Posted to users@httpd.apache.org by William Paredes <pa...@aecom.yu.edu> on 2006/02/03 18:26:27 UTC

Re: [users@httpd] mod_auth_ldap mod_auth_mysql on OS-X

Greetings!

I've managed to completely isolate the multiple authentication 
"symptoms" I'm having. To recap, I'd like to authenticate users against 
an LDAP server with a fail through to a MySQL server. Realms which 
require only LDAP or only MySQL authentication behave correctly. 
However, a realm which requires authentication against both LDAP 
followed by MySQL is problematic in that when a user exists in LDAP 
[with password 'x'] AND the SAME user exists in MySQL [with password 
'y'] AND the user submits the MySQL password [password 'y'], LDAP refuses 
to "decline" authentication to mod_auth_mysql. See error below:

[Fri Feb 03 10:45:52 2006] [debug] mod_auth_ldap.c(337): [client 
129.xxx.xx.xx] [20821] auth_ldap authenticate: using URL 
ldap://sun.xxxxx.xx.edu/ou=people,dc=xxxxx,dc=xx,dc=edu
[Fri Feb 03 10:45:52 2006] [warn] [client 129.xxx.xx.xx] [20821] 
auth_ldap authenticate: user jones authentication failed; URI 
/ldap_mysql/ [ldap_simple_bind_s() to check user credentials 
failed][Invalid credentials]

The authentication dialog keeps reappearing as LDAP can't authenticate 
and refuses to "decline" authorization.

When a user is in either LDAP or MySQL [but NOT both] and submits their 
name using their MySQL password, mod_auth_ldap correctly "declines" 
authentication to mod_auth_mysql. Likewise, when a user who is in either 
LDAP or MySQL [NOT both] submits their name using their LDAP password, 
LDAP correctly authenticates.

# ################################################
<Directory /usr/local/apache2/htdocs/mysql>
    Options FollowSymLinks
    AuthType Basic
    AuthName "MySQL protected"
    #mod_auth_mysql
    AuthMySQLEnable On
    AuthMySQLHost gentoo.xxxxx.xx.edu
    AuthMySQLUser httpd
    AuthMySQLPassword xxxxxxxx
    AuthMySQLDB http_auth
    AuthMysqlUserTable mysql_auth
    AuthMySQLNameField username
    AuthMySQLPasswordField passwd
    AuthMySQLPwEncryption crypt
    AuthMysqlGroupTable mysql_groups
    AuthMySQLGroupField groups
    require group administration
</Directory>
# ################################################
<Directory /usr/local/apache2/htdocs/ldap>
    Options FollowSymLinks
    AuthType Basic
    AuthName "ldap secured"
    #mod_auth_ldap
    AuthLDAPURL ldap://sun.xxxxx.xx.xxx:389/ou=people,dc=xxxxx,dc=xx,dc=edu
    require valid-user
</Directory>
# ################################################
<Directory /usr/local/apache2/htdocs/ldap_mysql>
    Options FollowSymLinks
    AuthType Basic
    AuthName "LDAP then MySQL secured"
    #mod_auth_ldap
    AuthLDAPURL ldap://sun.xxx.xx.xxx:389/ou=people,dc=xxxxx,dc=xx,dc=edu
    AuthLDAPAuthoritative Off
    require valid-user
    #mod_auth_mysql
    AuthMySQLHost gentoo.xxxxx.xx.edu
    AuthMySQLUser httpd
    AuthMySQLPassword xxxxxxxx
    AuthMySQLDB http_auth
    AuthMysqlUserTable mysql_auth
    AuthMysqlGroupTable mysql_groups
    AuthMySQLGroupField groups
    AuthMySQLNameField username
    AuthMySQLPasswordField passwd
    AuthMySQLPwEncryption crypt
    require group administration
</Directory>
# ################################################

System stats
------------
OS=OS-X [10.3.9]
Apache = 2.0.55
mod_auth_ldap, mod_ldap = [apache's own module]
mod_auth_mysql = 3.0 [sourceforge]

Using these modules
-------------------
LoadModule access_module modules/mod_access.so

LoadModule auth_module modules/mod_auth.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so

LoadModule mysql_auth_module  modules/mod_auth_mysql.so

LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
#LoadModule info_module modules/mod_info.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule imap_module modules/mod_imap.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so

LoadModule php5_module        modules/libphp5.so


Please let me know if you have any thoughts on how to debug this 
problem. I've already rebuilt Apache and mod_auth_mysql from fresh 
downloads to make sure the installation is clean.

regards,
-bill



William Paredes wrote:

> Just before going "live" I noticed that mod_auth_mysql and 
> mod_auth_ldap do not "fail through" properly when protecting the same 
> realm.
>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

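The fall-through behaviour reported in this message, and the reversed symptom reported in the follow-up after swapping the module load order, can be modelled as httpd's check_user_id hook chain. This is an added illustration, not code from httpd, mod_auth_ldap or mod_auth_mysql; it assumes (as the 2.0 manual describes AuthLDAPAuthoritative) that a non-authoritative module declines only for a user it does not know at all, and the account data is constructed:

```python
import hmac

# Hook return codes as httpd uses them; 500 is what core answers when every
# check_user_id hook has declined (the "couldn't check user" config error).
OK, DECLINED, HTTP_UNAUTHORIZED, HTTP_INTERNAL_SERVER_ERROR = 0, -1, 401, 500

class AuthModule:
    """One check_user_id provider (stand-in for mod_auth_ldap / mod_auth_mysql)."""
    def __init__(self, name, users, authoritative):
        self.name = name
        self.users = users  # constructed sample data: username -> password
        self.authoritative = authoritative

    def check_user_id(self, user, password):
        stored = self.users.get(user)
        if stored is None:
            # Unknown user: only a non-authoritative module hands the request on.
            return DECLINED if not self.authoritative else HTTP_UNAUTHORIZED
        if hmac.compare_digest(stored, password):
            return OK
        # Known user, wrong password: a failed bind is a denial, not a decline,
        # whatever the Authoritative setting says, so the browser re-prompts.
        return HTTP_UNAUTHORIZED

def run_check_user_id(modules, user, password):
    """RUN_FIRST semantics: hooks run in order, first non-DECLINED result wins."""
    for module in modules:
        result = module.check_user_id(user, password)
        if result != DECLINED:
            return module.name, result
    return "core", HTTP_INTERNAL_SERVER_ERROR

# Constructed directories modelling the thread: 'jones' is in both backends
# with different passwords; the other two accounts exist in only one backend.
LDAP = AuthModule("mod_auth_ldap", {"jones": "x", "ldaponly": "l"}, authoritative=False)
MYSQL = AuthModule("mod_auth_mysql", {"jones": "y", "sqlonly": "s"}, authoritative=True)
CHAIN = [LDAP, MYSQL]

def thread_scenarios(chain=CHAIN):
    """Replay the report's cases; returns {case: (module that answered, status)}."""
    return {
        "jones with LDAP password": run_check_user_id(chain, "jones", "x"),
        "jones with MySQL password": run_check_user_id(chain, "jones", "y"),
        "sqlonly with MySQL password": run_check_user_id(chain, "sqlonly", "s"),
        "ldaponly with LDAP password": run_check_user_id(chain, "ldaponly", "l"),
        "jones with LDAP password, MySQL hook first": run_check_user_id(chain[::-1], "jones", "x"),
    }

if __name__ == "__main__":
    for case, (module, status) in thread_scenarios().items():
        print(f"{case:44} -> {module} returned {status}")
```

Whichever module runs first, a user it knows with a password it cannot verify ends the chain with a 401, so swapping the load order only changes which module refuses to decline.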

Re: [users@httpd] mod_auth_ldap mod_auth_mysql on OS-X

Posted by William Paredes <pa...@aecom.yu.edu>.
Hi!

Moving the mod_auth_mysql module before the mod_auth_ldap does give 
mysql priority, however the reverse problem happens. That is, when a 
user exists in both databases with different passwords, now 
mod_auth_mysql refuses to 'decline'.
 
I've systematically swapped the load order of mod_auth_mysql, 
mod_access, mod_auth, mod_ldap & mod_auth_ldap using all possible 
combinations, restarting the server and reloading the browser [flushing 
the cache] each time with the result being that one module always 
refuses to decline when a user exists in both databases.

-bill

httpd2@karsites.net wrote:

>Hi William. I've been reading up on modules and 
>authentication.
>
>You may need to move the LDAP module so it comes after the 
>mysql_auth module, as each module is tested in reverse 
>order, i.e. last loaded module is higher priority and comes 
>first in the pecking order.
>
>Accordingly, the way you have your modules listed, mysql 
>will have priority over the LDAP module. mod_access having 
>the lowest priority and being checked last, cause it's 
>first in the LoadModule listing.
> 
>On Fri, 3 Feb 2006, William Paredes wrote:
>
>  
>
>>To: users@httpd.apache.org
>>From: William Paredes <pa...@aecom.yu.edu>
>>Subject: Re: [users@httpd] mod_auth_ldap mod_auth_mysql on OS-X
>>
>>Greetings!
>>
>>Using these modules
>>-------------------
>>LoadModule access_module modules/mod_access.so
>>
>>LoadModule auth_module modules/mod_auth.so
>>LoadModule ldap_module modules/mod_ldap.so
>>LoadModule auth_ldap_module modules/mod_auth_ldap.so
>>
>>LoadModule mysql_auth_module  modules/mod_auth_mysql.so
>>    
>>
>
>Arrange these modules in reverse order with the last 
>mentioned module having highest checking priority, and the 
>module first in the list has lowest priority, i.e. is tested 
>last.
>
>Keith
>
>In theory, theory and practice are the same;
>In practice they are not. 


Re: [users@httpd] mod_auth_ldap mod_auth_mysql on OS-X

Posted by ht...@karsites.net.
Hi William. I've been reading up on modules and 
authentication.

You may need to move the LDAP module so it comes after the 
mysql_auth module, as each module is tested in reverse 
order, i.e. last loaded module is higher priority and comes 
first in the pecking order.

Accordingly, the way you have your modules listed, mysql 
will have priority over the LDAP module. mod_access having 
the lowest priority and being checked last, cause it's 
first in the LoadModule listing.
 
On Fri, 3 Feb 2006, William Paredes wrote:

> To: users@httpd.apache.org
> From: William Paredes <pa...@aecom.yu.edu>
> Subject: Re: [users@httpd] mod_auth_ldap mod_auth_mysql on OS-X
> 
> Greetings!
> 
> Using these modules
> -------------------
> LoadModule access_module modules/mod_access.so
> 
> LoadModule auth_module modules/mod_auth.so
> LoadModule ldap_module modules/mod_ldap.so
> LoadModule auth_ldap_module modules/mod_auth_ldap.so
> 
> LoadModule mysql_auth_module  modules/mod_auth_mysql.so

Arrange these modules in reverse order with the last 
mentioned module having highest checking priority, and the 
module first in the list has lowest priority, i.e. is tested 
last.

Keith

In theory, theory and practice are the same;
In practice they are not. 

