[pkg-lighttpd] Bug#419661: lighttpd: first HTTP authentication against LDAP fails: Bad search filter

Peter Colberg peterco at gmx.net
Tue Apr 17 09:07:32 UTC 2007


Package: lighttpd
Version: 1.4.15-1
Severity: normal
Tags: patch upstream

Now that the newest upstream version has been packaged for Debian, I
would like to point out a bug with LDAP authentication which has since
been ignored upstream[1] (in analogy to the other LDAP bug already
fixed in Debian).

With "ldap" as auth.backend, HTTP authentication fails the first time
after lighttpd has been started; however, subsequent authentication
requests succeed.

Authenticating as user "foo" with request URI "/bar/" gives the
following error:

 2007-03-27 22:01:40: (log.c.75) server started 
 2007-03-27 22:01:49: (http_auth.c.752) ldap: Bad search filter filter: foo 
 2007-03-27 22:01:49: (http_auth.c.861) password doesn't match for /bar/ foo 

This bug is caused by the LDAP result filter (i.e. ldap_filter_pre
and ldap_filter_post) not yet having been initialized when the first
LDAP search is performed.

To work around this problem, I copied the build filter code in
http_auth.c to additionally execute before the second ldap_search_s
call, so ldap_filter_pre and ldap_filter_post are properly initialized
by auth_ldap_init beforehand.

I have included this patch below; it applies after 03_ldap_leak_bugfix.dpatch.

Regards,
Peter

[1] http://trac.lighttpd.net/trac/ticket/1096
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 04_ldap_build_filter_fix.dpatch
Type: application/x-shellscript
Size: 1141 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-lighttpd-maintainers/attachments/20070417/d1d0a4ee/04_ldap_build_filter_fix.bin
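
A simplified model of the initialization-order problem described in the report, added here as an example; it is not part of the original message and is not lighttpd source or the attached patch. It assumes the configured filter is a template such as "(uid=$)" that an init step splits at `$` into ldap_filter_pre and ldap_filter_post; the struct, the `initialized` flag and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not lighttpd source. Field names follow the report. */
struct ldap_conf {
    const char *filter_tmpl;   /* assumed template, e.g. "(uid=$)" */
    char pre[64], post[64];    /* ldap_filter_pre / ldap_filter_post */
    int  initialized;          /* hypothetical flag set by the init step */
};

/* Stand-in for the init step: split the template at '$'. */
static int model_ldap_init(struct ldap_conf *c) {
    const char *d = strchr(c->filter_tmpl, '$');
    size_t n;
    if (d == NULL) return -1;                 /* no placeholder: reject */
    n = (size_t)(d - c->filter_tmpl);
    if (n >= sizeof c->pre || strlen(d + 1) >= sizeof c->post) return -1;
    memcpy(c->pre, c->filter_tmpl, n);
    c->pre[n] = '\0';
    strcpy(c->post, d + 1);
    c->initialized = 1;
    return 0;
}

/* Behaviour described in the report: the filter is built from whatever
 * pre/post currently hold, even if the init step has not run yet. */
static int build_filter_unchecked(const struct ldap_conf *c, const char *user,
                                  char *out, size_t len) {
    int n = snprintf(out, len, "%s%s%s", c->pre, user, c->post);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Ordering guard: make sure the split has happened before building. */
static int build_filter_checked(struct ldap_conf *c, const char *user,
                                char *out, size_t len) {
    if (!c->initialized && model_ldap_init(c) != 0) return -1;
    return build_filter_unchecked(c, user, out, len);
}

int main(void) {
    struct ldap_conf c = { "(uid=$)", "", "", 0 };   /* constructed sample */
    char f[160];
    build_filter_unchecked(&c, "foo", f, sizeof f);
    printf("before init: %s\n", f);
    build_filter_checked(&c, "foo", f, sizeof f);
    printf("with init:   %s\n", f);
    return 0;
}
```

In this model the first, unchecked build yields the bare user name as the filter, which is consistent with the "Bad search filter filter: foo" log line above.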

