Bug 80057 - mod_authz_ldap prevents use of other auth mechanisms if loaded
Summary: mod_authz_ldap prevents use of other auth mechanisms if loaded
Alias: None
Product: Stronghold Cross Platform
Classification: Retired
Component: mod_authz_ldap
Version: 4.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Joe Orton
QA Contact: Stronghold Engineering List
Depends On:
Reported: 2002-12-19 11:26 UTC by Joe Orton
Modified: 2007-04-18 16:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2003-03-03 09:17:56 UTC


| System | ID | Private | Priority | Status | Summary | Last Updated |
| Red Hat Product Errata | RHBA-2003:078 | 0 | normal | SHIPPED_LIVE | Updated mod_authz_ldap package for Stronghold 4.0 now available | 2003-06-30 04:00:00 UTC |
| Red Hat Product Errata | RHSA-2003:082 | 0 | normal | SHIPPED_LIVE | Important: apache, openssl, php, tomcat security update for Stronghold | 2003-02-27 05:00:00 UTC |

Description Joe Orton 2002-12-19 11:26:53 UTC
Description of problem:
If mod_authz_ldap is configured for *any* location, it tries to take over
authentication for *all* locations where auth is required (even if other
locations use AuthUserFile-based authentication).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Use a config like:

   <Location /ldap>
      AuthzLDAPServer localhost
      AuthzLDAPUserBase dc=example,dc=com
      AuthzLDAPUserKey uid
      AuthzLDAPUserScope base

      AuthType basic
      AuthName "ldap@example.com"
      require valid-user
   </Location>

   <Location /basic>
      AuthType basic
      AuthUserFile /blah/passwd
      AuthName "basic@example.com"
      require valid-user
   </Location>

Then try and access location /basic/
Actual results:
failure to authenticate regardless of username/password
error_log entries as follows:

[Thu Dec 19 11:20:33 2002] [crit] [client] [1650] no ldap connection
[Thu Dec 19 11:20:38 2002] [error] [client] [1650] bind as (null)=joe,(null)/foo failed: 81

Expected results:
authentication in /basic/ based on passwd file contents

Additional info:

Comment 1 Joe Orton 2002-12-19 11:51:08 UTC
Worse yet; mod_authz_ldap prevents use of other auth mechanisms simply
if loaded, even if not configured.

A workaround is to put:
    AuthzLDAPAuthoritative off
in the location where non-LDAP authentication is needed.
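
Added example (not part of the bug report or of Stronghold): a small Python check that scans an Apache config for sections that use AuthUserFile authentication while mod_authz_ldap is loaded and the `AuthzLDAPAuthoritative off` workaround is missing. The sample config is constructed from the report's two locations; the `LoadModule` line, the `/fixed` location and the function name are assumptions.

```python
import re

# Constructed sample: the report's two locations plus one with the workaround.
# The LoadModule line (module name and path) is an assumption.
SAMPLE = """\
LoadModule authz_ldap_module modules/mod_authz_ldap.so
<Location /ldap>
   AuthzLDAPServer localhost
   AuthType basic
   require valid-user
</Location>
<Location /basic>
   AuthType basic
   AuthUserFile /blah/passwd
   require valid-user
</Location>
<Location /fixed>
   AuthType basic
   AuthUserFile /blah/passwd
   AuthzLDAPAuthoritative off
   require valid-user
</Location>
"""

OPEN = re.compile(r"<(?:Location|Directory|Files)(?:Match)?\s+([^>]+)>", re.I)
CLOSE = re.compile(r"</(?:Location|Directory|Files)(?:Match)?>", re.I)
LOADED = re.compile(r"LoadModule\s+\S+\s+\S*mod_authz_ldap", re.I)

def find_affected_sections(conf):
    """Paths of sections using AuthUserFile auth while mod_authz_ldap is
    loaded and still authoritative. Nesting and inheritance are not handled."""
    lines = [s for s in (l.strip() for l in conf.splitlines())
             if s and not s.startswith("#")]
    if not any(LOADED.match(l) for l in lines):
        return []  # module not loaded, nothing to flag
    flagged, path, seen = [], None, {}
    for line in lines:
        if (m := OPEN.match(line)):
            path, seen = m.group(1).strip('"'), {}
        elif CLOSE.match(line):
            if (path is not None and "require" in seen and "authuserfile" in seen
                    and seen.get("authzldapauthoritative") != "off"):
                flagged.append(path)
            path = None
        elif path is not None:
            parts = line.split(None, 1)
            seen[parts[0].lower()] = parts[1].lower() if len(parts) > 1 else ""
    return flagged

if __name__ == "__main__":
    print(find_affected_sections(SAMPLE))
```
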

Comment 2 Joe Orton 2003-03-03 09:17:56 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

