You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Michael Luff <Mi...@mailsource.co.uk> on 2006/08/07 15:48:24 UTC
RE: [users@httpd] mod_auth_mysql
Hello does anyone have any idea where I might look to resolve this
issue?
Many thanks.
I'm using apache v2.0.55 and mod_auth_mysql v3 on a Gentoo Linux
box. Below is a section from my httpd.conf - does it look right?
# These modules provide authentication and authorisation for
# clients. They should not normally be disabled.
#
LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
LoadModule auth_anon_module modules/mod_auth_anon.so
LoadModule auth_dbm_module modules/mod_auth_dbm.so
LoadModule auth_digest_module modules/mod_auth_digest.so
Many thanks,
Michael.
-----Original Message-----
From: paredes [mailto:paredes@aecom.yu.edu]
Sent: 20 July 2006 19:01
To: users@httpd.apache.org
Subject: Re: [users@httpd] mod_auth_mysql
Greetings Michael!
Which versions of apache and mod_auth_mysql are you using? What platform
are you on? When you check your httpd.conf file is mod_auth being
loaded?
Regards,
William Paredes
Computer Based Education
Albert Einstein College of Medicine
Bronx, New York USA
Michael Luff wrote:
> Hi William,
> Thanks for your help on this one. From what you and Elaine have
> written and from what I've read, this really ought to work but I'm
> still stuck with the all or nothing problem.
>
> If I modify my file as you suggest, anyone can get access without
> being prompted for a password, not just the IP I specify; if I comment
> out the 'satisfy any' line, I'm back to passwords for all.
>
> As we agree that the approach is valid, can anyone think of any other
> commands, directives etc somewhere else that might be having an effect
> on this?
>
> Many thanks,
> Michael.
>
> -----Original Message-----
> From: paredes [mailto:paredes@aecom.yu.edu]
> Sent: 19 July 2006 23:52
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] mod_auth_mysql
>
> Greetings Michael!
>
> What should work is the following:
>
> <Directory /var/www/localhost/htdocs>
>
> deny from all
> allow from 10.0.0.72
>
> AuthName "authentication required"
> AuthType Basic
> AuthMySQLHost localhost
> AuthMySQLEnable on
> AuthMySQLUser xxxxxxx
> AuthMySQLPassword xxxxxxx
> AuthMySQLDB auth
> AuthMySQLUserTable users
> AuthMySQLNameField user_name
> AuthMySQLPasswordField user_passwd
> AuthMySQLGroupTable groups
> AuthMySQLGroupField user_group
> Require group user admin
>
> satisfy any
>
> </directory>
>
> William Paredes
> Computer Based education
> Albert Einstein College of Medicine
> Bronx, New York USA
>
>
> Michael Luff wrote:
>
>> Hi Elaine,
>>
>> Many thanks for the help, I've now got:
>>
>> <Directory /var/www/localhost/htdocs>
>>
>> AuthName "authentication required"
>>
>> AuthType Basic
>>
>> AuthMySQLHost localhost
>>
>> AuthMySQLEnable on
>>
>> AuthMySQLUser xxxxxxx
>>
>> AuthMySQLPassword xxxxxxx
>>
>> AuthMySQLDB auth
>>
>> AuthMySQLUserTable users
>>
>> AuthMySQLNameField user_name
>>
>> AuthMySQLPasswordField user_passwd
>>
>> AuthMySQLGroupTable groups
>>
>> AuthMySQLGroupField user_group
>>
>> # This next line controls which group(s) can access the resource
>>
>> AllowOverride none
>>
>> Require group user admin
>>
>> Order allow,deny
>>
>> Allow from 10.0.0.72
>>
>> Satisfy Any
>>
>> </Directory>
>>
>> But now anyone can access it, not just the IUP address I've
specified!
>>
>
>
>> I can't seem to get around this all or nothing problem.
>>
>> Can you see anything I've done wrong?
>>
>> Regards,
>>
>> Michael.
>>
>> *From:* elaine [mailto:elaine@ccuec.unicamp.br]
>> *Sent:* 19 July 2006 13:49
>> *To:* users@httpd.apache.org
>> *Subject:* Re: [users@httpd] mod_auth_mysql
>>
>> Michael,
>>
>> Try to use the "allow" and "satisfy" directives.
>> This is an example, that we use to protect our intranet access :
>> (Note that the IP's and server name were modified, and we use the
>> deny
>>
>
>
>> directive
>> to refuse connections from reception kiosk.)
