Bug 50257 - mod_authnz_ldap always returning WWW-Authenticate header, even when authentication succeeds
Status: RESOLVED DUPLICATE of bug 40721
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_authz_ldap
Version: 2.2.16
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2010-11-11 15:25 UTC by Nathan Neulinger
Modified: 2010-12-04 08:17 UTC
Description Nathan Neulinger 2010-11-11 15:25:21 UTC
Moved from using mod_auth_krb to mod_authnz_ldap, and noticing a problem.

With previous setup, a successful authentication + failed authorization results in a 401 w/o the WWW-Authenticate header.

With mod_authnz_ldap, it always returns the WWW-Authenticate header, even if authentication was successful.

This changes user behaviour significantly in the case of a page they are not supposed to have access to, even though they have correctly entered their userid+pw.

I have not been able to find any combination of authoritative config options to get this to work as expected. Is this an expected limitation of mod_authnz_ldap, or am I just missing something in my configuration?

---------
[Thu Nov 11 14:00:01 2010] [debug] mod_authnz_ldap.c(379): [client 131.151.49.1] [28790] auth_ldap authenticate: using URL ldap://mst-gc.mst.edu:3268/dc=edu?sAMAccountName?sub?(objectClass=*)
[Thu Nov 11 14:00:01 2010] [debug] mod_authnz_ldap.c(484): [client 131.151.49.1] [28790] auth_ldap authenticate: accepting nneul
[Thu Nov 11 14:00:01 2010] [debug] mod_authnz_ldap.c(665): [client 131.151.49.1] [28790] auth_ldap authorise: require user: authorisation failed [Comparison false (cached)][Compare False]
[Thu Nov 11 14:00:01 2010] [debug] mod_authnz_ldap.c(685): [client 131.151.49.1] [28790] auth_ldap authorise: require user: authorisation failed [Comparison false (cached)][Compare False]
[Thu Nov 11 14:00:01 2010] [debug] mod_authnz_ldap.c(874): [client 131.151.49.1] [28790] auth_ldap authorise: authorisation denied
----------
Comment 1 Eric Covener 2010-11-11 17:44:50 UTC
This is really a comparison between mod_auth_krb and any in-tree authorization provider, right?

RFC2616 says a 401 must include www-authenticate, and that a 401 means authorization was denied.
Comment 2 Nathan Neulinger 2010-11-11 18:01:04 UTC
Interesting, I think you may be right there. It's been a while since I used other auth modules - I'm just used to the mod_auth_krb behavior where it doesn't continually reprompt for user+pw for an authorization failure.

Is there any way to get that similar behavior - where an authorization failure (as opposed to authentication failure) doesn't result in another password prompt with the basic auth facility?
Comment 3 Eric Covener 2010-12-04 07:55:21 UTC
I don't think this is something that can be made optional.
Comment 4 Stefan Fritsch 2010-12-04 08:17:00 UTC
(In reply to comment #3)
> I don't think this is something that can be made optional

True for 2.2. But mod_authz_core in trunk has all necessary information to make the behaviour configurable.

*** This bug has been marked as a duplicate of bug 40721 ***
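To make the authentication-versus-authorisation distinction the thread turns on concrete, here is an added Python illustration (not httpd code, and not from anyone on this bug): a minimal Basic-auth handler that produces the three outcomes discussed, with a flag standing in for the configurable behaviour Comment 4 anticipates (httpd 2.4 later exposed this as mod_authz_core's AuthzSendForbiddenOnFailure). The users, passwords and allow-list are constructed for the example.

```python
import base64
import hmac
from typing import Optional

# Constructed stand-ins for the LDAP directory and the Require rules.
USERS = {"nneul": "correct horse", "alice": "s3cret"}
ALLOWED = {"alice"}  # only alice is authorised for the protected location
REALM = "Example LDAP realm"
CHALLENGE = {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def authenticate(authorization: Optional[str]) -> Optional[str]:
    """Check a Basic Authorization header; return the user id on success, else None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed credentials count as not authenticated
    user, _, password = raw.partition(":")
    expected = USERS.get(user)
    if expected is not None and hmac.compare_digest(expected, password):
        return user
    return None


def authorise(user: str) -> bool:
    """The 'Require' step: is this authenticated user allowed here?"""
    return user in ALLOWED


def handle(authorization: Optional[str], forbidden_on_authz_failure: bool = False):
    """Return (status, headers) for the protected resource.

    Authentication failure always yields 401 plus a challenge (RFC 2616).
    Authorisation failure yields 401 plus a challenge too, which is the
    re-prompting behaviour reported above, unless the flag asks for 403.
    """
    user = authenticate(authorization)
    if user is None:
        return 401, dict(CHALLENGE)
    if authorise(user):
        return 200, {}
    if forbidden_on_authz_failure:
        return 403, {}  # known user, not permitted: no new password prompt
    return 401, dict(CHALLENGE)  # httpd 2.2 behaviour described in the report


def basic(user: str, password: str) -> str:
    """Build a Basic Authorization header value for testing."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

The browser re-prompt the reporter describes is triggered purely by the WWW-Authenticate header on the 401, which is why switching the authorisation failure to 403 stops it without changing what the user is allowed to see.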