Posted to users@httpd.apache.org by Steven Simpson <ss...@comp.lancs.ac.uk> on 2006/09/25 12:24:30 UTC

[users@httpd] DBD(mysql) authentication unreliable on inter-hierarchy traversal?

Hello,

My configuration:

    * Common: Slackware 10.0, mysql 4.1.21
    * Old server: Apache HTTPD 2.0.52, mod_auth_mysql-3.0.0
    * New server: Apache HTTPD 2.2.3, mod_dbd, mod_authn_dbd,
      apr_dbd_mysql.c
    * Testing with Firefox 1.5

I'm trying to migrate from the old server to the new, using the same,
local mysql DB for authentication.  mod_auth_mysql didn't seem to
compile with httpd 2.2.3, but the DBD stuff seems to have obviated it,
so I'm trying that.  I'm still running the old server on port 443, while
testing the new on another port, until I'm certain I can swap it into
proper place.  The root path of the site (via either server) requires no
authentication, but has three subdirectory hierarchies that require
identical authentication.

Authentication on the new server appears to work, but not reliably,
particularly when moving between these distinct hierarchies - a problem
not seen on the old server.  When requesting a page from a secure
hierarchy, the user might experience (as I define them):

    * Success - at worst, the user is requested to confirm cached
      credentials in a pop-up with completed fields.
    * Cache failure - new credentials are requested from the user in a
      blank pop-up, but are accepted (though sometimes after more than
      one try).
    * Persistent failure - new credentials are requested, but each time
      rejected (although there is a suggestion that it will start
      working again after a minute or so; I usually give up before then).

In the logs, these appear to correspond to:

    * Success: an authenticated 200 when moving within a hierarchy; an
      unauthenticated 401 followed by an authenticated 200 when moving
      between hierarchies.
    * Cache failure: two or more 401s, and this in the error log: [user
      <username>: authentication failure for "<virtual path>": Password
      Mismatch].
    * Persistent failure: 401s with the same error-log entry.

Firstly, from a server restart, I experience the following sequence,
with some occasional variation each time I experiment:

    * Entry into a secure hierarchy is usually a success, but
      occasionally a persistent failure.
    * Staying within the same hierarchy usually remains successful.
    * Then, switching back and forth between two hierarchies is also
      usually successful for about two times.
    * Then there is a cache failure, then maybe a couple more successes.
    * Then usually persistent failure.

My configuration is based on the example at
<http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html>, with a few
alterations suggested on this list.  Global DBD settings:

DBDriver mysql

DBDPersist Off
DBDMin 1
DBDKeep 1
DBDMax 1

The site is a virtual host, configured with:

DBDParams "dbname=aaa user=bbb pass=xxxx"

(Aside: the example configuration in the docs gives a DBDParams example
with "password" instead of "pass" - that caused some lengthy
head-scratching.)

I "Include" the following into the <Location> for each of the three
access-controlled hierarchies:

AuthType Basic
AuthName "stuff"
AuthBasicProvider dbd
AuthDBDUserPWQuery "select user_passwd from user_info where user_name = %s"

...and there's a <Location>-specific "Require" directive, usually
"valid-user".

I've tried with DBDParams outside <VirtualHost> with similar results.

I've tried adding "host=localhost" to DBDParams, with no obvious effect.

If I turn DBDPersist on, the user gets a 500, and the error log reports
[Error looking up <username> in database - password - acquire_fn].  I
added the [password - acquire_fn] bit - authn_dbd_password() has
obtained NULL from authn_dbd_acquire_fn(), and googling for this just
listed mainly source code.  I expect that "DBDPersist on", if I can get
it to work at all, will make things more reliable.

If I switch to an old AuthUserFile, I get no problems at all.

Am I missing some obvious configuration requirement?  Are there known
problems with the versions of the components I'm using?  What else could
I investigate?  What other information should I provide?

Thanks for your attention,

Steven
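
Added example, not part of the original post: a sketch that sorts access-log entries into the three outcomes defined above (success, cache failure, persistent failure) by counting the 401s that precede each 200 for a client. It assumes Common Log Format, that a rejected 401 logs the supplied user name while a bare challenge logs "-", that grouping by client address is adequate, and it uses hypothetical hierarchy prefixes /a/, /b/ and /c/ with constructed log lines.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?:\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not taken from the poster's logs).
SAMPLE = """\
192.0.2.10 - - [25/Sep/2006:12:00:00 +0100] "GET /index.html HTTP/1.1" 200 300
192.0.2.10 - alice [25/Sep/2006:12:00:01 +0100] "GET /a/index.html HTTP/1.1" 200 512
192.0.2.10 - - [25/Sep/2006:12:00:05 +0100] "GET /b/index.html HTTP/1.1" 401 480
192.0.2.10 - alice [25/Sep/2006:12:00:05 +0100] "GET /b/index.html HTTP/1.1" 200 734
192.0.2.10 - - [25/Sep/2006:12:00:09 +0100] "GET /a/page.html HTTP/1.1" 401 480
192.0.2.10 - alice [25/Sep/2006:12:00:12 +0100] "GET /a/page.html HTTP/1.1" 401 480
192.0.2.10 - alice [25/Sep/2006:12:00:15 +0100] "GET /a/page.html HTTP/1.1" 200 620
192.0.2.10 - - [25/Sep/2006:12:00:20 +0100] "GET /b/page.html HTTP/1.1" 401 480
192.0.2.10 - alice [25/Sep/2006:12:00:23 +0100] "GET /b/page.html HTTP/1.1" 401 480
192.0.2.10 - alice [25/Sep/2006:12:00:27 +0100] "GET /b/page.html HTTP/1.1" 401 480
""".splitlines()

def classify(lines, protected=("/a/", "/b/", "/c/")):
    """Return {host: [outcome, ...]} for requests under the protected prefixes.

    The prefixes are hypothetical stand-ins for the three secured hierarchies.
    """
    pending = defaultdict(list)   # host -> user fields of 401s awaiting a 200
    outcomes = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(protected):
            continue              # unparseable line or unprotected path
        host, status = m["host"], m["status"]
        if status == "401":
            pending[host].append(m["user"])
        elif status == "200":
            run = pending.pop(host, [])
            # 0 or 1 preceding 401 is a success; 2 or more is a cache failure
            outcomes[host].append("success" if len(run) <= 1 else "cache failure")
    for host, run in pending.items():
        # Credentials were supplied and rejected, and no 200 ever followed
        if any(user != "-" for user in run):
            outcomes[host].append("persistent failure")
    return dict(outcomes)
```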
