httpd-users mailing list archives

From Jeff <jlar...@gmail.com>
Subject [users@httpd] mod_auth_ldap - repeated password prompts
Date Wed, 12 Nov 2008 16:04:43 GMT
httpd 2.0.52 on CentOS 4.7 with mod_auth_ldap

We have been using mod_auth_ldap with Active Directory successfully
for quite some time now on our intranet site. But there is one
annoyance that I just can't seem to fix. Users are repeatedly, but
randomly, prompted for their credentials as they navigate the site.

Here is an excerpt of the config

  <Directory />
    Options FollowSymLinks
    AllowOverride None
    AuthLDAPAuthoritative on
    AuthType Basic
    AuthName "Intranet"
    AuthLDAPBindDN cn=xxxxxx,cn=Users,dc=xxx,dc=com
    AuthLDAPBindPassword xxxxxx
    AuthLDAPURL "ldap://xxx.xxx.com:389/ou=xxxxx,dc=xxx,dc=com?sAMAccountName?sub?(objectClass=*)"
  </Directory>

  <Directory "/var/www/html">
    Options FollowSymLinks ExecCGI
    AllowOverride None
    Require valid-user
  </Directory>

  <Directory /var/www/html/accounting>
    Require group cn=Accounting Reports,ou=Intranet,ou=Access Control,ou=xxx,dc=xxx,dc=com
  </Directory>

There are many other subdirectories requiring differing group
membership but you get the idea. To access anything on the site, the
user must be authenticated (require valid-user). Some subdirs have no
further requirements, some require specific group membership as shown.

An example session would be starting at the document root, which gives
401, prompts for password, then 200 -- that's all good. Then a user
(with the appropriate group membership) might click on a link to the
/accounting/ folder. They sometimes get a 401 and have to re-submit
their credentials, or sometimes it just works. The unexpected 401 in
the logs does show the current logged in username, so the browser is
still sending that info. This happens with both IE6/7 and FF2/3. In
fact, it also happened when we used to run httpd 2.0.x on Solaris.

So, I'm wondering why we are getting repeated password prompts and how
I can get rid of them. Sure, maybe mod_auth_ldap does not check group
membership on initial authentication for 'require valid-user', but why
does it sometimes not re-use the provided credentials when the various
group requirements are checked?

-- 
Jeff

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
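
The session described in the message (an expected 401 challenge with no user, then unexpected 401s that still carry the logged-in username) can be separated in the access log. The following is an added example, not part of the original post: it assumes Common Log Format, and the sample lines, usernames and the `/hr` path are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Common Log Format: host ident user [time] "method path proto" status bytes
CLF = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample lines (not taken from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2008:10:00:01 +0000] "GET / HTTP/1.1" 401 478
10.0.0.5 - jdoe [12/Nov/2008:10:00:07 +0000] "GET / HTTP/1.1" 200 5120
10.0.0.5 - jdoe [12/Nov/2008:10:03:30 +0000] "GET /accounting/ HTTP/1.1" 401 478
10.0.0.5 - jdoe [12/Nov/2008:10:03:41 +0000] "GET /accounting/ HTTP/1.1" 200 2048
10.0.0.9 - asmith [12/Nov/2008:10:05:00 +0000] "GET /accounting/q3.html HTTP/1.1" 200 900
10.0.0.9 - asmith [12/Nov/2008:10:20:00 +0000] "GET /hr/ HTTP/1.1" 401 478
"""

def top_dir(path):
    """Return the first path component, e.g. /accounting/q3.html -> /accounting."""
    parts = path.split("?", 1)[0].split("/")
    return "/" + parts[1] if len(parts) > 2 else "/"

def classify(lines):
    """Split 401s into initial challenges (no user) and re-prompts (user was sent)."""
    challenges = 0
    reprompts = Counter()   # (user, top-level dir) -> number of 401s with a username
    gaps = []               # (user, dir, seconds since that user's last non-401)
    last_ok = {}
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        user, stamp, path, status = m.group(3), m.group(4), m.group(6), m.group(7)
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if status != "401":
            if user != "-":
                last_ok[user] = when
        elif user == "-":
            challenges += 1          # browser sent no credentials yet: expected
        else:                        # credentials sent but rejected: bad password,
            key = (user, top_dir(path))   # missing group, or the re-prompt in question
            reprompts[key] += 1
            if user in last_ok:
                gaps.append((*key, int((when - last_ok[user]).total_seconds())))
    return challenges, reprompts, gaps

if __name__ == "__main__":
    print(classify(SAMPLE_LOG.splitlines()))
```

Tallying the re-prompts per user and directory, with the time since that user's last successful request, shows whether they cluster on particular `Require group` directories or on particular idle intervals.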

