Bug 51322

Summary: Prepend and append string to LDAP search parameter
Product: Apache httpd-2
Reporter: Steve Cross <hairlesshobo>
Component: mod_auth_ldap
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED LATER
Severity: enhancement
Keywords: MassUpdate, PatchAvailable
Priority: P2
Version: 2.2.17
Target Milestone: ---
Hardware: All
OS: All
Attachments: Patch to mod_authnz_ldap that allows a string to be appended and prepended to the search parameter

Description Steve Cross 2011-06-04 23:06:04 UTC
While trying to set up my Apache web server for LDAP authentication against an OpenLDAP database, I discovered that there is a lack of required syntax for my needs. Most all LDAP-aware applications have some method of specifying additional characters to be added before or after the search parameter. Take my setup, for instance (obviously replacing example.org with the real domain, which I am not going to specify here).

Since I am running multiple virtual email domains from one server, I needed a method of separating the accounts for one domain from the others. I have the users of my directory set up as such:

dn: ou=People,dc=example,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

dn: cn=example.org_johndoe,ou=People,dc=example,dc=org
cn: example.org_johndoe
objectclass: inetOrgPerson
objectclass: top
sn: doe

dn: cn=example.org_janedoe,ou=People,dc=example,dc=org
cn: example.org_janedoe
objectclass: inetOrgPerson
objectclass: top
sn: doe

When attempting to search by cn, which is the root DN, the user would have to type in the full account name. This is a problem because whenever an account name is set up, the first portion of the name is not exposed to the end user, because it is expected that the application that is talking with the LDAP database will know how to handle it automatically. With the way that mod_authnz_ldap is set up, there is a limitation that does not allow this to work.
Comment 1 Steve Cross 2011-06-04 23:12:30 UTC
I have created a patch that adds the following two options to the mod_authnz_ldap configuration:

AuthLDAPAttrPrependString
AuthLDAPAttrAppendString

These two configuration parameters allow you to specify a string that must be added before and after the LDAP value that is being searched for. Using the example structure in the post above, if someone were to log in with the username "johndoe", then it would be searching the LDAP database for that exact cn. Now configure the module with the following line:

AuthLDAPAttrPrependString "example.org_"

When configured this way and someone logs in with the username "johndoe", the LDAP database is searched for "example.org_johndoe" instead. I have attached the patch which was originally written for 2.2.16 but has been tested against the latest stable 2.2.19 version.

Steve Cross
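To make concrete what the proposed directives do, here is an added Python example (not code from the attached patch or from mod_authnz_ldap) that composes the LDAP search filter from the attribute name, the user-supplied login name, and the prepend/append strings. Because the login name is user input being spliced into a filter, the example also applies RFC 4515 filter escaping to it before concatenation, so a username like "*" matches only a literal asterisk rather than acting as a wildcard. The function and parameter names (escape_filter_value, build_search_filter, prepend, append, extra_filter) are assumed for illustration; the prepend/append values are treated as trusted server configuration and are not escaped.

```python
"""Compose an LDAP search filter with a configured prefix and suffix around
the user-supplied value, the way AuthLDAPAttrPrependString and
AuthLDAPAttrAppendString are proposed to work.

Added example; not the attached patch and not mod_authnz_ldap's own code.
"""

# RFC 4515 section 3: these characters must be escaped inside a filter
# assertion value as a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is safe to embed in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(attribute: str, username: str,
                        prepend: str = "", append: str = "",
                        extra_filter: str = "(objectclass=*)") -> str:
    """Return the search filter sent to the directory for one login attempt.

    `prepend` and `append` come from the server configuration and are trusted
    (assumed here); only `username` is user input, so only it is escaped.
    The attribute match is ANDed with `extra_filter`, mirroring how the filter
    component of AuthLDAPURL is combined with the attribute lookup.
    """
    value = prepend + escape_filter_value(username) + append
    return f"(&{extra_filter}({attribute}={value}))"


if __name__ == "__main__":
    # Constructed sample logins: the normal case from the report and a
    # hostile one that tries to turn the filter into a wildcard match.
    for login in ("johndoe", "*", "x)(cn=*"):
        print(login, "->", build_search_filter("cn", login,
                                               prepend="example.org_"))
```

Run as a script, the first line prints the filter the report asks for, `(&(objectclass=*)(cn=example.org_johndoe))`; the other two show the metacharacters neutralised as `\2a`, `\28` and `\29`, which is the behaviour any implementation of these directives needs to preserve.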
Comment 2 Steve Cross 2011-06-04 23:13:39 UTC
Created attachment 27112
Patch to mod_authnz_ldap that allows a string to be appended and prepended to the search parameter

Standard unified diff format.
Comment 3 William A. Rowe Jr. 2018-11-07 21:08:16 UTC
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.