>>
>> <Limit GET PUT POST>
>>
>> # Allow access only to authenticated users from MySQL # or users that
>> are in the intranet # (except IP xx.xx.xx.xx : reception kiosk)
>>
>> require valid-user
>> Order allow,deny
>> Deny from xxx.xxx.xx.x
>>
>> # Allow access from our internal network without # username and
>> password
>>
>> Allow from example.com
>>
>> Satisfy any
>> </Limit>
>>
>>
>> You can read more details about Satisfy directive :
>>
>> http://httpd.apache.org/docs/2.2/mod/core.html#satisfy
>>
>> Regards,
>> Elaine
>>
>> Michael Luff wrote:
>>
>> Hi All,
>>
>> I've got mod_auth_mysql working nicely but I would like the users on
>> my internal network not to have to enter a username and password,
>> just
>>
>
>
>> people accessing from outside.
>>
>> I've tried various solutions using Order deny,allow; allow from and
>> so
>>
>
>
>> forth but with no luck, I end up with everyone being prompted or
>>
> no-one.
>
>> Here's my unmodified <Directory> command from my httpd.conf that
>> requires everyone to supply a password, can anyone suggest how I can
>> modify it to allow access from 10.0.0?
>>
>> <Directory /var/www/localhost/htdocs>
>>
>> AuthName "authentication required"
>>
>> AuthType Basic
>>
>> AuthMySQLHost localhost
>>
>> AuthMySQLEnable on
>>
>> AuthMySQLUser xxxxxx
>>
>> AuthMySQLPassword xxxxxxx
>>
>> AuthMySQLDB auth
>>
>> AuthMySQLUserTable users
>>
>> AuthMySQLNameField user_name
>>
>> AuthMySQLPasswordField user_passwd
>>
>> AuthMySQLGroupTable groups
>>
>> AuthMySQLGroupField user_group
>>
>> # This next line controls which group(s) can access the resource
>>
>> require group user admin
>>
>> </Directory>
>>
>> Regards,
>>
>> *Michael Luff** *MSc B.Eng (Hons) MIET* **Facilities & Systems
>> Manager *
>>
>> T: +44 (0)20 8614 7604
>> F: +44 (0)20 8614 7601
>> M: +44 (0)7976 404956
>> E: Michael.luff@mailsource.co.uk
>>
> <ma...@mailsource.co.uk>
>
>> *MailSource UK Limited *
>>
>> - Europe's leading specialist in integrated document delivery
>>
> solutions
>
>> - Holders of the RoSPA Health & Safety Gold Medal 2006/2007
>>
>> Northumberland House
>>
>> 15 Petersham Road
>>
>> Richmond-upon-Thames
>>
>> Surrey TW10 6TP
>>
>> *www.mailsource.co.uk <http://www.mailsource.co.uk/>*
>>
>> *MailSource UK Limited *
>>
>> - Europe's leading specialist in integrated document delivery
>>
> solutions
>
>> - Holders of the RoSPA Health & Safety Gold Medal 2006/2007
>>
>> Northumberland House
>>
>> 15 Petersham Road
>>
>> Richmond-upon-Thames
>>
>> Surrey TW10 6TP
>>
>> *www.mailsource.co.uk <http://www.mailsource.co.uk/>*
>>
>>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
> MailSource UK Limited
>
> - Europe's leading specialist in integrated document delivery
> solutions
> - Holders of the RoSPA Health & Safety Gold Medal 2006/2007
>
> Northumberland House
> 15 Petersham Road
> Richmond-upon-Thames
> Surrey TW10 6TP
>
>
> www.mailsource.co.uk
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
MailSource UK Limited
- Europe's leading specialist in integrated document delivery solutions
- Holders of the RoSPA Health & Safety Gold Medal 2006/2007
Northumberland House
15 Petersham Road
Richmond-upon-Thames
Surrey TW10 6TP
www.mailsource.co.uk
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] mod_auth_mysql
Posted by paredes <pa...@aecom.yu.edu>.
Hi Michael!
Set your apache loglevel directive to debug. Then you can open and
monitor your apache error log live [sudo tail -f pathToYourErrorLog] as
you hit your protected page with your browser. You should be able to see
what mod_auth_mysql returns to the logs.
I noticed that you are using auth_dbm_module. How is that module being used.
In my configuration, I only load the module which I need and nothing
else. It makes troubleshooting easier [and the server a bit faster]:
LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
LoadModule mysql_auth_module modules/mod_auth_mysql.so
LoadModule include_module modules/mod_include.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule imap_module modules/mod_imap.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule php5_module modules/libphp5.so
In my configuration [apache2.0.58] which I need to use dual
authentication - mod_auth_ldap with a "failthru" to mod_auth_mysql
[sourceforge ver 3.0] it was by trial and error that I found that
mod_auth_mysql's load order is important. That is why I'm curious how
you are using mod_auth_dbm.
Regards,
William Paredes
Computer Based Education
Albert Einstein College of Medicine
Michael Luff wrote:
> Hello does anyone have any idea where I might look to resolve this
> issue?
