"satisfy any;" does not work with "allow/deny" and "auth_ldap" #7

Closed
jasonwbarnett opened this Issue Feb 7, 2013 · 4 comments


I've attempted to document the problem as best I can and I've provided debugging logs for ALL scenarios. I would try to fix this myself, although I don't know C. I spent several hours looking through the code and found myself lost...

I ran through the following scenarios to help you track down the issue.

  1. JUST Basic Auth (WORKS)
  2. JUST LDAP Auth (WORKS)
  3. Basic Auth, Access (IP Auth) (Client IP does NOT match), and satisfy any (WORKS)
  4. LDAP Auth, Access (IP Auth) (Client IP does NOT match), and satisfy any (does NOT work)

All four scenarios work, except 4. In scenario 4 with a client whose IP does not match, the browser does not even prompt the end user for a username and password like it does in scenario 3.

Nginx Config for scenario 4: https://gist.github.com/jasonwbarnett/4727443

  1. Debug Log: https://gist.github.com/jasonwbarnett/4727534
  2. Debug Log: https://gist.github.com/jasonwbarnett/4727452
  3. Debug Log: https://gist.github.com/jasonwbarnett/4727480
  4. Debug Log: https://gist.github.com/jasonwbarnett/4727481

I was able to resolve this issue with what I consider a "hack".

If you need to use 4. above, then you simply need to also include Auth Basic with an empty password file AND the "auth_basic" and "auth_ldap" directives MUST be equal to one another.

Example config:

    ## CORE:
    satisfy any;

    ## LDAP MODULE
    auth_ldap "MUST BE EQUAL";
    auth_ldap_require valid_user;
    auth_ldap_satisfy any;

    ## AUTH BASIC MODULE
    auth_basic "MUST BE EQUAL";
    auth_basic_user_file /etc/nginx/emptyFile;

    ## IP MODULE
    allow 8.8.8.8/32;
    allow 10.10.10.10/32;
    allow 10.10.20.42/32;
    deny all;

tdm4 commented Mar 3, 2014

This works for me, however I get numerous errors in nginx:

2014/03/03 16:45:52 [error] 17168#0: *67 http_auth_ldap: Authentication timed out, client: 10.xxx.xxx.xxx, server: example.com, request: "GET /tracks/getdata HTTP/1.1", host: "example.com", referrer: "https://example.com.com/"

There has to be a cleaner way to do this.

I attempted to deep dive into the code and it looks like this is the only way to do it... It's probably possible, but you would most likely need to patch the core NGINX code which doesn't sound like a good idea. I wish there was a simpler way, but I really don't think there is.

landryb commented Jun 13, 2014

I would add to this that it also fails for me in case the client IP matches the allow block.

i.e.

    satisfy any;
    auth_ldap_servers myserv;
    allow 10.0.0.0/24;
    deny all;

If I come from an IP in the allow block, I get the 401 prompt, while I shouldn't since satisfy any is in use. This is a huge blocker for me to use auth-ldap, since I can "easily" do the same thing with lighttpd and apache2.... Adding to this that one can't seem to use allow in a potential referer check if block....
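As an added example (not nginx or nginx-auth-ldap code), here is a C model of nginx's satisfy logic as I read ngx_http_core_access_phase, run over the reporter's four scenarios and landryb's allow-matching case. It assumes the LDAP module behaves like auth_basic (401 plus a challenge when no credentials arrive) and that the access handler runs before the auth handler; all names are mine.

```c
/* Added example (not nginx or nginx-auth-ldap code): a model of nginx's
 * access-phase "satisfy" logic as I read ngx_http_core_access_phase, used to
 * state the outcome each configuration in this thread should produce. The LDAP
 * module is assumed to behave like auth_basic (401 plus a challenge when no
 * credentials arrive); handlers are assumed to run access first, then auth.
 * All names are hypothetical. */
#include <stdint.h>

enum { RC_OK = 0, RC_DECLINED = -5, RC_FORBIDDEN = 403, RC_UNAUTHORIZED = 401 };
enum { SATISFY_ALL = 0, SATISFY_ANY = 1 };

/* "allow <net>/<bits>; deny all;" on IPv4 addresses given as host-order integers */
static int access_handler(uint32_t allow_net, int bits, uint32_t client) {
    uint32_t mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
    return ((client & mask) == (allow_net & mask)) ? RC_OK : RC_FORBIDDEN;
}

/* auth_basic / auth_ldap: 401 with WWW-Authenticate unless valid credentials arrived */
static int auth_handler(int has_valid_credentials) {
    return has_valid_credentials ? RC_OK : RC_UNAUTHORIZED;
}

/* Combine handler results in order; returns the final HTTP status (200 = allowed).
 * satisfy all: the first denial ends the request.
 * satisfy any: the first OK clears earlier denials and skips the rest; if every
 * handler denies, 401 wins over 403 so the browser still gets a login prompt. */
static int access_phase(const int *rcs, int n, int satisfy) {
    int access_code = 0;
    for (int i = 0; i < n; i++) {
        int rc = rcs[i];
        if (rc == RC_DECLINED) continue;
        if (satisfy == SATISFY_ALL) { if (rc == RC_OK) continue; return rc; }
        if (rc == RC_OK) return 200;
        if (rc == RC_FORBIDDEN || rc == RC_UNAUTHORIZED)
            if (access_code != RC_UNAUTHORIZED) access_code = rc;
    }
    return access_code ? access_code : 200;
}

/* Scenarios 3/4: allow 8.8.8.8/32; deny all; client 10.10.10.10 sends no credentials */
static int scenario_ip_mismatch_no_creds(int satisfy) {
    int rcs[2] = { access_handler(0x08080808u, 32, 0x0A0A0A0Au), auth_handler(0) };
    return access_phase(rcs, 2, satisfy);   /* satisfy any: 401, prompt expected */
}

/* landryb's case: allow 10.0.0.0/24; deny all; client 10.0.0.7 sends no credentials */
static int scenario_ip_match_no_creds(int satisfy) {
    int rcs[2] = { access_handler(0x0A000000u, 24, 0x0A000007u), auth_handler(0) };
    return access_phase(rcs, 2, satisfy);   /* satisfy any: 200, no prompt expected */
}
```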

@eramoto eramoto added a commit to eramoto/nginx-auth-ldap that referenced this issue Jul 28, 2016

eramoto: Not insert the same request at ngx_http_auth_ldap_get_connection()
When inserting the same request to waiting_requests queue twice, the queue will be broken.
In addition, the following segmentation fault occurs at the second ngx_http_auth_ldap_return_connection()
if the nginx binary was compiled with --with-debug.

By this fix, ngx_http_auth_ldap_get_connection() will not insert the same request.

  * debug messages at the moment nginx dumped core

    ====
    2016/07/26 13:19:09 [debug] 4299#0: *2 http_auth_ldap: Authentication loop (phase=0, iteration=0)
    2016/07/26 13:19:09 [debug] 4299#0: *2 event timer add: 3: 10000:1469506759827
    2016/07/26 13:19:09 [debug] 4299#0: *2 http_auth_ldap: request_timeout=10000
    2016/07/26 13:19:09 [debug] 4299#0: *2 http_auth_ldap: Authentication loop (phase=1, iteration=0)
    2016/07/26 13:19:09 [debug] 4299#0: *2 http_auth_ldap: Wants a free connection to "test_ldap"
    2016/07/26 13:19:09 [debug] 4299#0: *2 http_auth_ldap: No connection available at the moment, waiting...
    2016/07/26 13:19:09 [debug] 4299#0: *2 http run request: "/portal/Image?"
    2016/07/26 13:19:09 [debug] 4299#0: *2 access phase: 6
    2016/07/26 13:19:09 [debug] 4299#0: *2 http_auth_ldap: Authentication loop (phase=1, iteration=0)
    2016/07/26 13:19:09 [debug] 4299#0: *2 http_auth_ldap: Wants a free connection to "test_ldap"
    2016/07/26 13:19:09 [debug] 4299#0: *2 http_auth_ldap: No connection available at the moment, waiting...
    <snip>
    2016/07/26 13:19:09 [debug] 4299#0: *5 http_auth_ldap: Authentication loop (phase=6, iteration=1)
    2016/07/26 13:19:09 [debug] 4299#0: *5 event timer del: 12: 1469506759826
    2016/07/26 13:19:09 [debug] 4299#0: http_auth_ldap: Marking the connection to "test_ldap" as free
    <snip>
    2016/07/26 13:19:09 [debug] 4299#0: *2 http_auth_ldap: Authentication loop (phase=6, iteration=1)
    2016/07/26 13:19:09 [debug] 4299#0: *2 event timer del: 3: 1469506759827
    2016/07/26 13:19:09 [debug] 4299#0: http_auth_ldap: Marking the connection to "test_ldap" as free
    2016/07/26 13:19:09 [notice] 4298#0: signal 17 (SIGCHLD) received
    2016/07/26 13:19:09 [alert] 4298#0: worker process 4299 exited on signal 11 (core dumped)
    ====

  * backtrace

    ====
    Program terminated with signal SIGSEGV, Segmentation fault.
    #0  0x0000000000491b73 in ngx_http_auth_ldap_return_connection (c=0x26a84e8) at /tmp/test/nginx-1.11.2/../nginx-auth-ldap/ngx_http_auth_ldap_module.c:1117
    1117                ngx_queue_remove(q);
    (gdb) bt
    #0  0x0000000000491b73 in ngx_http_auth_ldap_return_connection (c=0x26a84e8) at /tmp/test/nginx-1.11.2/../nginx-auth-ldap/ngx_http_auth_ldap_module.c:1117
    #1  0x000000000049496a in ngx_http_auth_ldap_authenticate (conf=<optimized out>, ctx=0x26e4698, r=0x26e35a0)
        at /tmp/test/nginx-1.11.2/../nginx-auth-ldap/ngx_http_auth_ldap_module.c:1902
    #2  ngx_http_auth_ldap_handler (r=0x26e35a0) at /tmp/test/nginx-1.11.2/../nginx-auth-ldap/ngx_http_auth_ldap_module.c:1717
    #3  0x0000000000446c38 in ngx_http_core_access_phase (r=<optimized out>, ph=0x26a7f48) at src/http/ngx_http_core_module.c:1071
    #4  0x00000000004428a3 in ngx_http_core_run_phases (r=r@entry=0x26e35a0) at src/http/ngx_http_core_module.c:845
    #5  0x0000000000491ab7 in ngx_http_auth_ldap_wake_request (r=0x26e35a0) at /tmp/test/nginx-1.11.2/../nginx-auth-ldap/ngx_http_auth_ldap_module.c:1063
    #6  0x0000000000491c44 in ngx_http_auth_ldap_reply_connection (c=c@entry=0x26a84e8, error_code=0, error_msg=<optimized out>)
        at /tmp/test/nginx-1.11.2/../nginx-auth-ldap/ngx_http_auth_ldap_module.c:1141
    #7  0x00000000004956b8 in ngx_http_auth_ldap_read_handler (rev=0x265d500) at /tmp/test/nginx-1.11.2/../nginx-auth-ldap/ngx_http_auth_ldap_module.c:1486
    #8  0x00000000004384fe in ngx_epoll_process_events (cycle=0x26594e0, timer=<optimized out>, flags=<optimized out>) at src/event/modules/ngx_epoll_module.c:900
    #9  0x000000000042ea85 in ngx_process_events_and_timers (cycle=cycle@entry=0x26594e0) at src/event/ngx_event.c:242
    #10 0x0000000000435fe0 in ngx_worker_process_cycle (cycle=0x26594e0, data=<optimized out>) at src/os/unix/ngx_process_cycle.c:753
    #11 0x0000000000434942 in ngx_spawn_process (cycle=cycle@entry=0x26594e0, proc=proc@entry=0x435f3d <ngx_worker_process_cycle>, data=data@entry=0x0,
        name=name@entry=0x49abb7 "worker process", respawn=respawn@entry=-3) at src/os/unix/ngx_process.c:198
    #12 0x000000000043613d in ngx_start_worker_processes (cycle=cycle@entry=0x26594e0, n=1, type=type@entry=-3) at src/os/unix/ngx_process_cycle.c:358
    #13 0x0000000000436bd6 in ngx_master_process_cycle (cycle=cycle@entry=0x26594e0) at src/os/unix/ngx_process_cycle.c:130
    #14 0x000000000041168b in main (argc=<optimized out>, argv=<optimized out>) at src/core/nginx.c:367
    ====
0e919ab
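As an added example (not the module's code), a minimal ngx_queue-style intrusive list that reproduces the failure the commit message describes, the same waiting request inserted twice, and the "already queued" guard that prevents it; all names are hypothetical.

```c
/* Added example (not nginx or nginx-auth-ldap code): a minimal intrusive
 * doubly linked queue in the style of ngx_queue_t, showing why inserting the
 * same waiting request twice breaks the list and the "already queued" guard
 * the commit message describes. All names are hypothetical. */
#include <stddef.h>
typedef struct node { struct node *prev, *next; } node_t;   /* one waiting request */

static void queue_init(node_t *h) { h->prev = h; h->next = h; }
static void insert_tail(node_t *h, node_t *x) {
    x->prev = h->prev; x->prev->next = x; x->next = h; h->prev = x;
}
static void queue_remove(node_t *x) {
    x->next->prev = x->prev; x->prev->next = x->next;
    x->prev = x->next = NULL;                /* mark as no longer queued */
}
static int is_queued(const node_t *x) { return x->next != NULL; }

/* Members reachable from the head; -1 if links disagree or the walk never returns */
static int count_consistent(const node_t *h) {
    int n = 0;
    for (const node_t *q = h->next; q != h; q = q->next) {
        if (q->next->prev != q || q->prev->next != q) return -1;
        if (++n > 1000) return -1;           /* cycle that bypasses the head */
    }
    return n;
}

/* Buggy path: r1 is queued a second time while r2 is also waiting */
static int demo_double_insert(void) {
    node_t head, r1 = {0}, r2 = {0};
    queue_init(&head);
    insert_tail(&head, &r1); insert_tail(&head, &r2);
    insert_tail(&head, &r1);                 /* second insert of the same request */
    return count_consistent(&head);          /* 1: r2 is no longer reachable */
}

/* Same, then r2 is dequeued (like the second return_connection() in the report) */
static int demo_double_insert_then_remove(void) {
    node_t head, r1 = {0}, r2 = {0};
    queue_init(&head);
    insert_tail(&head, &r1); insert_tail(&head, &r2); insert_tail(&head, &r1);
    queue_remove(&r2);                       /* rewires r1 to point at itself */
    return count_consistent(&head);          /* -1: the walk never gets back to head */
}

/* Fixed path: only insert a request that is not already waiting */
static int demo_guarded_insert(void) {
    node_t head, r1 = {0}, r2 = {0};
    queue_init(&head);
    insert_tail(&head, &r1); insert_tail(&head, &r2);
    if (!is_queued(&r1)) insert_tail(&head, &r1);
    return count_consistent(&head);          /* 2 */
}
```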