Package: lighttpd
Version: 1.4.15-1
Severity: normal
Tags: patch upstream

Now that the newest upstream version has been packaged for Debian, I would like to point out a bug with LDAP authentication which has since been ignored upstream[1] (in analogy to the other LDAP bug already fixed in Debian).
With "ldap" as auth.backend, HTTP authentication fails the first time after lighttpd has been started; however, subsequent authentication requests succeed. Authenticating as user "foo" with request URI "/bar/" gives the following error:

    2007-03-27 22:01:40: (log.c.75) server started
    2007-03-27 22:01:49: (http_auth.c.752) ldap: Bad search filter filter: foo
    2007-03-27 22:01:49: (http_auth.c.861) password doesn't match for /bar/ foo

This bug is caused by the LDAP result filter (i.e. ldap_filter_pre and ldap_filter_post) not yet having been initialized when the first LDAP search is performed.

To work around this problem, I copied the build-filter code in http_auth.c to additionally execute before the second ldap_search_s call, so ldap_filter_pre and ldap_filter_post are properly initialized by auth_ldap_init before. I have included this patch below; it applies after 03_ldap_leak_bugfix.dpatch.

Regards,
Peter

[1] http://trac.lighttpd.net/trac/ticket/1096
Attachment: 04_ldap_build_filter_fix.dpatch (application/shellscript)
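The failure in the report is an ordering bug: the two halves of the configured filter template (ldap_filter_pre and ldap_filter_post) are consulted before auth_ldap_init has split the template, so the first search is sent the bare username "foo" as its filter and the server rejects it. The C model below is an added example written for this page, not lighttpd's code. It assumes a template in lighttpd's "(uid=$)" form with "$" standing for the username; the names ldap_auth_cfg, ldap_filter_init, ldap_filter_escape, ldap_build_filter and ldap_auth_filter_for_request are hypothetical. It goes beyond the report in one respect: the username is escaped per RFC 4515 before being spliced into the filter, which the bug report does not discuss but which anyone building LDAP filters from HTTP credentials should do.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the state lighttpd keeps per LDAP auth backend:
 * the filter template split around its '$' placeholder, plus a flag that
 * records whether that split has happened yet. */
typedef struct {
    char *filter_pre;    /* text before '$', e.g. "(uid="  */
    char *filter_post;   /* text after '$',  e.g. ")"      */
    int   initialized;
} ldap_auth_cfg;

/* Split a template such as "(uid=$)" at its first '$'.
 * Returns 0 on success, -1 if there is no placeholder or on allocation failure. */
int ldap_filter_init(ldap_auth_cfg *cfg, const char *tmpl)
{
    const char *dollar = strchr(tmpl, '$');
    if (dollar == NULL) return -1;                 /* template without '$' is unusable */

    size_t pre_len  = (size_t)(dollar - tmpl);
    size_t post_len = strlen(dollar + 1);
    cfg->filter_pre  = malloc(pre_len + 1);
    cfg->filter_post = malloc(post_len + 1);
    if (cfg->filter_pre == NULL || cfg->filter_post == NULL) {
        free(cfg->filter_pre); free(cfg->filter_post);
        cfg->filter_pre = cfg->filter_post = NULL;
        return -1;
    }
    memcpy(cfg->filter_pre, tmpl, pre_len);  cfg->filter_pre[pre_len]  = '\0';
    memcpy(cfg->filter_post, dollar + 1, post_len + 1);   /* includes NUL */
    cfg->initialized = 1;
    return 0;
}

/* RFC 4515 escaping: '*', '(', ')' and '\' become "\XX" so a username can
 * never change the structure of the filter it is spliced into. Caller frees. */
char *ldap_filter_escape(const char *s)
{
    size_t n = strlen(s);
    char *out = malloc(3 * n + 1);                 /* worst case: every byte -> \XX */
    if (out == NULL) return NULL;
    char *p = out;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '*' || c == '(' || c == ')' || c == '\\')
            p += sprintf(p, "\\%02x", c);
        else
            *p++ = (char)c;
    }
    *p = '\0';
    return out;
}

/* Build "<pre><escaped user><post>". Returns NULL when the template has not
 * been split yet: that is the state behind the reported "Bad search filter"
 * error, where the first request produced "foo" instead of "(uid=foo)". */
char *ldap_build_filter(const ldap_auth_cfg *cfg, const char *user)
{
    if (!cfg->initialized) return NULL;
    char *esc = ldap_filter_escape(user);
    if (esc == NULL) return NULL;
    size_t len = strlen(cfg->filter_pre) + strlen(esc) + strlen(cfg->filter_post) + 1;
    char *filter = malloc(len);
    if (filter != NULL)
        snprintf(filter, len, "%s%s%s", cfg->filter_pre, esc, cfg->filter_post);
    free(esc);
    return filter;
}

/* The shape of the workaround: make sure the split has happened before the
 * first search, instead of relying on a later code path to have done it. */
char *ldap_auth_filter_for_request(ldap_auth_cfg *cfg, const char *tmpl, const char *user)
{
    if (!cfg->initialized && ldap_filter_init(cfg, tmpl) != 0) return NULL;
    return ldap_build_filter(cfg, user);
}

int main(void)
{
    ldap_auth_cfg cfg = {0};
    /* First request before initialization: mirrors the reported failure. */
    char *f = ldap_build_filter(&cfg, "foo");
    printf("before init: %s\n", f ? f : "(refused: filter not initialized)");
    free(f);

    /* With the template split first, the same request yields a usable filter. */
    f = ldap_auth_filter_for_request(&cfg, "(uid=$)", "foo");
    printf("after init:  %s\n", f ? f : "(error)");
    free(f);

    /* Constructed hostile username: escaping keeps it inside the uid value. */
    f = ldap_auth_filter_for_request(&cfg, "(uid=$)", "*)(uid=*");
    printf("escaped:     %s\n", f ? f : "(error)");
    free(f);
    free(cfg.filter_pre); free(cfg.filter_post);
    return 0;
}
```

The refusal in ldap_build_filter is the check the report's workaround is really about: an uninitialized template should never reach ldap_search_s as a bare username, whether the caller is the first or the second search. The escaping step is an addition on top of the report; lighttpd's own handling of special characters in usernames is not described on this page.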