Posted to bugs@httpd.apache.org by bu...@apache.org on 2009/04/07 03:28:06 UTC
DO NOT REPLY [Bug 46978] New: mod_authz_LDAP displays page not found when used with mod_auth_kerb
https://issues.apache.org/bugzilla/show_bug.cgi?id=46978
Summary: mod_authz_LDAP displays page not found when used with mod_auth_kerb
Product: Apache httpd-2
Version: 2.2.11
Platform: PC
URL: http://private
OS/Version: FreeBSD
Status: NEW
Severity: normal
Priority: P2
Component: mod_authz_ldap
AssignedTo: bugs@httpd.apache.org
ReportedBy: garrisot@otc.edu
If using mod_auth_kerb for authentication and mod_authz_ldap for authorization,
a page not found will be displayed if you are authenticated with mod_auth_kerb
but denied access with mod_authz_ldap.
httpd.conf
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms DOMAIN.COM
KrbAuthoritative on
Krb5KeyTab /usr/local/etc/apache22/keytab
AuthLDAPBindDN "user@domain.com"
AuthLDAPBindPassword "password"
AuthLDAPUrl ldap://ADserver:3268/dc=domain,dc=com?userPrincipalName?sub?(objectClass=*)
require ldap-group cn=group,OU=Groups,DC=domain,DC=com
error log
[Mon Apr 06 13:27:33 2009] [debug] src/mod_auth_kerb.c(1628): [client 1.2.3.4]
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Apr 06 13:27:41 2009] [debug] src/mod_auth_kerb.c(1628): [client 1.2.3.4]
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Apr 06 13:27:41 2009] [debug] src/mod_auth_kerb.c(1240): [client 1.2.3.4]
Acquiring creds for HTTP@server.domain.com
[Mon Apr 06 13:27:41 2009] [debug] src/mod_auth_kerb.c(1385): [client 1.2.3.4]
Verifying client data using KRB5 GSS-API with our SPNEGO lib
[Mon Apr 06 13:27:41 2009] [debug] src/mod_auth_kerb.c(1401): [client 1.2.3.4]
Client didn't delegate us their credential
[Mon Apr 06 13:27:41 2009] [debug] src/mod_auth_kerb.c(1420): [client 1.2.3.4]
GSS-API token of length 129 bytes will be sent back
[Mon Apr 06 13:27:41 2009] [debug] mod_authnz_ldap.c(582): [client 1.2.3.4]
ldap authorize: Creating LDAP req structure
[Mon Apr 06 13:27:41 2009] [debug] mod_authnz_ldap.c(715): [client 1.2.3.4]
[77101] auth_ldap authorise: require group: testing for group membership in
"cn=group,OU=Groups,DC=domain,DC=com"
[Mon Apr 06 13:27:41 2009] [debug] mod_authnz_ldap.c(721): [client 1.2.3.4]
[77101] auth_ldap authorise: require group: testing for member:
CN=user,OU=Accounts,DC=domain,DC=com (cn=group,OU=Groups,DC=domain,DC=com)
[Mon Apr 06 13:27:41 2009] [debug] mod_authnz_ldap.c(737): [client 1.2.3.4]
[77101] auth_ldap authorise: require group
"cn=group,OU=Groups,DC=domain,DC=com": authorisation failed [Comparison false
(adding to cache)][Compare False]
[Mon Apr 06 13:27:41 2009] [debug] mod_authnz_ldap.c(721): [client 1.2.3.4]
[77101] auth_ldap authorise: require group: testing for uniquemember:
CN=user,OU=Accounts,DC=domain,DC=com (cn=group,OU=Groups,DC=domain,DC=com)
[Mon Apr 06 13:27:41 2009] [debug] mod_authnz_ldap.c(737): [client 1.2.3.4]
[77101] auth_ldap authorise: require group
"cn=group,OU=Groups,DC=domain,DC=com": authorisation failed [Comparison no such
attribute (adding to cache)][No such attribute]
[Mon Apr 06 13:27:41 2009] [debug] mod_authnz_ldap.c(852): [client 1.2.3.4]
[77101] auth_ldap authorise: authorisation denied
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
--- Comment #2 from Wolfraider <ga...@otc.edu> 2009-04-07 06:06:11 PST ---
httpd-access.log
1.2.3.4 - - [07/Apr/2009:08:00:14 -0500] "GET /viewvc/ HTTP/1.1" 401 401 "-"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR
2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)"
1.2.3.4 - user@DOMAIN.COM [07/Apr/2009:08:00:20 -0500] "GET /viewvc/ HTTP/1.1"
401 401 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)"
lynx does not understand the Negotiate header, so I can't test with it.
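A small classifier, added here and not part of the bug report or of httpd, that reads Combined Log Format lines like the ones Wolfraider posted and separates the initial Negotiate challenge (no user yet) from a 401 returned to a principal mod_auth_kerb had already authenticated, which is the authz-failure case this thread is about. The log lines are constructed samples; the client IPs and principals are placeholders.

```python
import re
from collections import Counter

# Combined Log Format as written by httpd's default "combined" LogFormat.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: first line is the anonymous Negotiate challenge,
# second is the authenticated principal refused by the LDAP group check,
# third is an unrelated successful request.
SAMPLE_LOG = """\
1.2.3.4 - - [07/Apr/2009:08:00:14 -0500] "GET /viewvc/ HTTP/1.1" 401 401 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
1.2.3.4 - user@DOMAIN.COM [07/Apr/2009:08:00:20 -0500] "GET /viewvc/ HTTP/1.1" 401 401 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
1.2.3.5 - other@DOMAIN.COM [07/Apr/2009:08:01:02 -0500] "GET /viewvc/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
"""


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify_401(entry):
    """'challenge' when no user was set yet (the normal Negotiate round trip),
    'authz-denied' when an authenticated user still got a 401, i.e. the
    authorization layer refused them; None for any other status."""
    if entry["status"] != 401:
        return None
    return "challenge" if entry["user"] == "-" else "authz-denied"


def summarize(log_text):
    """Count each kind of 401 and list the (user, request) pairs that were
    authenticated but denied, so they can be reviewed against group policy."""
    counts = Counter()
    denied = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify_401(entry)
        if kind is not None:
            counts[kind] += 1
            if kind == "authz-denied":
                denied.append((entry["user"], entry["request"]))
    return counts, denied
```

Running `summarize(SAMPLE_LOG)` reports one challenge and one authz-denied entry for user@DOMAIN.COM; an authenticated user repeatedly landing in the second bucket is the situation the reporters describe, not a credential problem.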
Michael <m....@enbw.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |NEW
--- Comment #3 from Michael <m....@enbw.com> 2009-10-16 07:18:16 UTC ---
I can confirm that behaviour. Internet Explorer displays its own "user friendly
message": The page cannot be displayed. Firefox displays the defined
ErrorDocument 401 or the Apache default message "Authorization required". But
in fact Apache / mod_authnz_ldap should not send a 401 if the user is
authenticated by mod_auth_kerb but has no access due to missing LDAP group
membership. I would consider a 403 as the correct HTTP status code, because the
access has to be denied.
I'm using httpd-2.2.13 with mod_auth_kerb 5.4; the configuration is similar to
Wolfraider's.
AuthType Kerberos
KrbAuthoritative off
KrbMethodNegotiate on
AuthName "Kerberos Login"
Krb5Keytab /etc/apache22/kerberos/server.keytab
KrbAuthRealms DOMAIN
KrbServiceName HTTP/server@DOMAIN
KrbSaveCredentials off
KrbDelegateBasic off
KrbLocalUserMapping on
AuthzLDAPAuthoritative off
AuthLDAPURL ldap://server:389/dc=company,dc=org?sAMAccountName?sub
AuthLDAPRemoteUserAttribute sAMAccountName
AuthLDAPBindDN "cn=user,ou=sys,dc=company,dc=org"
AuthLDAPBindPassword password
require ldap-group CN=MyGroup,OU=WEB,DC=company,DC=org
--- Comment #4 from Michael <m....@enbw.com> 2009-10-16 07:31:13 UTC ---
Additional information:
Using "AuthzLDAPAuthoritative on":
[debug] mod_authnz_ldap.c(852): [client xxx] [31060] auth_ldap authorise:
authorisation denied
Using "AuthzLDAPAuthoritative off":
[debug] mod_authnz_ldap.c(847): [client xxx] [30858] auth_ldap authorise:
declining to authorise
[error] [client xxx] access to /xxx/ failed, reason: require directives present
and no Authoritative handler.
In both cases http-status 401 is returned.
Wolfraider <ga...@otc.edu> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |garrisot@otc.edu
Eric Covener <co...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO
--- Comment #1 from Eric Covener <co...@gmail.com> 2009-04-06 18:50:01 PST ---
What's a "page not found"? What does your access log say? What does a
command-line client say the response body is?
--- Comment #7 from Eric Covener <co...@gmail.com> 2011-09-21 11:12:35 UTC ---
LDAP behaves like every other standard authz module, save mod_authz_host which
is unique, by returning 401. This is what lets users try different
credentials when the current ones aren't sufficient.
There is a global switch in trunk
(http://httpd.apache.org/docs/trunk/mod/mod_authz_core.html#authzsendforbiddenonfailure)
to turn authz 401s into 403s.
Eric Covener <co...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID
--- Comment #5 from Eric Covener <co...@gmail.com> 2011-09-17 20:12:21 UTC ---
You both are getting a 401 because authorization failed. 401 is consistent
with other authz modules, since you can change your userid and retry.
Michael <m....@enbw.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |m.beier@enbw.com
--- Comment #6 from Michael <m....@enbw.com> 2011-09-21 08:42:22 UTC ---
(In reply to comment #5)
> You both are getting a 401 because authorization failed. 401 is consistent
> with other authz modules, since you can change your userid and retry.
In my interpretation, authn modules should reply with 401 and authz modules
should reply with 403. In our configuration mod_auth_kerb has the authn role
and mod_authnz_ldap only has the authz role and must not send a 401. Any
reauthentication (and sending 401s) has to be done by mod_auth_kerb.
Please take a minute and consider that.
Thanks,
Michael