https://bz.apache.org/bugzilla/show_bug.cgi?id=65168

Bug ID: 65168
Summary: Authentication with authnz_ldap fails if attribute displayName is different than samAccountName or CN
Product: Apache httpd-2
Version: 2.4.46
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: mod_authnz_ldap
Assignee: bugs@httpd.apache.org
Reporter: a...@dbyt.es
Target Milestone: ---

Created attachment 37755
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37755&action=edit
error.log with authnz_ldap

Hi,

I've configured authentication using the authnz_ldap module and noticed that some users in my AD can log in while others can't.

After some investigating I've managed to reproduce the issue as follows:

* Install AD on Windows Server (confirmed with 2008R2, 2016 & 2019)
* Configure Apache to use LDAP; for the test I used the following in .htaccess:

    AuthName admin
    AuthType basic
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://127.0.0.1/DC=corp,DC=ad?sAMAccountName?sub?(objectClass=*)"
    LDAPReferrals off
    AuthLDAPInitialBindAsUser on
    Require valid-user
    # note you can use "cn" attribute as well in the URL, same result

* Create a new user with displayName different than his samAccountName & CN, e.g.

    CN=samAccountName=dummy
    displayName=dummy1

* Try to log in; it will fail with an Invalid Credential error
* Change dummy's displayName to dummy - do not change the password
* Try to log in; now it will allow you to log in

Note that using AuthLDAPBindDN & AuthLDAPBindPassword seems to work regardless of displayName's value, but this configuration is not secure.

Attached the log details related to the issue.

I used ApacheLounge's latest Windows build v2.4.46.

BTW, I tested the same user/password with PHP's LDAP functionality (see https://php.net/ldap) during my Apache tests and PHP was able to log in using the credentials while Apache HTTP failed with the error.