Posted to users@httpd.apache.org by William Paredes <pa...@aecom.yu.edu> on 2006/02/03 18:26:27 UTC
Re: [users@httpd] mod_auth_ldap mod_auth_mysql on OS-X
Greetings!
I've managed to completely isolate the multiple authentication
"symptoms" I'm having. To recap, I'd like to authenticate users against
an LDAP server with a fail through to a MySQL server. Realms which
require only LDAP or only MySQL authentication behave correctly.
However, a realm which requires authentication against both LDAP
followed by MySQL is problematic in that when a user exists in LDAP
[with password 'x'] AND the SAME user exists in MySQL [with password
'y'] AND the user submits the MySQL password [password 'y'] LDAP refuses
to "decline" authentication to mod_auth_mysql. See error below:
[Fri Feb 03 10:45:52 2006] [debug] mod_auth_ldap.c(337): [client
129.xxx.xx.xx] [20821] auth_ldap authenticate: using URL
ldap://sun.xxxxx.xx.edu/ou=people,dc=xxxxx,dc=xx,dc=edu
[Fri Feb 03 10:45:52 2006] [warn] [client 129.xxx.xx.xx] [20821]
auth_ldap authenticate: user jones authentication failed; URI
/ldap_mysql/ [ldap_simple_bind_s() to check user credentials
failed][Invalid credentials]
The authentication dialog keeps reappearing as LDAP can't authenticate
and refuses to "decline" authorization.
When a user is in either LDAP or MySQL [but NOT both] and submits their
name using their MySQL password, mod_auth_ldap correctly "declines"
authentication to mod_auth_mysql. Likewise, when a user who is in either
LDAP or MySQL [NOT both] submits their name using their LDAP password,
LDAP correctly authenticates.
# ################################################
<Directory /usr/local/apache2/htdocs/mysql>
Options FollowSymLinks
AuthType Basic
AuthName "MySQL protected"
#mod_auth_mysql
AuthMySQLEnable On
AuthMySQLHost gentoo.xxxxx.xx.edu
AuthMySQLUser httpd
AuthMySQLPassword xxxxxxxx
AuthMySQLDB http_auth
AuthMysqlUserTable mysql_auth
AuthMySQLNameField username
AuthMySQLPasswordField passwd
AuthMySQLPwEncryption crypt
AuthMysqlGroupTable mysql_groups
AuthMySQLGroupField groups
require group administration
</Directory>
# ################################################
<Directory /usr/local/apache2/htdocs/ldap>
Options FollowSymLinks
AuthType Basic
AuthName "ldap secured"
#mod_auth_ldap
AuthLDAPURL ldap://sun.xxxxx.xx.xxx:389/ou=people,dc=xxxxx,dc=xx,dc=edu
require valid-user
</Directory>
# ################################################
<Directory /usr/local/apache2/htdocs/ldap_mysql>
Options FollowSymLinks
AuthType Basic
AuthName "LDAP then MySQL secured"
#mod_auth_ldap
AuthLDAPURL ldap://sun.xxx.xx.xxx:389/ou=people,dc=xxxxx,dc=xx,dc=edu
AuthLDAPAuthoritative Off
require valid-user
#mod_auth_mysql
AuthMySQLHost gentoo.xxxxx.xx.edu
AuthMySQLUser httpd
AuthMySQLPassword xxxxxxxx
AuthMySQLDB http_auth
AuthMysqlUserTable mysql_auth
AuthMysqlGroupTable mysql_groups
AuthMySQLGroupField groups
AuthMySQLNameField username
AuthMySQLPasswordField passwd
AuthMySQLPwEncryption crypt
require group administration
</Directory>
# ################################################
System stats
------------
OS=OS-X [10.3.9]
Apache = 2.0.55
mod_auth_ldap, mod_ldap = [apache's own module]
mod_auth_mysql = 3.0 [sourceforge]
Using these modules
-------------------
LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
LoadModule mysql_auth_module modules/mod_auth_mysql.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
#LoadModule info_module modules/mod_info.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule imap_module modules/mod_imap.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule php5_module modules/libphp5.so
Please let me know if you have any thoughts on how to debug this
problem. I've already rebuilt Apache and mod_auth_mysql from fresh
downloads to make sure the installation is clean.
regards,
-bill
William Paredes wrote:
> Just before going "live" I noticed that mod_auth_mysql and
> mod_auth_ldap do not "fail through" properly when protecting the same
> realm.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
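Editor's added example (not code from the thread, from mod_auth_ldap or from mod_auth_mysql): a small Python model of how Apache 2.0 runs the check_user_id hooks of two Basic-auth modules one after another. The hook runner stops at the first module that returns anything other than DECLINED, so "fail through" only works if the first module actually declines. The user stores, the passwords and the two decline policies ("unknown_user": decline only when the name is not in the store; "any_failure": also decline on a wrong password) are constructed assumptions chosen to reproduce the three cases in the post above; which policy a real module follows is the question the thread is about. The chain order is passed in explicitly, so the later point about LoadModule order is covered by reversing the list rather than by modelling hook registration.

```python
# Model of the Apache 2.0 check_user_id hook chain for two Basic-auth
# modules.  Added illustration only: NOT the source of mod_auth_ldap or
# mod_auth_mysql.  Users, passwords and decline policies are constructed
# to reproduce the three cases described in the post.

OK = 0                       # module authenticated the user; run-first hook stops
DECLINED = -1                # module passes to the next check_user_id hook
HTTP_UNAUTHORIZED = 401      # module answers with a fresh WWW-Authenticate
HTTP_INTERNAL_SERVER_ERROR = 500


class AuthModule:
    """One Basic-auth module as the hook runner sees it.

    users:         constructed {username: password} store (assumption)
    authoritative: the module's AuthXAuthoritative setting
    decline_on:    which failures a NON-authoritative module turns into
                   DECLINED.  "unknown_user" declines only when the name is
                   absent from the store; "any_failure" also declines on a
                   wrong password.  Both policies are modelled so the two
                   behaviours can be compared; neither is claimed to be the
                   real module's code.
    """

    def __init__(self, name, users, authoritative=False,
                 decline_on="unknown_user"):
        self.name = name
        self.users = dict(users)
        self.authoritative = authoritative
        self.decline_on = decline_on

    def check_user_id(self, user, password):
        if user not in self.users:
            failure = "unknown_user"
        elif self.users[user] != password:
            failure = "bad_password"
        else:
            return OK
        if not self.authoritative and (
            self.decline_on == "any_failure" or failure == "unknown_user"
        ):
            return DECLINED          # hand the request to the next module
        return HTTP_UNAUTHORIZED     # chain stops here: the dialog reappears


def run_check_user_id(chain, user, password):
    """RUN_FIRST dispatch: call the hooks in `chain` order and stop at the
    first result that is not DECLINED.  If every hook declines, httpd 2.0
    treats it as a configuration error ("couldn't check user") and answers
    500 rather than 401.  Returns (status, deciding module name or None)."""
    for module in chain:
        status = module.check_user_id(user, password)
        if status != DECLINED:
            return status, module.name
    return HTTP_INTERNAL_SERVER_ERROR, None


def build_chain(ldap_decline_on="unknown_user",
                mysql_decline_on="unknown_user"):
    """Constructed stores mirroring the post: 'jones' exists in both with
    different passwords ('x' in LDAP, 'y' in MySQL); the other two accounts
    exist in exactly one store.  Both modules are non-authoritative."""
    ldap = AuthModule("mod_auth_ldap", {"jones": "x", "ldaponly": "pw-l"},
                      authoritative=False, decline_on=ldap_decline_on)
    mysql = AuthModule("mod_auth_mysql", {"jones": "y", "mysqlonly": "pw-m"},
                       authoritative=False, decline_on=mysql_decline_on)
    return [ldap, mysql]


if __name__ == "__main__":
    chain = build_chain()
    for user, pw in [("mysqlonly", "pw-m"), ("ldaponly", "pw-l"),
                     ("jones", "x"), ("jones", "y"), ("nobody", "z")]:
        print(user, pw, run_check_user_id(chain, user, pw))
    # Same collision with a module that declines on any failure:
    print("jones", "y", run_check_user_id(build_chain("any_failure"),
                                          "jones", "y"))
    # Reversed chain: the collision now stops in mod_auth_mysql instead.
    print("jones", "x", run_check_user_id(list(reversed(chain)),
                                          "jones", "x"))
```

Two things the model makes visible. First, a name that is only in the second store gets through because the first module declines on an unknown user; a name that is in both stores never reaches the second module unless the first one also declines on a wrong password, which is exactly the symptom in the post, and reversing the chain moves the symptom to the other module. Second, the security cost of the "decline on any failure" policy that would make fail-through work: for a user present in both stores, either password is accepted, so the realm's effective password policy is the weaker of the two backends, and a MySQL row that outlives an LDAP deprovisioning keeps working under either policy.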
Re: [users@httpd] mod_auth_ldap mod_auth_mysql on OS-X
Posted by William Paredes <pa...@aecom.yu.edu>.
Hi!
Moving the mod_auth_mysql module before the mod_auth_ldap module does give
MySQL priority; however, the reverse problem happens. That is, when a
user exists in both databases with different passwords, now
mod_auth_mysql refuses to 'decline'.
I've systematically swapped the load order of mod_auth_mysql,
mod_access, mod_auth, mod_ldap & mod_auth_ldap using all possible
combinations, restarting the server and reloading the browser [flushing
the cache] each time with the result being that one module always
refuses to decline when a user exists in both databases.
-bill
httpd2@karsites.net wrote:
>Hi William. I've been reading up on modules and
>authentication.
>
>You may need to move the LDAP module so it comes after the
>mysql_auth module, as each module is tested in reverse
>order, i.e. last loaded module is higher priority and comes
>first in the pecking order.
>
>Accordingly, the way you have your modules listed, mysql
>will have priority over the LDAP module. mod_access having
>the lowest priority and being checked last, because it's
>first in the LoadModule listing.
>
>On Fri, 3 Feb 2006, William Paredes wrote:
>
>
>
>>To: users@httpd.apache.org
>>From: William Paredes <pa...@aecom.yu.edu>
>>Subject: Re: [users@httpd] mod_auth_ldap mod_auth_mysql on OS-X
>>
>>Greetings!
>>
>>Using these modules
>>-------------------
>>LoadModule access_module modules/mod_access.so
>>
>>LoadModule auth_module modules/mod_auth.so
>>LoadModule ldap_module modules/mod_ldap.so
>>LoadModule auth_ldap_module modules/mod_auth_ldap.so
>>
>>LoadModule mysql_auth_module modules/mod_auth_mysql.so
>>
>>
>
>Arrange these modules in reverse order with the last
>mentioned module having highest checking priority, and the
>module first in the list has lowest priority, i.e. is tested
>last.
>
>Keith
>
>In theory, theory and practice are the same;
>In practice they are not.
>
Re: [users@httpd] mod_auth_ldap mod_auth_mysql on OS-X
Posted by ht...@karsites.net.
Hi William. I've been reading up on modules and
authentication.
You may need to move the LDAP module so it comes after the
mysql_auth module, as each module is tested in reverse
order, i.e. last loaded module is higher priority and comes
first in the pecking order.
Accordingly, the way you have your modules listed, mysql
will have priority over the LDAP module. mod_access having
the lowest priority and being checked last, because it's
first in the LoadModule listing.
On Fri, 3 Feb 2006, William Paredes wrote:
> To: users@httpd.apache.org
> From: William Paredes <pa...@aecom.yu.edu>
> Subject: Re: [users@httpd] mod_auth_ldap mod_auth_mysql on OS-X
>
> Greetings!
>
> Using these modules
> -------------------
> LoadModule access_module modules/mod_access.so
>
> LoadModule auth_module modules/mod_auth.so
> LoadModule ldap_module modules/mod_ldap.so
> LoadModule auth_ldap_module modules/mod_auth_ldap.so
>
> LoadModule mysql_auth_module modules/mod_auth_mysql.so
Arrange these modules in reverse order with the last
mentioned module having highest checking priority, and the
module first in the list has lowest priority, i.e. is tested
last.
Keith
In theory, theory and practice are the same;
In practice they are not.