
Mailing List Archive: Apache: Users

auth_ldap error

 

 



ayeryier at yahoo

May 9, 2008, 12:51 PM

Post #1 of 5 (148 views)
auth_ldap error

Hi, All,
we run apache 2, httpd-2.2.3-11, on linux with mod_authz_ldap-0.26-8.
On sites where we require authenticating to an external ldap directory, when a user browses to the given site, they are prompted for a login and password ... as expected. If they give proper credentials, all is fine. If they choose "Cancel" they get "Authorization Required" ... again fine. If they enter bad values, they are re-prompted ... up to three times and then get an "Authorization Required" if the credentials are still incorrect ... also fine.
The problem is when they are prompted for a login and password and they click "OK" without entering anything for id and password ... if someone does that, they get back an "Internal Server Error" rather than an "Authorization Required". Note this does not happen on our apache 1.3 server also running on linux.
The error in the error logs is basically:

[Fri May 09 10:21:25 2008] [warn] [client 10.10.10.10] [14460] auth_ldap authenticate: user authentication failed; URI /pubdir1/privdir1/dir/page1.pdf [ldap_search_ext_s() for user failed][Constraint violation], referer: http://www.mysite.com/humanresources/forms.html

Note that "www.mysite.com" is not the real machine name / domain nor is "pubdir1/privdir1/dir/page1.pdf " the real page path but they are similar.

"Constraint violation" almost sounds like a 0/0 issue. Does anyone else have this issue? I have tried searching ( okay, googling ) for this but I am obviously not using the correct search string because I am not finding any mention of anyone else having this issue. Are others fine using external ldap authentication with apache 2.2.x?

I appreciate any help anyone can provide.
Thanks






covener at gmail

May 9, 2008, 2:12 PM

Post #2 of 5 (144 views)
Re: auth_ldap error

On Fri, May 9, 2008 at 3:51 PM, Fred Day <ayeryier[at]yahoo.com> wrote:

> click "OK" without entering anything for id and password ... if someone does
> that, they get back an "Internal Server Error" rather than an "Authorization
> Required". Note this does not happen on our apache 1.3 server also running
> on linux.
> The error in the error logs is basically:
>
> [Fri May 09 10:21:25 2008] [warn] [client 10.10.10.10] [14460] auth_ldap
> authenticate: user authentication failed; URI
> /pubdir1/privdir1/dir/page1.pdf [ldap_search_ext_s() for user
> failed][Constraint violation], referer:
> http://www.mysite.com/humanresources/forms.html
>

Looks like a bug, there's a special case for empty username but it
seems like it's not doing the right test.


--
Eric Covener
covener[at]gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe[at]httpd.apache.org
" from the digest: users-digest-unsubscribe[at]httpd.apache.org
For additional commands, e-mail: users-help[at]httpd.apache.org


covener at gmail

May 9, 2008, 3:14 PM

Post #3 of 5 (145 views)
Re: auth_ldap error

On Fri, May 9, 2008 at 5:12 PM, Eric Covener <covener[at]gmail.com> wrote:
> On Fri, May 9, 2008 at 3:51 PM, Fred Day <ayeryier[at]yahoo.com> wrote:
>
>> click "OK" without entering anything for id and password ... if someone does
>> that, they get back an "Internal Server Error" rather than an "Authorization
>> Required". Note this does not happen on our apache 1.3 server also running
>> on linux.
>> The error in the error logs is basically:
>>
>> [Fri May 09 10:21:25 2008] [warn] [client 10.10.10.10] [14460] auth_ldap
>> authenticate: user authentication failed; URI
>> /pubdir1/privdir1/dir/page1.pdf [ldap_search_ext_s() for user
>> failed][Constraint violation], referer:
>> http://www.mysite.com/humanresources/forms.html
>>
>
> Looks like a bug, there's a special case for empty username but it
> seems like it's not doing the right test.


Do you know what LDAP SDK your server is linked with? With LogLevel
debug it should be reported at startup.

With the version I'm using, the LDAP client is okay with searching for
a filter value of "cn=" but yours apparently treats it as an illegal
filter.

--
Eric Covener
covener[at]gmail.com

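The empty-credential case discussed in this thread, as an added C example (not code from mod_authz_ldap, httpd, or any poster): a pre-check that answers 401 before a "cn=" filter is ever built, and escapes the user name otherwise. The names precheck_credentials, filter_escape, AUTH_OK and AUTH_401 are hypothetical, and the password in main is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for httpd's OK and HTTP_UNAUTHORIZED return codes. */
#define AUTH_OK  0
#define AUTH_401 401

/* RFC 4515 escaping: '*', '(', ')' and '\' become a backslash + two hex digits. */
static int filter_escape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        int special = (c == '*' || c == '(' || c == ')' || c == '\\');
        if (o + (special ? 3 : 1) >= outlen)
            return -1;                       /* would not fit with the NUL */
        if (special)
            o += (size_t)snprintf(out + o, outlen - o, "\\%02x", (unsigned)c);
        else
            out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Hypothetical pre-check run on the decoded Basic-auth pair before any LDAP
 * call. Fills `filter` and returns AUTH_OK, or returns AUTH_401 to re-prompt. */
int precheck_credentials(const char *attr, const char *user, const char *pass,
                         char *filter, size_t filterlen)
{
    char esc[256];

    /* Empty user would produce the "cn=" search; an empty password would turn
     * the later simple bind into an unauthenticated bind (RFC 4513, 5.1.2). */
    if (!user || !pass || *user == '\0' || *pass == '\0')
        return AUTH_401;
    if (filter_escape(user, esc, sizeof esc) != 0)
        return AUTH_401;
    if ((size_t)snprintf(filter, filterlen, "(%s=%s)", attr, esc) >= filterlen)
        return AUTH_401;
    return AUTH_OK;
}

int main(void)
{
    char f[300];
    printf("empty pair -> %d\n", precheck_credentials("cn", "", "", f, sizeof f));
    if (precheck_credentials("cn", "fred*", "constructed-pw", f, sizeof f) == AUTH_OK)
        printf("filter     -> %s\n", f);
    return 0;
}
```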


ayeryier at yahoo

May 13, 2008, 8:04 AM

Post #4 of 5 (108 views)
Re: auth_ldap error

Eric Covener <covener[at]gmail.com> wrote:
On Fri, May 9, 2008 at 3:51 PM, Fred Day wrote:

> click "OK" without entering anything for id and password ... if someone does
> that, they get back an "Internal Server Error" rather than an "Authorization
> Required". Note this does not happen on our apache 1.3 server also running
> on linux.
> The error in the error logs is basically:
>
> [Fri May 09 10:21:25 2008] [warn] [client 10.10.10.10] [14460] auth_ldap
> authenticate: user authentication failed; URI
> /pubdir1/privdir1/dir/page1.pdf [ldap_search_ext_s() for user
> failed][Constraint violation], referer:
> http://www.mysite.com/humanresources/forms.html
>

Looks like a bug, there's a special case for empty username but it
seems like it's not doing the right test.


--
Eric Covener
covener[at]gmail.com



Hi, Eric,
thank you for responding. Somehow I did not receive or inadvertently deleted your second response ( the one with the questions ) but someone forwarded it to me. For summary, you responded
"
Do you know what LDAP SDK your server is linked with? With LogLevel
debug it should be reported at startup.
With the version I'm using, the LDAP client is okay with searching for
a filter value of "cn=" but yours apparently treats it as an illegal
filter.
"
Changing the log level to debug and restarting gives a

"[info] APR LDAP: Built with OpenLDAP LDAP SDK"

line. A bit above that is a line:

"[info] Server: Apache/2.2.2, Interface: mod_nss/2.2.2, Library: NSS/3.11.2 ECC"

The openldap client rpm is version 2.3.27-8.

Thanks again for any help anyone can provide.


covener at gmail

May 13, 2008, 8:35 AM

Post #5 of 5 (108 views)
Re: auth_ldap error

On Tue, May 13, 2008 at 11:04 AM, Fred Day <ayeryier[at]yahoo.com> wrote:

> Built with OpenLDAP LDAP SDK"

I'm unable to reproduce this (500 with LDAP auth when user hits 'ok'
to basic auth prompt) on my apache system built against openldap. Do
you have any insight about sensitivity to ldap client version? I will
poke around again later with something closer to 2.3.27-8 that you
have.

--
Eric Covener
covener[at]gmail.com

