[Auth_ldap] FW: Possible bug in auth_ldap-1.5.0
CHIU, Wai Pun
wpchiu at ied.edu.hk
Tue Nov 21 01:26:02 PST 2000
Dear Dave,

Eventually, I know the principle.
The symptom is that when I enable the FrontPage Hack, the AllowOverride AuthCFG
will require another set of LDAP parameters. This problem exists in all
versions of the code.

From the program, as far as I understand, your FrontPage hack basically takes
the AuthUserFile parameter, which in turn contains all the valid usernames.
The hack first has the function auth_ldap_snarf_pwfile(), which stores the
parameter and then generates DECLINE. This is the problem that makes Override
fail. The hack also includes a self-developed routine to parse the service.pwd
file. You designed the hack to use its own function to parse the FrontPage
password in case valid-user is the ACL token.

However, in my opinion, there exist some design issues. If you explicitly
DECLINE inside auth_ldap, you can then pass the authority and let
auth_ldap parse the password, which means the auth_ldap_get_pw() routine
is not necessary. On the other hand, if you use auth_ldap_get_pw() for
valid-user, you do not need to decline within the LDAP module. The most
important issue is then that the decline forces us to have LDAP parameters
for every new directory under a user sub-web.

As an administrator, I prefer to preserve the FrontPage auto-generated
password, and the best configuration is to have one set of LDAP parameters for
the path <Directory /home/*/public_html></Directory>

Please comment. I will patch the code based on the 1.5.x version. However, I
need some time to check whether I should pass the authority to auth_ldap to
check the valid-user token or use auth_ldap_get_pw().

Best regards,
Chiu Wai Pun

> -----Original Message-----
> From: CHIU, Wai Pun
> Sent: Thursday, November 09, 2000 11:47 PM
> To: dave at rudedog.org
> Subject: Possible bug in auth_ldap-1.5.0
>
> Hi Dave,
>
> I downloaded your new work of auth_ldap-1.5.0 and tried a possible bug. In
> brief, if AllowOverride is set up to AuthConfig for a directory and the
> ldapauth configuration is set at this directory, sub-directories of this
> point will require another set of ldapauth configuration, else the value of
> sec->have_ldap_url at function ldap_authenticate_basic_user() will be
> false, resulting in return DECLINED. I traced the program flow and already
> verified the situation.
>
> Here I include the debug log of Apache for your reference.
>
> [Thu Nov 9 15:01:17 2000] [debug] auth_ldap.c(403): [client
> 202.45.56.130] {19052} Entering ldap_authenticate_basic_user
> [Thu Nov 9 15:01:17 2000] [error] [client 202.45.56.130] user wpchiu not
> found: /testdirectory
>
> The problem did not exist at version 1.3.x, that is [ $Id: auth_ldap.c,v
> 1.34 1999/02/11 14:29:12 carrigad Exp $ ]
>
> Hope all the above information can help you a bit. By the way, I will
> also try to check where the problem is.
>
> Regards,
> Chiu Wai Pun
> --
> Chiu Wai Pun
> Assistant Computer Officer (Network Services)
> The Hong Kong Institute of Education
> Email: wpchiu at ied.edu.hk
> Voice: (852)-2948-8250