httpd-users mailing list archives

From Bill Hernandez <apa...@mac-specialist.com>
Subject Re: [users@httpd] Instead of getting the login dialog, I get the Forbidden error message
Date Fri, 15 Jun 2007 15:59:28 GMT

On Jun 15, 2007, at 8:23 AM, Joshua Slive wrote:

>> The virtual host contains :
>>
>> <Directory "/etc/apache/htdocs/private">
>>         Order allow,deny
>
>>
>> [Thu Jun 14 20:52:37 2007] [error] [client 34.139.17.xx] client
>> denied by server configuration: /etc/apache/htdocs/private
>
> You'll need an "Allow from all" since the default access state is
> "deny". See the docs for the Order directive.

Joshua,

THANK YOU !

That solved the problem. I had read that section with great care  
about a year ago, but apparently not well enough.

For some reason I thought that the <Limit... statements took care of  
who was allowed, but I can see I was wrong...

<Limit GET HEAD OPTIONS CONNECT POST PROPFIND PUT DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
	Require user  robert tommy
</Limit>

ONE other question relied on  the users and groups defined in OSX  
Server LDAP, and this used to work fine, but for some reason when the  
login dialog is presented I can enter my system userID & password and  
apache lets me in, but if I try to login as another user specified in  
the <Limit ...> below I get the "Authorization Required" error. This  
authentication used to work fine when I first installed OS X Server a  
couple of years ago.

<Directory "/etc/apache/htdocs/private">
	Order allow,deny
	Allow from all
	AuthName "private"
	AuthType Basic
	<Limit GET HEAD OPTIONS CONNECT POST PROPFIND PUT DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
		Require user  robert tommy
	</Limit>
	<Limit GET HEAD OPTIONS CONNECT POST>
		Require group  sales maintenance
	</Limit>
</Directory>

Authorization Required

This server could not verify that you are authorized to access the  
document requested. Either you supplied the wrong credentials (e.g.,  
bad password), or your browser doesn't understand how to supply the  
credentials required.

I finally wrote a shell script to create two files, users and groups,  
which basically duplicates the LDAP users and groups, but is not a  
good solution, because it adds another level of things to do if there  
are any changes in LDAP users and groups :

	AuthUserFile /etc/apache/users
	AuthGroupFile /etc/apache/groups

I added them as shown below

<Directory "/etc/apache/htdocs/private">
	Order allow,deny
	Allow from all
	AuthName "private"
	AuthType Basic
	AuthUserFile /etc/apache/users
	AuthGroupFile /etc/apache/groups
	<Limit GET HEAD OPTIONS CONNECT POST PROPFIND PUT DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
		Require user  robert tommy
	</Limit>
	<Limit GET HEAD OPTIONS CONNECT POST>
		Require group  sales maintenance
	</Limit>
</Directory>

And life is swell, I can NOW log in as any valid user shown above.

When I looked at the disabled modules, I didn't find any with "ldap"  
in them. I thought perhaps I had turned it off, while I was disabling  
things I didn't think I would need.

I found http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html
and thought I would download the LDAP module, but
decided to wait until I got a knowledgeable opinion.

I recently (couple of months ago) reformatted  the drive and  
installed a pristine copy of OSX Server, which should have brought  
the state of Apache to what it was originally when LDAP used to work.  
I am thinking that "LoadModule apple_auth_module" is what Apple is  
using to access the LDAP and approve or deny a login request, but for  
some reason it is not working properly ? The logs are not much help...

I'd be grateful for any insights...

Bill Hernandez
Plano, Texas

I included the modules listed in httpd.conf

# Dynamic Shared Object (DSO) Support

# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Please read the file http://httpd.apache.org/docs/dso.html for more
# details about the DSO mechanism and run `httpd -l' for the list of already
# built-in (statically linked and thus always available) modules in your httpd
# binary.

# Note: The order in which modules are loaded is important.  Don't change
# the order below without expert advice.

# Example:
# LoadModule foo_module libexec/mod_foo.so

# For Mac OS X Server: Note that the Server Admin application
# and the apxs utility enable and disable modules
# by removing and adding a comment character.

#LoadModule vhost_alias_module    libexec/httpd/mod_vhost_alias.so
#LoadModule env_module            libexec/httpd/mod_env.so
LoadModule config_log_module      libexec/httpd/mod_log_config.so
#LoadModule mime_magic_module     libexec/httpd/mod_mime_magic.so
LoadModule mime_module            libexec/httpd/mod_mime.so
LoadModule negotiation_module     libexec/httpd/mod_negotiation.so
LoadModule status_module          libexec/httpd/mod_status.so
LoadModule info_module            libexec/httpd/mod_info.so
LoadModule includes_module        libexec/httpd/mod_include.so
LoadModule autoindex_module       libexec/httpd/mod_autoindex.so
LoadModule dir_module             libexec/httpd/mod_dir.so
LoadModule cgi_module             libexec/httpd/mod_cgi.so
LoadModule asis_module            libexec/httpd/mod_asis.so
LoadModule imap_module            libexec/httpd/mod_imap.so
LoadModule action_module          libexec/httpd/mod_actions.so
#LoadModule speling_module        libexec/httpd/mod_speling.so
LoadModule userdir_module         libexec/httpd/mod_userdir.so
LoadModule alias_module           libexec/httpd/mod_alias.so
LoadModule rewrite_module         libexec/httpd/mod_rewrite.so
LoadModule access_module          libexec/httpd/mod_access.so
LoadModule apple_auth_module      libexec/httpd/mod_auth_apple.so
#LoadModule anon_auth_module      libexec/httpd/mod_auth_anon.so
#LoadModule dbm_auth_module       libexec/httpd/mod_auth_dbm.so
#LoadModule digest_module         libexec/httpd/mod_digest.so
LoadModule proxy_module           libexec/httpd/libproxy.so
#LoadModule cern_meta_module      libexec/httpd/mod_cern_meta.so
LoadModule expires_module         libexec/httpd/mod_expires.so
#LoadModule headers_module        libexec/httpd/mod_headers.so
#LoadModule usertrack_module      libexec/httpd/mod_usertrack.so
#LoadModule unique_id_module      libexec/httpd/mod_unique_id.so
LoadModule setenvif_module        libexec/httpd/mod_setenvif.so
LoadModule apple_macbinary_module libexec/httpd/mod_macbinary_apple.so
#LoadModule apple_spotlight_module  libexec/httpd/mod_spotlight_apple.so
#LoadModule perl_module           libexec/httpd/libperl.so
LoadModule php4_module           libexec/httpd/libphp4.so
LoadModule hfs_apple_module       libexec/httpd/mod_hfs_apple.so
LoadModule apple_digest_module    libexec/httpd/mod_digest_apple.so
#LoadModule bonjour_module libexec/httpd/mod_bonjour.so
LoadModule ssl_module libexec/httpd/libssl.so
#LoadModule dav_module libexec/httpd/libdav_encoding.so
#LoadModule jk_module libexec/httpd/mod_jk.so
LoadModule spnego_auth_module libexec/httpd/mod_spnego_apple.so
#LoadModule encoding_module libexec/httpd/mod_encoding.so

# Reconstruction of the complete module list from all available modules
# (static and shared ones) to achieve correct module execution order.
# [WHENEVER YOU CHANGE THE LOADMODULE SECTION ABOVE UPDATE THIS, TOO]

ClearModuleList
#AddModule mod_vhost_alias.c
#AddModule mod_env.c
AddModule mod_log_config.c
#AddModule mod_mime_magic.c
AddModule mod_mime.c
AddModule mod_negotiation.c
AddModule mod_status.c
AddModule mod_info.c
AddModule mod_include.c
AddModule mod_autoindex.c
AddModule mod_dir.c
AddModule mod_cgi.c
AddModule mod_asis.c
AddModule mod_imap.c
AddModule mod_actions.c
#AddModule mod_speling.c
AddModule mod_userdir.c
AddModule mod_alias.c
AddModule mod_rewrite.c
AddModule mod_access.c
AddModule mod_auth_apple.c
#AddModule mod_auth_anon.c
#AddModule mod_auth_dbm.c
#AddModule mod_digest.c
AddModule mod_proxy.c
#AddModule mod_cern_meta.c
AddModule mod_expires.c
#AddModule mod_headers.c
#AddModule mod_usertrack.c
#AddModule mod_unique_id.c
AddModule mod_so.c
AddModule mod_setenvif.c
AddModule mod_macbinary_apple.c
#AddModule mod_spotlight_apple.c
#AddModule mod_perl.c
AddModule mod_php4.c
AddModule mod_hfs_apple.c
AddModule mod_digest_apple.c
#AddModule mod_bonjour.c
AddModule mod_ssl.c
#AddModule mod_dav.c
#AddModule mod_jk.c
AddModule mod_spnego_apple.c
#AddModule mod_encoding.c





---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
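
Added example, not part of the original message or of the Apache project's code: a simplified Python model of how mod_access in Apache 1.3 combines Order, Allow from and Deny from, showing why the first configuration in this thread returned Forbidden before any login dialog appeared. The function names and the client address are constructed for illustration, and host and domain name matching is left out.

```python
import ipaddress

def spec_matches(spec, client_ip):
    """True if one Allow/Deny argument covers client_ip.

    Handles 'all', a full or partial IP, and network/netmask or CIDR forms.
    Host and domain names are not modeled here.
    """
    if spec.lower() == "all":
        return True
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return ipaddress.ip_address(client_ip) in net
    prefix = spec.rstrip(".")  # partial IPs match on whole octets only
    return client_ip == prefix or client_ip.startswith(prefix + ".")

def host_access(order, allow, deny, client_ip):
    """Return 'allowed' or 'denied' for the host-based (mod_access) check."""
    allowed = any(spec_matches(s, client_ip) for s in allow)
    denied = any(spec_matches(s, client_ip) for s in deny)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        # Default state is deny; Allow is evaluated first, Deny overrides it.
        return "allowed" if allowed and not denied else "denied"
    if order == "deny,allow":
        # Default state is allow; Deny is evaluated first, Allow overrides it.
        return "denied" if denied and not allowed else "allowed"
    if order == "mutual-failure":
        # Only hosts listed in Allow and absent from Deny get through.
        return "allowed" if allowed and not denied else "denied"
    raise ValueError("unknown Order value: %r" % order)

CLIENT = "192.0.2.10"  # constructed sample address (documentation range)

def demo():
    return {
        "Order allow,deny (no Allow line)": host_access("allow,deny", [], [], CLIENT),
        "Order allow,deny + Allow from all": host_access("allow,deny", ["all"], [], CLIENT),
        "Order deny,allow (no Deny line)": host_access("deny,allow", [], [], CLIENT),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print("%-36s -> %s" % (case, result))
```

Only when this host check passes does the server go on to the AuthType/Require check that produces the login dialog.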

