httpd-users mailing list archives

From William Paredes <pare...@aecom.yu.edu>
Subject Re: [users@httpd] mod_auth_ldap mod_auth_mysql on OS-X
Date Fri, 03 Feb 2006 17:26:27 GMT
Greetings!

I've managed to completely isolate the multiple authentication 
"symptoms" I'm having. To recap, I'd like to authenticate users against  
an LDAP server with a fail through to a MySQL server. Realms which 
require only LDAP or only MySQL authentication behave correctly. 
However, a realm which requires authentication against both LDAP 
followed by MySQL is problematic in that when a user exists in LDAP 
[with password 'x'] AND the SAME user exists in MySQL [with password 
'y'] AND the user submits the MySQL password [password 'y'] LDAP refuses 
to "decline" authentication to mod_auth_mysql. See error below:

[Fri Feb 03 10:45:52 2006] [debug] mod_auth_ldap.c(337): [client 
129.xxx.xx.xx] [20821] auth_ldap authenticate: using URL 
ldap://sun.xxxxx.xx.edu/ou=people,dc=xxxxx,dc=xx,dc=edu
[Fri Feb 03 10:45:52 2006] [warn] [client 129.xxx.xx.xx] [20821] 
auth_ldap authenticate: user jones authentication failed; URI 
/ldap_mysql/ [ldap_simple_bind_s() to check user credentials 
failed][Invalid credentials]

The authentication dialog keeps reappearing as LDAP can't authenticate 
and refuses to "decline" authorization.

When a user is in either LDAP or MySQL [but NOT both] and submits their 
name using their MySQL password, mod_auth_ldap correctly "declines" 
authentication to mod_auth_mysql. Likewise, when a user who is in either 
LDAP or MySQL [NOT both] submits their name using their LDAP password, 
LDAP correctly authenticates.

# ################################################
<Directory /usr/local/apache2/htdocs/mysql>
    Options FollowSymLinks
    AuthType Basic
    AuthName "MySQL protected"
  #mod_auth_mysql
    AuthMySQLEnable On
    AuthMySQLHost gentoo.xxxxx.xx.edu
    AuthMySQLUser httpd
    AuthMySQLPassword xxxxxxxx
    AuthMySQLDB http_auth
    AuthMysqlUserTable mysql_auth
    AuthMySQLNameField username
    AuthMySQLPasswordField passwd
    AuthMySQLPwEncryption crypt   
    AuthMysqlGroupTable mysql_groups
    AuthMySQLGroupField groups
    require group administration
</Directory>
# ################################################
<Directory /usr/local/apache2/htdocs/ldap>
   Options FollowSymLinks
   AuthType Basic
   AuthName "ldap secured"
 #mod_auth_ldap
   AuthLDAPURL ldap://sun.xxxxx.xx.xxx:389/ou=people,dc=xxxxx,dc=xx,dc=edu
   require valid-user
</Directory>
# ################################################
<Directory /usr/local/apache2/htdocs/ldap_mysql>
    Options FollowSymLinks
    AuthType Basic
    AuthName "LDAP then MySQL secured"
 #mod_auth_ldap
    AuthLDAPURL ldap://sun.xxx.xx.xxx:389/ou=people,dc=xxxxx,dc=xx,dc=edu
    AuthLDAPAuthoritative Off
    require valid-user
  #mod_auth_mysql
    AuthMySQLHost gentoo.xxxxx.xx.edu
    AuthMySQLUser httpd
    AuthMySQLPassword xxxxxxxx
    AuthMySQLDB http_auth
    AuthMysqlUserTable mysql_auth
    AuthMysqlGroupTable mysql_groups
    AuthMySQLGroupField groups
    AuthMySQLNameField username
    AuthMySQLPasswordField passwd
    AuthMySQLPwEncryption crypt   
    require group administration
</Directory>
# ################################################

System stats
------------
OS=OS-X [10.3.9]
Apache = 2.0.55
mod_auth_ldap, mod_ldap = [apache's own module]
mod_auth_mysql = 3.0 [sourceforge]

Using these modules
-------------------
LoadModule access_module modules/mod_access.so

LoadModule auth_module modules/mod_auth.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so

LoadModule mysql_auth_module  modules/mod_auth_mysql.so

LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
#LoadModule info_module modules/mod_info.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule imap_module modules/mod_imap.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so

LoadModule php5_module        modules/libphp5.so


Please let me know if you have any thoughts on how to debug this 
problem. I've already rebuilt Apache and mod_auth_mysql from fresh 
downloads to make sure the installation is clean.

regards,
-bill



William Paredes wrote:

> Just before going "live" I noticed that mod_auth_mysql and 
> mod_auth_ldap do not "fail through" properly when protecting the same 
> realm.
>
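
A small C model of the fall-through behaviour reported in this message, added here as an illustration; it is not code from the post or from either Apache module. The account tables, the function names and the plaintext password comparison are constructed assumptions; the three return codes carry the values httpd uses.

```c
#include <stdio.h>
#include <string.h>

/* Handler return codes, with the values httpd uses. */
#define OK 0
#define DECLINED (-1)
#define HTTP_UNAUTHORIZED 401

struct account { const char *user; const char *password; };

/* Constructed sample stores: "jones" is in both, with different passwords. */
static const struct account ldap_dir[]  = { {"jones", "x"}, {"smith", "s"} };
static const struct account mysql_tbl[] = { {"jones", "y"}, {"brown", "b"} };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

static const struct account *find(const struct account *a, size_t n, const char *user) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(a[i].user, user) == 0) return &a[i];
    return NULL;
}

/* Model of the LDAP step as reported in the post (not the module's source):
 * an unknown user is declined when authoritative is off, but a known user
 * whose bind fails is rejected outright. */
static int ldap_check(const char *user, const char *pw, int authoritative) {
    const struct account *acct = find(ldap_dir, COUNT(ldap_dir), user);
    if (acct == NULL) return authoritative ? HTTP_UNAUTHORIZED : DECLINED;
    return strcmp(acct->password, pw) == 0 ? OK : HTTP_UNAUTHORIZED;
}

/* Hypothetical MySQL step: last in the chain, so any failure is a 401. */
static int mysql_check(const char *user, const char *pw) {
    const struct account *acct = find(mysql_tbl, COUNT(mysql_tbl), user);
    return (acct && strcmp(acct->password, pw) == 0) ? OK : HTTP_UNAUTHORIZED;
}

/* The first handler that returns anything other than DECLINED decides. */
int check_user_id(const char *user, const char *pw) {
    int rc = ldap_check(user, pw, 0);            /* AuthLDAPAuthoritative Off */
    return rc != DECLINED ? rc : mysql_check(user, pw);
}

int main(void) {
    printf("jones/x -> %d\n", check_user_id("jones", "x"));
    printf("jones/y -> %d\n", check_user_id("jones", "y"));
    printf("brown/b -> %d\n", check_user_id("brown", "b"));
    return 0;
}
```

Only the account present in both stores is affected: its MySQL password never reaches the second step, so listing usernames common to both stores identifies who will see the repeated login dialog.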