Auth Combination SSL/LDAP + VHOSTTYPE AuthBasic broken
Concerned version
Version: 2.0.7
Platform: Nginx
Summary
The following auth combination does not work, when using the AuthBasic handler:
[ad and ssl, ad] or [ad, ad]
Logs
lemonldap-auth-combination-failed.log
Backends used
- LemonLDAP-NG server with File Session Storage on sso.corp.example.com
- LemonLDAP-NG handler with REST Session Storage (pointing to sso.corp.example.com) on webmail-sso.intern.example.com
Nginx configuration on webmail-sso.intern.example.com:
server {
    # ...
    location = /lmauth-basic {
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
        # Drop POST data
        fastcgi_pass_request_body off;
        fastcgi_param CONTENT_LENGTH "";
        # Keep original hostname
        fastcgi_param HOST $http_host;
        # Keep original request (LLNG server will receive /lmauth-basic)
        fastcgi_param X_ORIGINAL_URI $request_uri;
        fastcgi_param VHOSTTYPE AuthBasic;
    }
    location ^~ /rpc.php/ {
        auth_request /lmauth-basic;
        auth_request_set $authuser $upstream_http_auth_user;
        fastcgi_param HTTP_LEMONLDAP_USER $authuser;
        auth_request_set $authpw $upstream_http_auth_pw;
        fastcgi_param HTTP_LEMONLDAP_PW $authpw;
        auth_request_set $lmauth_header $upstream_http_auth_header;
        fastcgi_param HTTP_AUTHORIZATION $lmauth_header;
        alias /var/www/horde-sso/rpc.php;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}
Possible fixes
The $req->{user} gets overwritten in NG/Portal/Auth/SSL.pm even if no certificate is present. $req->{user} is then empty when checking in NG/Portal/Auth/LDAP.pm.
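To make the clobbering mechanism concrete, here is a small added Perl mock (not LemonLDAP::NG code) of the `$req->user` getter/setter and the two steps of the `[ad and ssl, ad]` rule over AuthBasic; the names `ssl_extract_*`, `ldap_auth`, `run_ad_and_ssl` and the variable `SSL_CLIENT_S_DN_CN` are assumptions made for this illustration.

```perl
#!/usr/bin/env perl
# Added illustration, not LemonLDAP::NG code. All names are invented.
use strict;
use warnings;

# Mock of $req: user() is a combined getter/setter, so calling it with
# an argument always overwrites the stored value, even with undef.
package MockReq;
sub new  { my ($c, %a) = @_; return bless { env => $a{env}, user => $a{user} }, $c }
sub env  { $_[0]{env} }
sub user { my $s = shift; $s->{user} = shift if @_; return $s->{user} }

package main;

# SSL step as before the patch: the setter runs even when the
# certificate variable is absent, so $req->user becomes undef.
sub ssl_extract_original {
    my ($req, $field) = @_;
    return 'PE_OK' if $req->user( $req->env->{$field} );
    return 'PE_BADCERTIFICATE';
}

# SSL step with the guard: $req->user is only touched when the variable is set.
sub ssl_extract_patched {
    my ($req, $field) = @_;
    return 'PE_OK' if $req->env->{$field} and $req->user( $req->env->{$field} );
    return 'PE_BADCERTIFICATE';
}

# Mock LDAP (ad) check: it can only look up a non-empty user name.
sub ldap_auth {
    my ($req) = @_;
    return ( defined $req->user && length $req->user ) ? 'PE_OK' : 'PE_BADCREDENTIALS';
}

# "ad and ssl" as the report describes it: the request already carries the
# user taken from the Basic credentials, the SSL step runs, then LDAP reads
# $req->user. Returns what each step saw.
sub run_ad_and_ssl {
    my ($ssl_step, $env) = @_;
    my $req = MockReq->new( env => $env, user => 'jdoe' );   # user from Basic auth
    my $ssl  = $ssl_step->( $req, 'SSL_CLIENT_S_DN_CN' );   # assumed variable name
    my $ldap = ldap_auth($req);
    return { ssl => $ssl, ldap => $ldap, user => $req->user };
}

my $no_cert = {};   # AuthBasic client: no client certificate variables at all
for my $v ( [ original => \&ssl_extract_original ], [ patched => \&ssl_extract_patched ] ) {
    my $r = run_ad_and_ssl( $v->[1], $no_cert );
    printf "%-8s ssl=%-17s ldap=%-17s user=%s\n", $v->[0], $r->{ssl}, $r->{ldap}, $r->{user} // '<undef>';
}
```

With the original step the LDAP check sees an undefined user and fails; with the guard the user from Basic auth survives the SSL step.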
A quick, not thoroughly tested fix could be:
--- /usr/share/perl5/Lemonldap/NG/Portal/Auth/SSL.pm 2020-04-09 11:43:57.707126444 +0200
+++ /usr/share/perl5/Lemonldap/NG/Portal/Auth/SSL.pm 2020-04-09 11:44:25.318117340 +0200
@@ -39,7 +39,7 @@
$field = $tmp;
}
- if ( $req->user( $req->env->{$field} ) ) {
+ if ( $req->env->{$field} and $req->user( $req->env->{$field} ) ) {
$self->userLogger->notice( "GoodSSL authentication for " . $req->user );
return PE_OK;
}
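Review bot: the guard on the `+ if ( $req->env->{$field} and $req->user( $req->env->{$field} ) ) {` line keeps $req->user intact when the certificate variable is unset, which matches the described cause, but when the variable is missing execution now continues past the `if` exactly as it does for a bad certificate, and the only log line in this hunk is the success notice, so the portal log will not show that no certificate was presented at all; consider logging the absent `$field` at debug level before falling through, and add a portal test for `[ad and ssl, ad]` over AuthBasic with no client certificate so the regression stays covered. The cause (SSL.pm clearing $req->user before LDAP.pm reads it) should also go into the commit message.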