Bug 80057 - mod_authz_ldap prevents use of other auth mechanisms if loaded
Product: Stronghold Cross Platform
Classification: Retired
Component: mod_authz_ldap
All Linux
Priority: medium, Severity: medium
Assigned To: Joe Orton
Stronghold Engineering List
Reported: 2002-12-19 06:26 EST by Joe Orton
Modified: 2007-04-18 12:49 EDT
Doc Type: Bug Fix
Last Closed: 2003-03-03 04:17:56 EST
External Trackers:
Red Hat Product Errata RHBA-2003:078 (priority normal, status SHIPPED_LIVE): Updated mod_authz_ldap package for Stronghold 4.0 now available (last updated 2003-06-30 00:00:00 EDT)
Red Hat Product Errata RHSA-2003:082 (priority normal, status SHIPPED_LIVE): Important: apache, openssl, php, tomcat security update for Stronghold (last updated 2003-02-27 00:00:00 EST)
Description Joe Orton 2002-12-19 06:26:53 EST
Description of problem:
If mod_authz_ldap is configured for *any* location, it tries to take over
authentication for *all* locations where auth is required (even if other
locations use AuthUserFile-based authentication).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Use a config like:

   <Location /ldap>
      AuthzLDAPServer localhost
      AuthzLDAPUserBase dc=example,dc=com
      AuthzLDAPUserKey uid
      AuthzLDAPUserScope base

      AuthType basic
      AuthName "ldap@example.com"
      require valid-user
   </Location>

   <Location /basic>
      AuthType basic
      AuthUserFile /blah/passwd
      AuthName "basic@example.com"
      require valid-user
   </Location>

Then try and access location /basic/

Actual results:
failure to authenticate regardless of username/password
error_log entries as follows:

[Thu Dec 19 11:20:33 2002] [crit] [client] [1650] no ldap connection
[Thu Dec 19 11:20:38 2002] [error] [client] [1650] bind as (null)=joe,(null)/foo failed: 81

Expected results:
authentication in /basic/ based on passwd file contents

Additional info:
Comment 1 Joe Orton 2002-12-19 06:51:08 EST
Worse yet; mod_authz_ldap prevents use of other auth mechanisms simply
if loaded, even if not configured.

A workaround is to put:
    AuthzLDAPAuthoritative off
in the location where non-LDAP authentication is needed.
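
An added example, not part of the original report or the module's own code: a configuration check that lists the sections needing the workaround from Comment 1. It assumes mod_authz_ldap is loaded, looks only at <Location> and <Directory> blocks in a single file, and does not model inheritance or .htaccess files; the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample: two sections from the report plus one with the workaround.
SAMPLE_CONF = """
<Location /ldap>
   AuthzLDAPServer localhost
   AuthType basic
   require valid-user
</Location>
<Location /basic>
   AuthType basic
   AuthUserFile /blah/passwd
   require valid-user
</Location>
<Location /fixed>
   AuthUserFile /blah/passwd
   AuthzLDAPAuthoritative off
   require valid-user
</Location>
"""

SECTION = re.compile(r"<(Location|Directory)\s+([^>]+)>(.*?)</\1>", re.S | re.I)

def directives(body):
    """Map lower-cased directive name -> argument string, skipping comments."""
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, args = (line.split(None, 1) + [""])[:2]
            out[name.lower()] = args.strip()
    return out

def sections_needing_workaround(conf_text):
    """Return paths of sections that require auth against a password file
    but do not set AuthzLDAPAuthoritative off."""
    flagged = []
    for _, path, body in SECTION.findall(conf_text):
        d = directives(body)
        file_auth = "require" in d and "authuserfile" in d
        ldap_off = d.get("authzldapauthoritative", "").lower() == "off"
        if file_auth and not ldap_off:
            flagged.append(path.strip())
    return flagged

if __name__ == "__main__":
    for path in sections_needing_workaround(SAMPLE_CONF):
        print(f"{path}: add 'AuthzLDAPAuthoritative off'")
```
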
Comment 2 Joe Orton 2003-03-03 04:17:56 EST
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.