> Many thanks.
>
> I'm using apache v2.0.55 and mod_auth_mysql v3 on a Gentoo Linux
> box. Below is a section from my httpd.conf - does it look right?
>
> # These modules provide authentication and authorisation for
> # clients. They should not normally be disabled.
> #
> LoadModule access_module modules/mod_access.so
> LoadModule auth_module modules/mod_auth.so
> LoadModule auth_anon_module modules/mod_auth_anon.so
> LoadModule auth_dbm_module modules/mod_auth_dbm.so
> LoadModule auth_digest_module modules/mod_auth_digest.so
>
> Many thanks,
> Michael.
>
>
> -----Original Message-----
> From: paredes [mailto:paredes@aecom.yu.edu]
> Sent: 20 July 2006 19:01
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] mod_auth_mysql
>
> Greetings Michael!
>
> Which versions of apache and mod_auth_mysql are you using? What platform
> are you on? When you check your httpd.conf file is mod_auth being
> loaded?
>
> Regards,
>
> William Paredes
> Computer Based Education
> Albert Einstein College of Medicine
> Bronx, New York USA
>
>
> Michael Luff wrote:
>
>> Hi William,
>> Thanks for your help on this one. From what you and Elaine have
>>
>
>
>> written and from what I've read, this really ought to work but I'm
>> still stuck with the all or nothing problem.
>>
>> If I modify my file as you suggest, anyone can get access without
>> being prompted for a password, not just the IP I specify; if I comment
>>
>
>
>> out the 'satisfy any' line, I'm back to passwords for all.
>>
>> As we agree that the approach is valid, can anyone think of any other
>> commands, directives etc somewhere else that might be having an effect
>>
>
>
>> on this?
>>
>> Many thanks,
>> Michael.
>>
>> -----Original Message-----
>> From: paredes [mailto:paredes@aecom.yu.edu]
>> Sent: 19 July 2006 23:52
>> To: users@httpd.apache.org
>> Subject: Re: [users@httpd] mod_auth_mysql
>>
>> Greetings Michael!
>>
>> What should work is the following:
>>
>> <Directory /var/www/localhost/htdocs>
>>
>> deny from all
>> allow from 10.0.0.72
>>
>> AuthName "authentication required"
>> AuthType Basic
>> AuthMySQLHost localhost
>> AuthMySQLEnable on
>> AuthMySQLUser xxxxxxx
>> AuthMySQLPassword xxxxxxx
>> AuthMySQLDB auth
>> AuthMySQLUserTable users
>> AuthMySQLNameField user_name
>> AuthMySQLPasswordField user_passwd
>> AuthMySQLGroupTable groups
>> AuthMySQLGroupField user_group
>> Require group user admin
>>
>> satisfy any
>>
>> </directory>
>>
>> William Paredes
>> Computer Based education
>> Albert Einstein College of Medicine
>> Bronx, New York USA
>>
>>
>> Michael Luff wrote:
>>
>>
>>> Hi Elaine,
>>>
>>> Many thanks for the help, I've now got:
>>>
>>> <Directory /var/www/localhost/htdocs>
>>>
>>> AuthName "authentication required"
>>>
>>> AuthType Basic
>>>
>>> AuthMySQLHost localhost
>>>
>>> AuthMySQLEnable on
>>>
>>> AuthMySQLUser xxxxxxx
>>>
>>> AuthMySQLPassword xxxxxxx
>>>
>>> AuthMySQLDB auth
>>>
>>> AuthMySQLUserTable users
>>>
>>> AuthMySQLNameField user_name
>>>
>>> AuthMySQLPasswordField user_passwd
>>>
>>> AuthMySQLGroupTable groups
>>>
>>> AuthMySQLGroupField user_group
>>>
>>> # This next line controls which group(s) can access the resource
>>>
>>> AllowOverride none
>>>
>>> Require group user admin
>>>
>>> Order allow,deny
>>>
>>> Allow from 10.0.0.72
>>>
>>> Satisfy Any
>>>
>>> </Directory>
>>>
>>> But now anyone can access it, not just the IUP address I've
>>>
> specified!
>
>>>
>>>
>>
>>
>>> I can't seem to get around this all or nothing problem.
>>>
>>> Can you see anything I've done wrong?
>>>
>>> Regards,
>>>
>>> Michael.
>>>
>>> *From:* elaine [mailto:elaine@ccuec.unicamp.br]
>>> *Sent:* 19 July 2006 13:49
>>> *To:* users@httpd.apache.org
>>> *Subject:* Re: [users@httpd] mod_auth_mysql
>>>
>>> Michael,
>>>
>>> Try to use the "allow" and "satisfy" directives.
