Support

dcb · #1 07-09-2008, 06:06 AM

We are using the Enterprise version (3.3.15) on Slackware 12 (32bit).
We've setup a LDAP realm that seems to work properly. I mean, if you give the correct user/pass it all works as it is supposed to. But the real problem is when you give a bogus user/pass. Instead of asking for the user/pass again it will give you the URI requested. Of course on the next request it will ask again for user/pass, you can give a bogus one again and go on like that forever, gaining access to areas that are supposed to be protected.
Now I've checked and this happens only when the "Required" field in the context config is left empty (I tried putting there valid-user, with no effect). But the documentation says: "If it is not specified, all valid users can access this resource.", or a bogus user/pass combination shouldn't be considered valid.

mistwang · #2 07-09-2008, 02:32 PM

We will look into this issue. Thanks for the bug report.

mistwang · #3 07-11-2008, 12:45 PM

Can you please turn on debug logging by change "DebugLevel" to "HIGH", then try one request and send the error.log to bug@litespeed...

dcb · #4 07-15-2008, 11:20 AM

Do you need the entire log file? even for only 40 seconds it still has 10MB.

dcb · #5 07-15-2008, 11:26 AM

the relevant LDAP related lines seem to be:
2008-07-15 14:09:24.898 [DEBUG] [*.*.*.*:34457-0#admin] Assigned ID: 2 to 'ldap://[removed.host]/dc=manager,dc=com???(&(objectClass=person)(uid=fwe rfwerf))'
2008-07-15 14:09:24.898 [DEBUG] [*.*.*.*:34457-0#admin] checkAuthentication() return -1
2008-07-15 14:09:24.898 [DEBUG] [*.*.*.*:34457-0#admin] processNewReq() return 0.

If that's not enough I can try to grep the log by the name of the virtual host, that must reduce it a lot as another virtual host is producing the bulk of the traffic.

mistwang · #6 07-15-2008, 11:31 AM

You can grep the log by the IP.