
I have been investigating why mod_authnz_ldap/mod_auth_basic are emitting failed authentication messages even when user and password are correct.

I realized that when the URL ends without the file name (i.e. with a trailing slash, /), and mod_dir has to walk through the DirectoryIndex entries, the LDAP authnz module tries to authenticate with every entry until it finds a file that exists. It raises a message of "invalid credentials" for every missing file even if the credentials are valid. Only when the first valid index file is found does it succeed.

The problem with this is that the user may provide invalid credentials once and the consecutive authentication attempts by Apache may lead to the password being locked due to security policies. It has occurred in my tests.

System: Linux SLES 15.5, Apache 2.4.58

URL: https://example.com/this/folder/

Snippet of httpd.conf with a fake entry that I included for testing:

DirectoryIndex fail_here.html index.html index.php home.php

Extract of Apache error log (log level trace2):

[authnz_ldap:info] AH01695: auth_ldap authenticate: user jerry authentication failed; URI /this/folder/fail_here.html [ldap_simple_bind() to check user credentials failed][Invalid credentials]
[auth_basic:error] AH01617: user jerry: authentication failure for "/this/folder/fail_here.html": Password Mismatch
[rewrite:trace1] mod_rewrite.c(493): [perdir /srv/www/htdocs/this/folder/] pass through /srv/www/htdocs/this/folder/index.html

LDAP module config (in .htaccess):

<IfModule mod_authnz_ldap.c>
    AuthType Basic
    AuthName "My System Authentication"
    AuthBasicProvider ldap
    AuthLDAPURL ldap://example.com/DC=example,DC=com?sAMAccountName?sub?(objectClass=person)
    AuthLDAPBindDN USERFORLDAP
    AuthLDAPBindPassword "passwordforldap"
    AuthBasicFake %{REMOTE_USER} **************
    LDAPReferrals Off
    AuthUserFile /dev/null
    Require valid-user
</IfModule>

After it reaches index.html (which exists) the authentication/authorization succeeds.

Is it possible to configure something to bypass authentication until an existent entry of DirectoryIndex is found? Is there a way to reorder the modules' execution to avoid this behavior? (e.g. mod_dir, mod_auth_basic, mod_authnz_ldap)

I tried to include deeper debug levels but they were of no help.

UPDATE: Removing the line AuthBasicFake %{REMOTE_USER} ************** from .htaccess makes access to all DirectoryIndex entries GRANTED, even if the files do not exist. It is an important config for security purposes. I wonder whether there may be a bug here?
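Added example (not part of the question above, and not Apache's or the asker's code): a small Python triage script for the error_log pattern described here. Anyone watching AH01695 failures for lockout risk or brute-force alerting needs to tell a burst of failures caused by mod_dir's DirectoryIndex subrequests apart from a genuine wrong-password attempt. The script parses AH01695 lines in the shape shown in the question's excerpt, merges consecutive failures for the same user and directory into one run, and marks a run as consistent with a DirectoryIndex walk when the failed file names are all DirectoryIndex candidates in the configured order. The DirectoryIndex order is taken from the httpd.conf snippet above; the sample log lines are constructed in the excerpt's format (the "bob" line is an unrelated failure added for contrast).

```python
import re
from os.path import basename, dirname

# Line shape of the mod_authnz_ldap AH01695 message as shown in the question's
# log excerpt. search() is used so that a real error_log's timestamp, pid and
# client prefix in front of "[authnz_ldap:info]" does not matter.
AH01695_RE = re.compile(
    r"\[authnz_ldap:\w+\] AH01695: auth_ldap authenticate: user (?P<user>\S+) "
    r"authentication failed; URI (?P<uri>\S+) \[[^\]]*\]\[(?P<detail>[^\]]*)\]"
)

# DirectoryIndex order from the question's httpd.conf snippet.
DIRECTORY_INDEX = ["fail_here.html", "index.html", "index.php", "home.php"]

# Constructed sample lines in the excerpt's format. The first three mirror the
# question (one failure per DirectoryIndex candidate, AH01617 interleaved); the
# last one is an unrelated failure for another user, added for contrast.
SAMPLE_LOG = [
    "[authnz_ldap:info] AH01695: auth_ldap authenticate: user jerry authentication failed; "
    "URI /this/folder/fail_here.html [ldap_simple_bind() to check user credentials failed][Invalid credentials]",
    '[auth_basic:error] AH01617: user jerry: authentication failure for "/this/folder/fail_here.html": Password Mismatch',
    "[authnz_ldap:info] AH01695: auth_ldap authenticate: user jerry authentication failed; "
    "URI /this/folder/index.html [ldap_simple_bind() to check user credentials failed][Invalid credentials]",
    "[authnz_ldap:info] AH01695: auth_ldap authenticate: user bob authentication failed; "
    "URI /admin/login.php [ldap_simple_bind() to check user credentials failed][Invalid credentials]",
]


def parse_failures(lines):
    """Return (user, uri, detail) for every AH01695 line; all other lines are skipped."""
    found = []
    for line in lines:
        m = AH01695_RE.search(line)
        if m:
            found.append((m.group("user"), m.group("uri"), m.group("detail")))
    return found


def group_failures(failures, directory_index=DIRECTORY_INDEX):
    """Merge consecutive failures for the same user and directory into one run.

    Each run records the failed file names in order. index_walk_consistent is True
    when every failed name is a DirectoryIndex candidate and they occur in the
    configured order, which is the footprint of mod_dir's per-candidate subrequests
    being authenticated again. count is the number of bind attempts the directory
    server saw for that user in the run, i.e. the lockout exposure to compare
    against the account lockout threshold.
    """
    runs = []
    for user, uri, detail in failures:
        directory, name = dirname(uri), basename(uri)
        last = runs[-1] if runs else None
        if last and last["user"] == user and last["directory"] == directory:
            last["files"].append(name)
        else:
            runs.append({"user": user, "directory": directory,
                         "files": [name], "detail": detail})
    for run in runs:
        positions = [directory_index.index(n) for n in run["files"]
                     if n in directory_index]
        run["count"] = len(run["files"])
        # All names known to DirectoryIndex, strictly increasing position.
        run["index_walk_consistent"] = (
            len(positions) == run["count"] and positions == sorted(set(positions))
        )
    return runs


if __name__ == "__main__":
    for run in group_failures(parse_failures(SAMPLE_LOG)):
        tag = "DirectoryIndex walk" if run["index_walk_consistent"] else "other failure"
        print(f'{run["user"]:8} {run["directory"]:14} binds={run["count"]} '
              f'files={run["files"]} -> {tag} ({run["detail"]})')
```

A run of one failure on a name such as index.html is flagged as consistent too, because a single wrong password on an index file looks identical in the log; the flag says the pattern matches, not that the credentials were right. The count field is what to hold against the directory's lockout threshold: with the DirectoryIndex above, a single request for a folder whose first three candidates are missing produces three consecutive binds for the same account.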
