I didn't find anything related.
If I change the auth.require to "require" => "valid-user", then without group validation authentication succeeds.
Lighttpd error.log:

(server.c.1976) server stopped by UID = 0 PID = 1
(server.c.1704) server started (lighttpd/1.4.69)
(mod_authn_ldap.c.628) ldap: No such object; filter: (member=CN=Myfirstname Mylastname,OU=People,OU=EXAMPLE,DC=example,DC=com)
(mod_authn_ldap.c.628) ldap: No such object; filter: (member=CN=Myfirstname Mylastname,OU=People,OU=EXAMPLE,DC=example,DC=com)
(mod_authn_ldap.c.628) ldap: No such object; filter: (member=CN=Myfirstname Mylastname,OU=People,OU=EXAMPLE,DC=example,DC=com)
(mod_auth.c.850) password doesn't match for /tmp username: myusername IP: 10.10.10.10

I also tried 1.4.71 from the Debian experimental release, but it behaves the same as 1.4.69.

lighttpd_1.4.71-1+exp1_amd64.deb
lighttpd-mod-openssl_1.4.71-1+exp1_amd64.deb
lighttpd-modules-ldap_1.4.71-1+exp1_amd64.deb
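The group check that the two captures above show, as an added example (not lighttpd's code and not the reporter's): a small Python model of the per-group search loop in mod_authn_ldap, run against a constructed in-memory directory. The directory contents, the DNs, the `ldap_search`/`member_of` names and the rule that a wholeSubtree search with an empty baseObject is answered with noSuchObject are assumptions modelled on this report's pcaps, so the same function reproduces both the 1.4.59 outcome (search rooted at the group DN, one entry, access granted) and the 1.4.69 symptom (empty base, noSuchObject per group, access denied).

```python
"""Model of the LDAP group-membership check seen in this report's captures.
Added example, not lighttpd's code. DIRECTORY, the DNs and the empty-base
behaviour are constructed assumptions modelled on the pcaps above."""

USER_DN = "CN=Myfirstname Mylastname,OU=People,OU=EXAMPLE,DC=example,DC=com"
GROUP_DN = "CN=MYGROUP4,OU=Org,OU=Groups,OU=EXAMPLE,DC=example,DC=com"

# Constructed in-memory directory: DN -> attribute -> list of values.
DIRECTORY = {
    "OU=EXAMPLE,DC=example,DC=com": {"objectClass": ["organizationalUnit"]},
    USER_DN: {"objectClass": ["user"], "sAMAccountName": ["myusername"]},
    GROUP_DN: {"objectClass": ["group"], "member": [USER_DN]},
}


class NoSuchObject(Exception):
    """Stands in for LDAP result code 32 (noSuchObject) from the server."""


def _norm(dn):
    # DNs compare case-insensitively; lowercasing is enough for this toy directory.
    return dn.lower()


def _in_subtree(dn, base):
    """True when dn is base itself or lies below it (wholeSubtree scope)."""
    return _norm(dn) == _norm(base) or _norm(dn).endswith("," + _norm(base))


def ldap_search(base, attr, value):
    """Subtree search with an equality filter (attr=value); returns matching DNs.

    As Active Directory did in the 1.4.69 capture, a subtree search whose
    baseObject is empty or names no entry is refused with noSuchObject."""
    if base == "" or not any(_in_subtree(dn, base) for dn in DIRECTORY):
        raise NoSuchObject(base)
    return [
        dn for dn, attrs in DIRECTORY.items()
        if _in_subtree(dn, base)
        and _norm(value) in (_norm(v) for v in attrs.get(attr, []))
    ]


def member_of(user_dn, group_bases, groupmember="member"):
    """One search per configured group DN, rooted at that DN, with the filter
    (<groupmember>=<user DN>), the way the pcaps show mod_authn_ldap doing it.

    Returns (granted, log): granted becomes True as soon as one search returns
    an entry; log collects the per-search failures in the shape error.log
    printed them."""
    log = []
    for base in group_bases:
        try:
            entries = ldap_search(base, groupmember, user_dn)
        except NoSuchObject:
            log.append(f"ldap: No such object; filter: ({groupmember}={user_dn})")
            continue
        if entries:
            return True, log
    return False, log


if __name__ == "__main__":
    # 1.4.59 behaviour: the search is rooted at the configured group DN.
    print(member_of(USER_DN, [GROUP_DN]))
    # 1.4.69 symptom: the group DN never reaches the request, so base is "".
    print(member_of(USER_DN, [""]))
```

Running it with a list of several group DNs mirrors the "multiple group=" case from later in this thread: each DN gets its own search, and the first one that returns an entry grants access.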
Updated by gstrauss over 1 year ago
Thank you for the detailed report. I'll try to dig into this in the next few days.
Debian is notorious for being out-of-date. As you found, there have not been any recent changes to mod_authn_ldap.c. Are you able to test with lighttpd 1.4.60? A quick look through git log mod_authn_ldap.c and the only commit that jumps out at me for a more in-depth review (since it touches auth.backend.ldap.groupmember) would be commit af3df29a from two years ago.
I do not have a test environment for LDAP readily available. You might be able to test more quickly by building lighttpd 1.4.59 and lighttpd 1.4.60 packages for Debian 12. See lighttpd distro packaging. Building a lighttpd 1.4.59 package for Debian 12 would allow you to isolate whether the issue is more likely in lighttpd or in libldap.
Updated by gstrauss over 1 year ago
- Status changed from New to Patch Pending
- Target version changed from 1.4.xx to 1.4.72
A change in mod_auth in lighttpd 1.4.65 probably introduced the bug: commit 8b296531
Untested patch:
--- a/src/mod_authn_ldap.c +++ b/src/mod_authn_ldap.c @@ -693,7 +693,7 @@ static handler_t mod_authn_ldap_memberOf(log_error_st *errh, plugin_config *s, c plugin_config_ldap * const ldc = s->ldc; for (size_t i = 0; i < groups->used; ++i) { - const char *base = groups->data[i]->key.ptr; + const char *base = ((data_string *)groups->data[i])->value.ptr; LDAPMessage *lm = mod_authn_ldap_search(errh, ldc, base, filter->ptr); if (NULL != lm) { int count = ldap_count_entries(ldc->ldap, lm);
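Review bot: the cast `((data_string *)groups->data[i])` on the replaced line is unconditional, so the fix relies on mod_auth handing mod_authn_ldap_memberOf an array that holds only string elements; if that is guaranteed by the caller since the mod_auth change in 1.4.65 (commit 8b296531), a short comment at the loop saying that the group DN now travels in the element's value rather than its key would make the change self-explaining, otherwise check the element's type before reading `value.ptr`. Separately, the error path behind the `ldap: No such object; filter: (...)` lines in this report's error.log prints only the filter, which is why the empty base only showed up in a packet capture; logging `base` alongside the filter in that message (and perhaps refusing an empty `base` up front) would have made this regression diagnosable from the log alone.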
Updated by raunz over 1 year ago
I've just tested a 1.4.60 release and it is still OK.
git clone https://salsa.debian.org/debian/lighttpd.git
git checkout debian/1.4.60-1
debuild -us -uc
Updated by raunz over 1 year ago
gstrauss wrote in #note-2:
A change in mod_auth in lighttpd 1.4.65 probably introduced the bug: commit 8b296531
Untested patch
[...]
It works! Many thanks!
git clone https://salsa.debian.org/debian/lighttpd.git
git checkout debian/1.4.69-1
edited src/mod_authn_ldap.c and same file in lighttpd-1.4.69.tar.gz
debuild -us -uc
dpkg -i lighttpd_1.4.69-1_all.deb lighttpd-modules-ldap_1.4.69-1_amd64.deb

2023-07-04 15:27:24: (server.c.2078) server stopped by UID = 0 PID = 1
2023-07-04 15:27:25: (server.c.1704) server started (lighttpd/1.4.69-devel-debian/1.4.69-1)
LDAP group authentication succeeds! Tested with one group= and also with multiple group= requirements.
Updated by gstrauss over 1 year ago
- Status changed from Patch Pending to Fixed
Applied in changeset e0cd9ae5b0947de2ea55c01ba48f4d9d17368222.
Updated by gstrauss over 1 year ago
Sorry about the bug. Thank you for testing the patch and, again, thank you for the detailed report.
Updated by raunz over 1 year ago
gstrauss wrote in #note-6:
Sorry about the bug. Thank you for testing the patch and, again, thank you for the detailed report.
I'm glad that I could help. Your response has been top class!
btw - is there a chance that you could get this patch into the Debian 12 stable release (e.g. 1.4.69-2)?
Updated by gstrauss over 1 year ago
I aim to have lighttpd 1.4.72 out this summer and it should reach Debian backports some time later this summer.
I find that there is a huge amount of friction "working with" Debian to accomplish anything. I spend more time on Debian than I do combined for 5+ other distros, for some of which I am the package maintainer.