Bug 604727 - mod_authnz_ldap Apache module fails when 'refer' entries returned from LDAP
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: httpd
Version: 5.5
Platform: All Linux
Priority: medium, Severity: medium
Target Milestone: rc
Assigned To: Joe Orton
QA Contact: BaseOS QE Security Team
Reported: 2010-06-16 11:31 EDT by Martin Poole
Modified: 2012-08-30 10:15 EDT
Last Closed: 2011-07-21 04:52:23 EDT
Doc Type: Bug Fix

Attachments
upstream patch adjusted for 2.2.3-43 (2.55 KB, application/octet-stream), 2010-06-16 11:31 EDT, Martin Poole

Description Martin Poole 2010-06-16 11:31:45 EDT
Created attachment 424505 [details]
upstream patch adjusted for 2.2.3-43

Customer is working on centralising their authentication systems using Kerberos and LDAP against Windows AD 2003 to provide SSO.  They are using the mod_authnz_ldap module shipped with RHEL5 to configure the Apache server to authenticate against the LDAP server.

There's an issue with the shipped mod_authnz_ldap whereby it incorrectly follows referrals without using the supplied bind credentials. The request is denied by the AD and causes authorization to fail.

There's a fix upstream for the above issue.  The relevant BZ is as follows:
https://issues.apache.org/bugzilla/show_bug.cgi?id=26538


httpd-2.2.3-43.el5.x86_64

Observed behavior:

CU is using the mod_authnz_ldap module to authenticate httpd against Windows AD 2003. The authentication fails because the results returned contain referrals to follow, which httpd follows without using the supplied bind credentials.
Since Windows 2k3 doesn't allow anonymous bind, the authentication fails.

Desired behavior:

httpd and mod_authnz_ldap should follow referrals with appropriate bind credentials.


The patch associated with upstream BZ 26538 (https://issues.apache.org/bugzilla/show_bug.cgi?id=26538) is for the 2.0.63 codebase.

The patchset below addresses the same issue, but has the patch for 2.2.4:

https://issues.apache.org/bugzilla/show_bug.cgi?id=40268
https://issues.apache.org/bugzilla/show_bug.cgi?id=42557 (patch is attached in this BZ)

1. Configure httpd to authenticate using kerberos with authorization with ldap backend.

2. Configure etc/httpd/conf.d/auth_kerb.conf as below:
<Location /auth>
    AuthType Kerberos
    AuthName "Kerberos Login"
    Krb5KeyTab /etc/httpd/conf/keytab

    AuthLDAPBindDN 'cn=my_svc_account,ou=Service Accounts,ou=London,ou=UK,dc=mydomain,dc=local'
    AuthLDAPBindPassword <<BIND PASSWORD>>
    AuthLDAPUrl "ldap://my.AD.server:389/dc=mydomain,dc=local?userPrincipalName?sub?(objectClass=user)" NONE
    require ldap-group CN=LinuxRoot,OU=Mail,OU=Groups,OU=London,OU=UK,DC=mydomain,DC=local
</Location>

3. User accounts are under different OUs from the normal ou=People. Here we have (as you can see above) users segmented by region and then city, so my user account would be CN=john.doe,ou=Users,ou=London,ou=UK,DC=mydomain,dc=local.


The problem is related to how the authnz_ldap module interprets the referral entries sent back by Active Directory.
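As an added example (not part of the bug report or of Red Hat's package), the customer's configuration above with referral chasing switched off, so mod_ldap never attempts the unauthenticated follow-up bind that AD rejects. The directive name is the upstream LDAPReferrals that comment 11 points to; on RHEL 5's patched httpd the backported switch is named LDAPChaseReferrals and is a server-level directive (comment 12). Assumed: an httpd whose mod_ldap provides the directive, and the <<BIND PASSWORD>> placeholder kept as on the page.

```apache
# Server-level, outside any <Location>/<Directory>: mod_ldap must be loaded
# before this line. Active Directory answers a search rooted at
# dc=mydomain,dc=local with referrals for the other naming contexts; with
# the default (On) the client library chases them anonymously and the
# whole search fails. Off returns the in-domain entries and ignores the
# referrals, which is all this deployment needs.
LDAPReferrals Off
# RHEL 5 backport name for the same switch (comments 11 and 12):
# LDAPChaseReferrals Off

# Alternative not discussed in this bug (assumption, standard AD practice):
# point AuthLDAPUrl at the Global Catalog on port 3268, which answers
# forest-wide searches without returning referrals.

<Location /auth>
    AuthType Kerberos
    AuthName "Kerberos Login"
    Krb5KeyTab /etc/httpd/conf/keytab

    # Bind credentials used for the authorization lookup; the bug was that
    # they were not reused when a referral was followed.
    AuthLDAPBindDN "cn=my_svc_account,ou=Service Accounts,ou=London,ou=UK,dc=mydomain,dc=local"
    AuthLDAPBindPassword <<BIND PASSWORD>>
    AuthLDAPUrl "ldap://my.AD.server:389/dc=mydomain,dc=local?userPrincipalName?sub?(objectClass=user)" NONE
    Require ldap-group CN=LinuxRoot,OU=Mail,OU=Groups,OU=London,OU=UK,DC=mydomain,DC=local
</Location>
```

With this in place, a user whose entry lives under ou=Users,ou=London,ou=UK is still found by the subtree search, because that subtree is inside the domain naming context and never needed a referral.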
Comment 1 Joe Orton 2010-06-16 11:42:25 EDT
Thanks for the backport!
Comment 3 RHEL Product and Program Management 2010-08-09 15:40:08 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 9 errata-xmlrpc 2011-07-21 04:52:23 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1067.html
Comment 10 errata-xmlrpc 2011-07-21 07:46:56 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1067.html
Comment 11 Ray Van Dolson 2011-08-01 17:03:36 EDT
FYI, it seems that upstream went with the LDAPReferrals configuration directive rather than LDAPChaseReferrals[1].

Reference Comment #2.  Also reference the Apache 2.2 documentation here[2] and this[3] commit.

Should RHEL's Apache be updated to stick with upstream?

[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=42557
[2] http://httpd.apache.org/docs/2.3/mod/mod_ldap.html#ldapreferrals
[3] http://svn.apache.org/viewvc?view=revision&revision=614605
Comment 12 Ray Van Dolson 2011-08-01 17:05:27 EDT
In support of the above, there is no documentation for LDAPChaseReferrals short of a mention here[1].

LDAPReferrals is close (from the Apache documentation itself), but is usable within a Directory context whereas LDAPChaseReferrals does not appear to be.

[1] http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/5.7_Technical_Notes/httpd.html
Comment 13 Ray Van Dolson 2011-08-01 17:13:43 EDT
For those interested, opened:

  https://bugzilla.redhat.com/show_bug.cgi?id=727342
