I've run into another quirk during my 2.5 upgrade process. We use the Apache ldap authnz module with a configuration such as:

        AuthLDAPURL ldaps://ldap.cpp.edu:636/DC=cpp,DC=edu?uid
        Require ldap-group uid=unxadmin,ou=group,dc=cpp,dc=edu

This stopped working when accessing a server updated to 2.5. On the 2.4 server, the Apache logs look like:

[Wed Nov 10 15:07:52.056237 2021] [authnz_ldap:debug] [pid 29887] mod_authnz_ldap.c(926): [client 10.104.223.117:51050] AH01714: auth_ldap authorize: require group: testing for member: uid=henson,ou=user,dc=cpp,dc=edu (uid=unxadmin,ou=group,dc=cpp,dc=edu)
[Wed Nov 10 15:07:52.056264 2021] [authnz_ldap:debug] [pid 29887] mod_authnz_ldap.c(935): [client 10.104.223.117:51050] AH01715: auth_ldap authorize: require group: authorization successful (attribute member) [Comparison true (cached)][6 - Compare True]

and the slapd logs look like:

Nov 10 15:07:52 ldap-01 slapd[1233]: conn=224154 op=4 CMP dn="uid=unxadmin,ou=group,dc=cpp,dc=edu" attr="member"
Nov 10 15:07:52 ldap-01 slapd[1233]: conn=224154 op=4 RESULT tag=111 err=6 text=
Nov 10 15:08:42 ldap-01 slapd[1233]: conn=224154 fd=138 closed (connection lost)

whereas on the 2.5 server, the Apache logs look like:

[Wed Nov 10 15:03:52.375004 2021] [authnz_ldap:debug] [pid 29088] mod_authnz_ldap.c(926): [client 10.104.223.117:51022] AH01714: auth_ldap authorize: require group: testing for member: uid=henson,ou=user,dc=cpp,dc=edu (uid=unxadmin,ou=group,dc=cpp,dc=edu)
[Wed Nov 10 15:03:52.375887 2021] [authnz_ldap:debug] [pid 29088] mod_authnz_ldap.c(945): [client 10.104.223.117:51022] AH01719: auth_ldap authorize: require group "uid=unxadmin,ou=group,dc=cpp,dc=edu": didn't match with attr member [Comparison false (adding to cache)][5 - Compare False]

and the slapd logs look like:

Nov 10 15:03:52 ldap-03 slapd[1197]: conn=208924 op=4 CMP dn="uid=unxadmin,ou=group,dc=cpp,dc=edu" attr="member"
Nov 10 15:03:52 ldap-03 slapd[1197]: conn=208924 op=4 RESULT tag=111 err=5 qtime=0.000011 etime=0.000139 text=

If I understand correctly, Apache is making a compare call to check to see if my DN (uid=henson,ou=user,dc=cpp,dc=edu) exists as a value of the member attribute in the group uid=unxadmin,ou=group,dc=cpp,dc=edu. It certainly does, on both the server running 2.4 and 2.5:

dn: uid=unxadmin,ou=group,dc=cpp,dc=edu
objectClass: groupOfNames
objectClass: cppGroup
objectClass: posixGroup
uid: unxadmin
cn: Unix Administrators
gidNumber: 17730
member:
member: uid=gkuri,ou=user,dc=cpp,dc=edu
member: uid=henson,ou=user,dc=cpp,dc=edu
memberUid: gkuri
memberUid: henson

Any thoughts on why this is behaving differently? The configuration should be pretty much identical, modulo required path changes and updating the memberOf handling.

I was able to work around it by setting a couple of additional parameters:

        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN off

This now compares just my uid (henson) to the group memberUid attribute:

Nov 10 15:24:54 ldap-03 slapd[1197]: conn=210708 op=4 CMP dn="uid=unxadmin,ou=group,dc=cpp,dc=edu" attr="memberUid"
Nov 10 15:24:54 ldap-03 slapd[1197]: conn=210708 op=4 RESULT tag=111 err=6 qtime=0.000016 etime=0.000108 text=

Apparently "err=6" is good and "err=5" is not :)? I was able to replicate this difference in behavior using the CLI tools:

# ldapcompare -x -H ldaps://ldap-01.ldap.cpp.edu/ uid=unxadmin,ou=group,dc=cpp,dc=edu member:uid=henson,ou=user,dc=cpp,dc=edu
TRUE

# ldapcompare -x -H ldaps://ldap-03.ldap.cpp.edu/ uid=unxadmin,ou=group,dc=cpp,dc=edu member:uid=henson,ou=user,dc=cpp,dc=edu
FALSE

ldapsearch confirms that attribute exists for that group in both locations:

# ldapsearch -x -H ldaps://ldap-01.ldap.cpp.edu/ member=uid=henson,ou=user,dc=cpp,dc=edu dn | grep unxadmin
# unxadmin, group, cpp.edu
dn: uid=unxadmin,ou=group,dc=cpp,dc=edu

# ldapsearch -x -H ldaps://ldap-03.ldap.cpp.edu/ member=uid=henson,ou=user,dc=cpp,dc=edu dn | grep unxadmin
# unxadmin, group, cpp.edu
dn: uid=unxadmin,ou=group,dc=cpp,dc=edu

Help :)? Thanks much…
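An added example, not part of the post above: a small parser that reads slapd "CMP" / "RESULT" log pairs like the ones quoted and reports each compare as compareTrue or compareFalse, which is the distinction behind "err=6 is good and err=5 is not". The mapping of resultCode values comes from RFC 4511 (5 = compareFalse, 6 = compareTrue, and tag=111 is the BER tag of a compareResponse). The sample lines are constructed to match the format shown in the post; the function names are mine. A compare whose RESULT never arrives (for example because the connection was lost first) is kept in the output with result "pending" rather than dropped, so a log that ends mid-request is still accounted for.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# resultCode values that an LDAP compare (or the preceding bind) can return,
# taken from RFC 4511 section 4.1.9. Anything else is reported numerically.
RESULT_CODES = {
    0: "success",
    5: "compareFalse",
    6: "compareTrue",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

# slapd "stats" log format: the CMP line carries the target DN and attribute,
# the matching RESULT line (same conn= and op=) carries the outcome.
CMP_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) CMP dn="(?P<dn>[^"]*)" attr="(?P<attr>[^"]*)"'
)
RESULT_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)'
)


@dataclass
class CompareOutcome:
    conn: int
    op: int
    dn: str
    attr: str
    err: Optional[int]   # None until the RESULT line is seen
    result: str          # symbolic resultCode, or "pending"

    @property
    def matched(self) -> Optional[bool]:
        """True for compareTrue, False for compareFalse, None for anything else."""
        if self.err == 6:
            return True
        if self.err == 5:
            return False
        return None


def parse_compare_outcomes(lines: Iterable[str]) -> List[CompareOutcome]:
    """Pair every CMP line with its RESULT line by (conn, op) and decode err=."""
    pending = {}            # (conn, op) -> CompareOutcome still waiting for RESULT
    outcomes: List[CompareOutcome] = []
    for line in lines:
        m = CMP_RE.search(line)
        if m:
            key = (int(m["conn"]), int(m["op"]))
            pending[key] = CompareOutcome(key[0], key[1], m["dn"], m["attr"], None, "pending")
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (int(m["conn"]), int(m["op"]))
            cmp_op = pending.pop(key, None)
            if cmp_op is None:
                continue        # RESULT for a BIND/SRCH/etc., not a compare we tracked
            err = int(m["err"])
            cmp_op.err = err
            cmp_op.result = RESULT_CODES.get(err, f"err={err}")
            outcomes.append(cmp_op)
    # Compares that never received a RESULT (e.g. "closed (connection lost)").
    outcomes.extend(pending.values())
    return outcomes


# Constructed sample, copied in shape from the three slapd excerpts in the post.
SAMPLE_LOG = """\
Nov 10 15:03:52 ldap-03 slapd[1197]: conn=208924 op=4 CMP dn="uid=unxadmin,ou=group,dc=cpp,dc=edu" attr="member"
Nov 10 15:03:52 ldap-03 slapd[1197]: conn=208924 op=4 RESULT tag=111 err=5 qtime=0.000011 etime=0.000139 text=
Nov 10 15:07:52 ldap-01 slapd[1233]: conn=224154 op=4 CMP dn="uid=unxadmin,ou=group,dc=cpp,dc=edu" attr="member"
Nov 10 15:07:52 ldap-01 slapd[1233]: conn=224154 op=4 RESULT tag=111 err=6 text=
Nov 10 15:08:42 ldap-01 slapd[1233]: conn=224154 fd=138 closed (connection lost)
Nov 10 15:24:54 ldap-03 slapd[1197]: conn=210708 op=4 CMP dn="uid=unxadmin,ou=group,dc=cpp,dc=edu" attr="memberUid"
Nov 10 15:24:54 ldap-03 slapd[1197]: conn=210708 op=4 RESULT tag=111 err=6 qtime=0.000016 etime=0.000108 text=
Nov 10 15:30:00 ldap-03 slapd[1197]: conn=210800 op=2 CMP dn="uid=unxadmin,ou=group,dc=cpp,dc=edu" attr="member"
"""

if __name__ == "__main__":
    for o in parse_compare_outcomes(SAMPLE_LOG.splitlines()):
        print(f"conn={o.conn} op={o.op} {o.attr}: {o.result} matched={o.matched}")
```

Run against a real slapd log (loglevel stats), this turns the raw err= numbers into the compareTrue/compareFalse verdict that mod_authnz_ldap acts on, and makes it easy to diff the two servers' answers to the same compare side by side.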