Re: Problems with "sequencing" of FakeBasicAuth vs. Require using client certs for Authentication


 



Hi,

We haven't gotten this working but I think that we've made some progress in diagnosing.

First of all, by comparing to a different, working configuration, what I mentioned previously about the sequence of the two denies and the "Faking" log message is probably a red herring.  On that other system, that sequence is "normal", and the messages about the authentication against the LDAP occur AFTER the "Faking" message.

One of the things we noted, which we're not sure is significant, is that the requests are not GETs but CONNECT requests, so now we are wondering if it's possible that Apache is somehow skipping the authentication when the request is a CONNECT request.  I know that is a long shot, but I figured I'd ask.

Thanks,
Jim


--------------------------------------------
On Wed, 5/4/16, o haya <ohaya@xxxxxxxxx.INVALID> wrote:

 Subject:  Problems with "sequencing" of FakeBasicAuth vs. Require using client certs for Authentication
 To: users@xxxxxxxxxxxxxxxx
 Cc: ohaya@xxxxxxxxx
 Date: Wednesday, May 4, 2016, 11:39 AM
 
 Hi,
 
 We are trying to use client certs with Apache 2.4.x (2.4.16)
 and to have Apache check the client cert strings against
 users in an LDAP (an OpenDS instance), but are encountering
 what appears to be a timing problem between when Apache
 authz_core is doing the authentication vs. when the
 FakeBasicAuth is happening.
 
 We CAN already do username/password (Basic) authentication
 against the LDAP using something like:
 
 AuthType Basic
 AuthName "xyz"
 AuthBasicProvider ldap
 AuthLDAPURL "<ldap-url-placeholder>"
 AuthLDAPBindDN "<bind-dn-placeholder>"
 AuthLDAPBindPassword "<bind-password-placeholder>"
 Require valid-user
 
 and that works fine.
 
 However, if we use client certs and do the following:
 
 SSLVerifyClient require
 SSLOptions +FakeBasicAuth
 AuthType Basic
 AuthName "xyz"
 AuthBasicProvider ldap
 AuthLDAPURL "<ldap-url-placeholder>"
 AuthLDAPBindDN "<bind-dn-placeholder>"
 AuthLDAPBindPassword "<bind-password-placeholder>"
 Require valid-user
 
 then it doesn't work.
 
 Looking at the Apache logs, what we see when this fails is:
 
 mod_authz_core: AH01626: authorization result of Require
 valid-user : denied (no authenticated user yet) then
 mod_authz_core: AH01626: authorization result of
 <RequireAny>: denied (no authenticated user yet) then
 ssl: AH02036: Faking HTTP Basic Auth header: "Authorization:
 Basic xxxxxxxxxxxxx"
 
 From the logging (as above), it seems like mod_authz_core is
 denying the authentication (because there is no
 authenticated user yet) BEFORE the Basic Auth "Faking"
 occurs, and thus, BEFORE the LDAP authentication occurs.
 
 Does anyone know if this interpretation of what is happening
 is correct?
 
 And, if so, is there some way to configure Apache so that it
 does the authentication vs. authentication checking in "the
 correct" order/sequence?
 
 Thanks!
 
 Jim
 
 ---------------------------------------------------------------------
 To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
 For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
 
 

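An added example (not from Jim's post and not Apache's own code) to help read the AH02036 line: with +FakeBasicAuth, mod_ssl builds the Basic credentials from the certificate's subject DN and the fixed password "password", so decoding the faked header shows exactly which username and password the LDAP provider is handed. The "/C=.../CN=..." DN form and the sample subject below are constructed assumptions.

```python
import base64

# Fixed password mod_ssl pairs with the subject DN under +FakeBasicAuth (mod_ssl docs).
FAKE_BASIC_PASSWORD = "password"

# Constructed sample subject DN in the "oneline" /C=.../CN=... form; that mod_ssl
# uses this form for the username is an assumption, not something the post states.
SAMPLE_DN = "/C=US/O=Example Corp/OU=IT/CN=Jim Example"


def fake_basic_header(subject_dn):
    """Build the Authorization value mod_ssl synthesizes for a verified client cert."""
    creds = f"{subject_dn}:{FAKE_BASIC_PASSWORD}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def provider_credentials(log_line):
    """Recover (username, password) as the Basic provider (mod_authnz_ldap here)
    sees them, from an AH02036 'Faking HTTP Basic Auth header' log line.
    Like Apache's Basic parser, the split is at the FIRST colon."""
    marker = "Authorization: Basic "
    token = log_line.split(marker, 1)[1].strip().rstrip('"')
    decoded = base64.b64decode(token).decode("utf-8")
    user, _, password = decoded.partition(":")
    return user, password


def dn_safe_for_fake_basic(subject_dn):
    """A ':' inside the DN is taken as the user/password separator, so the
    username handed to LDAP would be truncated; flag such subjects up front."""
    return ":" not in subject_dn


def diagnose(log_line, expected_dn):
    """Explain what the LDAP provider will be asked to authenticate."""
    user, password = provider_credentials(log_line)
    notes = []
    if user != expected_dn:
        notes.append(f"username {user!r} differs from expected DN {expected_dn!r}")
    if password != FAKE_BASIC_PASSWORD:
        notes.append("password is not the fixed FakeBasicAuth value")
    if not notes:
        notes.append(f"LDAP must accept bind/lookup for {user!r} with password {password!r}")
    return notes


if __name__ == "__main__":
    # Constructed log line in the shape of the AH02036 message quoted in the thread.
    line = ('[ssl:debug] AH02036: Faking HTTP Basic Auth header: '
            f'"Authorization: {fake_basic_header(SAMPLE_DN)}"')
    for note in diagnose(line, SAMPLE_DN):
        print(note)
```

Because every verified certificate maps to the same fixed password, the LDAP entries (or whichever provider backs AuthBasicProvider) must be able to authenticate the full DN string with exactly that password, which is worth confirming before looking for ordering problems.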



