View Issue Details

IDProjectCategoryView StatusLast Update
0005763CentOS-6httpdpublic2012-06-05 05:52
Reporterjbowman 
PrioritynormalSeveritymajorReproducibilityalways
Status newResolutionopen 
Product Version6.2 
Target VersionFixed in Version 
Summary0005763: httpd 2.2 connectivity bug in authnz_ldap
Descriptionhttpd 2.2 mod_authnz_ldap does not allow connection to untrusted servers even when given certificates validating their identity, and even when LDAPVerifyServerCert Off is used in the config files. This only seems to be happening in very recent 2.2 installs, older ones ignored the server certificate entirely. This only occurs with ldap over SSL (ldaps). This may be the fault of OpenLDAP, mod_ldap, or mod_authnz_ldap, I have no idea.
Steps To ReproduceSet up a Windows AD server with secure LDAP, set up as dc.example.com in this example. Set up a valid username and password to access LDAP, and a username to use for the http authentication. Do NOT give it a public SSL cert, but let it use its own pre-generated one.

Install httpd on a fresh install of CentOS (or install with web server role) and add an index.html in /var/www/html.

On CentOS, set up the following directory in httpd (I have this inside of a vhost, not sure if that makes a difference):

    <Directory "/var/www/html">
       AllowOverride None
       Order allow,deny
       Allow from all
       AuthName "Access"
       AuthType Basic
       AuthzLDAPAuthoritative off
       AuthBasicProvider ldap
       AuthUserFile /dev/null
       AuthLDAPURL "ldaps://dc.example.com:3269/dc=example,dc=com?sAMAccountName?sub?(objectClass=*)" SSL
       AuthLDAPBindDN "CN=UserName,dc=example,dc=com"
       AuthLDAPBindPassword password
       Require ldap-attribute objectClass=user
    </Directory>

Restart httpd and load up the site in a web browser. It should ask you for your name and password. Whether you use a valid one or not, it will give a 500 error page. In the error.log you'll see the following:

[Mon Jun 04 16:22:43 2012] [info] [client 127.0.0.1] [12756] auth_ldap authenticate: user myusername authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

The config option that is supposed to prevent this behavior is:
LDAPVerifyServerCert Off
or
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/servercert.crt

Unfortunately, when either or both of the above is inserted into httpd.conf and restarted, the behavior is exactly the same as before and the error log message is exactly the same, so I can't find any way to connect to the server from httpd.
Additional InformationBecause 2.2 doesn't have any deeper logging it took a while to narrow it down to this particular problem. Plain debug logging didn't show any LDAP errors. Is there another command I can use to diagnose why it might be failing?
TagsNo tags attached.

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2012-06-05 05:52 jbowman New Issue