Hi List,

I am sorry to bother you with this, but I am banging my head for days now and I don't seem to make any progress.

I want to supply our users with a way to upload files onto our servers without the hassle of FTP or SCP. DAV seemed like a good idea since a lot of systems already have built-in DAV clients. Also, in order to keep things maintainable, I thought LDAP authentication instead of file-based authentication would be the right approach. I have to admit that my LDAP knowledge is nowhere near sufficient, but it'll take me some time to read the books I've ordered. No FAQ or online HOWTO or mailing-list archive I've read over the last 5 days seems to be of any help.

After setting up an OpenLDAP server and creating a basic testing structure I tried to get Apache to authenticate the DAV location via mod_authz_ldap. This is what I have got so far:

### httpd.conf ###
Alias /U000001 "/var/www/webdav/U000001"
<Directory "/var/www/webdav/U000001">
    Dav On
    BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
    DavMinTimeout 6000
    <Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
        Order Allow,Deny
        Allow from all
        AuthType Basic
        AuthzLDAPAuthoritative Off
        AuthBasicProvider ldap
        AuthName "DOMAIN DAV Upload"
        AuthLDAPBindDN "cn=Manager,dc=domain,dc=org"
        AuthLDAPBindPassword "mysecretpassword"
        AuthLDAPURL ldap://127.0.0.1:389/ou=DAV,dc=global,dc=domain,dc=org?cn?sub?(objectClass=person)
        Require ldap-user U000001
    </Limit>
</Directory>
################

The test user is U000001 but I am not sure if this is correct, as I've found a lot of examples incorporating UID, which I have not set in my LDAP structure.
Can't I just use the CN?

### dav.ldif ###
dn: cn=U000001,ou=DAV,dc=global,dc=domain,dc=org
objectclass: person
objectClass: inetOrgPerson
cn: U000001
sn: U000001
mail: mail@xxxxxxxxxxx
userpassword: test
################

The modules are loaded and Apache successfully connects to LDAP. As soon as I try to access the DAV folder I can't connect and error_log states the following:
### error_log ###
[Tue Jul 10 13:31:32 2007] [error] [client 212.18.3.4] user U000001: authentication failure for "/U000001": Password Mismatch
[Tue Jul 10 13:31:36 2007] [warn] [client 212.18.3.4] [20232] auth_ldap authenticate: user U000001 authentication failed; URI /U000001 [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
#################

Here's what slapd returns during this phase:

### slapd debug ###
=> access_allowed: search access to "cn=U000001,ou=DAV,dc=global,dc=domain,dc=org" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn=U000001,ou=DAV,dc=global,dc=domain,dc=org" "cn" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: read access to "cn=U000001,ou=DAV,dc=global,dc=domain,dc=org" "entry" requested
<= root access granted
=> access_allowed: read access granted by manage(=mwrscxd)
=> access_allowed: read access to "cn=U000001,ou=DAV,dc=global,dc=domain,dc=org" "cn" requested
<= root access granted
=> access_allowed: read access granted by manage(=mwrscxd)
=> access_allowed: auth access to "cn=U000001,ou=DAV,dc=global,dc=domain,dc=org" "userPassword" requested
=> acl_get: [1] attr userPassword
=> slap_access_allowed: no res from state (userPassword)
=> acl_mask: access to entry "cn=U000001,ou=DAV,dc=global,dc=domain,dc=org", attr "userPassword" requested
=> acl_mask: to value by "", (=0)
<= acl_mask: no more <who> clauses, returning =0 (stop)
=> slap_access_allowed: auth access denied by =0
=> access_allowed: no more rules
###################

Here's my first question: How is the password to be stored in LDAP? Plain? SHA? I couldn't find any documentation regarding this, as most people's questions I've found in mailing lists or archives use Active Directory instead of OpenLDAP.

From my point of view the Basic authentication does the following:

auth_string = base64_encode ("U000001:test");

where "U000001" is the submitted username and "test" the password. After tcpdumping all traffic, the browser submitted "VTAwMDAwMTp0ZXN0", which I think is the correct base64 encoding for "U000001:test".

So. What is wrong? Is it my LDAPUrl? Is it the way I've stored the userPassword? Is there any way to raise the debug level of mod_ldap or auth_ldap in order to see what exactly the mismatch looks like?

When I manually query the LDAP with

ldapsearch -W -v -D "cn=Manager,dc=domain,dc=org" -b "ou=DAV,dc=global,dc=domain,dc=org" "(objectClass=person)"
I get this:

### ldap search ###
ldap_initialize( <DEFAULT> )
filter: (objectClass=person)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <ou=DAV,dc=global,dc=domain,dc=org> with scope subtree
# filter: (objectClass=person)
# requesting: ALL
#

# U000001, DAV, global.radion.org
dn: cn=U000001,ou=DAV,dc=global,dc=domain,dc=org
objectClass: person
objectClass: inetOrgPerson
cn: U000001
sn: U000001
mail: mail@xxxxxxxxxxx
userPassword:: VlRBd01EQXdNVHAwWlhOMCA=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
###

I've also tried to store the userPassword in plaintext, but apart from being unwanted it didn't work either.

If anyone has any hints it would be greatly appreciated, so thanks a lot in advance. All the best to you out there and a big thank you for all the efforts put into Apache to make it one of the most popular webservers out there for free ;)

Kamil

--
Kamil Wencel
RADION Imaginery
Swakopmunder Str. 1
81827 Munich
---------------------------------------------------------
voice office : +49 89 4522058-1
voice mobile : +49 174 3050550
fax-server   : +49 89 4522058-9
----------------------------------------------------------
browser : http://imaginery.radion.org/
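In the ldapsearch output above, userPassword is written with a double colon, which in LDIF means the value is base64-encoded on output, while HTTP Basic auth sends base64("user:password") on the wire. As an added example, not from the original post, this Python decodes such an LDIF value, computes the Basic token for the same credentials so the two can be compared, and shows how an OpenLDAP-style {SSHA} userPassword is produced and checked; the entry text is constructed from the values quoted in the post and `inspect_entry` is a hypothetical helper name.

```python
import base64
import hashlib
import os

# Constructed sample entry in the shape of the ldapsearch output in the post.
# "attr::" marks a base64-encoded LDIF value; "attr:" is a literal value.
SAMPLE_LDIF = """dn: cn=U000001,ou=DAV,dc=global,dc=domain,dc=org
cn: U000001
userPassword:: VlRBd01EQXdNVHAwWlhOMCA=
"""


def decode_ldif_line(line):
    """Return (attribute, raw value bytes) for one LDIF attribute line."""
    attr, sep, value = line.partition("::")
    if sep:  # base64 form
        return attr.strip(), base64.b64decode(value.strip())
    attr, _, value = line.partition(":")
    return attr.strip(), value.strip().encode()


def basic_credential(user, password):
    """The token a client puts after 'Authorization: Basic '."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def ssha_hash(password, salt=None):
    """Build an OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored, password):
    """Check a candidate password against a {SSHA} value (slapd does the same on bind)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    return hashlib.sha1(password.encode() + salt).digest() == digest


def inspect_entry(ldif_text, user, password):
    """Decode the entry's userPassword and relate it to what Basic auth sends."""
    values = dict(decode_ldif_line(l) for l in ldif_text.splitlines() if l.strip())
    stored = values["userPassword"]
    token = basic_credential(user, password).encode()
    return {
        "stored": stored,                              # what slapd actually compares
        "stored_is_basic_token": stored.strip() == token,
        "stored_is_password": stored == password.encode(),
    }
```

In the slapd trace, the auth check on userPassword is evaluated for the not-yet-bound identity (`by ""`) and denied; OpenLDAP's documented ACL pattern for simple binds grants this with `by anonymous auth` on the userPassword attribute.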