On 10/07/07, Kamil Wencel <wencel@xxxxxxxxxx> wrote:
Hi List,
Hi, reply inline.
I am sorry to bother you with this, but I have been banging my head for days now and I don't seem to be making any progress. I want to supply our users with a way to upload files onto our servers without the hassle of FTP or SCP. DAV seemed like a good idea since a lot of systems already have built-in DAV clients. Also, in order to keep things maintainable, I thought LDAP authentication instead of file-based authentication would be the right approach.
LDAP issues aside, is DAV working ok?
I have to admit that my ldap knowledge is nowhere near sufficient but it'll take me some time to read the books I've ordered. No FAQ or online HOWTO or mailing-list archive I've read over the last 5 days seems to be of any help.
Try this one: http://wiki.apache.org/httpd/UseLDAPToPasswordProtectAFolder
After setting up an openldap server and creating a basic testing structure I tried to get apache to authenticate the DAV location via mod_authz_ldap. This is what I have got so far:

### httpd.conf ###
Alias /U000001 "/var/www/webdav/U000001"
<Directory "/var/www/webdav/U000001">
    Dav On
    BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
The above line isn't necessary as you're not using Digest auth (and can't, mod_authnz_ldap doesn't work with Digest in the current version).
    DavMinTimeout 6000
    <Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
This is a mistake. DAV uses more methods than this and in any case I don't see why you'd care which ones are authenticated. Just remove <Limit> altogether. If you did want to apply authentication only to the DAV methods, a better solution would be:

    <LimitExcept GET POST HEAD OPTIONS>
        Order Allow,Deny
        Allow from all
        AuthType Basic
        AuthzLDAPAuthoritative Off
        AuthBasicProvider ldap
        AuthName "DOMAIN DAV Upload"
        AuthLDAPBindDN "cn=Manager,dc=domain,dc=org"
        AuthLDAPBindPassword "mysecretpassword"
        AuthLDAPURL ldap://127.0.0.1:389/ou=DAV,dc=global,dc=domain,dc=org?cn?sub?(objectClass=person)
        Require ldap-user U000001
    </Limit>
</Directory>
################

The test user is U000001 but I am not sure if this is correct as I've found a lot of examples incorporating UID, which I have not set in my LDAP structure. Can't I just use the CN?

### dav.ldif ###
dn: cn=U000001,ou=DAV,dc=global,dc=domain,dc=org
objectclass: person
objectClass: inetOrgPerson
cn: U000001
sn: U000001
mail: mail@xxxxxxxxxxx
userpassword: test
################
My ldap-foo is weak too so I can't verify this.
The modules are loaded and Apache successfully connects to LDAP. As soon as I try to access the DAV folder I can't connect and error_log states the following:

### error_log ###
[Tue Jul 10 13:31:32 2007] [error] [client 212.18.3.4] user U000001: authentication failure for "/U000001": Password Mismatch
[Tue Jul 10 13:31:36 2007] [warn] [client 212.18.3.4] [20232] auth_ldap authenticate: user U000001 authentication failed; URI /U000001 [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
#################

Here's what slapd returns during this phase:

### slapd debug ###
=> access_allowed: search access to "cn=U000001,ou=DAV,dc=global,dc=domain,dc=org" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn=U000001,ou=DAV,dc=global,dc=domain,dc=org" "cn" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: read access to "cn=U000001,ou=DAV,dc=global,dc=domain,dc=org" "entry" requested
<= root access granted
=> access_allowed: read access granted by manage(=mwrscxd)
=> access_allowed: read access to "cn=U000001,ou=DAV,dc=global,dc=domain,dc=org" "cn" requested
<= root access granted
=> access_allowed: read access granted by manage(=mwrscxd)
=> access_allowed: auth access to "cn=U000001,ou=DAV,dc=global,dc=domain,dc=org" "userPassword" requested
=> acl_get: [1] attr userPassword
=> slap_access_allowed: no res from state (userPassword)
=> acl_mask: access to entry "cn=U000001,ou=DAV,dc=global,dc=domain,dc=org", attr "userPassword" requested
=> acl_mask: to value by "", (=0)
<= acl_mask: no more <who> clauses, returning =0 (stop)
=> slap_access_allowed: auth access denied by =0
=> access_allowed: no more rules
I was going to suggest that perhaps the bind password wasn't working but the log says otherwise.
###################

Here's my first question: How is the password to be stored in LDAP? Plain? SHA?
There are several methods and AFAIK the encryption type becomes part of the stored password, so you end up with something like "MD5:xxxxx...". That could be your issue.
I couldn't find any documentation regarding this as most people's questions I've found in mailing-lists or archives use Active Directory instead of OpenLDAP. From my point of view the Basic authentication does the following:

    auth_string = base64_encode("U000001:test");

where "U000001" is the submitted username and "test" the password. After tcpdumping all traffic, the browser submitted "VTAwMDAwMTp0ZXN0", which I think is the correct base64 encoding for "U000001:test".
It is.
So. What is wrong? Is it my LDAPUrl? Is it the way I've stored the userPassword? Is there any way to raise the debug level of mod_ldap or auth_ldap in order to see what exactly the mismatch looks like?
Not aside from:

    LogLevel debug
When I manually query the LDAP with

    ldapsearch -W -v -D "cn=Manager,dc=domain,dc=org" -b "ou=DAV,dc=global,dc=domain,dc=org" "(objectClass=person)"

I get this:

### ldap search ###
ldap_initialize( <DEFAULT> )
filter: (objectClass=person)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <ou=DAV,dc=global,dc=domain,dc=org> with scope subtree
# filter: (objectClass=person)
# requesting: ALL
#

# U000001, DAV, global.radion.org
dn: cn=U000001,ou=DAV,dc=global,dc=domain,dc=org
objectClass: person
objectClass: inetOrgPerson
cn: U000001
sn: U000001
mail: mail@xxxxxxxxxxx
userPassword:: VlRBd01EQXdNVHAwWlhOMCA=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
###

I've also tried to store the userPassword in plaintext but, apart from being unwanted, it didn't work either. If anyone has any hints it would be greatly appreciated, so thanks a lot in advance. All the best to you out there and a big thank you for all the efforts put into Apache to make it one of the most popular webservers out there for free ;)

Kamil

--
Kamil Wencel
RADION Imaginery
Swakopmunder Str. 1
81827 Munich
---------------------------------------------------------
voice office : +49 89 4522058-1
voice mobile : +49 174 3050550
fax-server : +49 89 4522058-9
----------------------------------------------------------
browser : http://imaginery.radion.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
--
noodl
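The thread never settles how userPassword is stored, so here is an added example (my code, not from the thread or from the OpenLDAP/httpd projects) that decodes a userPassword value exactly as ldapsearch prints it (the "::" separator marks base64) and checks a candidate password against cleartext, {SHA} and {SSHA} values the same way a simple bind does. The sample line is the one from the ldapsearch output above; all function names are my own.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: the userPassword line as ldapsearch printed it in the
# thread; the '::' separator means ldapsearch base64-encoded the raw value.
SAMPLE_LDIF_LINE = "userPassword:: VlRBd01EQXdNVHAwWlhOMCA="


def decode_ldif_value(line):
    """Return (attribute, raw value bytes); LDIF uses '::' for base64 values."""
    if "::" in line:
        attr, val = line.split("::", 1)
        return attr.strip(), base64.b64decode(val.strip())
    attr, val = line.split(":", 1)
    return attr.strip(), val.strip().encode()


def decode_nested_base64(stored):
    """Decode a stored value that is itself base64 text (trailing blanks ignored)."""
    return base64.b64decode(stored.strip())


def split_scheme(stored):
    """Split '{SSHA}...' into ('SSHA', payload); no prefix means cleartext."""
    if stored.startswith(b"{") and b"}" in stored:
        end = stored.index(b"}")
        return stored[1:end].decode().upper(), stored[end + 1:]
    return "PLAIN", stored


def verify_password(stored, candidate):
    """Compare a candidate the way slapd does for cleartext, {SHA} and {SSHA}."""
    scheme, payload = split_scheme(stored)
    cand = candidate.encode()
    if scheme == "PLAIN":
        return hmac.compare_digest(payload, cand)
    if scheme == "SHA":
        return hmac.compare_digest(base64.b64decode(payload), hashlib.sha1(cand).digest())
    if scheme == "SSHA":
        raw = base64.b64decode(payload)   # 20-byte SHA-1 digest followed by the salt
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(cand + salt).digest())
    raise ValueError("unsupported password scheme: " + scheme)


def make_ssha(password, salt=None):
    """Build a {SSHA} value like 'slappasswd -h {SSHA}' (4-byte random salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


if __name__ == "__main__":
    attr, stored = decode_ldif_value(SAMPLE_LDIF_LINE)
    print(attr, "is stored as", stored)
    print("which is itself base64 of", decode_nested_base64(stored))
    print("bind with password 'test' would succeed:", verify_password(stored, "test"))
```

Run against the sample line, the decoded value is the literal text "VTAwMDAwMTp0ZXN0 " (the Basic-auth string plus a trailing blank) rather than "test", which is why the bind as U000001 with "test" fails regardless of the Apache configuration.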