forums.proftpd.org
Author Topic: authentication problems with mod_ldap v2.8.19 (Read 2453 times)

nvoutsin (Regular User, Posts: 51)
« on: October 06, 2008, 04:00:22 pm »

Hi all,

moving from a working configuration based on proftpd-1.3.1 and mod_ldap v2.8.17 to proftpd-1.3.2rc2 and mod_ldap v2.8.19, I discovered that ldap authentication stopped working.  mod_ldap fails with the error:

mod_ldap/2.8.19: pr_ldap_user_lookup(): couldn't get uid attr for canonical username for uid=nvoutsin,ou=People,dc=xxxxxx,dc=xx

I managed to track down the problem in mod_ldap.c up to the point where handle_ldap_is_auth() calls pr_ldap_user_lookup() with a list of ldap attributes that does not include ldap_attr_uid, which explains why "canon_username" in pr_ldap_user_lookup() cannot be found. Anyway, I suspect that it is somehow related to the removal of the caching code in mod_ldap, but I am not sure. Any ideas?

jwm (Regular User, Posts: 38)
« Reply #1 on: October 06, 2008, 05:38:55 pm »

Your diagnosis seems correct; in the past, the cached struct passwd would have been returned immediately, with the generated home directory in it. The attached patch should fix this, by explicitly requesting the uid attr when calling pr_ldap_user_lookup() from handle_ldap_is_auth().

Unfortunately, the forum's attachment configuration seems wrong (won't let me upload them), so you can grab the (simple) patch from http://horde.net/~jwm/topicid-3562.patch .

For posterity, this occurred when LDAPGenerateHomedir was enabled and LDAPGenerateHomedirPrefixNoUsername was not enabled.
nvoutsin (Regular User, Posts: 51)
« Reply #2 on: October 06, 2008, 06:18:30 pm »

Thank you for your prompt reply.

Although I haven't tried to compile your patch yet, I have already done what you propose (adding ldap_attr_uid to pass_attrs[]), and proftpd crashed inside a pr_log function that uses pw->pw_shell ...or something like this. Have you checked this?

nvoutsin (Regular User, Posts: 51)
« Reply #3 on: October 20, 2008, 01:41:53 pm »

Just to close this thread: the reported issue could be fixed by placing all possible ldap attributes in *pass_attrs[] of handle_ldap_is_auth() like this:

Code:
handle_ldap_is_auth(cmd_rec *cmd)
{
  const char *username = cmd->argv[0];
  char *pass_attrs[] = {ldap_attr_userpassword, ldap_attr_uid,
                        ldap_attr_uidnumber, ldap_attr_gidnumber,
                        ldap_attr_homedirectory, ldap_attr_loginshell, NULL};
  struct passwd *pw;

In any case, the problem here is that mod_ldap (2.8.19) repeats exactly the same ldap query 4 times during a single FTP command ("PASS"). Are we sure that the removed caching code of mod_ldap isn't really needed?
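As an added example (not code from this thread or from mod_ldap itself), here is a stand-in user lookup in C that shows the defensive check which would have caught the bug discussed above: a caller passing an attribute list that omits attributes the callee later reads (first uid, then loginShell via pw->pw_shell). The lookup refuses to run when the list is incomplete and defaults optional values instead of leaving NULL pointers. The attribute names, the fake directory entry, lookup_user() and struct passwd_min are all constructed for this example.

```c
/* Added example (not mod_ldap's code): a lookup that refuses to run unless
 * the caller's attribute list covers every attribute it will read, and that
 * never leaves struct passwd pointers NULL. All names here are constructed. */
#include <stdio.h>
#include <string.h>

/* Attribute names, mirroring the ldap_attr_* variables named in the thread. */
static const char *ldap_attr_uid = "uid";
static const char *ldap_attr_loginshell = "loginShell";
static const char *ldap_attr_homedirectory = "homeDirectory";

/* Minimal stand-in for the fields of struct passwd used in the thread. */
struct passwd_min { const char *pw_name; const char *pw_dir; const char *pw_shell; };

/* Constructed stand-in for one LDAP entry: it has uid and homeDirectory
 * but no loginShell, the case that crashed in pr_log() in Reply #2. */
struct attr_val { const char *name; const char *val; };
static const struct attr_val fake_entry[] = {
  { "uid", "nvoutsin" }, { "homeDirectory", "/home/nvoutsin" }, { NULL, NULL }
};

/* Return 1 if `name` appears in the caller's NULL-terminated attrs[]. */
static int attr_requested(const char **attrs, const char *name) {
  for (; *attrs; attrs++) if (strcmp(*attrs, name) == 0) return 1;
  return 0;
}

/* Value of `name` from the entry, or NULL if the directory lacks it. */
static const char *entry_get(const char *name) {
  const struct attr_val *e;
  for (e = fake_entry; e->name; e++) if (strcmp(e->name, name) == 0) return e->val;
  return NULL;
}

/* Returns 0 on success, -1 if attrs[] omits an attribute this function reads
 * (the 2.8.19 failure mode) or if the entry has no uid at all. */
int lookup_user(const char **attrs, struct passwd_min *pw) {
  const char *required[] = { ldap_attr_uid, ldap_attr_homedirectory, ldap_attr_loginshell, NULL };
  const char **r;
  for (r = required; *r; r++)
    if (!attr_requested(attrs, *r)) {
      fprintf(stderr, "lookup_user: caller did not request attr %s\n", *r);
      return -1;   /* fail before querying, instead of "couldn't get uid attr" later */
    }
  pw->pw_name = entry_get(ldap_attr_uid);
  if (!pw->pw_name) return -1;
  pw->pw_dir = entry_get(ldap_attr_homedirectory);
  /* loginShell is optional in the directory; default it rather than returning
   * NULL, so later code such as a pr_log() of pw->pw_shell cannot crash. */
  pw->pw_shell = entry_get(ldap_attr_loginshell);
  if (!pw->pw_shell) pw->pw_shell = "/bin/false";
  return 0;
}
```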