This fixes https://github.com/nginxinc/nginx-ldap-auth/issues/55.
It was possible to perform successful bind with unknown user with recent
versions of python-ldap, in case when LDAP server returned continuation
object and allowed anonymous bind.
When a nginx-ldap-auth-daemon.py is executed from console, its output
is set to /dev/stdout by default. Otherwise, value of a 'LOG' variable is
used, exported by wrapper script.
Hi,
I faced some problems with 401 message and an Android client.
It yelded because in the WWW-Authenticate header the
Basic ream=<ctx>
wasn't surrouned by ""
In the https://tools.ietf.org/html/rfc7235 it is written that
- Authentication parameters are name=value pairs
- and "auth-param = token BWS "=" BWS ( token / quoted-string )"
- and "For historical reasons, a sender MUST only generate the quoted-string
syntax. Recipients might have to support both token and
quoted-string syntax for maximum interoperability with existing
clients that have been accepting both notations for a long time."
After my modification, the Android worked again (and iOs and PC clients faicing the 401 still worked ;) )
BR,
Arfy
Cf https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html ,
401 is for: auth failed... please retry ;)
-----------
10.4.2 401 Unauthorized
The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity might include relevant diagnostic information. HTTP access authentication is explained in "HTTP Authentication: Basic and Digest Access Authentication" [43].
403 is for: more or less auth shouldn't be repeated
-----------
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.
Regards,
Pascal
This allows to use anonymous bind, if binddn is not provided. Previous
default setting lead to use of unauthenticated bind, which is usually
disabled in LDAP server configurations.
Timo Stark
Robert Szulist
Vladimir Homutov
Christian Nicolai
Rick Hansen
ArfyFR
Igor Ippolitov
Michał 'rysiek' Woźniak