httpd-users mailing list archives

From Tony Stevenson <t...@pc-tony.com>
Subject Re: [users@httpd] Apache 2.2.4 / Auth LDAP / OpenLDAP 2.3.35 User authentication
Date Tue, 10 Jul 2007 22:39:25 GMT
Kamil,

Did you try anything I suggested in my last email?
Wrapping the CN in "'s, i.e. "Tony Stevenson" or in your case "U000001"

Also, why don't you create a group per person, and use the group option, 
as my other mail suggested.  Both of these should work.


Tony


Kamil Wencel wrote:
> 
>> LDAP issues aside, is DAV working ok?
> Yes, DAV is working fine as long as I use file based auth.
>>
>>> I have to admit that my ldap knowledge is nowhere near sufficient
>>> but it'll take me some time to read the books I've ordered. No FAQ
>>> or online HOWTO or mailing-list archive I've read over the last
>>> 5 days seems to be of any help.
>>
>> Try this one:
>> http://wiki.apache.org/httpd/UseLDAPToPasswordProtectAFolder
> Okay, I implemented it as described in the Wiki:
> 
> <Directory "/var/www/localhost/htdocs">
> 
>        Options Indexes FollowSymLinks
>        AllowOverride None
>        Order allow,deny
>        Allow from all
> 
>        AuthType Basic
>        AuthName LDAP_Auth_Test
>        AuthBasicProvider ldap
>        AuthzLDAPAuthoritative OFF
>        AuthLDAPBindDN          "cn=Manager,dc=domain,dc=org"
>        AuthLDAPBindPassword    "mysecretpassword"
>        AuthLDAPURL ldap://localhost/ou=DAV,dc=global,dc=domain,dc=org?cn?sub
>        #AuthLDAPURL ldap://localhost/ou=DAV,dc=global,dc=domain,dc=org?cn?sub?(objectClass=person)
> 
>        Require valid-user
> 
> </Directory>
> 
> No DAV, nothing else, just vanilla config, no other virtual hosts.
> 
> I have tested both AuthLDAPURL strings, because when I ldapsearch on the 
> console without (objectClass=person) I get 2 results due to the ou=DAV. 
> I think having more than one result for a given authentication should 
> confuse authnz_ldap. Nevertheless, same thing here. No login possible.
> 
> I've also tested a non-existent username to be sure the LDAP query goes 
> through.
> 
> [Tue Jul 10 16:59:45 2007] [warn] [client 10.20.1.2] [20776] auth_ldap 
> authenticate: user U000001 authentication failed; URI / 
> [ldap_simple_bind_s() to check user credentials failed][Invalid 
> credentials]
> [Tue Jul 10 16:59:45 2007] [error] [client 10.20.1.2] user U000001: 
> authentication failure for "/": Password Mismatch
> [Tue Jul 10 16:59:52 2007] [warn] [client 10.20.1.2] [20777] auth_ldap 
> authenticate: user U0001 authentication failed; URI / [User not 
> found][No such object]
> [Tue Jul 10 16:59:52 2007] [error] [client 10.20.1.2] user U0001 not 
> found: /
> 
> So my guess is that the password algorithms don't match. After 
> tcpdumping the LDAP communication in between apache and LDAP it seems 
> that the password itself is transferred as a cleartext password (in this 
> case "test")
> 
> 0000  00 00 00 00 00 00 00 00  00 00 00 00 08 00 45 00   ........ ......E.
> 0010  00 72 47 63 40 00 40 06  f5 20 7f 00 00 01 7f 00   .rGc@.@. . ......
> 0020  00 01 b0 2e 01 85 c4 42  84 a5 c3 b4 15 50 80 18   .......B .....P..
> 0030  20 00 fe 66 00 00 01 01  08 0a a5 18 c3 5f a5 18    ..f.... ....._..
> 0040  c3 5c 30 3c 02 01 03 60  37 02 01 03 04 2c 63 6e   .\0<...` 7....,cn
> 0050  3d 55 30 30 30 30 30 31  2c 6f 75 3d 44 41 56 2c   =U000001 ,ou=DAV,
> 0060  64 63 3d 67 6c 6f 62 61  6c 2c 64 63 3d 72 61 64   dc=globa l,dc=dom
> 0070  69 6f 6e 2c 64 63 3d 6f  72 67 80 04 74 65 73 74   ain,dc=o rg..test
> 
> So, LDAP seems to be getting the password in cleartext, but how does the 
> matching work?
> SHA password didn't work, cleartext didn't either.
> 
>>
>>> After setting up an openldap server and creating a basic
>>> testing structure I tried to get apache to authenticate
>>> the DAV location via mod_authz_ldap.
>>>
>>>
>>> This is what I have got so far :
>>>
>>> ### httpd.conf ###
>>>
>>> Alias /U000001 "/var/www/webdav/U000001"
>>>
>>> <Directory "/var/www/webdav/U000001">
>>> Dav On
>>> BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
>>
>> The above line isn't necessary as you're not using Digest auth (and
>> can't, mod_authnz_ldap doesn't work with Digest in the current
>> version).
> Alright, I thought so too, but as I am stuck I tried any possible switch
> no matter how irrelevant or stupid it may have seemed ;)
>>
>>> DavMinTimeout 6000
>>>
>>> <Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK 
>>> UNLOCK>
>>
>> This is a mistake. DAV uses more methods than this and in any case I
>> don't see why you'd care which ones are authenticated. Just remove
>> <Limit> altogether. If you did want to apply authentication only to
>> the DAV methods, a better solution would be:
>> <LimitExcept GET POST HEAD OPTIONS>
> Well, I have this line out of a DAV HOWTO. For the sake of clarification:
> 
> I don't want anybody doing ANYTHING to the folder EXCEPT
> the authenticated user the share belongs to (U000001 in this case).
> 
> How do I put this in httpd.conf lang?
> 
>>>
>>>
>>> Here's my first question:
>>>
>>> How is the password to be stored in LDAP? Plain? SHA?
>>
>> There are several methods and AFAIK the encryption type becomes part
>> of the stored password, so you end up with something like
>> "MD5:xxxxx...". That could be your issue.
>>
>>> I couldn't find any documentation regarding this as most people's
>>> questions I've found in mailing-lists or archives use Active
>>> Directory instead of OpenLDAP.
>>>
>>>  From my point of view the Basic authentication does the following :
>>>
>>> auth_string = base64_encode ("U000001:test");
>>>
>>> where "U000001" is the submitted username and "test" the password.
>>> After tcpdumping all traffic the browser submitted "VTAwMDAwMTp0ZXN0"
>>> which I think is the correct base64 encoding for "U000001:test".
>>
>> It is.
> 
> If OpenLDAP can store userpasswords in different hashes how does the
> authnz_ldap know which one to use? I obviously still don't get it.
> 
> I tried changing my U000001 userpassword to userpassword: {CRYPT}test
> as I thought this was the closest to MD5 but still no luck.
> 
> 
> Now what? *sigh*
> 
> 

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
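Added illustration (not code from this thread, Apache or OpenLDAP) of the question "how does the matching work?": Apache hands the cleartext Basic password to ldap_simple_bind_s(), and it is slapd that hashes that candidate and compares it with the stored userPassword in RFC 2307 "{SCHEME}base64" form. The salt and sample values below are constructed; {CRYPT} is deliberately treated as unsupported here because its result depends on the host's crypt(3).

```python
import base64
import hashlib
import hmac
import os


def make_sha(password: str) -> str:
    """Build a {SHA} userPassword value (what `slappasswd -h {SHA}` emits)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def make_ssha(password: str, salt=None) -> str:
    """Build a salted {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt  # constructed salt in tests
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_password(stored: str, candidate: str) -> bool:
    """Return True if the cleartext bind password matches the stored value.

    Mirrors slapd's behaviour for a simple bind: the scheme tag tells the
    server how to hash the candidate; the client never sees or sends a hash.
    """
    cand = candidate.encode()
    if not stored.startswith("{"):
        # No scheme tag: the attribute holds cleartext and is compared as-is.
        return hmac.compare_digest(stored.encode(), cand)
    scheme, _, rest = stored[1:].partition("}")
    raw = base64.b64decode(rest)
    scheme = scheme.upper()
    if scheme == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(cand).digest())
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # 20-byte SHA-1 digest, then the salt
        return hmac.compare_digest(digest, hashlib.sha1(cand + salt).digest())
    if scheme == "MD5":
        return hmac.compare_digest(raw, hashlib.md5(cand).digest())
    if scheme == "SMD5":
        digest, salt = raw[:16], raw[16:]  # 16-byte MD5 digest, then the salt
        return hmac.compare_digest(digest, hashlib.md5(cand + salt).digest())
    # Unknown or unsupported scheme ({CRYPT} here): never matches.
    return False
```

Note that the text after the scheme tag must be the hash itself, so a literal "{CRYPT}test" as stored in the thread can never match the password "test"; slappasswd produces the correct value for whichever scheme is chosen.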

