
List:       apache-httpd-bugs
Subject:    [Bug 64472] New: mod_auth_digest module's AuthDigestProvider directive does not sets 'ldap' as provi
From:       bugzilla () apache ! org
Date:       2020-05-27 6:43:50
Message-ID: bug-64472-7868 () https ! bz ! apache ! org/bugzilla/

https://bz.apache.org/bugzilla/show_bug.cgi?id=64472

            Bug ID: 64472
           Summary: mod_auth_digest module's AuthDigestProvider directive
                    does not sets 'ldap' as provider to authenticate users
                    from LDAP
           Product: Apache httpd-2
           Version: 2.4.43
          Hardware: All
                OS: All
            Status: NEW
          Severity: blocker
          Priority: P2
         Component: mod_auth_digest
          Assignee: bugs@httpd.apache.org
          Reporter: rohitgaikwad0907@gmail.com
  Target Milestone: ---

1) AuthnProviderAlias supports the AuthBasicProvider of the mod_auth_basic module
for authentication with "ldap".
Reference: https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html

Whereas AuthnProviderAlias does not support the AuthDigestProvider of the
mod_auth_digest module for authentication with "ldap".

The configuration below does not work with AuthDigestProvider for "ldap":

# Basic Authentication provider

<AuthnProviderAlias ldap MyEnterpriseLdap>
  AuthLDAPURL "ldap://machine1.abcd.com:389/CN=Users,DC=abcd,DC=com?sAMAccountName?sub?(objectClass=*)"
  AuthLDAPBindDN "CN=rohit,CN=Users,DC=abcd,DC=com"
  AuthLDAPBindPassword "abc123"
  LDAPReferrals Off
</AuthnProviderAlias>

# Authenticated resources
<LocationMatch ^/+WebApp/+(;.*)?>
  AuthName "WebApp"
  AuthType Basic
  AuthBasicProvider MyEnterpriseLdap 
  Require valid-user
</LocationMatch>

2) Moreover, are there any plans to implement "auth-int" for the AuthDigestQop
directive?
https://httpd.apache.org/docs/2.4/mod/mod_auth_digest.html#page-header

3) There will be a blocking issue in the second half of calendar year 2020, when
Microsoft addresses CVE-2017-8563
(https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563),
a set of unsafe default configurations for LDAP channel binding and LDAP
signing which exist on Active Directory domain controllers and let LDAP
clients communicate with them without enforcing LDAP channel binding and LDAP
signing.

Thus the LDAP simple binds now need to be converted to SASL, like DIGEST-MD5,
and support added for signing through qop as "auth-int".

Can someone please have a look into the issue? This will cause all LDAP
applications which use AuthType "Basic" to move to port 636 and switch to
SSL/TLS.
However, when SASL (DIGEST-MD5) with signing (auth-int) is used, LDAP clients
that do enable or support signing can connect over port 389.


Thanks,
       --Rohit
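For context on points 1 and 2 above, here is an added worked example (not part of the report or of httpd's own code) of the RFC 2617 Digest computation that mod_auth_digest performs: the server must hold or obtain H(A1) = MD5(username:realm:password) from its provider, which is why a provider that can only verify a password by binding cannot serve Digest, and qop=auth-int additionally binds the request body into the response. The RFC 2617 section 3.5 sample credentials are used as the known-answer input; the "alice"/"WebApp" values are constructed.

```python
import hashlib
import hmac


def _h(data: str) -> str:
    """RFC 2617 H(): MD5 of the string, rendered as 32 lowercase hex digits."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def realm_hash(username: str, realm: str, password: str) -> str:
    """H(A1). This is what an AuthDigestProvider has to hand mod_auth_digest;
    a backend that only answers "is this password correct?" via a bind
    (LDAP simple bind) never exposes it, so Digest cannot be built on it."""
    return _h(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str,
                    cnonce: str, qop: str, body: bytes = b"") -> str:
    """Client-side response per RFC 2617 3.2.2.1 for qop=auth or qop=auth-int."""
    if qop == "auth-int":
        # auth-int folds the entity-body hash into A2, so a tampered body
        # fails verification just like a forged Authorization header.
        ha2 = _h(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    elif qop == "auth":
        ha2 = _h(f"{method}:{uri}")
    else:
        raise ValueError(f"unsupported qop {qop!r}")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verifies(stored_ha1: str, method: str, uri: str, nonce: str, nc: str,
                    cnonce: str, qop: str, body: bytes, response: str) -> bool:
    """Server side: recompute from the stored H(A1) and compare in constant time.
    Note the server needs H(A1) itself, not just a yes/no password check."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop, body)
    return hmac.compare_digest(expected, response)


def rfc2617_example() -> str:
    """Known-answer test: the worked example from RFC 2617 section 3.5 (GET, qop=auth)."""
    ha1 = realm_hash("Mufasa", "testrealm@host.com", "Circle Of Life")
    return digest_response(ha1, "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001",
                           "0a4f113b", "auth")
```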

