Bug 1415257 - AuthLDAPBindDN might not be used for some LDAP searches causing LDAP authz failures
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: httpd
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Luboš Uhliarik
QA Contact: Branislav Náter
URL:
Whiteboard:
Depends On:
Blocks: 1420047
Reported: 2017-01-20 16:49 UTC by Hung
Modified: 2020-05-14 15:33 UTC
CC: 9 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1420047
Environment:
Last Closed: 2017-08-01 21:36:44 UTC
Target Upstream Version:
Links:
Red Hat Product Errata RHBA-2017:2175 (normal, SHIPPED_LIVE): httpd bug fix update, last updated 2017-08-01 18:40:47 UTC

Description Hung 2017-01-20 16:49:42 UTC
Description of problem:

After upgrading from httpd-2.4.6-40 to httpd-2.4.6-45, the customer noticed that Apache binds as the privileged user, looks up the auth user, binds as the auth user, and then checks group membership; it does not rebind as the privileged user before checking group membership.

<Directory "/var/www/html/test_folder">
    
        Order allow,deny
        Allow from all

        AuthType Basic
        AuthName "Ldap Test"
        AuthBasicProvider ldap
        AuthLDAPURL ldap://ldap.dev.example.com/ou=people,o=example,o=com?uid
        AuthLDAPBindDN "uid=web_auth,ou=people,o=example,o=com"
        AuthLDAPBindPassword "*********"
        Require ldap-group cn=useraccessgrp,ou=groups,o=example,o=com
</Directory>



# grep "15:18:" var/log/httpd/ssl_access_log
192.168.122.1 - - [18/Jan/2017:15:18:11 -0800] "GET /test_folder/ HTTP/1.1" 401 381 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"
192.168.122.1 - test_user [18/Jan/2017:15:18:16 -0800] "GET /test_folder/ HTTP/1.1" 401 381 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"
192.168.122.1 - - [18/Jan/2017:15:18:21 -0800] "GET /favicon.ico HTTP/1.1" 200 568 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"

# grep "15:18:" var/log/httpd/ssl_error_log  |grep auth
[Wed Jan 18 15:18:11.973374 2017] [authz_core:debug] [pid 20916] mod_authz_core.c(809): [client 192.168.122.1:52196] AH01626: authorization result of Require ldap-group cn=useraccessgrp,ou=groups,o=example,o=com: denied (no authenticated user yet)
[Wed Jan 18 15:18:11.973383 2017] [authz_core:debug] [pid 20916] mod_authz_core.c(809): [client 192.168.122.1:52196] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Jan 18 15:18:16.428074 2017] [authz_core:debug] [pid 20916] mod_authz_core.c(809): [client 192.168.122.1:52196] AH01626: authorization result of Require ldap-group cn=useraccessgrp,ou=groups,o=example,o=com: denied (no authenticated user yet)
[Wed Jan 18 15:18:16.428082 2017] [authz_core:debug] [pid 20916] mod_authz_core.c(809): [client 192.168.122.1:52196] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Jan 18 15:18:16.428200 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(501): [client 192.168.122.1:52196] AH01691: auth_ldap authenticate: using URL ldaps://ldaps1.dev.example.com/ou=people,o=example,o=com?uid
[Wed Jan 18 15:18:16.530868 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(593): [client 192.168.122.1:52196] AH01697: auth_ldap authenticate: accepting test_user
[Wed Jan 18 15:18:16.530940 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(871): [client 192.168.122.1:52196] AH01713: auth_ldap authorize: require group: testing for group membership in "cn=useraccessgrp,ou=groups,o=example,o=com"
[Wed Jan 18 15:18:16.530950 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(879): [client 192.168.122.1:52196] AH01714: auth_ldap authorize: require group: testing for member: uid=test_user,ou=people,o=example,o=com (cn=useraccessgrp,ou=groups,o=example,o=com)
[Wed Jan 18 15:18:16.531960 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(898): [client 192.168.122.1:52196] AH01719: auth_ldap authorize: require group "cn=useraccessgrp,ou=groups,o=example,o=com": didn't match with attr Comparison complete [member][32 - No such object]
[Wed Jan 18 15:18:16.531973 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(879): [client 192.168.122.1:52196] AH01714: auth_ldap authorize: require group: testing for uniqueMember: uid=test_user,ou=people,o=example,o=com (cn=useraccessgrp,ou=groups,o=example,o=com)
[Wed Jan 18 15:18:16.532628 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(898): [client 192.168.122.1:52196] AH01719: auth_ldap authorize: require group "cn=useraccessgrp,ou=groups,o=example,o=com": didn't match with attr Comparison complete [uniqueMember][32 - No such object]
[Wed Jan 18 15:18:16.532646 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(915): [client 192.168.122.1:52196] AH01716: auth_ldap authorise: require group "cn=useraccessgrp,ou=groups,o=example,o=com": failed [Comparison complete][32 - No such object], checking sub-groups
[Wed Jan 18 15:18:16.534008 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(938): [client 192.168.122.1:52196] AH01718: auth_ldap authorise: require group (sub-group) "cn=useraccessgrp,ou=groups,o=example,o=com": didn't match with attr DN failed group verification. [member][32 - No such object]
[Wed Jan 18 15:18:16.534026 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(915): [client 192.168.122.1:52196] AH01716: auth_ldap authorise: require group "cn=useraccessgrp,ou=groups,o=example,o=com": failed [DN failed group verification.][32 - No such object], checking sub-groups
[Wed Jan 18 15:18:16.535247 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(938): [client 192.168.122.1:52196] AH01718: auth_ldap authorise: require group (sub-group) "cn=useraccessgrp,ou=groups,o=example,o=com": didn't match with attr DN failed group verification. [uniqueMember][32 - No such object]
[Wed Jan 18 15:18:16.535259 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(945): [client 192.168.122.1:52196] AH01720: auth_ldap authorize group: authorization denied for user test_user to /test_folder/
[Wed Jan 18 15:18:16.535266 2017] [authz_core:debug] [pid 20916] mod_authz_core.c(809): [client 192.168.122.1:52196] AH01626: authorization result of Require ldap-group cn=useraccessgrp,ou=groups,o=example,o=com: denied
[Wed Jan 18 15:18:16.535272 2017] [authz_core:debug] [pid 20916] mod_authz_core.c(809): [client 192.168.122.1:52196] AH01626: authorization result of <RequireAny>: denied
[Wed Jan 18 15:18:16.535278 2017] [authz_core:error] [pid 20916] [client 192.168.122.1:52196] AH01631: user test_user: authorization failure for "/test_folder/": 
[Wed Jan 18 15:18:21.923278 2017] [authz_core:debug] [pid 20917] mod_authz_core.c(809): [client 192.168.122.1:52198] AH01626: authorization result of Require all granted: granted
[Wed Jan 18 15:18:21.923289 2017] [authz_core:debug] [pid 20917] mod_authz_core.c(809): [client 192.168.122.1:52198] AH01626: authorization result of <RequireAny>: granted



Version-Release number of selected component (if applicable):

httpd-2.4.6-45.el7.x86_64
mod_ldap-2.4.6-45.el7.x86_64


How reproducible:

Unsure

Additional info:

Looks like there was an upstream patch that will need to be backported:

  http://svn.apache.org/viewvc?view=revision&revision=1613682
  http://svn.apache.org/viewvc?view=revision&revision=1613684
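
The denial pattern in the ssl_error_log excerpt above, as an added example that is not part of the bug report or of httpd: a small detector that walks error_log lines per client connection and flags requests where mod_authnz_ldap accepted the user but every group compare came back as LDAP result 32, the signature of a compare executed under a bind identity that cannot see the group entry (the behaviour reported here) or, equally, of a mistyped Require ldap-group DN. The sample log is constructed from the lines above plus one invented connection for a genuine non-member, so the second case is not flagged.

```python
import re
from collections import defaultdict

# Constructed sample log: the first connection mirrors the report's excerpt
# (user accepted, both group compares return 32); the second is a made-up
# genuine non-member, whose compare returns 5 (Compare False).
SAMPLE_LOG = """\
[Wed Jan 18 15:18:16.530868 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(593): [client 192.168.122.1:52196] AH01697: auth_ldap authenticate: accepting test_user
[Wed Jan 18 15:18:16.531960 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(898): [client 192.168.122.1:52196] AH01719: auth_ldap authorize: require group "cn=useraccessgrp,ou=groups,o=example,o=com": didn't match with attr Comparison complete [member][32 - No such object]
[Wed Jan 18 15:18:16.532628 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(898): [client 192.168.122.1:52196] AH01719: auth_ldap authorize: require group "cn=useraccessgrp,ou=groups,o=example,o=com": didn't match with attr Comparison complete [uniqueMember][32 - No such object]
[Wed Jan 18 15:18:16.535259 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(945): [client 192.168.122.1:52196] AH01720: auth_ldap authorize group: authorization denied for user test_user to /test_folder/
[Wed Jan 18 15:19:02.100000 2017] [authnz_ldap:debug] [pid 20917] mod_authnz_ldap.c(593): [client 192.168.122.1:52200] AH01697: auth_ldap authenticate: accepting other_user
[Wed Jan 18 15:19:02.101000 2017] [authnz_ldap:debug] [pid 20917] mod_authnz_ldap.c(898): [client 192.168.122.1:52200] AH01719: auth_ldap authorize: require group "cn=useraccessgrp,ou=groups,o=example,o=com": didn't match with attr Comparison complete [member][5 - Compare False]
[Wed Jan 18 15:19:02.102000 2017] [authnz_ldap:debug] [pid 20917] mod_authnz_ldap.c(945): [client 192.168.122.1:52200] AH01720: auth_ldap authorize group: authorization denied for user other_user to /test_folder/
"""

LINE_RE = re.compile(r"\[client (?P<client>[^\]]+)\] (?P<code>AH\d+): (?P<msg>.*)$")
USER_RE = re.compile(r"accepting (?P<user>\S+)$")
GROUP_RE = re.compile(r'require group "(?P<group>[^"]+)".*\[(?P<attr>\w+)\]\[(?P<rc>\d+) - ')
DENY_RE = re.compile(r"authorization denied for user (?P<user>\S+) to (?P<uri>\S+)$")
LDAP_NO_SUCH_OBJECT = 32  # the result code every compare returned in the report

def find_suspect_authz_failures(log_text):
    """Per client connection: user accepted (AH01697), then denied (AH01720) with
    every group compare (AH01719) ending in result 32. The identity doing the
    compare could not see the group at all: wrong bind (this bug) or wrong DN."""
    per_client = defaultdict(lambda: {"user": None, "compares": [], "uri": None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        state, code, msg = per_client[m["client"]], m["code"], m["msg"]
        if code == "AH01697" and (u := USER_RE.search(msg)):
            state["user"] = u["user"]
        elif code == "AH01719" and (g := GROUP_RE.search(msg)):
            state["compares"].append((g["group"], g["attr"], int(g["rc"])))
        elif code == "AH01720" and (d := DENY_RE.search(msg)):
            state["uri"] = d["uri"]
    findings = []
    for client, st in per_client.items():
        codes = [rc for _, _, rc in st["compares"]]
        if st["user"] and st["uri"] and codes and all(rc == LDAP_NO_SUCH_OBJECT for rc in codes):
            findings.append({"client": client, "user": st["user"], "uri": st["uri"],
                             "groups": sorted({g for g, _, _ in st["compares"]}),
                             "attrs": [a for _, a, _ in st["compares"]]})
    return findings
```

A finding means the configured group DN should be verified with an independent search as the AuthLDAPBindDN identity; if the entry exists there, the compare in httpd ran under the wrong bind.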

Comment 8 errata-xmlrpc 2017-08-01 21:36:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2175

Comment 9 Serge Kravchenko 2017-11-15 14:42:20 UTC
This fix has broken anonymous bind, which is quite possible when using ldaps.
Prior to this fix, AuthLDAPBindDN and AuthLDAPBindPassword were not required.

Comment 10 Joe Orton 2017-11-17 14:21:57 UTC
Serge, can you please file a bug and open a support ticket so we can look at that in more detail?
