Re: OS X Server - apple_auth_module & LDAP


 



I had tagged this on to my previous message, but decided it was better to break it off on its own, since it is a different issue altogether:

When I first installed OS X Server a couple of years ago I added some users and groups to the LDAP directory, and through the OS X Server GUI I was able to select from LDAP the users and groups that could access private directories in Apache.

I recently (couple of months ago) reformatted the drive and installed a pristine copy of OSX Server, which should have brought the state of Apache to what it was originally when LDAP used to work. I am thinking that "LoadModule apple_auth_module" is what Apple is using to access the LDAP and approve or deny a login request, but for some reason login is not working properly? The logs are not much help...

Apache relied on the users and groups defined in OSX Server LDAP, and this used to work fine, but for some reason when the login dialog is presented now I can enter my SYSTEM userID & password and Apache lets me in, but if I try to log in as another user specified in the <Limit ...> below I get the "Authorization Required" error.

I do not want to use my SYSTEM userID to login to realms in Apache, even though I am forcing any access to private to SSL. Until I get this resolved, I decided to bypass that idea, and use htpasswd to create a password file that allows me to use a non system related password.

HERE's what used to work with the LDAP users and groups

<Directory "/etc/apache/htdocs/private">
	Order allow,deny
	Allow from all
	AuthName "private"
	AuthType Basic
	<Limit GET HEAD OPTIONS CONNECT POST PROPFIND PUT DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
		Require user  robert tommy
	</Limit>
	<Limit GET HEAD OPTIONS CONNECT POST>
		Require group  sales maintenance
	</Limit>
</Directory>

NOW it generates an error message : Authorization Required

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.



I finally wrote a shell script to create two files, users and groups, which basically duplicates the LDAP users and groups, but is not a good solution, because it adds another level of things to do if there are any changes in LDAP users and groups:

	AuthUserFile /etc/apache/users
	AuthGroupFile /etc/apache/groups

I added them as shown below

<Directory "/etc/apache/htdocs/private">
	Order allow,deny
	Allow from all
	AuthName "private"
	AuthType Basic
	AuthUserFile /etc/apache/users
	AuthGroupFile /etc/apache/groups
	<Limit GET HEAD OPTIONS CONNECT POST PROPFIND PUT DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
		Require user  robert tommy
	</Limit>
	<Limit GET HEAD OPTIONS CONNECT POST>
		Require group  sales maintenance
	</Limit>
</Directory>

And life is swell, I can NOW log in as any valid user shown above.

When I looked at the disabled modules, I didn't find any with "ldap" in them. I thought perhaps I had turned it off, while I was disabling things I didn't think I would need.

I found http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html and thought I would download the LDAP module, but decided to wait until I got a knowledgeable opinion.


I'd be grateful for any insights...

Bill Hernandez
Plano, Texas

I included the modules listed in httpd.conf

# Dynamic Shared Object (DSO) Support

# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Please read the file http://httpd.apache.org/docs/dso.html for more
# details about the DSO mechanism and run `httpd -l' for the list of already
# built-in (statically linked and thus always available) modules in your httpd
# binary.

# Note: The order in which modules are loaded is important. Don't change
# the order below without expert advice.

# Example:
# LoadModule foo_module libexec/mod_foo.so

# For Mac OS X Server: Note that the Server Admin application
# and the apxs utility enable and disable modules
# by removing and adding a comment character.

#LoadModule vhost_alias_module    libexec/httpd/mod_vhost_alias.so
#LoadModule env_module            libexec/httpd/mod_env.so
LoadModule config_log_module      libexec/httpd/mod_log_config.so
#LoadModule mime_magic_module     libexec/httpd/mod_mime_magic.so
LoadModule mime_module            libexec/httpd/mod_mime.so
LoadModule negotiation_module     libexec/httpd/mod_negotiation.so
LoadModule status_module          libexec/httpd/mod_status.so
LoadModule info_module            libexec/httpd/mod_info.so
LoadModule includes_module        libexec/httpd/mod_include.so
LoadModule autoindex_module       libexec/httpd/mod_autoindex.so
LoadModule dir_module             libexec/httpd/mod_dir.so
LoadModule cgi_module             libexec/httpd/mod_cgi.so
LoadModule asis_module            libexec/httpd/mod_asis.so
LoadModule imap_module            libexec/httpd/mod_imap.so
LoadModule action_module          libexec/httpd/mod_actions.so
#LoadModule speling_module        libexec/httpd/mod_speling.so
LoadModule userdir_module         libexec/httpd/mod_userdir.so
LoadModule alias_module           libexec/httpd/mod_alias.so
LoadModule rewrite_module         libexec/httpd/mod_rewrite.so
LoadModule access_module          libexec/httpd/mod_access.so
LoadModule apple_auth_module      libexec/httpd/mod_auth_apple.so
#LoadModule anon_auth_module      libexec/httpd/mod_auth_anon.so
#LoadModule dbm_auth_module       libexec/httpd/mod_auth_dbm.so
#LoadModule digest_module         libexec/httpd/mod_digest.so
LoadModule proxy_module           libexec/httpd/libproxy.so
#LoadModule cern_meta_module      libexec/httpd/mod_cern_meta.so
LoadModule expires_module         libexec/httpd/mod_expires.so
#LoadModule headers_module        libexec/httpd/mod_headers.so
#LoadModule usertrack_module      libexec/httpd/mod_usertrack.so
#LoadModule unique_id_module      libexec/httpd/mod_unique_id.so
LoadModule setenvif_module        libexec/httpd/mod_setenvif.so
LoadModule apple_macbinary_module libexec/httpd/mod_macbinary_apple.so
#LoadModule apple_spotlight_module  libexec/httpd/mod_spotlight_apple.so
#LoadModule perl_module           libexec/httpd/libperl.so
LoadModule php4_module           libexec/httpd/libphp4.so
LoadModule hfs_apple_module       libexec/httpd/mod_hfs_apple.so
LoadModule apple_digest_module    libexec/httpd/mod_digest_apple.so
#LoadModule bonjour_module libexec/httpd/mod_bonjour.so
LoadModule ssl_module libexec/httpd/libssl.so
#LoadModule dav_module libexec/httpd/libdav_encoding.so
#LoadModule jk_module libexec/httpd/mod_jk.so
LoadModule spnego_auth_module libexec/httpd/mod_spnego_apple.so
#LoadModule encoding_module libexec/httpd/mod_encoding.so

# Reconstruction of the complete module list from all available modules
# (static and shared ones) to achieve correct module execution order.
# [WHENEVER YOU CHANGE THE LOADMODULE SECTION ABOVE UPDATE THIS, TOO]

ClearModuleList
#AddModule mod_vhost_alias.c
#AddModule mod_env.c
AddModule mod_log_config.c
#AddModule mod_mime_magic.c
AddModule mod_mime.c
AddModule mod_negotiation.c
AddModule mod_status.c
AddModule mod_info.c
AddModule mod_include.c
AddModule mod_autoindex.c
AddModule mod_dir.c
AddModule mod_cgi.c
AddModule mod_asis.c
AddModule mod_imap.c
AddModule mod_actions.c
#AddModule mod_speling.c
AddModule mod_userdir.c
AddModule mod_alias.c
AddModule mod_rewrite.c
AddModule mod_access.c
AddModule mod_auth_apple.c
#AddModule mod_auth_anon.c
#AddModule mod_auth_dbm.c
#AddModule mod_digest.c
AddModule mod_proxy.c
#AddModule mod_cern_meta.c
AddModule mod_expires.c
#AddModule mod_headers.c
#AddModule mod_usertrack.c
#AddModule mod_unique_id.c
AddModule mod_so.c
AddModule mod_setenvif.c
AddModule mod_macbinary_apple.c
#AddModule mod_spotlight_apple.c
#AddModule mod_perl.c
AddModule mod_php4.c
AddModule mod_hfs_apple.c
AddModule mod_digest_apple.c
#AddModule mod_bonjour.c
AddModule mod_ssl.c
#AddModule mod_dav.c
#AddModule mod_jk.c
AddModule mod_spnego_apple.c
#AddModule mod_encoding.c





---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
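
Added example, not part of the original message: a check for the drift the poster worries about when LDAP groups are copied by hand into an AuthGroupFile. It assumes the groups are exported as LDIF with cn and memberUid attributes (no folded or base64 values); the sample data and the names alice and bob are constructed.

```python
# Added example: compare LDAP group membership against an Apache AuthGroupFile.
# Both inputs are constructed samples; the names alice and bob are hypothetical.
SAMPLE_LDIF = """\
dn: cn=sales,cn=groups,dc=example,dc=com
objectClass: posixGroup
cn: sales
memberUid: robert
memberUid: alice

dn: cn=maintenance,cn=groups,dc=example,dc=com
objectClass: posixGroup
cn: maintenance
memberUid: tommy
"""
SAMPLE_GROUPFILE = """\
# constructed copy of /etc/apache/groups
sales: robert
maintenance: tommy bob
"""

def parse_ldif_groups(text):
    """Return {group: set(members)} from blank-line-separated LDIF entries."""
    groups = {}
    for entry in text.strip().split("\n\n"):
        attrs = [line.partition(":") for line in entry.splitlines()]
        names = [v.strip() for k, _, v in attrs if k == "cn"]
        if names:
            groups[names[0]] = {v.strip() for k, _, v in attrs if k == "memberUid"}
    return groups

def parse_groupfile(text):
    """Return {group: set(members)} from 'group: user1 user2' lines."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, members = line.partition(":")
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups

def drift(ldap, flat):
    """missing = in LDAP only; stale = in the file only (access LDAP revoked)."""
    report = {}
    for group in sorted(set(ldap) | set(flat)):
        missing = sorted(ldap.get(group, set()) - flat.get(group, set()))
        stale = sorted(flat.get(group, set()) - ldap.get(group, set()))
        if missing or stale:
            report[group] = {"missing": missing, "stale": stale}
    return report

if __name__ == "__main__":
    print(drift(parse_ldif_groups(SAMPLE_LDIF), parse_groupfile(SAMPLE_GROUPFILE)))
```

The "stale" entries matter most: they are users Apache still admits to the realm after the directory has dropped them from the group.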

