Greetings!

I've managed to completely isolate the multiple authentication "symptoms" I'm having. To recap, I'd like to authenticate users against an LDAP server with a fail through to a MySQL server. Realms which require only LDAP or only MySQL authentication behave correctly. However, a realm which requires authentication against both LDAP followed by MySQL is problematic in that when a user exists in LDAP [with password 'x'] AND the SAME user exists in MySQL [with password 'y'] AND the user submits the MySQL password [password 'y'], LDAP refuses to "decline" authentication to mod_auth_mysql. See error below:

[Fri Feb 03 10:45:52 2006] [debug] mod_auth_ldap.c(337): [client 129.xxx.xx.xx] [20821] auth_ldap authenticate: using URL ldap://sun.xxxxx.xx.edu/ou=people,dc=xxxxx,dc=xx,dc=edu
[Fri Feb 03 10:45:52 2006] [warn] [client 129.xxx.xx.xx] [20821] auth_ldap authenticate: user jones authentication failed; URI /ldap_mysql/ [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]

The authentication dialog keeps reappearing as LDAP can't authenticate and refuses to "decline" authorization.
When a user is in either LDAP or MySQL [but NOT both] and submits their name using their MySQL password, mod_auth_ldap correctly "declines" authentication to mod_auth_mysql. Likewise, when a user who is in either LDAP or MySQL [NOT both] submits their name using their LDAP password, LDAP correctly authenticates.

# ################################################
<Directory /usr/local/apache2/htdocs/mysql>
    Options FollowSymLinks
    AuthType Basic
    AuthName "MySQL protected"
    #mod_auth_mysql
    AuthMySQLEnable On
    AuthMySQLHost gentoo.xxxxx.xx.edu
    AuthMySQLUser httpd
    AuthMySQLPassword xxxxxxxx
    AuthMySQLDB http_auth
    AuthMysqlUserTable mysql_auth
    AuthMySQLNameField username
    AuthMySQLPasswordField passwd
    AuthMySQLPwEncryption crypt
    AuthMysqlGroupTable mysql_groups
    AuthMySQLGroupField groups
    require group administration
</Directory>
# ################################################
<Directory /usr/local/apache2/htdocs/ldap>
    Options FollowSymLinks
    AuthType Basic
    AuthName "ldap secured"
    #mod_auth_ldap
    AuthLDAPURL ldap://sun.xxxxx.xx.xxx:389/ou=people,dc=xxxxx,dc=xx,dc=edu
    require valid-user
</Directory>
# ################################################
<Directory /usr/local/apache2/htdocs/ldap_mysql>
    Options FollowSymLinks
    AuthType Basic
    AuthName "LDAP then MySQL secured"
    #mod_auth_ldap
    AuthLDAPURL ldap://sun.xxx.xx.xxx:389/ou=people,dc=xxxxx,dc=xx,dc=edu
    AuthLDAPAuthoritative Off
    require valid-user
    #mod_auth_mysql
    AuthMySQLHost gentoo.xxxxx.xx.edu
    AuthMySQLUser httpd
    AuthMySQLPassword xxxxxxxx
    AuthMySQLDB http_auth
    AuthMysqlUserTable mysql_auth
    AuthMysqlGroupTable mysql_groups
    AuthMySQLGroupField groups
    AuthMySQLNameField username
    AuthMySQLPasswordField passwd
    AuthMySQLPwEncryption crypt
    require group administration
</Directory>
# ################################################

System stats
------------
OS=OS-X [10.3.9]
Apache = 2.0.55
mod_auth_ldap, mod_ldap = [apache's own module]
mod_auth_mysql = 3.0 [sourceforge]

Using these modules
-------------------
LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
LoadModule mysql_auth_module modules/mod_auth_mysql.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
#LoadModule info_module modules/mod_info.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule imap_module modules/mod_imap.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule php5_module modules/libphp5.so

Please let me know if you have any thoughts on how to debug this problem. I've already rebuilt Apache and mod_auth_mysql from fresh downloads to make sure the installation is clean.

regards,
-bill

William Paredes wrote:
Just before going "live" I noticed that mod_auth_mysql and mod_auth_ldap do not "fail through" properly when protecting the same realm.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info.
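
A simplified model of the fall-through behaviour reported in the message above, added here as an illustration; it is not Apache or mod_auth_mysql code and not from the original poster. The user stores, the provider functions and the rule that the LDAP module declines only for user names it does not know are assumptions chosen to match the reported symptoms.

```python
import hmac

OK, DECLINED, UNAUTHORIZED = "OK", "DECLINED", "401"

# Constructed sample stores (made-up users and passwords).
LDAP_USERS = {"jones": "x", "ldaponly": "x"}
MYSQL_USERS = {"jones": "y", "sqlonly": "y"}


def _check(store, user, password):
    """OK or 401 for a user known to this store."""
    same = hmac.compare_digest(store[user].encode(), password.encode())
    return OK if same else UNAUTHORIZED


def ldap_provider(user, password):
    # Assumption: with AuthLDAPAuthoritative Off the module declines only
    # when the user name has no entry in the directory.
    if user not in LDAP_USERS:
        return DECLINED
    return _check(LDAP_USERS, user, password)


def mysql_provider(user, password):
    # Assumption: an unknown user is declined; this module is last in the
    # chain, so the request is refused either way.
    if user not in MYSQL_USERS:
        return DECLINED
    return _check(MYSQL_USERS, user, password)


CHAIN = [("ldap", ldap_provider), ("mysql", mysql_provider)]


def authenticate(user, password, chain=CHAIN):
    """Return (deciding module, result); the first non-DECLINED answer wins."""
    for name, provider in chain:
        result = provider(user, password)
        if result != DECLINED:
            return name, result
    return None, UNAUTHORIZED


def shadowed_accounts():
    """Users in both stores: their MySQL password is never consulted."""
    return sorted(set(LDAP_USERS) & set(MYSQL_USERS))


if __name__ == "__main__":
    for user, pw in [("jones", "x"), ("jones", "y"), ("sqlonly", "y")]:
        print(user, pw, authenticate(user, pw))
    print("shadowed:", shadowed_accounts())
```

Under this model the only accounts affected are those returned by shadowed_accounts(), so comparing the user names in the two back ends identifies who will see the repeated login prompt.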