Ticket #1096 (closed defect: duplicate)
first HTTP authentication against LDAP fails: Bad search filter
| Reported by: | peterco@… | Owned by: | jan |
|---|---|---|---|
| Priority: | normal | Milestone: | 1.4.20 |
| Component: | mod_auth | Version: | 1.4.x-svn |
| Severity: | normal | Keywords: | ldap authentication first bad search filter |
| Cc: | marian@… | Blocked By: | |
| Need User Feedback: | no | Blocking: | |
Description
Hello,
with "ldap" as auth.backend, HTTP authentication fails the first time after lighttpd has been started; however, subsequent authentication requests succeed.
Authenticating as user "foo" with request URI "/bar/" gives the following error:
```
2007-03-27 22:01:40: (log.c.75) server started
2007-03-27 22:01:49: (http_auth.c.752) ldap: Bad search filter filter: foo
2007-03-27 22:01:49: (http_auth.c.861) password doesn't match for /bar/ foo
```
This bug is caused by the LDAP result filter (i.e. ldap_filter_pre and ldap_filter_post) not yet having been initialized when the first LDAP search is performed. Here is the relevant code from http_auth.c:
```c
/* build filter */
buffer_copy_string_buffer(p->ldap_filter, p->conf.ldap_filter_pre);
buffer_append_string_buffer(p->ldap_filter, username);
buffer_append_string_buffer(p->ldap_filter, p->conf.ldap_filter_post);

/* 2. */
if (p->conf.ldap == NULL ||
    LDAP_SUCCESS != (ret = ldap_search_s(p->conf.ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
    if (auth_ldap_init(srv, &p->conf) != HANDLER_GO_ON)
        return -1;
    if (LDAP_SUCCESS != (ret = ldap_search_s(p->conf.ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
        log_error_write(srv, __FILE__, __LINE__, "sssb",
                        "ldap:", ldap_err2string(ret), "filter:", p->ldap_filter);
        return -1;
    }
}
```
To work around this problem, I copied the build filter code to additionally execute before the second ldap_search_s call, so ldap_filter_pre and ldap_filter_post are properly initialized by auth_ldap_init beforehand. As expected, this fixes the issue.
Regards, Peter.
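The ordering problem described in this ticket, reduced to a stand-alone model. This is an added example, not code from lighttpd or from the reporter. The `conf` struct, `fake_ldap_init`, `fake_search` and the filter halves `(uid=` and `)` are constructed stand-ins for the plugin config, `auth_ldap_init`, `ldap_search_s` and the configured filter.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the plugin config and LDAP handle. */
struct conf {
    int connected;            /* models p->conf.ldap != NULL */
    const char *filter_pre;   /* set only by fake_ldap_init() */
    const char *filter_post;
};

/* Models auth_ldap_init(): connects and fills in both filter halves. */
static void fake_ldap_init(struct conf *c) {
    c->connected = 1;
    c->filter_pre = "(uid=";  /* constructed sample filter */
    c->filter_post = ")";
}

/* Models the "build filter" step; unset halves behave like empty buffers. */
static void build_filter(const struct conf *c, const char *user, char *out, size_t n) {
    snprintf(out, n, "%s%s%s", c->filter_pre ? c->filter_pre : "",
             user, c->filter_post ? c->filter_post : "");
}

/* Models ldap_search_s(): -1 if not connected, -2 for a bad search filter. */
static int fake_search(const struct conf *c, const char *filter) {
    size_t len = strlen(filter);
    if (!c->connected) return -1;
    return (len >= 2 && filter[0] == '(' && filter[len - 1] == ')') ? 0 : -2;
}

/* rebuild_after_init = 0 reproduces the ticket; 1 applies the workaround. */
int first_auth(struct conf *c, const char *user, int rebuild_after_init,
               char *filter, size_t n) {
    build_filter(c, user, filter, n);          /* built before init has run */
    if (!c->connected || fake_search(c, filter) != 0) {
        fake_ldap_init(c);
        if (rebuild_after_init) build_filter(c, user, filter, n);
        if (fake_search(c, filter) != 0) return -1;  /* stale filter is rejected */
    }
    return 0;
}

int main(void) {
    char f[64];
    struct conf a = {0}, b = {0};
    printf("buggy, 1st request: %d filter=%s\n", first_auth(&a, "foo", 0, f, sizeof f), f);
    printf("buggy, 2nd request: %d filter=%s\n", first_auth(&a, "foo", 0, f, sizeof f), f);
    printf("fixed, 1st request: %d filter=%s\n", first_auth(&b, "foo", 1, f, sizeof f), f);
    return 0;
}
```

In the buggy ordering the first request fails with the bare filter `foo`, matching the log above, while the second request succeeds because initialization has already happened.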

