Posted to users@httpd.apache.org by Brenda Washington <bw...@pnc.edu> on 2006/01/27 19:04:29 UTC
[users@httpd] Apache directives
I upgraded my Apache server from Apache 1.3 with OpenLDAP 2.0 and mod_ssl 2.0 to Apache 2.0, with OpenLDAP 2.0 and mod_ssl 2.0 running. I configured the mod_auth_ldap directives AuthLDAPBindAsUser and AuthLDAPCryptPasswords in the Apache 1.3 httpd.conf file, which worked great with my LDAP server and portal. These directives are no longer available in Apache 2.0. What directives in Apache 2.0 can I replace them with that will work with my LDAP server and portal? I can connect to the LDAP server, but the portal does not work. These are the mod_auth_ldap directives I have in the Apache 1.3 httpd.conf file:
<Directory "/path/to/cgi-bin/files">
AllowOverride None
order allow,deny
allow from all
AuthName
AuthType Basic
AuthLDAPHosts
AuthLDAPBindAsUser
AuthLDAPBaseDN
AuthLDAPUserKey
AuthLDAPCryptPasswords
require valid-user
</Directory>
These are the mod_auth_ldap directives for Apache 2.0 in my ssl.config file:
<Directory "/path/to/cgi-bin/files">
AllowOverride None
order allow,deny
allow from all
AuthName "Faculty"
AuthType Basic
AuthLDAPUrl ldap:// url
AuthLDAPRemoteUserIsDN on
require valid-user
</Directory>
Re: [users@httpd] mod_auth_ldap mod_auth_mysql on OS-X
Posted by William Paredes <pa...@aecom.yu.edu>.
Hi!
Moving the mod_auth_mysql module before the mod_auth_ldap does give
mysql priority, however the reverse problem happens. That is, when a
user exists in both databases with different passwords, now
mod_auth_mysql refuses to 'decline'.
I've systematically swapped the load order of mod_auth_mysql,
mod_access, mod_auth, mod_ldap & mod_auth_ldap using all possible
combinations, restarting the server and reloading the browser [flushing
the cache] each time with the result being that one module always
refuses to decline when a user exists in both databases.
-bill
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] mod_auth_ldap mod_auth_mysql on OS-X
Posted by ht...@karsites.net.
Hi William. I've been reading up on modules and
authentication.
You may need to move the LDAP module so it comes after the
mysql_auth module, as each module is tested in reverse
order, i.e. last loaded module is higher priority and comes
first in the pecking order.
Accordingly, the way you have your modules listed, mysql
will have priority over the LDAP module. mod_access having
the lowest priority and being checked last, cause it's
first in the LoadModule listing.
On Fri, 3 Feb 2006, William Paredes wrote:
> To: users@httpd.apache.org
> From: William Paredes <pa...@aecom.yu.edu>
> Subject: Re: [users@httpd] mod_auth_ldap mod_auth_mysql on OS-X
>
> Greetings!
>
> Using these modules
> -------------------
> LoadModule access_module modules/mod_access.so
>
> LoadModule auth_module modules/mod_auth.so
> LoadModule ldap_module modules/mod_ldap.so
> LoadModule auth_ldap_module modules/mod_auth_ldap.so
>
> LoadModule mysql_auth_module modules/mod_auth_mysql.so
Arrange these modules in reverse order with the last
mentioned module having highest checking priority, and the
module first in the list has lowest priority, i.e. is tested
last.
Keith
In theory, theory and practice are the same;
In practice they are not.
Re: [users@httpd] mod_auth_ldap mod_auth_mysql on OS-X
Posted by William Paredes <pa...@aecom.yu.edu>.
Greetings!
I've managed to completely isolate the multiple authentication
"symptoms" I'm having. To recap, I'd like to authenticate users against
an LDAP server with a fail through to a MySQL server. Realms which
require only LDAP or only MySQL authentication behave correctly.
However, a realm which requires authentication against both LDAP
followed by MySQL is problematic in that when a user exists in LDAP
[with password 'x'] AND the SAME user exists in MySQL [with password
'y'] AND the user submits the MySQL password [password 'y'] LDAP refuses
to "decline" authentication to mod_auth_mysql. See error below:
[Fri Feb 03 10:45:52 2006] [debug] mod_auth_ldap.c(337): [client 129.xxx.xx.xx] [20821] auth_ldap authenticate: using URL ldap://sun.xxxxx.xx.edu/ou=people,dc=xxxxx,dc=xx,dc=edu
[Fri Feb 03 10:45:52 2006] [warn] [client 129.xxx.xx.xx] [20821] auth_ldap authenticate: user jones authentication failed; URI /ldap_mysql/ [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
The authentication dialog keeps reappearing as LDAP can't authenticate
and refuses to "decline" authorization.
When a user is in either LDAP or MySQL [but NOT both] and submits their
name using their MySQL password, mod_auth_ldap correctly "declines"
authentication to mod_auth_mysql. Likewise, when a user who is in either
LDAP or MySQL [NOT both] submits their name using their LDAP password,
LDAP correctly authenticates.
# ################################################
<Directory /usr/local/apache2/htdocs/mysql>
Options FollowSymLinks
AuthType Basic
AuthName "MySQL protected"
#mod_auth_mysql
AuthMySQLEnable On
AuthMySQLHost gentoo.xxxxx.xx.edu
AuthMySQLUser httpd
AuthMySQLPassword xxxxxxxx
AuthMySQLDB http_auth
AuthMysqlUserTable mysql_auth
AuthMySQLNameField username
AuthMySQLPasswordField passwd
AuthMySQLPwEncryption crypt
AuthMysqlGroupTable mysql_groups
AuthMySQLGroupField groups
require group administration
</Directory>
# ################################################
<Directory /usr/local/apache2/htdocs/ldap>
Options FollowSymLinks
AuthType Basic
AuthName "ldap secured"
#mod_auth_ldap
AuthLDAPURL ldap://sun.xxxxx.xx.xxx:389/ou=people,dc=xxxxx,dc=xx,dc=edu
require valid-user
</Directory>
# ################################################
<Directory /usr/local/apache2/htdocs/ldap_mysql>
Options FollowSymLinks
AuthType Basic
AuthName "LDAP then MySQL secured"
#mod_auth_ldap
AuthLDAPURL ldap://sun.xxx.xx.xxx:389/ou=people,dc=xxxxx,dc=xx,dc=edu
AuthLDAPAuthoritative Off
require valid-user
#mod_auth_mysql
AuthMySQLHost gentoo.xxxxx.xx.edu
AuthMySQLUser httpd
AuthMySQLPassword xxxxxxxx
AuthMySQLDB http_auth
AuthMysqlUserTable mysql_auth
AuthMysqlGroupTable mysql_groups
AuthMySQLGroupField groups
AuthMySQLNameField username
AuthMySQLPasswordField passwd
AuthMySQLPwEncryption crypt
require group administration
</Directory>
# ################################################
System stats
------------
OS=OS-X [10.3.9]
Apache = 2.0.55
mod_auth_ldap, mod_ldap = [apache's own module]
mod_auth_mysql = 3.0 [sourceforge]
Using these modules
-------------------
LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
LoadModule mysql_auth_module modules/mod_auth_mysql.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
#LoadModule info_module modules/mod_info.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule imap_module modules/mod_imap.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule php5_module modules/libphp5.so
Please let me know if you have any thoughts on how to debug this
problem. I've already rebuilt Apache and mod_auth_mysql from fresh
downloads to make sure the installation is clean.
regards,
-bill
William Paredes wrote:
> Just before going "live" I noticed that mod_auth_mysql and
> mod_auth_ldap do not "fail through" properly when protecting the same
> realm.
>
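The two symptoms reported in this thread (LDAP "refuses to decline" when jones exists in both stores and supplies the MySQL password, and the mirror-image problem once mod_auth_mysql is consulted first) both follow from one decision rule that the "ldap_simple_bind_s() ... [Invalid credentials]" warning above records: in Apache 2.0's mod_auth_ldap the module declines, and so lets a later module try, only when no DN matches the user name. Once a DN is found, a failed bind is a hard 401 whatever AuthLDAPAuthoritative is set to. A module backed by a SQL table behaves the same way: unknown user declines, wrong password rejects. The provider chain introduced with AuthBasicProvider in 2.2 keeps the same rule (the chain stops at the first provider that returns anything other than "user not found"), so moving to 2.2 does not make a known user with the other store's password fall through either. From a security standpoint that is the behaviour you want: if a known-user/wrong-password result could fall through to the next store, anyone able to insert a row into the MySQL table could bypass the LDAP password of any directory user.

The following is an added model of that chain, written for this page; it is not code from the thread, from httpd, or from mod_auth_mysql. The LDAP directory and the MySQL table are in-memory stand-ins with constructed entries (jones in both stores with passwords 'x' and 'y', one user in each store only), and salted PBKDF2 stands in for AuthMySQLPwEncryption crypt. Module order is a parameter so both of William's configurations can be compared.

```python
# Added example (not from the thread or from httpd): how two Apache 2.0
# Basic-auth modules decide between "decline to the next module" and
# "reject outright", and why a user present in both stores never
# "falls through" with the second store's password.
import hashlib
from enum import Enum


class Result(Enum):
    OK = "OK"                  # credentials accepted
    DECLINED = "DECLINED"      # module knows nothing about this user; next module may try
    UNAUTHORIZED = "401"       # module rejects; the chain stops here


# --- constructed sample data (stand-in for the thread's "jones" case) ---
# LDAP stand-in: user -> password the bind would succeed with.
LDAP_DIRECTORY = {"jones": "x", "ldaponly": "ldap-pw"}


def _hash(password, salt):
    # Stand-in for AuthMySQLPwEncryption crypt; salted PBKDF2 so no crypt module is needed.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000).hex()


# MySQL stand-in: user -> (salt, stored hash), like the mysql_auth table in the thread.
MYSQL_TABLE = {
    "jones": ("s1", _hash("y", "s1")),
    "mysqlonly": ("s2", _hash("mysql-pw", "s2")),
}


def ldap_check(user, password, authoritative=False, directory=LDAP_DIRECTORY):
    """mod_auth_ldap 2.0 rule: find the user's DN, then bind as that DN.
    No DN found  -> DECLINED when AuthLDAPAuthoritative is off, else 401.
    DN found but the bind fails -> 401 regardless (the 'refuses to decline' case)."""
    if user not in directory:
        return Result.DECLINED if not authoritative else Result.UNAUTHORIZED
    if directory[user] != password:  # ldap_simple_bind_s() -> Invalid credentials
        return Result.UNAUTHORIZED
    return Result.OK


def mysql_check(user, password, authoritative=False, table=MYSQL_TABLE):
    """Same shape for the SQL-backed module: unknown user declines, wrong password rejects."""
    row = table.get(user)
    if row is None:
        return Result.DECLINED if not authoritative else Result.UNAUTHORIZED
    salt, stored = row
    if _hash(password, salt) != stored:  # "user jones: password mismatch"
        return Result.UNAUTHORIZED
    return Result.OK


def authenticate(user, password, providers):
    """Run the check_user_id chain in module order: the first module that does
    not DECLINE decides. If every module declines, nobody vouched for the user."""
    for check in providers:
        result = check(user, password)
        if result is not Result.DECLINED:
            return result
    return Result.UNAUTHORIZED


def run_cases(providers=(ldap_check, mysql_check)):
    """Evaluate the situations described in the thread for a given module order."""
    cases = {
        "jones / ldap pw": ("jones", "x"),
        "jones / mysql pw": ("jones", "y"),
        "ldaponly / ldap pw": ("ldaponly", "ldap-pw"),
        "mysqlonly / mysql pw": ("mysqlonly", "mysql-pw"),
        "nobody / anything": ("nobody", "zzz"),
    }
    return {name: authenticate(u, p, providers).value for name, (u, p) in cases.items()}


if __name__ == "__main__":
    print("LDAP first, then MySQL:")
    for name, outcome in run_cases().items():
        print(f"  {name:22s} -> {outcome}")
    print("MySQL first, then LDAP:")
    for name, outcome in run_cases((mysql_check, ldap_check)).items():
        print(f"  {name:22s} -> {outcome}")
```

With LDAP first, "jones / mysql pw" is a 401 even though the MySQL row would have matched, and with the order swapped "jones / ldap pw" is the one that fails; only users unknown to the first module ever reach the second. The practical consequence for a mixed realm is that a user must not exist in both stores, or must carry the same password in both, and that the store consulted first is the one whose password policy actually governs.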
[users@httpd] mod_auth_ldap mod_auth_mysql on OS-X
Posted by William Paredes <pa...@aecom.yu.edu>.
Just before going "live" I noticed that mod_auth_mysql and mod_auth_ldap
do not "fail through" properly when protecting the same realm.
1] The mysql protected area below works as expected. entering a bad
password or unknown user produces the correct response.
[Fri Jan 27 19:34:10 2006] [error] [client 129.98.98.98] user jones: password mismatch: /area51/
[Fri Jan 27 19:34:18 2006] [error] [client 129.98.98.98] MySQL user not found: /area51/
2] The LDAP protected area works but it NEEDS to have the mysql
directives in place with AuthMysqlEnable set to off otherwise the server
returns the following error:
[Fri Jan 27 19:15:03 2006] [error] [client 129.98.98.98] MySQL user jones not found: /area52
[Fri Jan 27 19:15:59 2006] [error] [client 129.98.98.98] MySQL ERROR: Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)
It's as if mod_auth_mysql is "stuck" in memory. With the mysql
directives in place the realm is properly protected.
3] The problem is in the third realm with LDAP not "failing through" to
MYSQL. The server always ignores LDAP regardless of the
AuthLDAPAuthoritative or AuthMySQLAuthoritative settings. Swapping the
order of the LDAP and MYSQL directives has no effect. A bad password
always results in:
[Fri Jan 27 19:52:41 2006] [error] [client 129.98.98.98] user jones: password mismatch: /area53
. . . which is the mysql error return.
I know that the module load order is NOT supposed to matter, but
systematically changing the load order of mod_auth_mysql and
mod_ldap/mod_auth_ldap produces the opposite results. The end result is
that the MYSQL-LDAP protected realm does not "fail through" properly.
4] I've scoured the web, groups and blogs for any hint in using both
mod_auth_ldap together with mod_auth_mysql to protect a realm. I'm now
considering looking at Apache2.2
Any hint or area to look at would be much appreciated!
System stats
------------
OS=OS-X [10.3.9]
Apache = 2.0.55
mod_auth_ldap, mod_ldap = [apache's own module]
mod_auth_mysql = 3.0 [sourceforge]
Extracts from httpd.conf =
-------------------------
# Dynamic Shared Object (DSO) Support
LoadModule mysql_auth_module modules/mod_auth_mysql.so
LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
#LoadModule info_module modules/mod_info.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule imap_module modules/mod_imap.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule php5_module modules/libphp5.so
<Directory />
Options FollowSymLinks
AllowOverride None
allow from all
</Directory>
<Directory /usr/local/apache2/htdocs/mysqlProtected>
Options FollowSymLinks
AuthType Basic
AuthName "area51-MySQL protected"
AuthMySQLHost xxx.xxxx.xxx.xxx
AuthMySQLUser httpd
AuthMySQLPassword xxxxx
AuthMySQLDB http_auth
AuthMysqlUserTable mysql_auth
AuthMySQLNameField username
AuthMySQLPasswordField passwd
AuthMysqlGroupTable mysql_groups
AuthMySQLGroupField groups
AuthMySQLAuthoritative on
AuthMySQLEnable on
#AuthMySQLNoPasswd off
AuthMySQLPwEncryption crypt
require group administration
</Directory>
<Directory /usr/local/apache2/htdocs/ldapProtected>
Options FollowSymLinks
AuthType Basic
AuthName "ldap secured - area 52"
#Disabled mod_auth_mysql place holder- this has to do with the way mod_auth_mysql
#sits in memory. Will not work any other way. mysql vs ldap order not important.
#Very strange.
AuthMySQLAuthoritative off
AuthMySQLHost xxx.xxxx.xxx.xxx
AuthMySQLUser httpd
AuthMySQLPassword xxxxx
AuthMySQLDB http_auth
AuthMysqlUserTable mysql_auth
AuthMySQLNameField username
AuthMySQLPasswordField passwd
AuthMysqlGroupTable mysql_groups
AuthMySQLGroupField groups
AuthMySQLEnable off
#AuthMySQLNoPasswd off
AuthMySQLPwEncryption crypt
require group meduser teaching_faculty testing administration
#allow authenticated access - ldap
AuthLDAPURL ldap://xxxx.xxxx.xxx.xxx:389/ou=people,dc=xxxx,dc=xxx,dc=xxx
AuthLDAPAuthoritative on
require valid-user
</Directory>
<Directory /usr/local/apache2/htdocs/area53>
Options FollowSymLinks
AuthType Basic
AuthName "LDAP and mysql secured area 53"
#mod_auth_ldap
AuthLDAPAuthoritative off
AuthLDAPURL "ldap://xxxx.xxxx.xxx.xxx:389/ou=people,dc=xxxx,dc=xxx,dc=xxx"
require valid-user
#mod_auth_mysql
AuthMySQLHost xxx.xxxx.xxx.xxx
AuthMySQLUser httpd
AuthMySQLPassword xxxxx
AuthMySQLDB http_auth
AuthMysqlUserTable mysql_auth
AuthMySQLNameField username
AuthMySQLPasswordField passwd
AuthMysqlGroupTable mysql_groups
AuthMySQLGroupField groups
AuthMySQLAuthoritative On
AuthMySQLEnable on
#AuthMySQLNoPasswd on
AuthMySQLPwEncryption crypt
require group administration
</Directory>
Regards,
bill
Re: [users@httpd] Apache directives
Posted by Chris D'Ambrosio <cd...@yahoo.com>.
Brenda, I wish I could help you, but I only joined the group to get help myself... not really that knowledgeable yet, still learning. How did you find my email address, and is there a larger list of participants so that I might ask my own question? I joined the group but can't find where to ask my question.
thanks.
chris.