httpd-users mailing list archives

From "Vincent Bray" <nood...@gmail.com>
Subject Re: [users@httpd] Apache 2.2.4 / Auth LDAP / OpenLDAP 2.3.35 User authentication
Date Tue, 10 Jul 2007 13:53:46 GMT
On 10/07/07, Kamil Wencel <wencel@radion.org> wrote:
> Hi List,

Hi, reply inline.

> I am sorry to bother you with this, but I have been banging my head
> against this for days now and I don't seem to be making any progress.
>
> I want to supply our users with a way to upload files onto our
> servers without the hassle of FTP or SCP. DAV seemed like a
> good idea since a lot of systems already have built-in DAV
> clients. Also, in order to keep things maintainable, I thought
> LDAP authentication instead of file based authentication would
> be the right approach.

LDAP issues aside, is DAV working ok?

> I have to admit that my ldap knowledge is nowhere near sufficient
> but it'll take me some time to read the books I've ordered. No FAQ
> or online HOWTO or mailing-list archive I've read over the last
> 5 days seems to be of any help.

Try this one:
http://wiki.apache.org/httpd/UseLDAPToPasswordProtectAFolder

> After setting up an openldap server and creating a basic
> testing structure I tried to get apache to authenticate
> the DAV location via mod_authz_ldap.
>
>
> This is what I have got so far :
>
> ### httpd.conf ###
>
> Alias /U000001 "/var/www/webdav/U000001"
>
> <Directory "/var/www/webdav/U000001">
> Dav On
> BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On

The above line isn't necessary as you're not using Digest auth (and
can't, mod_authnz_ldap doesn't work with Digest in the current
version).

> DavMinTimeout 6000
>
> <Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>

This is a mistake. DAV uses more methods than this and in any case I
don't see why you'd care which ones are authenticated. Just remove
<Limit> altogether. If you did want to apply authentication only to
the DAV methods, a better solution would be:
<LimitExcept GET POST HEAD OPTIONS>

>
> Order Allow,Deny
> Allow from all
>
> AuthType Basic
> AuthzLDAPAuthoritative Off
> AuthBasicProvider ldap
> AuthName "DOMAIN DAV Upload"
> AuthLDAPBindDN "cn=Manager,dc=domain,dc=org"
> AuthLDAPBindPassword "mysecretpassword"
> AuthLDAPURL ldap://127.0.0.1:389/ou=DAV,dc=global,dc=domain,dc=org?cn?sub?(objectClass=person)
>
> Require ldap-user U000001
>
> </Limit>
> </Directory>
>
> ################
>
> The test user is U000001 but I am not sure if this is correct as I've found
> a lot of examples incorporating UID which I have not set in my LDAP
> structure.
> Can't I just use the CN ?
>
> ### dav.ldif ###
>
> dn: cn=U000001,ou=DAV,dc=global,dc=domain,dc=org
> objectclass: person
> objectClass: inetOrgPerson
> cn: U000001
> sn: U000001
> mail: mail@example.com
> userpassword: test
>
> ################

My ldap-foo is weak too so I can't verify this.

>
> The modules are loaded and Apache successfully connects to LDAP. As soon
> as I try to access the DAV folder I can't connect and error_log states
> the following:
>
> ### error_log ###
>
> [Tue Jul 10 13:31:32 2007] [error] [client 212.18.3.4] user U000001:
> authentication failure for "/U000001": Password Mismatch
> [Tue Jul 10 13:31:36 2007] [warn] [client 212.18.3.4] [20232] auth_ldap
> authenticate: user U000001 authentication failed; URI /U000001
> [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
>
> #################
>
> Here's what slapd returns during this phase:
>
> ### slapd debug ###
>
> => access_allowed: search access to
> "cn=U000001,ou=DAV,dc=global,dc=domain,dc=org" "objectClass" requested
> <= root access granted
> => access_allowed: search access granted by manage(=mwrscxd)
> => access_allowed: search access to
> "cn=U000001,ou=DAV,dc=global,dc=domain,dc=org" "cn" requested
> <= root access granted
> => access_allowed: search access granted by manage(=mwrscxd)
> => access_allowed: read access to
> "cn=U000001,ou=DAV,dc=global,dc=domain,dc=org" "entry" requested
> <= root access granted
> => access_allowed: read access granted by manage(=mwrscxd)
> => access_allowed: read access to
> "cn=U000001,ou=DAV,dc=global,dc=domain,dc=org" "cn" requested
> <= root access granted
> => access_allowed: read access granted by manage(=mwrscxd)
> => access_allowed: auth access to
> "cn=U000001,ou=DAV,dc=global,dc=domain,dc=org" "userPassword" requested
> => acl_get: [1] attr userPassword
> => slap_access_allowed: no res from state (userPassword)
> => acl_mask: access to entry
> "cn=U000001,ou=DAV,dc=global,dc=domain,dc=org", attr "userPassword"
> requested
> => acl_mask: to value by "", (=0)
> <= acl_mask: no more <who> clauses, returning =0 (stop)
> => slap_access_allowed: auth access denied by =0
> => access_allowed: no more rules

I was going to suggest that perhaps the bind password wasn't working
but the log says otherwise.

> ###################
>
>
> Here's my first question:
>
> How is the password to be stored in LDAP ? Plain ? SHA ?

There are several methods and AFAIK the encryption type becomes part
of the stored password, so you end up with something like
"MD5:xxxxx...". That could be your issue.

> I couldn't find any documentation regarding this as most people's
> questions I've found in mailing-lists or archives use Active
> Directory instead of OpenLDAP.
>
> From my point of view the Basic authentication does the following :
>
> auth_string = base64_encode ("U000001:test");
>
> where "U000001" is the submitted username and "test" the password.
> After tcpdumping all traffic the browser submitted "VTAwMDAwMTp0ZXN0"
> which I think is the correct base64 encoding for "U000001:test".

It is.

> So. What is wrong ? Is it my LDAPUrl ? Is it the way I've stored
> the userPassword ?
>
> Is there any way to raise the debug level of mod_ldap or auth_ldap
> in order to see what exactly the mismatch looks like ?

Not aside from: LogLevel debug

> When I manually query the LDAP with
>
> ldapsearch -W -v -D "cn=Manager,dc=domain,dc=org" -b
> "ou=DAV,dc=global,dc=domain,dc=org" "(objectClass=person)"
>
> I get this:
>
> ### ldap search ###
>
> ldap_initialize( <DEFAULT> )
> filter: (objectClass=person)
> requesting: All userApplication attributes
> # extended LDIF
> #
> # LDAPv3
> # base <ou=DAV,dc=global,dc=domain,dc=org> with scope subtree
> # filter: (objectClass=person)
> # requesting: ALL
> #
>
> # U000001, DAV, global.radion.org
> dn: cn=U000001,ou=DAV,dc=global,dc=domain,dc=org
> objectClass: person
> objectClass: inetOrgPerson
> cn: U000001
> sn: U000001
> mail: mail@example.com
> userPassword:: VlRBd01EQXdNVHAwWlhOMCA=
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> ###
>
> I've also tried to store the userPassword in plaintext but apart
> from being unwanted it didn't work either.
>
> If anyone has any hints it would be greatly appreciated so thanks
> a lot in advance.
>
> All the best to you out there and a big thank you for all the
> efforts put into Apache to make it one of the most popular
> webservers out there for free ;)
>
> Kamil
>
>
> --
> Kamil Wencel
>
> RADION Imaginery
> Swakopmunder Str. 1
> 81827 Munich
> ---------------------------------------------------------
> voice office    :    +49 89  4522058-1
> voice mobile    :    +49 174 3050550
> fax-server      :    +49 89  4522058-9
> ----------------------------------------------------------
> browser         :    http://imaginery.radion.org/
>
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
-- 
noodl



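Added example, not part of Vincent's or Kamil's messages: a stdlib-only Python script that decodes the values quoted in the thread and shows what slapd was actually comparing. Two things in the quoted output are worth checking by hand. First, ldapsearch prints `userPassword::` with two colons, which in LDIF means the value is base64 encoded; decoding "VlRBd01EQXdNVHAwWlhOMCA=" does not give "test", it gives the Basic token "VTAwMDAwMTp0ZXN0" followed by a space, so the entry's password is literally that string and a bind with "test" fails with Invalid credentials. Second, OpenLDAP's hashed schemes are self-describing: slappasswd writes "{SSHA}" followed by base64(sha1(password + salt) + salt), and slapd verifies a simple bind by re-hashing the supplied password with the stored salt. The script reproduces both checks. The embedded values are the ones quoted above; `check_password` is this example's own simplified version of slapd's comparison (it handles {SSHA}, {SHA} and cleartext only), and `diagnose` is a helper invented here to tie the two together.

```python
# Added example (not from the thread): decode the quoted LDIF value and
# check OpenLDAP password schemes offline. Standard library only.
import base64
import hashlib
import os
from typing import Dict, Optional, Tuple

# Value exactly as ldapsearch printed it in the thread. The double colon
# ("userPassword::") is LDIF's marker for a base64-encoded attribute value.
LDIF_USERPASSWORD = "VlRBd01EQXdNVHAwWlhOMCA="

# What the browser sent in the Authorization header, from the tcpdump
# mentioned in the thread.
BASIC_TOKEN = "VTAwMDAwMTp0ZXN0"


def ldif_value(encoded: str) -> bytes:
    """Decode an 'attr:: <base64>' LDIF value to the raw attribute bytes."""
    return base64.b64decode(encoded)


def basic_credentials(token: str) -> Tuple[str, str]:
    """Split a Basic auth token into (user, password), as httpd does."""
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Storage format produced by slappasswd -h {SSHA}:
    "{SSHA}" + base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd's default salt length
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_password(stored: bytes, candidate: str) -> bool:
    """Simplified version of slapd's simple-bind comparison (this example's
    own code): {SSHA} and {SHA} are verified by re-hashing, an unprefixed
    value is compared as cleartext."""
    if stored.startswith(b"{SSHA}"):
        blob = base64.b64decode(stored[len(b"{SSHA}"):])
        digest, salt = blob[:20], blob[20:]  # sha1 digest is 20 bytes
        return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest
    if stored.startswith(b"{SHA}"):
        digest = base64.b64decode(stored[len(b"{SHA}"):])
        return hashlib.sha1(candidate.encode("utf-8")).digest() == digest
    return stored == candidate.encode("utf-8")


def diagnose() -> Dict[str, object]:
    """Decode both sides of the failed bind and report whether they match."""
    stored = ldif_value(LDIF_USERPASSWORD)
    user, password = basic_credentials(BASIC_TOKEN)
    return {
        "stored_userPassword": stored,
        "basic_user": user,
        "basic_password": password,
        # True when the directory holds the Basic token itself, not the password
        "stored_equals_basic_token": stored.strip() == BASIC_TOKEN.encode("ascii"),
        "bind_would_succeed": check_password(stored, password),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value!r}")
    # A value that would work: hashed, salted, in the form slappasswd emits.
    print("example {SSHA} value for 'test':", ssha_hash("test"))
```

The slapd trace quoted above also shows a second problem that would fail the bind even with the password corrected: the "auth access to ... userPassword" check is evaluated for the identity "" (the user's own simple bind is anonymous until it succeeds) and ends with `auth access denied by =0`, meaning no `by` clause of that ACL matched. The usual slapd.conf rule is `access to attrs=userPassword by anonymous auth by self write by * none`; without the `by anonymous auth` part no user can authenticate regardless of how the password is stored.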