Re: Apache 2.2.4 / Auth LDAP / OpenLDAP 2.3.35 User authentication

On 10/07/07, Kamil Wencel <wencel@xxxxxxxxxx> wrote:
Hi List,

Hi, reply inline.

I am sorry to bother you with this, but I am banging my head
for days now and I don't seem to make any progress.

I want to supply our users with a way to upload files onto our
servers without the hassle of FTP or SCP. DAV seemed like a
good idea since a lot of systems already have built-in DAV
clients. Also, in order to keep things maintainable, I thought
LDAP authentication instead of file based authentication would
be the right approach.

LDAP issues aside, is DAV working ok?

I have to admit that my ldap knowledge is nowhere near sufficient
but it'll take me some time to read the books I've ordered. No FAQ
or online HOWTO or mailing-list archive I've read over the last
5 days seems to be of any help.

Try this one:
http://wiki.apache.org/httpd/UseLDAPToPasswordProtectAFolder

After setting up an openldap server and creating a basic
testing structure I tried to get apache to authenticate
the DAV location via mod_authz_ldap.


This is what I have got so far :

### httpd.conf ###

Alias /U000001 "/var/www/webdav/U000001"

<Directory "/var/www/webdav/U000001">
Dav On
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On

The above line isn't necessary, as you're not using Digest auth (and
can't: mod_authnz_ldap doesn't work with Digest in the current
version).

DavMinTimeout 6000

<Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>

This is a mistake. DAV uses more methods than this and in any case I
don't see why you'd care which ones are authenticated. Just remove
<Limit> altogether. If you did want to apply authentication only to
the DAV methods, a better solution would be:
<LimitExcept GET POST HEAD OPTIONS>


Order Allow,Deny
Allow from all

AuthType Basic
AuthzLDAPAuthoritative Off
AuthBasicProvider ldap
AuthName "DOMAIN DAV Upload"
AuthLDAPBindDN "cn=Manager,dc=domain,dc=org"
AuthLDAPBindPassword "mysecretpassword"
AuthLDAPURL ldap://127.0.0.1:389/ou=DAV,dc=global,dc=domain,dc=org?cn?sub?(objectClass=person)

Require ldap-user U000001

</Limit>
</Directory>

################

The test user is U000001, but I am not sure if this is correct, as I've found
a lot of examples incorporating UID, which I have not set in my LDAP
structure.
Can't I just use the CN?

### dav.ldif ###

dn: cn=U000001,ou=DAV,dc=global,dc=domain,dc=org
objectclass: person
objectClass: inetOrgPerson
cn: U000001
sn: U000001
mail: mail@xxxxxxxxxxx
userpassword: test

################

My ldap-foo is weak too so I can't verify this.


The modules are loaded and Apache successfully connects to LDAP. As soon
as I try to access the DAV folder I can't connect and error_log states the
following:

### error_log ###

[Tue Jul 10 13:31:32 2007] [error] [client 212.18.3.4] user U000001:
authentication failure for "/U000001": Password Mismatch
[Tue Jul 10 13:31:36 2007] [warn] [client 212.18.3.4] [20232] auth_ldap
authenticate: user U000001 authentication failed; URI /U000001
[ldap_simple_bind_s() to check user credentials failed][Invalid credentials]

#################

Here's what slapd returns during this phase:

### slapd debug ###

=> access_allowed: search access to
"cn=U000001,ou=DAV,dc=global,dc=domain,dc=org" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to
"cn=U000001,ou=DAV,dc=global,dc=domain,dc=org" "cn" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: read access to
"cn=U000001,ou=DAV,dc=global,dc=domain,dc=org" "entry" requested
<= root access granted
=> access_allowed: read access granted by manage(=mwrscxd)
=> access_allowed: read access to
"cn=U000001,ou=DAV,dc=global,dc=domain,dc=org" "cn" requested
<= root access granted
=> access_allowed: read access granted by manage(=mwrscxd)
=> access_allowed: auth access to
"cn=U000001,ou=DAV,dc=global,dc=domain,dc=org" "userPassword" requested
=> acl_get: [1] attr userPassword
=> slap_access_allowed: no res from state (userPassword)
=> acl_mask: access to entry
"cn=U000001,ou=DAV,dc=global,dc=domain,dc=org", attr "userPassword"
requested
=> acl_mask: to value by "", (=0)
<= acl_mask: no more <who> clauses, returning =0 (stop)
=> slap_access_allowed: auth access denied by =0
=> access_allowed: no more rules

I was going to suggest that perhaps the bind password wasn't working
but the log says otherwise.

###################


Here's my first question:

How is the password to be stored in LDAP? Plain? SHA?

There are several methods and AFAIK the encryption type becomes part
of the stored password, so you end up with something like
"MD5:xxxxx...". That could be your issue.

I couldn't find any documentation regarding this as most people's
questions I've found in mailing-lists or archives use Active
Directory instead of OpenLDAP.

From my point of view the Basic authentication does the following:

auth_string = base64_encode ("U000001:test");

where "U000001" is the submitted username and "test" the password.
After tcpdumping all traffic the browser submitted "VTAwMDAwMTp0ZXN0"
which I think is the correct base64 encoding for "U000001:test".

It is.

So. What is wrong? Is it my LDAPUrl? Is it the way I've stored
the userPassword?

Is there any way to raise the debug level of mod_ldap or auth_ldap
in order to see what exactly the mismatch looks like?

Not aside from: LogLevel debug

When I manually query the LDAP with

ldapsearch -W -v -D "cn=Manager,dc=domain,dc=org" -b "ou=DAV,dc=global,dc=domain,dc=org" "(objectClass=person)"

I get this:

### ldap search ###

ldap_initialize( <DEFAULT> )
filter: (objectClass=person)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <ou=DAV,dc=global,dc=domain,dc=org> with scope subtree
# filter: (objectClass=person)
# requesting: ALL
#

# U000001, DAV, global.radion.org
dn: cn=U000001,ou=DAV,dc=global,dc=domain,dc=org
objectClass: person
objectClass: inetOrgPerson
cn: U000001
sn: U000001
mail: mail@xxxxxxxxxxx
userPassword:: VlRBd01EQXdNVHAwWlhOMCA=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

###

I've also tried to store the userPassword in plaintext but apart
from being unwanted it didn't work either.

If anyone has any hints it would be greatly appreciated so thanks
a lot in advance.

All the best to you out there and a big thank you for all the
efforts put into Apache to make it one of the most popular
web servers out there for free ;)

Kamil


--
Kamil Wencel

RADION Imaginery
Swakopmunder Str. 1
81827 Munich
---------------------------------------------------------
voice office    :    +49 89  4522058-1
voice mobile    :    +49 174 3050550
fax-server      :    +49 89  4522058-9
----------------------------------------------------------
browser         :    http://imaginery.radion.org/




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




--
noodl


