Package: apache2-common
Version: 2.0.49-1
Severity: normal

I have been attempting to diagnose a difficult-to-reproduce bug within mod_auth_ldap. It appears to search for the requested user using the specified AuthLDAPBindDN only during the first request; at all other times it uses the DN of the most recently successful authentication. This does not work if the previously authenticated user does not have the authority to search for the new user to access the server.

I also appear to have an issue when a bad password is entered for a user on a web page. The failure is recorded as a "bad password" error in the apache2 log (as expected), but all future requests fail with "no such user" until the web session is closed and re-opened.

I have found a fairly comprehensive description of this bug that applies to a different auth_ldap module for Apache 1.3; the symptoms I am exhibiting are very similar. I was unable to determine how to apply the specified patch to my apache2 installation.

http://www.suares.com/auth_ldap

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.7
Locale: LANG=C, LC_CTYPE=C

Versions of packages apache2-common depends on:
ii  debconf       1.4.28        Debian configuration management sy
ii  debianutils   2.8.2         Miscellaneous utilities specific t
ii  libapr0       2.0.49-1      The Apache Portable Runtime
ii  libc6         2.3.2.ds1-13  GNU C Library: Shared libraries an
ii  libdb4.2      4.2.52-16     Berkeley v4.2 Database Libraries [
ii  libexpat1     1.95.6-8      XML parsing C library - runtime li
ii  libldap2      2.1.23-1      OpenLDAP libraries
ii  libmagic1     4.09-1        File type determination library us
ii  libssl0.9.7   0.9.7d-3      SSL shared libraries
ii  mime-support  3.26-1        MIME files 'mime.types' & 'mailcap
ii  net-tools     1.60-10       The NET-3 networking toolkit
ii  openssl       0.9.7d-3      Secure Socket Layer (SSL) binary a
ii  ssl-cert      1.0-7         Simple debconf wrapper for openssl
ii  zlib1g        1:1.2.1.1-3   compression library - runtime

-- no debconf information
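
A toy model of the two symptoms described in the report above, added here as an example; it is not mod_auth_ldap code and not from the reporter. It compares a cached connection that binds as the service DN only on first use with one that rebinds before every search. The DNs, passwords, the search ACL and all function names are constructed assumptions.

```python
"""Toy model of one cached LDAP connection (constructed; not mod_auth_ldap code)."""

SERVICE_DN = "cn=apache,dc=example,dc=org"   # stands in for AuthLDAPBindDN
PASSWORDS = {                                 # constructed directory contents
    SERVICE_DN: "svc-pw",
    "uid=alice,dc=example,dc=org": "alice-pw",
    "uid=bob,dc=example,dc=org": "bob-pw",
}


class Conn:
    """Connection state: the DN it is bound as, or None for anonymous."""

    def __init__(self):
        self.bound_as = None
        self.fresh = True

    def bind(self, dn, password):
        ok = PASSWORDS.get(dn) == password
        self.bound_as = dn if ok else None    # a failed bind leaves it anonymous
        return ok

    def search(self, uid):
        # Assumed ACL: only the service DN is allowed to search for users.
        if self.bound_as != SERVICE_DN:
            return None
        dn = f"uid={uid},dc=example,dc=org"
        return dn if dn in PASSWORDS else None


def authenticate(conn, uid, password, rebind_each_request):
    """Search for the user, then bind as that user to check the password."""
    if rebind_each_request or conn.fresh:
        conn.bind(SERVICE_DN, PASSWORDS[SERVICE_DN])
        conn.fresh = False
    dn = conn.search(uid)                     # runs as whoever is bound now
    if dn is None:
        return "no such user"
    return "ok" if conn.bind(dn, password) else "bad password"


def run(requests, rebind_each_request):
    """Replay (uid, password) requests over one cached connection."""
    conn = Conn()
    return [authenticate(conn, u, p, rebind_each_request) for u, p in requests]


if __name__ == "__main__":
    seq = [("alice", "wrong"), ("alice", "alice-pw"), ("bob", "bob-pw")]
    print(run(seq, False), run(seq, True))
```

In the model, a new `Conn` corresponds to closing and re-opening the web session.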