LDAP Authentication Issue

Discussion in 'Bug Reports' started by dcb, Jul 9, 2008.

  1. dcb

    dcb New Member

    We are using the Enterprise version (3.3.15) on Slackware 12 (32bit).
    We've set up an LDAP realm that seems to work properly. I mean, if you give the correct user/pass it all works as it is supposed to. But the real problem is when you give a bogus user/pass. Instead of asking for the user/pass again it will give you the URI requested. Of course on the next request it will ask again for user/pass, you can give a bogus one again and go on like that forever, gaining access to areas that are supposed to be protected.
    Now I've checked and this happens only when the "Required" field in the context config is left empty (I tried putting there valid-user, with no effect). But the documentation says: "If it is not specified, all valid users can access this resource.", or a bogus user/pass combination shouldn't be considered valid.
  2. mistwang

    mistwang LiteSpeed Staff

    We will look into this issue. Thanks for the bug report.
  3. mistwang

    mistwang LiteSpeed Staff

    Can you please turn on debug logging by changing "DebugLevel" to "HIGH", then try one request and send the error.log to bug@litespeed...
  4. dcb

    dcb New Member

    Do you need the entire log file? Even for only 40 seconds it still has 10MB.
  5. dcb

    dcb New Member

    The relevant LDAP-related lines seem to be:
    2008-07-15 14:09:24.898 [DEBUG] [*.*.*.*:34457-0#admin] Assigned ID: 2 to 'ldap://[removed.host]/dc=manager,dc=com???(&(objectClass=person)(uid=fwerfwerf))'
    2008-07-15 14:09:24.898 [DEBUG] [*.*.*.*:34457-0#admin] checkAuthentication() return -1
    2008-07-15 14:09:24.898 [DEBUG] [*.*.*.*:34457-0#admin] processNewReq() return 0.

    If that's not enough I can try to grep the log by the name of the virtual host, that must reduce it a lot as another virtual host is producing the bulk of the traffic.
  6. mistwang

    mistwang LiteSpeed Staff

    You can grep the log by the IP.
