Posted to users@httpd.apache.org by Tomas Pelka <to...@gmail.com> on 2011/01/21 00:55:18 UTC

[users@httpd] Re: Apache2+LDAP authentication problem

Doh, sorry, something went wrong while sending the post.

I have a problem with LDAP authentication. Whenever I try to
authenticate, Apache logs:


[Fri Jan 21 15:48:00 2011] [error] [client xx.xx.xx.xx] client used wrong authentication scheme: /~tom/download/
[Fri Jan 21 15:48:12 2011] [warn] [client xx.xx.xx.xx] [14895] auth_ldap authenticate: user xpelka00 authentication failed; URI /~tom/download/ [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
[Fri Jan 21 15:48:12 2011] [error] [client xx.xx.xx.xx] user xpelka00: authentication failure for "/~tom/download/": Password Mismatch


apache.conf:
------------
        <Directory /home/tom/public_html/download>
        AuthName "Use you MNSB access credentials"
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPUrl "ldap://10.8.0.46/ou=People,dc=vpn,dc=xx?uid?sub"
        AuthLDAPBindDN "cn=admin,dc=vnp,dc=xx"
        AuthLDAPBindPassword $PASSWORD
        AuthzLDAPAuthoritative off
        </Directory>
(Require option is in .htaccess)

$PASSWORD is a hash of the admin's password; I also tried the plain-text password, with exactly the same result.

slapd.log:
-------------
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: activity on 1 descriptor
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: activity on:
Jan 21 20:55:30 s_all@ldap slapd[27057]:
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: epoll: listen=9 busy
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: listen=9, new connection on 15
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: added 15r (active) listener=(nil)
Jan 21 20:55:30 s_all@ldap slapd[27057]: conn=37 fd=15 ACCEPT from IP=10.8.0.1:56055 (IP=0.0.0.0:389)
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: activity on 2 descriptors
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: activity on:
Jan 21 20:55:30 s_all@ldap slapd[27057]:  15r
Jan 21 20:55:30 s_all@ldap slapd[27057]:
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: activity on 1 descriptor
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: activity on:
Jan 21 20:55:30 s_all@ldap slapd[27057]:  15r
Jan 21 20:55:30 s_all@ldap slapd[27057]:
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: read active on 15
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jan 21 20:55:30 s_all@ldap slapd[27057]: conn=37 op=0 BIND dn="cn=admin,dc=vnp,dc=xx" method=128
Jan 21 20:55:30 s_all@ldap slapd[27057]: conn=37 op=0 RESULT tag=97 err=49 text=
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: activity on 2 descriptors
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: activity on:
Jan 21 20:55:30 s_all@ldap slapd[27057]:  15r
Jan 21 20:55:30 s_all@ldap slapd[27057]:
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: activity on 1 descriptor
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: activity on:
Jan 21 20:55:30 s_all@ldap slapd[27057]:  15r
Jan 21 20:55:30 s_all@ldap slapd[27057]:
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: read active on 15
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jan 21 20:55:30 s_all@ldap slapd[27057]: connection_read(15): input error=-2 id=37, closing.
Jan 21 20:55:30 s_all@ldap slapd[27057]: conn=37 op=1 UNBIND
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: removing 15
Jan 21 20:55:30 s_all@ldap slapd[27057]: conn=37 fd=15 closed
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: activity on 1 descriptor
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: activity on:
Jan 21 20:55:30 s_all@ldap slapd[27057]:
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: epoll: listen=9 active_threads=0 tvp=zero

Apache is obviously connected but does not get any user password. Even though:

$ ldapsearch -x -D'cn=admin,dc=vpn,dc=xx' -w xxxx -H ldap://10.8.0.46 -b'ou=People,dc=vpn,dc=xx' -s sub 'uid=xpelka00'

# extended LDIF
#
# LDAPv3
# base <ou=People,dc=vpn,dc=xx> with scope subtree
# filter: uid=xpelka00
# requesting: ALL
#

# xpelka00, People, vpn.xx
dn: uid=xpelka00,ou=People,dc=vpn,dc=xx
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: PureFTPdUser
sn: Pelka Tomas
uid: xpelka00
cn: xpelka00@some.email
givenName: xpelka00
gidNumber: 1000
uidNumber: 29708
loginShell: /bin/false
homeDirectory: /srv/ftp/xpelka00
gecos: FTP ucet
userPassword:: xxxx
FTPHomeDir: /srv/ftp/xpelka00
FTPStatus: enabled
FTPgid: 1000
FTPuid: 29708

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

userPassword is a plain-text password.

Thank you all for feedback.

-- 

Tomas Pelka

Key fingerprint = 06C0 23C6 9EB7 0761 9807  65F4 7F6F 7EAB 496B 28AA
see http://www.gpg.cz/
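An added check, not part of the thread and not the poster's own code. The slapd log above shows the bind that fails: op=0 BIND dn="cn=admin,dc=vnp,dc=xx" answered with err=49 (invalidCredentials), while the search base in AuthLDAPUrl and the working ldapsearch both live under dc=vpn,dc=xx. The script below takes an Apache <Directory> block as a string, pulls out AuthLDAPURL and AuthLDAPBindDN, reduces both to their dc= naming-context suffix and reports when they differ. The two configs inside it are constructed: the first reproduces the posted directives (with a hypothetical placeholder password), the second binds under the same suffix as the search base. Two related points a simple bind implies, stated here rather than in the script: the AuthLDAPBindPassword value is sent literally in the BIND, so a hash of the password will never verify against the stored hash, and a bind that already fails for the admin DN never reaches the per-user bind, so the user's userPassword is never consulted at all.

```shell
#!/bin/sh
# Added example (not from the thread): lint an Apache mod_authnz_ldap block for a
# bind DN whose naming context differs from the AuthLDAPURL search base.

# Extract the value of a directive (case-insensitive name) from config text.
# Prints the first match with surrounding quotes removed, or nothing.
conf_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop directive name
            gsub(/"/, "")                                        # drop quotes
            sub(/[[:space:]]+$/, "")
            print; exit
        }'
}

# Base DN of an LDAP URL: scheme://host[:port]/BASEDN?attrs?scope?filter
ldap_url_base() {
    printf '%s' "$1" | sed -e 's#^[a-z]*://[^/]*/##' -e 's#?.*$##'
}

# Naming-context suffix of a DN: keep only the dc= RDNs, lowercased,
# e.g. cn=admin,dc=vnp,dc=xx -> dc=vnp,dc=xx
dn_suffix() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d ' ' \
        | tr ',' '\n' | grep '^dc=' | paste -s -d , -
}

# Compare the suffix of AuthLDAPBindDN with that of the AuthLDAPURL base.
# Returns 0 when they agree, 1 on mismatch, 2 when a directive is missing.
check_bind_suffix() {
    url=$(conf_value "$1" authldapurl)
    binddn=$(conf_value "$1" authldapbinddn)
    if [ -z "$url" ] || [ -z "$binddn" ]; then
        echo "missing AuthLDAPURL or AuthLDAPBindDN" >&2
        return 2
    fi
    base_sfx=$(dn_suffix "$(ldap_url_base "$url")")
    bind_sfx=$(dn_suffix "$binddn")
    if [ "$base_sfx" != "$bind_sfx" ]; then
        echo "MISMATCH: bind DN is under '$bind_sfx' but search base is under '$base_sfx'" >&2
        return 1
    fi
    echo "ok: bind DN and search base both under '$base_sfx'"
    return 0
}

# Constructed: the directives as posted (password is a hypothetical placeholder).
BAD_CONF=$(cat <<'EOF'
<Directory /home/tom/public_html/download>
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPUrl "ldap://10.8.0.46/ou=People,dc=vpn,dc=xx?uid?sub"
    AuthLDAPBindDN "cn=admin,dc=vnp,dc=xx"
    AuthLDAPBindPassword example-only
</Directory>
EOF
)

# Constructed: same block with the bind DN under the search base's suffix.
GOOD_CONF=$(cat <<'EOF'
<Directory /home/tom/public_html/download>
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://10.8.0.46/ou=People,dc=vpn,dc=xx?uid?sub"
    AuthLDAPBindDN "cn=admin,dc=vpn,dc=xx"
    AuthLDAPBindPassword example-only
</Directory>
EOF
)

# Stand-alone demonstration: first call reports the mismatch and returns 1.
check_bind_suffix "$BAD_CONF" || echo "exit status: $?"
check_bind_suffix "$GOOD_CONF"
```

Once the two suffixes agree, the bind itself can be checked outside Apache with the same OpenLDAP client the post already uses, e.g. ldapwhoami -x -H ldap://10.8.0.46 -D 'cn=admin,dc=vpn,dc=xx' -W, which must return the admin DN before mod_authnz_ldap can get past its initial bind.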




RE: [users@httpd] Re: Apache2+LDAP authentication problem

Posted by David Long <DL...@Lynden.com>.
Hi David,

I am using LDAP authentication too. I have a similar configuration line to yours in the httpd.conf file and it works for the authentication part.
But I found out that once I have authenticated, the credential stays forever until I close the browser. If I leave the browser open for over a day, leave the page to go to yahoo etc., then come back, it will not challenge me for authentication.

I have the following lines in httpd.conf:
LDAPCacheTTL 600
LDAPOpCacheTTL 600

But they do not seem to make any difference.

Does authentication expiration work on your setup?

Thanks in advance.

David Long

From: David (Dave) Donnan [mailto:david.donnan@thalesgroup.com]
Sent: Monday, January 24, 2011 2:30 AM
To: users@httpd.apache.org; Tomas Pelka
Subject: Re: [users@httpd] Re: Apache2+LDAP authentication problem

Tomas hello.

It works for me, I have the following:

httpd.conf:
------------
AuthLDAPURL              "ldaps://<hostname>:636/ou=internal,ou=People,o=group"
# Note the above is simpler than yours
# Note I don't use AuthzLDAPAuthoritative off
...
AuthLDAPBindDN "cn=asdf,...,o=group"
AuthLDAPBindPassword <plain text password>

...
require valid-user
...
Cdlt, Dave
-------

Firstly, sorry that On 21/01/2011 00:55, Tomas Pelka wrote:
> AuthzLDAPAuthoritative off


Re: [users@httpd] Re: Apache2+LDAP authentication problem

Posted by "David (Dave) Donnan" <da...@thalesgroup.com>.
Tomas hello.

It works for me, I have the following:

httpd.conf:
------------

    AuthLDAPURL              "ldaps://<hostname>:636/ou=internal,ou=People,o=group"
    # Note the above is simpler than yours
    # Note I don't use AuthzLDAPAuthoritative off
    ...
    AuthLDAPBindDN "cn=asdf,...,o=group"
    AuthLDAPBindPassword <plain text password>

    ...
    require valid-user
    ...

Cdlt, Dave
-------

Firstly, sorry that On 21/01/2011 00:55, Tomas Pelka wrote:
> AuthzLDAPAuthoritative off