
Bug#758513: fails to authenticate if multiple LDAP results match, misleading error message

On 05/10/14 18:56, Stefan Fritsch wrote:
> On Sunday 05 October 2014 12:04:12, Daniel Pocock wrote:
>> The bug report is not for the behavior (I agree it makes sense to
>> deny the login), it is a problem with the error message.
>>
>> The error message says "user daniel not found" - but for this
>> particular case, the error should be something like "multiple
>> entries in the directory match the filter for digest username
>> daniel"
> 
> Assuming that this concerns apache2 2.4.x: That message comes from 
> mod_auth_basic. There is no API that mod_authnz_ldap could use to pass 
> a different error message to mod_auth_basic. mod_authnz_ldap should 
> however log a more detailed message at level debug. (Try "Loglevel 
> authnz_ldap:debug") Did that not work, did you not try that, or would 
> you argue that the message should be at a different log level?
> 

I hadn't tried debug logging.

I feel that more detail should be available at the level of the error
itself.  If that really is impossible, then "user X not found" could
become "error finding user X, enable debug for more detail".  "not
found" is misleading.

In my case, this was a system that had been working fine for a long time
and then somebody made a subtle change to the LDAP structure and the
message "user daniel not found" didn't help me locate the root cause of
the problem as quickly as I would have liked.
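
An added example (not code from this thread or from Apache httpd) of the distinction the message hides: it composes the search filter the way mod_authnz_ldap builds it from AuthLDAPURL (the URL's own filter ANDed with attribute=username, with RFC 4515 escaping of the username), evaluates it against a constructed directory and reports zero, one or several matches. The URL, entries and usernames are constructed; base DN and scope are assumed already applied to the entries.

```python
import re

def escape_filter_value(value):
    """RFC 4515 escaping for a user-supplied value placed into a filter."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)

def effective_filter(auth_ldap_url, username):
    """Compose the search filter as mod_authnz_ldap does from AuthLDAPURL
    (ldap://host/basedn?attribute?scope?filter):
    (&<url filter>(<attribute>=<escaped username>))."""
    query = (auth_ldap_url.partition('?')[2].split('?') + ['', '', ''])[:3]
    attribute = query[0] or 'uid'
    base_filter = query[2] or '(objectClass=*)'
    return '(&%s(%s=%s))' % (base_filter, attribute, escape_filter_value(username))

def _parse(s, i):
    """Tiny filter parser: &, |, ! and equality/presence assertions only."""
    i += 1                                    # skip '('
    if s[i] in '&|!':
        op, kids, i = s[i], [], i + 1
        while s[i] == '(':
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1              # skip ')'
    j = s.index(')', i)
    attr, _, val = s[i:j].partition('=')
    present = val == '*'                      # a literal star arrives escaped as \2a
    val = re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), val)
    return ('=', attr.lower(), present, val.lower()), j + 1

def _matches(node, entry):
    if node[0] == '&': return all(_matches(k, entry) for k in node[1])
    if node[0] == '|': return any(_matches(k, entry) for k in node[1])
    if node[0] == '!': return not _matches(node[1][0], entry)
    values = [v.lower() for v in entry.get(node[1], [])]   # caseIgnore, like uid
    return bool(values) if node[2] else node[3] in values

def diagnose(entries, auth_ldap_url, username):
    """Return (status, message) with status 'ok', 'not_found' or 'ambiguous'.
    entries: {dn: {attribute: [values]}} with lower-case attribute names."""
    filt = effective_filter(auth_ldap_url, username)
    tree, _ = _parse(filt, 0)
    hits = [dn for dn, attrs in entries.items() if _matches(tree, attrs)]
    if len(hits) == 1:
        return 'ok', 'user %s is %s' % (username, hits[0])
    if not hits:
        return 'not_found', 'user %s not found with filter %s' % (username, filt)
    return 'ambiguous', 'multiple entries match filter %s for user %s: %s' % (
        filt, username, ', '.join(hits))

# Constructed directory: two entries share uid=daniel after a structural change.
URL = 'ldap://ldap.example.org/dc=example,dc=org?uid?sub?(objectClass=person)'
DIRECTORY = {
    'uid=daniel,ou=People,dc=example,dc=org': {'objectclass': ['person'], 'uid': ['daniel']},
    'uid=daniel,ou=Contractors,dc=example,dc=org': {'objectclass': ['person'], 'uid': ['daniel']},
    'uid=stefan,ou=People,dc=example,dc=org': {'objectclass': ['person'], 'uid': ['stefan']},
}
```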

