Merge r1885939, r1885940, r1885941, r1885945 from trunk:

author Ruediger Pluem <rpluem@apache.org>

Tue, 2 Mar 2021 07:43:35 +0000 (07:43 +0000)

committer Ruediger Pluem <rpluem@apache.org>

Tue, 2 Mar 2021 07:43:35 +0000 (07:43 +0000)
author Ruediger Pluem <rpluem@apache.org>
Tue, 2 Mar 2021 07:43:35 +0000 (07:43 +0000)
committer Ruediger Pluem <rpluem@apache.org>
Tue, 2 Mar 2021 07:43:35 +0000 (07:43 +0000)
diff --git a/CHANGES b/CHANGES

index 5af3c081b938bda2c889fde7a75d4550139f8790..47ac08b2b5dbfea559f4d5cf7be0244de9553b39 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                           -*- coding: utf-8 -*-
  Changes with Apache 2.4.47
  
+  *) mod_authnz_ldap: Prevent authentications with empty passwords for the
+     initial bind to fail with status 500. [Ruediger Pluem]
+
    *) mod_auth_digest: Fast validation of the nonce's base64 to fail early if
       the format can't match anyway.  [Yann Ylavic]
  
diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c

index 4634fe96857146da1923d4bfdd4bccb1de9b5306..a7b4939752e7306bf4b023138b7feaa21abd7a70 100644 (file)
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -500,6 +500,32 @@ static authn_status authn_ldap_check_password(request_rec *r, const char *user,
          return AUTH_GENERAL_ERROR;
      }
  
+    /* Get the password that the client sent */
+    if (password == NULL) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01692)
+                      "auth_ldap authenticate: no password specified");
+        return AUTH_GENERAL_ERROR;
+    }
+
+    if (user == NULL) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01693)
+                      "auth_ldap authenticate: no user specified");
+        return AUTH_GENERAL_ERROR;
+    }
+
+    /*
+     * A bind to the server with an empty password always succeeds, so
+     * we check to ensure that the password is not empty. This implies
+     * that users who actually do have empty passwords will never be
+     * able to authenticate with this module. I don't see this as a big
+     * problem.
+     */
+    if (!(*password)) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(10263)
+                      "auth_ldap authenticate: empty password specified");
+        return AUTH_DENIED;
+    }
+
      /* There is a good AuthLDAPURL, right? */
      if (sec->host) {
          const char *binddn = sec->binddn;
@@ -522,21 +548,6 @@ static authn_status authn_ldap_check_password(request_rec *r, const char *user,
      ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01691)
                    "auth_ldap authenticate: using URL %s", sec->url);
  
-    /* Get the password that the client sent */
-    if (password == NULL) {
-        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01692)
-                      "auth_ldap authenticate: no password specified");
-        util_ldap_connection_close(ldc);
-        return AUTH_GENERAL_ERROR;
-    }
-
-    if (user == NULL) {
-        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01693)
-                      "auth_ldap authenticate: no user specified");
-        util_ldap_connection_close(ldc);
-        return AUTH_GENERAL_ERROR;
-    }
-
      /* build the username filter */
      authn_ldap_build_filter(filtbuf, r, user, NULL, sec);
  
@@ -1673,6 +1684,10 @@ static const char *set_bind_password(cmd_parms *cmd, void *_cfg, const char *arg
          sec->bindpw = (char *)arg;
      }
  
+    if (!(*sec->bindpw)) {
+        return "Empty passwords are invalid for AuthLDAPBindPassword";
+    }
+
      return NULL;
  }
author	Ruediger Pluem <rpluem@apache.org>
	Tue, 2 Mar 2021 07:43:35 +0000 (07:43 +0000)
committer	Ruediger Pluem <rpluem@apache.org>
	Tue, 2 Mar 2021 07:43:35 +0000 (07:43 +0000)
CHANGES		patch \| blob \| blame \| history
modules/aaa/mod_authnz_ldap.c		patch \| blob \| blame \| history