Hide Forgot
Description of problem: After upgrading from httpd-2.4.6-40 to httpd-2.4.6-45, Customer notice that apache binds as privileged user, looks up auth user, binds as auth user, checks group membership - it does not rebind as privileged user before checking group membership <Directory "/var/www/html/test_folder"> Order allow,deny Allow from all AuthType Basic AuthName "Ldap Test" AuthBasicProvider ldap AuthLDAPURL ldap://ldap.dev.example.com/ou=people,o=example,o=com?uid AuthLDAPBindDN "uid=web_auth,ou=people,o=example,o=com" AuthLDAPBindPassword "*********" Require ldap-group cn=useraccessgrp,ou=groups,o=example,o=com </Directory> # grep "15:18:" var/log/httpd/ssl_access_log 192.168.122.1 - - [18/Jan/2017:15:18:11 -0800] "GET /test_folder/ HTTP/1.1" 401 381 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0" 192.168.122.1 - test_user [18/Jan/2017:15:18:16 -0800] "GET /test_folder/ HTTP/1.1" 401 381 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0" 192.168.122.1 - - [18/Jan/2017:15:18:21 -0800] "GET /favicon.ico HTTP/1.1" 200 568 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0" # grep "15:18:" var/log/httpd/ssl_error_log |grep auth [Wed Jan 18 15:18:11.973374 2017] [authz_core:debug] [pid 20916] mod_authz_core.c(809): [client 192.168.122.1:52196] AH01626: authorization result of Require ldap-group cn=useraccessgrp,ou=groups,o=example,o=com: denied (no authenticated user yet) [Wed Jan 18 15:18:11.973383 2017] [authz_core:debug] [pid 20916] mod_authz_core.c(809): [client 192.168.122.1:52196] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet) [Wed Jan 18 15:18:16.428074 2017] [authz_core:debug] [pid 20916] mod_authz_core.c(809): [client 192.168.122.1:52196] AH01626: authorization result of Require ldap-group cn=useraccessgrp,ou=groups,o=example,o=com: denied (no authenticated user yet) [Wed Jan 18 15:18:16.428082 2017] [authz_core:debug] [pid 20916] mod_authz_core.c(809): [client 192.168.122.1:52196] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet) [Wed Jan 18 15:18:16.428200 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(501): [client 192.168.122.1:52196] AH01691: auth_ldap authenticate: using URL ldaps://ldaps1.dev.example.com/ou=people,o=example,o=com?uid [Wed Jan 18 15:18:16.530868 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(593): [client 192.168.122.1:52196] AH01697: auth_ldap authenticate: accepting test_user [Wed Jan 18 15:18:16.530940 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(871): [client 192.168.122.1:52196] AH01713: auth_ldap authorize: require group: testing for group membership in "cn=useraccessgrp,ou=groups,o=example,o=com" [Wed Jan 18 15:18:16.530950 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(879): [client 192.168.122.1:52196] AH01714: auth_ldap authorize: require group: testing for member: uid=test_user,ou=people,o=example,o=com (cn=useraccessgrp,ou=groups,o=example,o=com) [Wed Jan 18 15:18:16.531960 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(898): [client 192.168.122.1:52196] AH01719: auth_ldap authorize: require group "cn=useraccessgrp,ou=groups,o=example,o=com": didn't match with attr Comparison complete [member][32 - No such object] [Wed Jan 18 15:18:16.531973 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(879): [client 192.168.122.1:52196] AH01714: auth_ldap authorize: require group: testing for uniqueMember: uid=test_user,ou=people,o=example,o=com (cn=useraccessgrp,ou=groups,o=example,o=com) [Wed Jan 18 15:18:16.532628 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(898): [client 192.168.122.1:52196] AH01719: auth_ldap authorize: require group "cn=useraccessgrp,ou=groups,o=example,o=com": didn't match with attr Comparison complete [uniqueMember][32 - No such object] [Wed Jan 18 15:18:16.532646 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(915): [client 192.168.122.1:52196] AH01716: auth_ldap authorise: require group "cn=useraccessgrp,ou=groups,o=example,o=com": failed [Comparison complete][32 - No such object], checking sub-groups [Wed Jan 18 15:18:16.534008 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(938): [client 192.168.122.1:52196] AH01718: auth_ldap authorise: require group (sub-group) "cn=useraccessgrp,ou=groups,o=example,o=com": didn't match with attr DN failed group verification. [member][32 - No such object] [Wed Jan 18 15:18:16.534026 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(915): [client 192.168.122.1:52196] AH01716: auth_ldap authorise: require group "cn=useraccessgrp,ou=groups,o=example,o=com": failed [DN failed group verification.][32 - No such object], checking sub-groups [Wed Jan 18 15:18:16.535247 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(938): [client 192.168.122.1:52196] AH01718: auth_ldap authorise: require group (sub-group) "cn=useraccessgrp,ou=groups,o=example,o=com": didn't match with attr DN failed group verification. [uniqueMember][32 - No such object] [Wed Jan 18 15:18:16.535259 2017] [authnz_ldap:debug] [pid 20916] mod_authnz_ldap.c(945): [client 192.168.122.1:52196] AH01720: auth_ldap authorize group: authorization denied for user test_user to /test_folder/ [Wed Jan 18 15:18:16.535266 2017] [authz_core:debug] [pid 20916] mod_authz_core.c(809): [client 192.168.122.1:52196] AH01626: authorization result of Require ldap-group cn=useraccessgrp,ou=groups,o=example,o=com: denied [Wed Jan 18 15:18:16.535272 2017] [authz_core:debug] [pid 20916] mod_authz_core.c(809): [client 192.168.122.1:52196] AH01626: authorization result of <RequireAny>: denied [Wed Jan 18 15:18:16.535278 2017] [authz_core:error] [pid 20916] [client 192.168.122.1:52196] AH01631: user test_user: authorization failure for "/test_folder/": [Wed Jan 18 15:18:21.923278 2017] [authz_core:debug] [pid 20917] mod_authz_core.c(809): [client 192.168.122.1:52198] AH01626: authorization result of Require all granted: granted [Wed Jan 18 15:18:21.923289 2017] [authz_core:debug] [pid 20917] mod_authz_core.c(809): [client 192.168.122.1:52198] AH01626: authorization result of <RequireAny>: granted Version-Release number of selected component (if applicable): httpd-2.4.6-45.el7.x86_64 mod_ldap-2.4.6-45.el7.x86_64 How reproducible: Unsure Additional info: Look like there was an upstream patch and will need to be backported: http://svn.apache.org/viewvc?view=revision&revision=1613682 http://svn.apache.org/viewvc?view=revision&revision=1613684
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2175
This fix has broken anonymous bind, what is quite possible when using ldaps. Prior to this fix, AuthLDAPBindDN and AuthLDAPBindPassword were not required.
Serge, can you please file a bug and open a support ticket so we can look at that in more detail?