Posted to users@httpd.apache.org by Klaus Darilion <kl...@pernau.at> on 2015/12/02 22:11:20 UTC

[users@httpd] Temporarily authentication errors with auth_dbd and postgres

Hi!

I have a weird problem with Apache basic auth using a DB backend (Apache
2.4.7-1ubuntu4.8 on Ubuntu 14.04 authenticating against a Postgresql 8.4
server).

Usually it works fine:

Browser                    Apache             DB
|--POST w/o credentials ---->|                |
|<--------401----------------|                |
|--POST w credentials ------>|                |
|                            |---SELECT .. -->|
|                            |<-- pw-hash ----|
|<--------200----------------|                |

But every 10th request (sometimes earlier, sometimes later) I see the
following scenario:

Browser                    Apache             DB
|--POST w/o credentials ---->|                |
|<--------401----------------|                |
|--POST w credentials ------>|                |
|                            |---SELECT .. -->|
|                            |<-- pw-hash ----|
|<--------401----------------|                |

Although the DB returns the same password-hash as always, and the
browser sends the correct credentials (as in the working scenario),
Apache replies with 401.

I enabled dumpio and set logging to trace7 but could not spot anything
suspect. I also used tcpdump and captured the whole DB-related traffic:
no TCP problems, everything is fine.

For testing I moved all users to a local AuthUserFile and then
everything works fine.

I had the same setup running for years without problems on Ubuntu 10.04
with Apache 2.2.14, where Apache was running on the same host as the DB.

I would really appreciate any hints what I could add to my debugging to
find the cause of this problem.

Thanks
Klaus

the config is simple:

<VirtualHost 83.136.34.15:443 2a02:850:8::15:443>
        ...
        DBDriver pgsql
        DBDParams "dbname=...."
        DBDMin  1
        DBDKeep 2
        DBDMax  20
        DBDExptime 300

        <Location /soap>
                AuthType Basic
                AuthName "API"
                AuthBasicProvider dbd
                AuthDBDUserPWQuery "SELECT password FROM accounts WHERE username = %s"
                Require valid-user
                php_value include_path ".:/usr/share/php:/usr/share/pear:/var/www/api-test"
        </Location>
        ...
</VirtualHost>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
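
An added example, not part of the original post: one way to quantify the intermittent 401s described above from the access log, by listing accounts whose credentials were both accepted and rejected on the protected path. The log lines, user names and the function name `spurious_401s` are constructed for illustration, and the common/combined log format is assumed.

```python
import re
from collections import defaultdict

# Common/combined log prefix: host ident user [time] "request" status ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation addresses, made-up users).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Dec/2015:22:00:01 +0100] "POST /soap HTTP/1.1" 401 381',
    '192.0.2.10 - alice [02/Dec/2015:22:00:01 +0100] "POST /soap HTTP/1.1" 200 512',
    '192.0.2.10 - - [02/Dec/2015:22:00:05 +0100] "POST /soap HTTP/1.1" 401 381',
    '192.0.2.10 - alice [02/Dec/2015:22:00:05 +0100] "POST /soap HTTP/1.1" 401 381',
    '192.0.2.10 - alice [02/Dec/2015:22:00:09 +0100] "POST /soap HTTP/1.1" 200 512',
    '192.0.2.77 - mallory [02/Dec/2015:22:01:00 +0100] "POST /soap HTTP/1.1" 401 381',
    '192.0.2.77 - mallory [02/Dec/2015:22:01:01 +0100] "POST /soap HTTP/1.1" 401 381',
    '192.0.2.20 - bob [02/Dec/2015:22:02:00 +0100] "GET /index.html HTTP/1.1" 200 99',
]

def spurious_401s(lines, path_prefix="/soap"):
    """Return {user: (accepted, rejected)} for users seen with both a 2xx
    and a 401 on the protected path while sending credentials."""
    counts = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(path_prefix):
            continue
        user, status = m["user"], int(m["status"])
        if user == "-":
            # Normal challenge round-trip: request carried no credentials.
            continue
        if 200 <= status < 300:
            counts[user][0] += 1
        elif status == 401:
            # Credentials were sent but rejected. The logged user name on a
            # 401 is unverified, so treat it as a hint only.
            counts[user][1] += 1
    # Users that only ever fail look like wrong passwords or guessing;
    # users with both outcomes are candidates for the intermittent failure.
    return {u: tuple(c) for u, c in counts.items() if c[0] and c[1]}

if __name__ == "__main__":
    for user, (ok, bad) in spurious_401s(SAMPLE_LOG).items():
        print(f"{user}: {ok} accepted, {bad} rejected ({bad / (ok + bad):.0%})")
```

A user who mistyped a password once will also show up here, so compare the rejected share before and after a configuration or version change rather than reading a single hit as proof.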


Re: [users@httpd] Temporarily authentication errors with auth_dbd and postgres

Posted by Jacob Champion <ch...@gmail.com>.
On Dec 18, 2015 6:23 AM, "Klaus Darilion" <kl...@pernau.at>
wrote:
>
> For the records: Since we use Apache 2.4.17 we do not have that problem
> anymore.

Excellent! Glad that seems to have solved it. Thanks for reporting back.

--Jacob
[on mobile; sorry for any formatting annoyances]

Re: [users@httpd] Temporarily authentication errors with auth_dbd and postgres

Posted by Klaus Darilion <kl...@pernau.at>.

On 04.12.2015 12:30, Klaus Darilion wrote:
> 
> On 02.12.2015 23:27, Jacob Champion wrote:
>> My experience was with SQLite, not PostgreSQL, but we also saw
>> nondeterministic authn failures that went away after we cherry-picked
>> several patches from the latest httpd version. If you have the means to
>> update versions easily (or if you just get desperate enough), you might
>> check to see if that fixes your problem.
> 
> AFAIS the patches are quite new. Thus, I installed Apache 2.4.17 from
> Ubuntu ppa and will do some testing.

For the records: Since we use Apache 2.4.17 we do not have that problem
anymore.

Thanks
Klaus



Re: [users@httpd] Temporarily authentication errors with auth_dbd and postgres

Posted by Klaus Darilion <kl...@pernau.at>.
On 02.12.2015 23:27, Jacob Champion wrote:
> My experience was with SQLite, not PostgreSQL, but we also saw
> nondeterministic authn failures that went away after we cherry-picked
> several patches from the latest httpd version. If you have the means to
> update versions easily (or if you just get desperate enough), you might
> check to see if that fixes your problem.

AFAIS the patches are quite new. Thus, I installed Apache 2.4.17 from
Ubuntu ppa and will do some testing.

Thanks
Klaus



Re: [users@httpd] Temporarily authentication errors with auth_dbd and postgres

Posted by Jacob Champion <ch...@gmail.com>.
> On 02.12.2015 23:05, Nick Kew wrote:
>> On Wed, 2 Dec 2015 22:11:20 +0100
>> Klaus Darilion <kl...@pernau.at> wrote:
>>
>>> [ ...]
>>
>> A puzzle indeed.
>>
>>> Although the DB returns the same password-hash as always, and the
>>> browser sends the correct credentials (as in the working scenario),
>>> Apache replies with 401.

Klaus,

You should try Nick's suggestions for debugging (varying the parameters) 
first. But just in case: I recall that a handful of memory allocation 
bugs in authn_dbd (and related code) were fixed earlier this year.

My experience was with SQLite, not PostgreSQL, but we also saw 
nondeterministic authn failures that went away after we cherry-picked 
several patches from the latest httpd version. If you have the means to 
update versions easily (or if you just get desperate enough), you might 
check to see if that fixes your problem.

Good luck,
--Jacob



Re: [users@httpd] Temporarily authentication errors with auth_dbd and postgres

Posted by Klaus Darilion <kl...@pernau.at>.

On 02.12.2015 23:05, Nick Kew wrote:
> On Wed, 2 Dec 2015 22:11:20 +0100
> Klaus Darilion <kl...@pernau.at> wrote:
> 
>> [ ...]
> 
> A puzzle indeed.
> 
>> Although the DB returns the same password-hash as always, and the
>> browser sends the correct credentials (as in the working scenario),
>> Apache replies with 401.
> 
> Just to clarify, where are you verifying that the DB returns
> the correct hash?  By debug within apache, or from pgsql,
> or from the wire between them?

On the wire with tcpdump (SSL disabled, so I see the clear text)

> I'm not suggesting a solution or even how to find one,
> just hoping to clarify the problem.
> 
>>         DBDriver pgsql
>>         DBDParams "dbname=...."
>>         DBDMin  1
>>         DBDKeep 2
>>         DBDMax  20
>>         DBDExptime 300
> 
> Does varying those params make any difference at all?

I have not tried, but thanks for the input.

Thanks
Klaus



Re: [users@httpd] Temporarily authentication errors with auth_dbd and postgres

Posted by Nick Kew <ni...@webthing.com>.
On Wed, 2 Dec 2015 22:11:20 +0100
Klaus Darilion <kl...@pernau.at> wrote:

> [ ...]

A puzzle indeed.

> Although the DB returns the same password-hash as always, and the
> browser sends the correct credentials (as in the working scenario),
> Apache replies with 401.

Just to clarify, where are you verifying that the DB returns
the correct hash?  By debug within apache, or from pgsql,
or from the wire between them?

I'm not suggesting a solution or even how to find one,
just hoping to clarify the problem.

>         DBDriver pgsql
>         DBDParams "dbname=...."
>         DBDMin  1
>         DBDKeep 2
>         DBDMax  20
>         DBDExptime 300

Does varying those params make any difference at all?

-- 
Nick Kew
