Bug 38789

Summary: Existing User, wrong password generates internal error
Product: Apache httpd-2
Reporter: Mika Borner <mika.borner>
Component: mod_authz_ldap
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED WONTFIX
Severity: normal
CC: jpetrakis
Priority: P2
Version: 2.2.9
Target Milestone: ---
Hardware: Sun
OS: Solaris

Description Mika Borner 2006-02-27 08:31:20 UTC
When authenticating with an existing user against LDAP, supplying a wrong 
password, an internal server error is generated immediately.

If the user does not exist, the user is challenged again (correct behaviour).
If the user exists and the supplied password is correct, the user will be 
authenticated, and authorized (correct behaviour).

The LDAP Server is Novell NDS

Comment 1 John P. Petrakis 2006-03-05 02:17:06 UTC
Also happens on httpd built on Win32 authenticating against OpenLDAP using patch
from bug 37814

Comment 2 Brad Nicholes 2006-03-06 16:52:46 UTC
I don't have a Solaris box to test with, but given the description of the 
problem, everything works as expected on Suse Linux 10 against a Novell NDS 
ldap server.  Can you provide more information such as your auth_ldap 
configuration and any error messages in the error_log with LogLevel set to 
DEBUG.

Comment 3 Mika Borner 2006-03-15 12:06:27 UTC
(In reply to comment #2)
> I don't have a Solaris box to test with, but given the description of the 
> problem, everything works as expected on Suse Linux 10 against a Novell NDS 
> ldap server.  Can you provide more information such as your auth_ldap 
> configuration and any error messages in the error_log with LogLevel set to 
> DEBUG.

Here it comes. Debug does not show anything interesting:

[Wed Mar 15 12:55:32 2006] [info] Initial (No.1) HTTPS request received for 
child 5 (server host.domain:443)
[Wed Mar 15 12:55:32 2006] [debug] mod_authnz_ldap.c(373): [client 169.xx.xx.x] 
[20006] auth_ldap authenticate: using URL ldap://nds-ldap1.domain:389/
o=Organisation?uid, referer: https://host.domain/menu.html
[Wed Mar 15 12:55:35 2006] [warn] [client 169.xx.xx.xx] [20006] auth_ldap 
authenticate: user username authentication failed; URI /PATH/ 
[ldap_simple_bind_s() to check user credentials failed][Invalid credentials], 
referer: https://host.domain/menu.html
[Wed Mar 15 12:55:35 2006] [info] [client 169.xx.xx.xx] Connection closed to 
child 5 with unclean shutdown (server host.domain:443)

Directive:

<Location /PATH>
        AuthType Basic
        AuthName "host.domain"
        AuthBasicProvider ldap
        AuthLDAPURL ldap://nds-ldap1.domain:389/o=Organisation?uid
        require ldap-attribute ou=4314
        Options Indexes
        IndexOptions FancyIndexing
        IndexStyleSheet "/css/font.css"
        Order allow,deny
        Allow from all
</Location>
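
For triaging reports like this one, the auth_ldap failure entries can be pulled out of a wrapped error_log paste and compared with the status the client actually received. This is an added example, not part of the bug report or of httpd; the function names are hypothetical and the sample is constructed from the log lines in comment 3.

```python
import re

# Constructed sample: two entries from comment 3, wrapped as they were pasted.
SAMPLE = """\
[Wed Mar 15 12:55:32 2006] [debug] mod_authnz_ldap.c(373): [client 169.xx.xx.x]
[20006] auth_ldap authenticate: using URL ldap://nds-ldap1.domain:389/
o=Organisation?uid, referer: https://host.domain/menu.html
[Wed Mar 15 12:55:35 2006] [warn] [client 169.xx.xx.xx] [20006] auth_ldap
authenticate: user username authentication failed; URI /PATH/
[ldap_simple_bind_s() to check user credentials failed][Invalid credentials],
referer: https://host.domain/menu.html
"""

# A real entry starts with "[Day Mon dd hh:mm:ss yyyy] [level]"; continuation
# lines such as "[20006] auth_ldap" also start with "[" but lack the timestamp.
ENTRY_START = re.compile(r"\[(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\] \[(\w+)\]")
FAIL = re.compile(
    r"\[client (?P<client>[^\]]+)\].*?auth_ldap authenticate: user (?P<user>.+?) "
    r"authentication failed; URI (?P<uri>\S+) "
    r"\[(?P<step>[^\]]*)\]\[(?P<reason>[^\]]*)\]")

def entries(text):
    """Re-join wrapped lines into one string per log entry."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY_START.match(line):
            out.append(line)
        elif out:  # continuation; a space is inserted, so tokens cut mid-word stay cut
            out[-1] += " " + line
    return out

def ldap_failures(text):
    """Return one dict per auth_ldap authentication failure in the paste."""
    found = []
    for entry in entries(text):
        m = FAIL.search(entry)
        if m:
            rec = m.groupdict()
            rec["time"] = ENTRY_START.match(entry).group(1)
            # Per the report, a wrong password should lead to a new challenge,
            # so these are the entries to check against the returned status.
            rec["wrong_password"] = rec["reason"] == "Invalid credentials"
            found.append(rec)
    return found
```

Each returned record gives the time, client, user and URI to look up in the access log, where the status for that request shows whether the server challenged again or returned an internal error.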

Comment 4 Brad Nicholes 2006-03-15 15:59:48 UTC
I tried to match your configuration as closely as possible, but I am still not 
seeing a problem.  Everything seems to work as expected.

Comment 5 Mick 2006-05-23 17:31:19 UTC
I am experiencing the same problem. System is Fedora Core 4; Apache HTTP Server
2.0.54; Against OpenLDAP 2.2.29

mod_authz_ldap Directive is as follows:

<Directory /some/path/ >
         Options None
         AuthType Basic
         AuthName "Authentication"
         AuthzLDAPMethod ldap
         AuthzLDAPServer ldap.example.com
         AuthzLDAPUserBase ou=People,dc=example,dc=com
         AuthzLDAPUserKey uid
         AuthzLDAPUserScope subtree
         AuthzLDAPAuthoritative off
         require valid-user
</Directory>


Comment 6 Mika Borner 2006-05-31 05:36:19 UTC
This seems to work now, as I am using httpd Version 2.2.2 with the Novell CLDAP 
SDK linked to it.

Comment 7 Nick Kew 2009-11-15 16:25:55 UTC
The OP says it works for him in the latest comment, and it's ancient.

If there's a bug now, it needs clarifying in the light of comment 6.

Comment 8 margus 2010-02-25 09:49:14 UTC
On Debian with LDAPS the problem exists, 2.2.9-10+lenny6.