Bug 64472 - mod_auth_digest module's AuthDigestProvider directive does not set 'ldap' as provider to authenticate users from LDAP
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_auth_digest
Version: 2.4.43
Hardware: All
OS: All
Importance: P1 blocker
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
Reported: 2020-05-27 06:43 UTC by Rohit Gaikwad
Modified: 2023-08-27 20:25 UTC

Attachments
SPAM (23 bytes, text/html)
2020-12-29 22:42 UTC, Dolls France
Simple code (509 bytes, text/plain)
2023-08-24 22:28 UTC, Ruslan Semchenko

Description Rohit Gaikwad 2020-05-27 06:43:50 UTC
1) AuthnProviderAlias supports AuthBasicProvider of the mod_auth_basic module for authentication with "ldap".
Reference: https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html

Whereas AuthnProviderAlias does not support AuthDigestProvider of the mod_auth_digest module for authentication with "ldap".

The below configuration does not work with AuthDigestProvider for "ldap":

# Basic Authentication provider

<AuthnProviderAlias ldap MyEnterpriseLdap>
  AuthLDAPURL "ldap://machine1.abcd.com:389/CN=Users,DC=abcd,DC=com?sAMAccountName?sub?(objectClass=*)"
  AuthLDAPBindDN "CN=rohit,CN=Users,DC=abcd,DC=com"
  AuthLDAPBindPassword "abc123"
  LDAPReferrals Off
</AuthnProviderAlias>

# Authenticated resources
<LocationMatch ^/+WebApp/+(;.*)?>
  AuthName "WebApp"
  AuthType Basic
  AuthBasicProvider MyEnterpriseLdap 
  Require valid-user
</LocationMatch>

2) Moreover, are there any plans to implement "auth-int" for the AuthDigestQop directive? https://httpd.apache.org/docs/2.4/mod/mod_auth_digest.html#page-header

3) There will be a blocking issue in the second half of calendar year 2020, when Microsoft addresses CVE-2017-8563 (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563), a set of unsafe default configurations for LDAP channel binding and LDAP signing which exist on Active Directory domain controllers and let LDAP clients communicate with them without enforcing LDAP channel binding and LDAP signing.

Thus the LDAP simple binds now need to be converted into SASL (like DIGEST-MD5), and support for signing needs to be added through qop "auth-int".

Can someone please have a look into the issue? This will cause all LDAP applications which use AuthType "Basic" to move to port 636 and switch to SSL/TLS.
However, when SASL (DIGEST-MD5) with signing (auth-int) is used, LDAP clients that do enable or support signing can connect over port 389.


Thanks,
       --Rohit
Comment 1 Dolls France 2020-12-29 22:39:54 UTC
Comment 2 Dolls France 2020-12-29 22:42:44 UTC
Created attachment 37668 [details]
SPAM
Comment 3 Ruslan Semchenko 2023-08-24 22:28:25 UTC
Created attachment 38920 [details]
Simple code

This example uses the AuthType directive with the Digest parameter to specify the use of Digest authentication. The AuthLDAPURL directive defines the URL of the LDAP server for authentication. Replace the `ldap://ldap.example.com/dc=example,dc=com`, `cn=admin,dc=example,dc=com`, and `adminpassword` values with the appropriate values for your LDAP server.

Make sure the mod_authnz_ldap module is installed and enabled on your server and restart the web server to apply the configuration changes.

mod_auth_digest's AuthDigestProvider directive does not support "ldap" as an authentication provider for LDAP users. This directive is only intended for use with databases such as htdigest or DBM files.

If you need to use Digest authentication with LDAP users, you should use the mod_authnz_ldap module instead of mod_auth_digest. The mod_authnz_ldap module provides support for authentication using an LDAP server.
Comment 4 Eric Covener 2023-08-27 20:25:56 UTC
(In reply to Ruslan Semchenko from comment #3)
> Created attachment 38920 [details]
> Simple code
> 
> This example uses the AuthType directive with the Digest parameter to
> specify the use of Digest authentication. The AuthLDAPURL directive defines
> the URL of the LDAP server for authentication. Replace the
> `ldap://ldap.example.com/dc=example,dc=com`, `cn=admin,dc=example,dc=com`,
> and `adminpassword` values with the appropriate values for your LDAP
> server.
> 
> Make sure the mod_authnz_ldap module is installed and enabled on your server
> and restart the web server to apply the configuration changes.
> mod_auth_digest's AuthDigestProvider directive does not support "ldap" as an
> authentication provider for LDAP users. This directive is only intended for
> use with databases such as htdigest or DBM files.
> 
> If you need to use Digest authentication with LDAP users, you should use the
> mod_authnz_ldap module instead of mod_auth_digest. The mod_authnz_ldap
> module provides support for authentication using an LDAP server.


This attachment doesn't use LDAP for digest auth and returns an error because the non-ldap config is incomplete. If you modify it to actually use 'AuthDigestProvider ldap' it returns another error because LDAP and digest don't work together.
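As an added illustration, not from the bug report or httpd's source, of the two points the thread ends on: why mod_auth_digest needs a per-realm password hash H(A1) that an LDAP bind cannot hand over (Eric's remark above), and what qop="auth-int" from item 2 of the description adds over qop="auth". The user, realm, password, nonce and request body are constructed for this example.

```python
import hashlib


def md5hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def realm_hash(user: str, realm: str, password: str) -> str:
    # H(A1) = MD5(user:realm:password): the per-user secret an htdigest or DBM
    # provider stores. An LDAP simple bind only answers "is this password
    # right?", so it cannot supply this value to mod_auth_digest.
    return md5hex(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str,
                    cnonce: str, qop: str, body: bytes = b"") -> str:
    # A2 covers method and URI; with qop=auth-int it also covers
    # H(entity-body), which is the integrity protection asked about in item 2.
    if qop == "auth-int":
        a2 = f"{method}:{uri}:{hashlib.md5(body).hexdigest()}"
    else:
        a2 = f"{method}:{uri}"
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{md5hex(a2)}")


def server_verify(stored_ha1: str, hdr: dict, method: str, body: bytes) -> bool:
    # The server never receives the password; it recomputes the response from
    # the stored H(A1) and compares. Without H(A1) there is nothing to compare.
    expected = digest_response(stored_ha1, method, hdr["uri"], hdr["nonce"],
                               hdr["nc"], hdr["cnonce"], hdr["qop"], body)
    return expected == hdr["response"]


def demo(qop: str, tampered: bool) -> bool:
    # Constructed exchange (values made up for this example): the client signs
    # a POST; `tampered` simulates the body being altered in transit.
    user, realm, password = "rohit", "WebApp", "abc123"
    hdr = {"uri": "/WebApp/", "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
           "nc": "00000001", "cnonce": "0a4f113b", "qop": qop}
    body = b'{"action":"transfer","amount":10}'
    hdr["response"] = digest_response(realm_hash(user, realm, password), "POST",
                                      hdr["uri"], hdr["nonce"], hdr["nc"],
                                      hdr["cnonce"], qop, body)
    seen = body.replace(b"10", b"10000") if tampered else body
    # Server side holds only the realm hash, never the cleartext password.
    return server_verify(realm_hash(user, realm, password), hdr, "POST", seen)
```

With qop="auth" the altered body still verifies, because A2 does not cover it; with qop="auth-int" the same alteration makes verification fail.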