#StackBounty: #linux #rhel #apache-httpd mod_authnz_ldap – using AuthLDAPInitialBindAsUser encountering obscure "internal error"…

Bounty: 50

On RHEL 7.4, Apache/2.4.6 using mod_authnz_ldap.so and AuthLDAPInitialBindAsUser config.

The configuration is to do LDAP authentication by binding as the user logging on.

When the user is prompted for his username/password in the “Authentication required” popup:

  • If the user either leaves both fields blank, or enters only his username and leaves the password field blank, and hits “OK”, he gets a page with “The server encountered an internal error or misconfiguration and was unable to complete your request.” – there’s no error in /var/log/httpd/error_log
  • If the user enters an invalid username and/or invalid password, the system reacts normally and presents the popup again.
  • If the user enters the correct username and password, the system reacts normally and he is presented with the desired web page.

How to prevent this error page?

kibana.conf:

<VirtualHost *:80>
    ServerName kibana.mydomain.com
    ProxyPass / http://127.0.0.1:5601/
    ProxyPassReverse / http://127.0.0.1:5601/

    <Location "/app/kibana">
        AuthType basic
        AuthName "LDAP Login"
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://ldap.mydomain/dc=example,dc=com?sAMAccountName?sub?(objectClass=*)"
        AuthLDAPInitialBindAsUser on
        AuthLDAPInitialBindPattern (.*) "CN=$1,ou=users,dc=example,dc=com"
        Require valid-user
    </Location>

</VirtualHost>

I set LDAPLibraryDebug 7 and got the following error message in /var/log/httpd/error_log:

res_errno: 1, res_error: <000004DC: LdapErr: DSID-0C09075A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ldap_err2string
[Thu Nov 29 20:36:09.068006 2018] [authnz_ldap:info] [pid 25551] [client 72.23.42.165:56915] AH01695: auth_ldap authenticate: user authentication failed; URI /home/debug.jsp [ldap_search_ext_s() for user failed] [Operations error] <—- *this should result in an authentication failure, not an Operations error, which cannot be handled by the http handler and ends up as an internal server error*

The message “In order to perform this operation a successful bind must be completed on the connection.” leads me to believe that the module is attempting to perform another operation even though the binding is incomplete. But it should actually react exactly like when the password is invalid or when the username was not provided.

Error message when the username is passed but the password field is left empty:

[Thu Nov 29 20:48:48.818805 2018] [authnz_ldap:info] [pid 25550] [client 72.23.42.165:57045] AH01695: auth_ldap authenticate: user the.user authentication failed; URI /home/debug.jsp [LDAP: ldap_simple_bind() failed][Invalid credentials]
[Thu Nov 29 20:48:48.818833 2018] [auth_basic:error] [pid 25550] [client 72.23.42.165:57045] AH01617: user the.user: authentication failure for “/home/debug.jsp”: Password Mismatch

Error message when no username is entered but there is a value in the password field:

[Thu Nov 29 20:49:18.720210 2018] [authnz_ldap:info] [pid 25549] [client 72.23.42.165:57050] AH01695: auth_ldap authenticate: user authentication failed; URI /home/debug.jsp [LDAP: ldap_simple_bind() failed][Invalid credentials]
[Thu Nov 29 20:49:18.720222 2018] [auth_basic:error] [pid 25549] [client 72.23.42.165:57050] AH01617: user : authentication failure for “/home/debug.jsp”: Password Mismatch

Message when a correct username/password is entered:

[Thu Nov 29 20:53:29.658294 2018] [authnz_ldap:debug] [pid 25551] mod_authnz_ldap.c(593): [client 72.23.42.165:57105] AH01697: auth_ldap authenticate: accepting the.user
[Thu Nov 29 20:53:29.658328 2018] [authz_core:debug] [pid 25551] mod_authz_core.c(809): [client 72.23.42.165:57105] AH01626: authorization result of Require valid-user : granted
[Thu Nov 29 20:53:29.658338 2018] [authz_core:debug] [pid 25551] mod_authz_core.c(809): [client 72.23.42.165:57105] AH01626: authorization result of : granted
[Thu Nov 29 20:53:29.658546 2018] [proxy:debug] [pid 25551] mod_proxy.c(1123): [client 72.23.42.165:57105] AH01143: Running scheme http handler (attempt 0)
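
As an added example (not code from the question and not Apache's own code), here is a small Python model of what the kibana.conf above does with the submitted credentials. It builds the bind DN the way AuthLDAPInitialBindPattern does, with the pattern and template taken from the config, and classifies the resulting simple bind by RFC 4513 section 5.1. The point it makes: the pattern (.*) matches an empty username, so a blank form still produces the syntactically complete DN CN=,ou=users,dc=example,dc=com, and a DN with an empty password is an "unauthenticated" simple bind, which RFC 4513 allows a server to accept (as anonymous) instead of rejecting. If the bind is accepted, the module's next operation, the user search, runs on a connection with no authenticated identity, which is consistent with the 000004DC "a successful bind must be completed" message in the log above. The gate_credentials function shows the defensive check: deny empty usernames and empty passwords before any bind is attempted, so such requests end as an ordinary credential failure rather than a server-side error. The helper names, the stricter STRICT_BIND_PATTERN, and the sample credentials are my own assumptions.

```python
"""Model of AuthLDAPInitialBindAsUser credential handling (added example,
not Apache code). Builds the bind DN from AuthLDAPInitialBindPattern and
classifies the simple bind under RFC 4513 section 5.1."""
import re
from enum import Enum

# Values taken from the question's kibana.conf.
BIND_PATTERN = r"(.*)"
BIND_TEMPLATE = "CN=$1,ou=users,dc=example,dc=com"
# Stricter pattern (an assumption for illustration, not from the question):
# it requires at least one character, so an empty username never matches
# and no DN is built for it.
STRICT_BIND_PATTERN = r"([A-Za-z0-9._-]+)"


class BindKind(Enum):
    """Forms a simple bind request can take, per RFC 4513 section 5.1.
    This describes the *shape* of the request, not whether the directory
    would accept the credentials."""
    ANONYMOUS = "anonymous"              # empty name and empty password (5.1.1)
    UNAUTHENTICATED = "unauthenticated"  # name present, empty password (5.1.2)
    AUTHENTICATED = "authenticated"      # name and password both present (5.1.3)
    MALFORMED = "malformed"              # empty name with a password: nothing to check


def build_bind_dn(username, pattern=BIND_PATTERN, template=BIND_TEMPLATE):
    """Build the bind DN the way AuthLDAPInitialBindPattern does: match the
    whole username against the pattern and substitute capture $1 into the
    template. Only $1 is handled here. Returns None when there is no match."""
    match = re.fullmatch(pattern, username)
    if match is None:
        return None
    return template.replace("$1", match.group(1))


def classify_simple_bind(dn, password):
    """Classify a simple bind request by RFC 4513 section 5.1."""
    if not dn and not password:
        return BindKind.ANONYMOUS
    if dn and not password:
        return BindKind.UNAUTHENTICATED
    if not dn:
        return BindKind.MALFORMED
    return BindKind.AUTHENTICATED


def describe_attempt(username, password, pattern=BIND_PATTERN):
    """Return (bind_dn, bind_kind) for a submitted username/password pair:
    what the directory would actually be asked to bind with."""
    dn = build_bind_dn(username, pattern)
    if dn is None:
        return None, None
    return dn, classify_simple_bind(dn, password)


def gate_credentials(username, password, pattern=BIND_PATTERN):
    """Fail-closed check to run before any bind. Returns (allowed, reason).
    Only a matching, non-empty username with a non-empty password may reach
    the directory; everything else is treated as a plain credential failure
    and never turns into a server-side error on the LDAP connection."""
    if username == "":
        return False, "empty username"
    if password == "":
        return False, "empty password would be an RFC 4513 unauthenticated bind"
    dn, kind = describe_attempt(username, password, pattern)
    if dn is None:
        return False, "username does not match AuthLDAPInitialBindPattern"
    if kind is not BindKind.AUTHENTICATED:
        return False, kind.value
    return True, dn


if __name__ == "__main__":
    # Constructed sample inputs mirroring the four cases in the question.
    cases = [("", ""), ("the.user", ""), ("", "hunter2"), ("the.user", "hunter2")]
    for user, pw in cases:
        dn, kind = describe_attempt(user, pw)
        allowed, reason = gate_credentials(user, pw)
        verdict = "allow" if allowed else "deny: " + reason
        print(f"user={user!r:11} password={'set' if pw else 'empty':5} "
              f"-> dn={dn} bind={kind.value} gate={verdict}")
```

Running the block prints one line per case; the two blank-password cases classify as unauthenticated binds and the empty-username-with-password case builds a DN whose CN value is empty, and the gate denies all three before any directory contact, leaving only the full username/password pair to be bound and checked.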


