Posted to users@httpd.apache.org by Rob Sterenborg <ro...@sterenborg.info> on 2006/08/10 10:45:33 UTC

[users@httpd] DBD Authentication using MySQL

Hi all,

It took me a long time but I was finally able to compile Apache with DBD and
get it "working". That is: it seems to authenticate (no errors indicating
otherwise) but it reports an error about an Authoritative handler.

Searching around to resolve that I was pointed to the AuthBasicAuthoritative
directive, which should be On according to this post:
http://mail-archives.apache.org/mod_mbox/httpd-users/200604.mbox/%3ce498c1660604230723q7ce2ebe9wfd2c4077c0b3524c@mail.gmail.com%3e

Below is the config for the "test" directory and the error I get.
As you can see, AuthBasicAuthoritative is not set so should default to On. (No
.htaccess files in use.) I tried both settings, but the same error keeps
showing up.

Can someone please point me to what I'm overlooking?


Thanks,
Rob


==== httpd.conf ====

DBDriver mysql
DBDParams "host=<dbserver> dbname=<dbauth> user=<user> pass=<pass>"
DBDMin  1
DBDKeep 2
DBDMax  10
DBDExptime 60

<Directory /path/to/test>
    DirectoryIndex index.php index.html index.html.var
    AuthName "TEST area, please logon..."
    AuthType Basic
    AuthBasicProvider dbd
    AuthDBDUserPWQuery "select encrypt(user_passwd) from users where user_name=%s"
    Require group testusers
    Options Indexes
    IndexOptions FancyIndexing FoldersFirst NameWidth=60
</Directory>


==== error_log ====

[Wed Aug 09 15:46:31 2006] [error] [client 193.173.147.3] access to /test
failed, reason: require directives present and no Authoritative handler.



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


RE: [users@httpd] DBD Authentication using MySQL

Posted by Rob Sterenborg <ro...@sterenborg.info>.
Nick Kew <ma...@webthing.com> wrote:
> On Saturday 12 August 2006 09:43, Rob Sterenborg wrote:
> 
>> But, I'm starting to feel stupid now and here's why.
>> When I point the browser to the url I'm prompted for my user/pass.
>> When I enter that information, there's no telling what Apache will
>> do: it may authenticate, but also it may not. If it authenticates
>> me, it will try to re-authenticate when I press the Refresh button
>> often enough (in both IE and FF). Also, when listing directories, I
>> don't see the full listing.
> 
> Random-looking behaviour is _probably_ due to browser cache.

In this case it apparently wasn't.

>> [Fri Aug 11 18:50:31 2006] [error] [client 10.0.1.1] user <me>:
>> authentication failure for "/mp3/S/index.php": Password Mismatch
> 
> That looks clear enough.  You are a valid user, but your
> encrypted password in the database doesn't match what your browser
> sent. 

I didn't have encrypted passwords because this was only testing and I
wanted to be able to check everything. I used "select encrypt(password)
from ..." which is something I found in a post, don't remember where.

> The easiest way to populate the database is probably to
> create individual entries using htpasswd or htdigest
> (depending on what method you use) and importing the values
> to your SQL.  And beware of charset issues if you have
> anything that's not ASCII-compatible.

This was a test where I used plaintext data (for passwd too) but it got
the UTF-8 charset setting when I didn't pay attention.. I changed all
fields into ASCII.
However this doesn't solve the problem.

I created a new field where I store the encrypted version of the
plaintext passwords: now it works..!

Thanks a lot for the module and your patience!


Grts,
Rob




Re: [users@httpd] DBD Authentication using MySQL

Posted by Nick Kew <ni...@webthing.com>.
On Saturday 12 August 2006 09:43, Rob Sterenborg wrote:

> But, I'm starting to feel stupid now and here's why.
> When I point the browser to the url I'm prompted for my user/pass. When
> I enter that information, there's no telling what Apache will do: it may
> authenticate, but also it may not. If it authenticates me, it will try
> to re-authenticate when I press the Refresh button often enough (in both
> IE and FF). Also, when listing directories, I don't see the full
> listing.

Random-looking behaviour is _probably_ due to browser cache.

> [Fri Aug 11 18:50:31 2006] [error] [client 10.0.1.1] user <me>:
> authentication failure for "/mp3/S/index.php": Password Mismatch

That looks clear enough.  You are a valid user, but your encrypted
password in the database doesn't match what your browser sent.

The easiest way to populate the database is probably to create
individual entries using htpasswd or htdigest (depending on what
method you use) and importing the values to your SQL.  And beware
of charset issues if you have anything that's not ASCII-compatible.

-- 
Nick Kew



RE: [users@httpd] DBD Authentication using MySQL

Posted by Rob Sterenborg <ro...@sterenborg.info>.
Nick Kew <ma...@webthing.com> wrote:
> On Friday 11 August 2006 09:56, Rob Sterenborg wrote:
>> Ah. And I need the files modules/aaa/mod_authz_dbd.* for that I
>> suppose. According to the doc "Available in Apache 2.2 and later".
> 
> Hmm, that's not strictly true.
> 
> When 2.2.0 was released, it was too new and untested to include.
> It's now had a fair bit of test-driving, but hasn't been included for
> other reasons. 
> 
> I've just put the mod_authz_dbd version you need for Apache
> 2.2 at the bottom of http://people.apache.org/~niq/dbd.html

Nice! Thanks a bunch!

But, I'm starting to feel stupid now and here's why.
When I point the browser to the url I'm prompted for my user/pass. When
I enter that information, there's no telling what Apache will do: it may
authenticate, but also it may not. If it authenticates me, it will try
to re-authenticate when I press the Refresh button often enough (in both
IE and FF). Also, when listing directories, I don't see the full
listing.

This log example goes for a directory with just subdirs and files and
I'm using the DirectoryIndex option. When I'm denied access, I get the
errors below:

(GET request:
10.0.1.1 - rsterenborg [11/Aug/2006:18:50:38 +0200] "GET /mp3/ HTTP/1.1"
401 393 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US
; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6")

[Fri Aug 11 18:50:31 2006] [error] [client 10.0.1.1] user <me>:
authentication failure for "/mp3/S/index.php": Password Mismatch
[Fri Aug 11 18:50:31 2006] [error] [client 10.0.1.1] user <me>:
authentication failure for "/mp3/T/index.php": Password Mismatch
[Fri Aug 11 18:50:31 2006] [error] [client 10.0.1.1] user <me>:
authentication failure for "/mp3/U/index.php": Password Mismatch
[Fri Aug 11 18:50:31 2006] [error] [client 10.0.1.1] user <me>:
authentication failure for "/mp3/V/index.php": Password Mismatch
[Fri Aug 11 18:50:31 2006] [error] [client 10.0.1.1] user <me>:
authentication failure for "/mp3/W/index.php": Password Mismatch
[Fri Aug 11 18:50:31 2006] [error] [client 10.0.1.1] user <me>:
authentication failure for "/mp3/X/index.php": Password Mismatch
[Fri Aug 11 18:50:31 2006] [error] [client 10.0.1.1] user <me>:
authentication failure for "/mp3/Y/index.php": Password Mismatch
[Fri Aug 11 18:50:31 2006] [error] [client 10.0.1.1] user <me>:
authentication failure for "/mp3/Z/index.php": Password Mismatch

Showing debug information does not give any more information except some
Zlib lines.
You can see authentication fails for index.php in each subdir of mp3.
There is no such file: this is supposed to be a directory listing.

I've also seen this happen when I didn't have mod_authz_dbd installed
yet and had "Require user <me>" in place. I had 2 separate directories
with the same Directory auth configuration in httpd.conf. In 1 I was
granted access, not in the other.

I'm not sure what other information to give. The Directory config is the
same as what I've posted a few times before.


Grts,
Rob




Re: [users@httpd] DBD Authentication using MySQL

Posted by Nick Kew <ni...@webthing.com>.
On Friday 11 August 2006 09:56, Rob Sterenborg wrote:
> On Thu, August 10, 2006 17:48, Nick Kew wrote:
> >> The AuthDBDUserPWQuery directive contains "User". Should it also work
> >> for "Require group"?
> >
> > Nope.  If you want to check groups from your database, you'll need
> > mod_authz_dbd and "Require dbd-group admins"
>
> Ah. And I need the files modules/aaa/mod_authz_dbd.* for that I suppose.
> According to the doc "Available in Apache 2.2 and later".

Hmm, that's not strictly true.

When 2.2.0 was released, it was too new and untested to include.
It's now had a fair bit of test-driving, but hasn't been included for
other reasons.

I've just put the mod_authz_dbd version you need for Apache 2.2
at the bottom of http://people.apache.org/~niq/dbd.html

-- 
Nick Kew



Re: [users@httpd] DBD Authentication using MySQL

Posted by Rob Sterenborg <ro...@sterenborg.info>.
On Thu, August 10, 2006 17:48, Nick Kew wrote:
>> The AuthDBDUserPWQuery directive contains "User". Should it also work for
>> "Require group"?
>
> Nope.  If you want to check groups from your database, you'll need
> mod_authz_dbd and "Require dbd-group admins"

Ah. And I need the files modules/aaa/mod_authz_dbd.* for that I suppose.
According to the doc "Available in Apache 2.2 and later".

I downloaded httpd-2.2.3.tar.bz2 some 2 days ago but mod_authz_dbd is not in
there AFAICS, because some files seem to be missing.
I downloaded httpd_20060810102052.tar.gz and it *is* in there.

==== httpd_200608102052/modules/aaa ====
-rw-r--r--   1 500 mail 54377 2006-07-12 00:25 mod_authnz_ldap.c
-rw-r--r--   1 500 mail  4183 2006-07-07 00:17 mod_authnz_ldap.dsp
-rw-r--r--   1 500 mail 32358 2006-08-05 00:16 mod_authz_core.c
-rw-r--r--   1 500 mail  4119 2006-07-26 12:16 mod_authz_core.dsp
-rw-r--r--   1 500 mail 11500 2006-07-12 00:25 mod_authz_dbd.c
-rw-r--r--   1 500 mail  1009 2006-07-12 00:25 mod_authz_dbd.h
-rw-r--r--   1 500 mail  9186 2006-07-12 00:25 mod_authz_dbm.c
-rw-r--r--   1 500 mail  4085 2006-07-07 00:17 mod_authz_dbm.dsp
========

==== httpd-2.2.3/modules/aaa =====
-rw-r--r--   1 500 500 46945 2006-07-26 15:31 mod_authnz_ldap.c
-rw-r--r--   1 500 500  4183 2006-04-27 23:51 mod_authnz_ldap.dsp
-rw-r--r--   1 500 500  9140 2006-07-12 05:38 mod_authz_dbm.c
-rw-r--r--   1 500 500  4085 2006-04-27 23:51 mod_authz_dbm.dsp
=========
I guess I should have seen mod_authz_dbd.[c|dsp] here.

When I compile the snapshot (yes I supplied buildconf the path to
apr[-util]-1.2.7), PHP complains and must be recompiled.
When I recompile PHP, make complains that it can't find apr.h etc so it won't
compile (haven't had the time yet to look into that).

Is mod_authz_dbd really not in 2.2.3 or am I overlooking something, again?


Grts,
Rob





Re: [users@httpd] DBD Authentication using MySQL

Posted by Nick Kew <ni...@webthing.com>.
On Thursday 10 August 2006 15:40, Rob Sterenborg wrote:

> When I use: "Require user <me>"
> I'm authenticated correctly and see the directory listing.

So you've got authn_dbd working.

> When I use: "Require group admins"

That uses mod_authz_groupfile and an AuthGroupFile directive.

> I get the same error as before:
> [Thu Aug 10 16:13:56 2006] [error] [client 193.173.147.3] access to /test
> failed, reason: require directives present and no Authoritative handler.

... which you haven't got.


> The AuthDBDUserPWQuery directive contains "User". Should it also work for
> "Require group"?

Nope.  If you want to check groups from your database, you'll need 
mod_authz_dbd and "Require dbd-group admins"

-- 
Nick Kew
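
[Added example, not part of any poster's message and not the Apache project's own configuration.] The two fixes this thread arrives at, shown together: AuthDBDUserPWQuery returns a hash stored in its own column, and database groups are checked by mod_authz_dbd through its AuthzDBDQuery directive. The column user_passwd_hash and the table user_groups with its group_name column are assumed names.

```apache
# Connection pool, as in the original post (placeholders kept from the thread).
DBDriver mysql
DBDParams "host=<dbserver> dbname=<dbauth> user=<user> pass=<pass>"
DBDMin  1
DBDKeep 2
DBDMax  10
DBDExptime 60

<Directory /path/to/test>
    AuthName "TEST area, please logon..."
    AuthType Basic
    AuthBasicProvider dbd

    # Before (from the thread): the hash is computed from a plaintext column
    # on every request, and the result was an intermittent "Password Mismatch".
    #   AuthDBDUserPWQuery "select encrypt(user_passwd) from users where user_name = %s"
    #
    # After: return a hash that was generated once (for example with htpasswd)
    # and stored in its own column. user_passwd_hash is an assumed column name.
    AuthDBDUserPWQuery "SELECT user_passwd_hash FROM users WHERE user_name = %s"

    # Before (from the thread): "Require group" is served by
    # mod_authz_groupfile and needs an AuthGroupFile, so with only the dbd
    # provider configured the request ends in
    # "require directives present and no Authoritative handler".
    #   Require group testusers
    #
    # After: let mod_authz_dbd look the groups up in the database.
    # user_groups and group_name are assumed names; the query returns one row
    # per group the user belongs to.
    AuthzDBDQuery "SELECT group_name FROM user_groups WHERE user_name = %s"
    Require dbd-group testusers

    Options Indexes
    IndexOptions FancyIndexing FoldersFirst NameWidth=60
</Directory>
```

Once the hash column is populated, the plaintext user_passwd column is no longer needed by the web server and can be dropped.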



Re: [users@httpd] DBD Authentication using MySQL

Posted by Rob Sterenborg <ro...@sterenborg.info>.
On Thu, August 10, 2006 15:45, Joshua Slive wrote:
...
>> Below is the config for the "test" directory and the error I get.
>> As you can see, AuthBasicAuthoritative is not set so should default to On.
>> (No .htaccess files in use.) I tried both settings, but the same error keeps
>> showing up.
>>
>> Can someone please point me to what I'm overlooking?
>>
>
> Do you have mod_authn_default and mod_authz_default included in your config?

Errm. No, I didn't. I have recompiled Apache with these, put the appropriate
LoadModule lines in the config and restarted httpd.

When I use: "Require user <me>"
I'm authenticated correctly and see the directory listing.

When I use: "Require group admins"
I get the same error as before:
[Thu Aug 10 16:13:56 2006] [error] [client 193.173.147.3] access to /test
failed, reason: require directives present and no Authoritative handler.

In my config I (still) have:
<Directory /path/to/test>
    DirectoryIndex index.php index.html index.html.var
    AuthName "TEST area, please logon..."
    AuthType Basic
    AuthBasicProvider dbd
    AuthDBDUserPWQuery "select encrypt(user_passwd) from users where user_name = %s"
#    Require user <me>
    Require group testusers
    Options Indexes
    IndexOptions FancyIndexing FoldersFirst NameWidth=60
</Directory>

The AuthDBDUserPWQuery directive contains "User". Should it also work for
"Require group"?


Grts,
Rob





Re: [users@httpd] DBD Authentication using MySQL

Posted by Joshua Slive <jo...@slive.ca>.
On 8/10/06, Rob Sterenborg <ro...@sterenborg.info> wrote:
> Hi all,
>
> It took me a long time but I was finally able to compile Apache with DBD and
> get it "working". That is: it seems to authenticate (no errors indicating
> otherwise) but it reports an error about an Authoritative handler.
>
> Searching around to resolve that I was pointed to the AuthBasicAuthoritative
> directive, which should be On according to this post:
> http://mail-archives.apache.org/mod_mbox/httpd-users/200604.mbox/%3ce498c1660604230723q7ce2ebe9wfd2c4077c0b3524c@mail.gmail.com%3e
>
> Below is the config for the "test" directory and the error I get.
> As you can see, AuthBasicAuthoritative is not set so should default to On. (No
> .htaccess files in use.) I tried both settings, but the same error keeps
> showing up.
>
> Can someone please point me to what I'm overlooking?

Do you have mod_authn_default and mod_authz_default included in your config?

Joshua.
