Bug 48340 - Binding with user-supplied credentials
Summary: Binding with user-supplied credentials
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_authz_ldap (show other bugs)
Version: 2.2.14
Hardware: All All
: P2 enhancement (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk, PatchAvailable
Depends on:
Blocks:
 
Reported: 2009-12-04 08:17 UTC by drotiro
Modified: 2012-02-26 17:00 UTC (History)
1 user (show)



Attachments
the proposed patch (2.83 KB, patch)
2009-12-04 08:17 UTC, drotiro
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description drotiro 2009-12-04 08:17:48 UTC
Created attachment 24671 [details]
the proposed patch

I'm proposing a patch to use the username and password entered by the user in the compare phase.
It does something similar to #43792, but differently:
 - it uses the dn retreived from server, instead of appending a suffix to username
 - it saves the password in authn_ldap_request_t, as long as needed then wipes it

It adds a new configuration flag: AuthLDAPBindAsUser
The flag defaults to off, when set to 'on' enable the bind as user behaviour


The patch is against 2.2.14.
Comment 1 Eric Covener 2009-12-04 11:50:00 UTC
Out of curiousity, what do your basic auth usernames look like and what LDAP backends do they authenticate with? I think some kind of munging is necessary in the common case to be able to have something you can bind with.
Comment 2 drotiro 2009-12-07 01:05:44 UTC
We use uid as usernames for the authentication (search phase).
Then I use the user dn fetched this way - and not the username - for authorization (compare phase).

This is very similar to setting the directive 'AuthLDAPBindDN', but dinamically, so no munging is necessary.

Btw, we use lotus notes' ldap.



(In reply to comment #1)
Comment 3 Issac Goldstand 2009-12-08 05:17:16 UTC
(In reply to comment #0)
> Created an attachment (id=24671) [details]
> the proposed patch
> I'm proposing a patch to use the username and password entered by the user in
> the compare phase.
> It does something similar to #43792, but differently:
>  - it uses the dn retreived from server, instead of appending a suffix to
> username
>  - it saves the password in authn_ldap_request_t, as long as needed then wipes
> it
> It adds a new configuration flag: AuthLDAPBindAsUser
> The flag defaults to off, when set to 'on' enable the bind as user behaviour
> The patch is against 2.2.14.

I'm wondering what we're accomplishing by doing the authorization with the bound user?  We're already using the config-supplied DN and password to bind during the authentication phase, and your patch still requires authentication to be provided by mod_authnz_ldap (to cache the password for the authorization bind), so what are we gaining by binding as the user only in the latter phase?

It's a bit confusing as at first read, I'd assumed that you were talking about the authentication bind, which would have made more sense, albeit would need to be documented as being as potentially dangerous as HTTP basic auth over the network (although this refers to the backend network), unless a secure connection to the LDAP server was used.
Comment 4 Eric Covener 2009-12-08 05:34:19 UTC
> I'm wondering what we're accomplishing by doing the authorization with the
> bound user?  We're already using the config-supplied DN and password to bind
> during the authentication phase, and your patch still requires authentication
> to be provided by mod_authnz_ldap (to cache the password for the authorization
> bind), so what are we gaining by binding as the user only in the latter phase?
> 

Reporter has an LDAP server that allows anonymous searches but does not allow anonymous compares [rather it's configured that way].  So he leaves off the bind dn/password to retrieve the DN, but can't do certain types of authz anonymously.

If I commit the patch, I will make the directive sound less general and put some time into the doc.
Comment 5 Issac Goldstand 2009-12-09 10:43:16 UTC
(In reply to comment #4)
> Reporter has an LDAP server that allows anonymous searches but does not allow
> anonymous compares [rather it's configured that way].  So he leaves off the
> bind dn/password to retrieve the DN, but can't do certain types of authz
> anonymously.
> 
> If I commit the patch, I will make the directive sound less general and put
> some time into the doc.

If there's a use-case, I'm +1
Comment 6 Eric Covener 2010-06-01 17:19:38 UTC
committed a variant of your patch to trunk in r950248.
Comment 7 Stefan Fritsch 2012-02-26 17:00:52 UTC
fixed in 2.4.1