Bug 1533793

Summary: Use Variable with mod_authnz_ldap
Product: Red Hat Enterprise Linux 7
Reporter: Arthur Garnier <arthur.garnier>
Component: httpd
Assignee: Luboš Uhliarik <luhliari>
Status: CLOSED ERRATA
QA Contact: Maryna Nalbandian <mnalband>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.5
CC: bgollahe, bnater, fkrska, jhouska, jorton, luhliari, nbhumkar, rbdiri
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version: httpd-2.4.6-82.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-10-30 11:19:05 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1549616

Description Arthur Garnier 2018-01-12 09:08:31 UTC
Description of problem:
I'm trying to allow users depending on a URI match with LDAP.

My conf is like this:

<If "%{REQUEST_URI} =~ /logs_[a-z0-9]*.[A-Z0-9]{4}/">
    SetEnvIf Request_URI "/logs_[a-z0-9]*.([A-Z0-9]*)" VAR=$1
    AuthLDAPURL ldaps://ldap-${Env}.XXXXX.com:1234/DC=XXXXX,DC=com?userPrincipalName
    AuthLDAPBindDN 'CN=reader ,OU=YYYYY,OU=YYYYY,DC=XXX,DC=XXXXX,DC=com'
    AuthLDAPBindPassword *********
    <RequireAll>
        Require valid-user
        Require ldap-filter memberof:1.2.840.113556.1.4.1941:=CN=%{ENV:VAR}_unixlogs,OU=XXXXXX,OU=XXXXXXXXXXXX,DC=XXXXX,DC=com
    </RequireAll>
</If>

But in the logs I get:

Jan 11 14:18:31 XXXXXXX httpd: XXXX|XXXXXXXXX|t="Thu Jan 11 14:18:31 2018"  rip="XXXXXXXXXXXX" ip="-" uid="XXXXXXXXXXXX" severity="authnz_ldap:debug" v="XXXXXXXXXX" msg="AH01743: auth_ldap authorize: checking filter memberof:1.2.840.113556.1.4.1941:=CN=%{ENV:VAR}_unixlogs,OU=XXXXXXXX,OU=XXXXXXX,DC=XXXXX,DC=com"


I also tried to add:
Require env ROB

And this Require returns "Granted".

Just in case, in the ldap-filter condition I tried several syntaxes (even some that make no sense):
%{VAR}, ${VAR}, $VAR, %VAR, %{VAR}e, %{ENV:VAR}


The module documentation provides a similar example with ldap-group:

AuthLDAPURL ldap://ldap.example.com/o=Example?uid
Require ldap-group cn=%{SERVER_NAME}, o=Example



Version-Release number of selected component (if applicable): httpd-2.4.6-45.el7_3.4.x86_64


How reproducible:
With an LDAP server configured it can be reproduced with an empty website and the htaccess sample above.

Steps to Reproduce:
1. Setup LDAP
2. Set variable in htaccess
3. Try to use this variable in a Require ldap-filter

Actual results:
The variable is not replaced in the logs:

Jan 11 14:18:31 XXXXXXX httpd: XXXX|XXXXXXXXX|t="Thu Jan 11 14:18:31 2018"  rip="XXXXXXXXXXXX" ip="-" uid="XXXXXXXXXXXX" severity="authnz_ldap:debug" v="XXXXXXXXXX" msg="AH01743: auth_ldap authorize: checking filter memberof:1.2.840.113556.1.4.1941:=CN=%{ENV:VAR}_unixlogs,OU=XXXXXXXX,OU=XXXXXXX,DC=XXXXX,DC=com"


Expected results:
Variable should be replaced with its value

Additional info:

Comment 3 Joe Orton 2018-02-07 17:23:41 UTC
Expressions in the ldap-* require directives are not supported in 2.4.6, per the documentation:

https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#requiredirectives

"Since v2.4.8, expressions are supported within the LDAP require directives."

We can look at backporting this for a future update to the package.
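
For anyone landing on this bug with the same goal, the following is an added example configuration, not the reporter's configuration and not Red Hat's QA test. It expresses the reporter's intent using the expression support in the LDAP Require directives that upstream 2.4.8 introduced and that httpd-2.4.6-82.el7 backports. The hostname, port, DNs, URI prefix and group naming are placeholders. The lookup is written as %{reqenv:VAR}, the ap_expr string-expression form of the reqenv() function; the report itself only shows the %{ENV:VAR} spelling, so treat the exact spelling as an assumption to verify against the ap_expr documentation for your build. The security point is the regex: since the evaluated expression is spliced into the LDAP filter string, the capture group should be a strict allow-list so that nothing request-controlled beyond four [A-Z0-9] characters can reach the filter.

```apache
# Added example, not the reporter's configuration or Red Hat's test case.
# Needs expression support in the LDAP Require directives: upstream
# httpd >= 2.4.8, or httpd-2.4.6-82.el7 and later on RHEL 7 per this bug.
# ldap.example.com, the DNs, the /logs_ prefix and the group naming are
# placeholders; the bind password is a placeholder too.

# With this level, the AH01743 debug line shows the filter as actually sent,
# so the expanded CN (not a literal %{...}) can be confirmed after the update.
LogLevel authnz_ldap:debug

<LocationMatch "^/logs_[a-z0-9]+\.[A-Z0-9]{4}(/|$)">
    AuthType Basic
    AuthName "Unix logs"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ldap.example.com:636/DC=example,DC=com?userPrincipalName"
    AuthLDAPBindDN "CN=reader,OU=ServiceAccounts,DC=example,DC=com"
    AuthLDAPBindPassword "********"

    # The capture group is the allow-list: exactly four characters from
    # [A-Z0-9] are the only request-derived bytes that can ever be spliced
    # into the LDAP filter below, so a request path cannot carry filter
    # syntax such as ")(" or "*" into the group lookup.
    SetEnvIf Request_URI "^/logs_[a-z0-9]+\.([A-Z0-9]{4})(/|$)" VAR=$1

    <RequireAll>
        Require valid-user
        # %{reqenv:VAR} reads the request environment variable set above
        # (assumed ap_expr spelling; the report used %{ENV:VAR}).
        # ldap-filter wraps the value in (&(...)(attribute=user)) itself,
        # so the filter is written without outer parentheses.
        Require ldap-filter memberof:1.2.840.113556.1.4.1941:=CN=%{reqenv:VAR}_unixlogs,OU=Groups,DC=example,DC=com
    </RequireAll>
</LocationMatch>
```

On a build without the backport (for example the httpd-2.4.6-45.el7_3.4 the reporter ran) the same configuration fails exactly as described above: the AH01743 line shows the unexpanded %{...} token in the filter and every user is denied, because no group CN literally contains that text.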

Comment 7 Arthur Garnier 2018-02-12 14:11:47 UTC
Hi,

My bad, I didn't see this mention in the documentation.
Yes, it would be great if you could backport this feature in a future update (soon if possible...).

Regards

Comment 32 Jan Houska 2018-09-18 14:32:13 UTC
VERIFIED


NEW PASS:

httpd-2.4.6-88.el7

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 15:45:56 ] :: [   LOG    ] :: Good contact -- authorised user
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0
100    42  100    42    0     0     19      0  0:00:02  0:00:02 --:--:--    19
100    42  100    42    0     0     19      0  0:00:02  0:00:02 --:--:--    19
:: [ 15:45:58 ] :: [   PASS   ] :: File 'output.good' should contain 'start-<!--#echo VAR="REMOTE_USER" -->-end' 
:: [ 15:45:58 ] :: [   LOG    ] :: Bad contact -- unauthorized user
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   477  100   477    0     0   4612      0 --:--:-- --:--:-- --:--:--  4631
:: [ 15:45:58 ] :: [   PASS   ] :: File 'output.bad' should contain '401 Unauthorized' 
:: [ 15:45:59 ] :: [   PASS   ] :: Files output.bad and output.good should differ 
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

OLD FAIL:
httpd-2.4.6-80.el7_5.1

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 15:42:26 ] :: [   LOG    ] :: Good contact -- authorised user
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0
100   477  100   477    0     0    224      0  0:00:02  0:00:02 --:--:--   224
:: [ 15:42:28 ] :: [   FAIL   ] :: File 'output.good' should contain 'start-<!--#echo VAR="REMOTE_USER" -->-end' 
:: [ 15:42:28 ] :: [   LOG    ] :: Bad contact -- unauthorized user
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   477  100   477    0     0   4357      0 --:--:-- --:--:-- --:--:--  4376
:: [ 15:42:28 ] :: [   PASS   ] :: File 'output.bad' should contain '401 Unauthorized' 
:: [ 15:42:28 ] :: [   FAIL   ] :: Files output.bad and output.good should differ 
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Comment 34 errata-xmlrpc 2018-10-30 11:19:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3211