>>> This is an example, that we use to protect our intranet access :
>>> (Note that the IP's and server name were modified, and we use the
>>> deny
>>>
>>>
>>
>>
>>> directive
>>> to refuse connections from reception kiosk.)
>>>
>>> <Limit GET PUT POST>
>>>
>>> # Allow access only to authenticated users from MySQL # or users that
>>>
>
>
>>> are in the intranet # (except IP xx.xx.xx.xx : reception kiosk)
>>>
>>> require valid-user
>>> Order allow,deny
>>> Deny from xxx.xxx.xx.x
>>>
>>> # Allow access from our internal network without # username and
>>> password
>>>
>>> Allow from example.com
>>>
>>> Satisfy any
>>> </Limit>
>>>
>>>
>>> You can read more details about Satisfy directive :
>>>
>>> http://httpd.apache.org/docs/2.2/mod/core.html#satisfy
>>>
>>> Regards,
>>> Elaine
>>>
>>> Michael Luff wrote:
>>>
>>> Hi All,
>>>
>>> I've got mod_auth_mysql working nicely but I would like the users on
>>> my internal network not to have to enter a username and password,
>>> just
>>>
>>>
>>
>>
>>> people accessing from outside.
>>>
>>> I've tried various solutions using Order deny,allow; allow from and
>>> so
>>>
>>>
>>
>>
>>> forth but with no luck, I end up with everyone being prompted or
>>>
>>>
>> no-one.
>>
>>
>>> Here's my unmodified <Directory> command from my httpd.conf that
>>> requires everyone to supply a password, can anyone suggest how I can
>>> modify it to allow access from 10.0.0?
>>>
>>> <Directory /var/www/localhost/htdocs>
>>>
>>> AuthName "authentication required"
>>>
>>> AuthType Basic
>>>
>>> AuthMySQLHost localhost
>>>
>>> AuthMySQLEnable on
>>>
>>> AuthMySQLUser xxxxxx
>>>
>>> AuthMySQLPassword xxxxxxx
>>>
>>> AuthMySQLDB auth
>>>
>>> AuthMySQLUserTable users
>>>
>>> AuthMySQLNameField user_name
>>>
>>> AuthMySQLPasswordField user_passwd
>>>
>>> AuthMySQLGroupTable groups
>>>
>>> AuthMySQLGroupField user_group
>>>
>>> # This next line controls which group(s) can access the resource
>>>
>>> require group user admin
>>>
>>> </Directory>
>>>
>>> Regards,
>>>
>>> *Michael Luff** *MSc B.Eng (Hons) MIET* **Facilities & Systems
>>> Manager *
>>>
>>> T: +44 (0)20 8614 7604
>>> F: +44 (0)20 8614 7601
>>> M: +44 (0)7976 404956
>>> E: Michael.luff@mailsource.co.uk
>>>
>>>
>> <ma...@mailsource.co.uk>
>>
>>
>>> *MailSource UK Limited *
>>>
>>> - Europe's leading specialist in integrated document delivery
>>>
>>>
>> solutions
>>
>>
>>> - Holders of the RoSPA Health & Safety Gold Medal 2006/2007
>>>
>>> Northumberland House
>>>
>>> 15 Petersham Road
>>>
>>> Richmond-upon-Thames
>>>
>>> Surrey TW10 6TP
>>>
>>> *www.mailsource.co.uk <http://www.mailsource.co.uk/>*
>>>
>>> *MailSource UK Limited *
>>>
>>> - Europe's leading specialist in integrated document delivery
>>>
>>>
>> solutions
>>
>>
>>> - Holders of the RoSPA Health & Safety Gold Medal 2006/2007
>>>
>>> Northumberland House
>>>
>>> 15 Petersham Road
>>>
>>> Richmond-upon-Thames
>>>
>>> Surrey TW10 6TP
>>>
>>> *www.mailsource.co.uk <http://www.mailsource.co.uk/>*
>>>
>>>
>>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server
>> Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>> MailSource UK Limited
>>
>> - Europe's leading specialist in integrated document delivery
>> solutions
>> - Holders of the RoSPA Health & Safety Gold Medal 2006/2007
>>
>> Northumberland House
>> 15 Petersham Road
>> Richmond-upon-Thames
>> Surrey TW10 6TP
>>
>>
>> www.mailsource.co.uk
>>
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server
>>
> Project.
>
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>>
>>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
> MailSource UK Limited
>
> - Europe's leading specialist in integrated document delivery solutions
> - Holders of the RoSPA Health & Safety Gold Medal 2006/2007
>
> Northumberland House
> 15 Petersham Road
> Richmond-upon-Thames
> Surrey TW10 6TP
>
>
> www.mailsource.co.uk
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org