auth.backend.ldap.filter not working with conditionals/not being rebuilt

[laph@…]

If you define a (dynamic) filter within a conditional like this:

$HTTP["host"] == "a.host.name" {
 var.customer             = "customer-name"
 auth.backend.ldap.filter = "(&(uid=$)(|(gidNumber=345)(cn=" + var.customer + ")))"
 auth.require             = ( 
  "" => (
   "method"  => "basic",
   "realm"   => "Login",
   "require" => "valid-user",
  ),
 )
}

the filter seems to be built ONLY ONCE and never be rebuild based on the HTTP-Host.

Therefore the first Login-Attempt from a HTTP-Host fixes the LDAP-Filter, making it quite unusable with virtual hosting.

Using "require => user=xxx|user=yyy" doesn't work for us - we have hundreds of them, some shared between V-Servers, some not. Therefore we need "dynamic" LDAP-Filters based on the HTTP-Host conditional.

[uspoerlein@…]

I have the same problem, I need to match against UID in some parts and CN in some other parts of the Webserver. And the filters are not regenerated.

It's even worse, I tried using (|(uid=$)(cn=$)) as a filter, but only the first occurence of $ is expanded to the auth user as can be seen from the slapd debug log

filter="(|(uid=lana)(cn=$))"

The problem is still present on 1.4.19

[stbuehler]

1. The "var.xxxx" variables in the config are replaced while parsing the config (by design, won't change).
2. The doc says "the $ is replaced", and imho this includes that you should use only one.

[uspoerlein@…]

Well, if the documentation mentions this shortcoming, then this is probably not a bug report.

I hope you don't mind me reopening it as a feature request instead? Without such a functionality, I'm unable to authorize various parts of my webserver. I'd have to use multiple lighty instances or switch to Apache. :(

[stbuehler]

Are you really sure you need this and it would not be solvable with conditionals? I.e. you would have many lighty instances in a mod_proxy chain to do it?

[uspoerlein@…]

No, it cannot be solved by conditionals, that's what this bug is all about.

The trick with mod_proxy should work, but this is so much overhead for what I'm doing. I'd then have to track multiple lighty instances, etc.

LDAP support in lighty could really do with some lovin. Whould it be so hard to make the filter dynamic like pretty much all the rest of lighty configuration?

[stbuehler]

I have just more important things to do, and i don't see the need for it in a clean system.

So if someone provides a nice patch to do this, i will apply it.

[laph@…]

Replying to stbuehler:

I have just more important things to do, and i don't see the need for it in a clean system. So if someone provides a nice patch to do this, i will apply it.

Well, I don't agree. If you have multiple vhosts you simply expect to be able to set different LDAP Filters in different vhosts - just like you can do with htdigest or any other auth mechanism. Using a LDAP Filter, you "select" a group of people being able to access a vhost. You don't expect that this group is granted access to ALL vhosts hosted by this lighty server instance.

From my point of view, I'd still call it a defect.

[stbuehler]

If you need separate filters for different vhosts, why don't you just put them into a vhost conditional?

Before you claim it is a defect you should understand how the config works!

[laph@…]

Replying to stbuehler:

If you need separate filters for different vhosts, why don't you just put them into a vhost conditional? Before you claim it is a defect you should understand how the config works!

But that's exactly the issue !!!

I've put different filters into different vhosts (== HTTP[host] conditionals), but as soon as there's a auth request for one of them, the filter used within this (first accessed) one, is also used for all the others, without respecting the different filters in different conditionals.

$HTTP["host"] == "foo.host.name" {
 var.customer             = "Foo-customer"
 auth.backend.ldap.filter = "(&(uid=$)(|(gidNumber=345)(cn=" + var.customer + ")))"
 auth.require             = ( 
  "" => (
   "method"  => "basic",
   "realm"   => "Login",
   "require" => "valid-user",
  ),
 )
}

$HTTP["host"] == "bar.host.name" {
 var.customer             = "Bar-customer"
 auth.backend.ldap.filter = "(&(uid=$)(|(gidNumber=345)(cn=" + var.customer + ")))"
 auth.require             = ( 
  "" => (
   "method"  => "basic",
   "realm"   => "Login",
   "require" => "valid-user",
  ),
 )
}

If "foo.host.name" is accessed first (right after a lighty-restart), the conditional "(&(uid=$)(|(gidNumber=345)(cn=Foo-customer)))" is used for each and every vhost. If "bar.host.name" is accessed first, it's the other way around.

But it's never in the expected way, that "cn=Foo-customer" is used for "foo.host.name" and "cn=Bar-customer" for "bar.host.name", even though I define them in HTTP[host] conditionals.

[stbuehler]

Thank you very much for finally give the details i need to understand you.

You are right, it is a defect - fixed in [2280].

uspoerlein: if you have a patch for your requested enhancement (or just want a ticket for it), please open a new ticket for it.