Re: Apache 2.2.4 / Auth LDAP / OpenLDAP 2.3.35 User authentication

Kamil,

Did you try anything I suggested in my last email?
Wrapping the CN in "s, i.e. "Tony Stevenson" or in your case "U000001"

Also, why don't you create a group per person, and use the group option, as my other mail suggested. Both of these should work.


Tony


Kamil Wencel wrote:

LDAP issues aside, is DAV working ok?
Yes, DAV is working fine as long as I use file based auth.

I have to admit that my ldap knowledge is nowhere near sufficient
but it'll take me some time to read the books I've ordered. No FAQ
or online HOWTO or mailing-list archive I've read over the last
5 days seems to be of any help.

Try this one:
http://wiki.apache.org/httpd/UseLDAPToPasswordProtectAFolder
Okay, I implemented it as described in the Wiki :

<Directory "/var/www/localhost/htdocs">

       Options Indexes FollowSymLinks
       AllowOverride None
       Order allow,deny
       Allow from all

       AuthType Basic
       AuthName LDAP_Auth_Test
       AuthBasicProvider ldap
       AuthzLDAPAuthoritative OFF
       AuthLDAPBindDN          "cn=Manager,dc=domain,dc=org"
       AuthLDAPBindPassword    "mysecretpassword"
       AuthLDAPURL ldap://localhost/ou=DAV,dc=global,dc=domain,dc=org?cn?sub
       #AuthLDAPURL ldap://localhost/ou=DAV,dc=global,dc=domain,dc=org?cn?sub?(objectClass=person)
       Require valid-user

</Directory>

No DAV, nothing else, just vanilla config, no other virtual hosts.

I have tested both AuthLDAPURL strings, because when I ldapsearch on the console without (objectClass=person) I get 2 results due to the ou=DAV. I think having more than one result for a given authentication should confuse authnz_ldap. Nevertheless, same thing here. No login possible.

I've also tested a non-existent username to be sure the LDAP query goes through.

[Tue Jul 10 16:59:45 2007] [warn] [client 10.20.1.2] [20776] auth_ldap authenticate: user U000001 authentication failed; URI / [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Tue Jul 10 16:59:45 2007] [error] [client 10.20.1.2] user U000001: authentication failure for "/": Password Mismatch
[Tue Jul 10 16:59:52 2007] [warn] [client 10.20.1.2] [20777] auth_ldap authenticate: user U0001 authentication failed; URI / [User not found][No such object]
[Tue Jul 10 16:59:52 2007] [error] [client 10.20.1.2] user U0001 not found: /

So my guess is that the password algorithms don't match. After tcpdumping the LDAP
communication between Apache and LDAP, it seems that the password itself
is transferred as a cleartext password (in this case "test")

0000  00 00 00 00 00 00 00 00  00 00 00 00 08 00 45 00   ........ ......E.
0010  00 72 47 63 40 00 40 06  f5 20 7f 00 00 01 7f 00   .rGc@.@. . ......
0020  00 01 b0 2e 01 85 c4 42  84 a5 c3 b4 15 50 80 18   .......B .....P..
0030  20 00 fe 66 00 00 01 01  08 0a a5 18 c3 5f a5 18    ..f.... ....._..
0040  c3 5c 30 3c 02 01 03 60  37 02 01 03 04 2c 63 6e   .\0<...` 7....,cn
0050  3d 55 30 30 30 30 30 31  2c 6f 75 3d 44 41 56 2c   =U000001 ,ou=DAV,
0060  64 63 3d 67 6c 6f 62 61  6c 2c 64 63 3d 72 61 64   dc=globa l,dc=dom
0070  69 6f 6e 2c 64 63 3d 6f  72 67 80 04 74 65 73 74   ain,dc=o rg..test

So, LDAP seems to be getting the password in cleartext, but how does the matching work?
SHA password didn't work, cleartext didn't either.


After setting up an openldap server and creating a basic
testing structure I tried to get apache to authenticate
the DAV location via mod_authz_ldap.


This is what I have got so far :

### httpd.conf ###

Alias /U000001 "/var/www/webdav/U000001"

<Directory "/var/www/webdav/U000001">
Dav On
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On

The above line isn't necessary as you're not using Digest auth (and
can't, mod_authnz_ldap doesn't work with Digest in the current
version).
Alright, I thought so too, but as I am stuck I tried any possible switch,
no matter how irrelevant or stupid it may have seemed ;)

DavMinTimeout 6000

<Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>

This is a mistake. DAV uses more methods than this and in any case I
don't see why you'd care which ones are authenticated. Just remove
<Limit> altogether. If you did want to apply authentication only to
the DAV methods, a better solution would be:
<LimitExcept GET POST HEAD OPTIONS>
Well, I have this line from a DAV HOWTO. For the sake of clarification:

I don't want anybody doing ANYTHING to the folder EXCEPT
the authenticated user the share belongs to (U000001 in this case).

How do I put this in httpd.conf lang?



Here's my first question:

How is the password to be stored in LDAP? Plain? SHA?

There are several methods and AFAIK the encryption type becomes part
of the stored password, so you end up with something like
"MD5:xxxxx...". That could be your issue.

I couldn't find any documentation regarding this as most people's
questions I've found in mailing-lists or archives use Active
Directory instead of OpenLDAP.

From my point of view the Basic authentication does the following:

auth_string = base64_encode ("U000001:test");

where "U000001" is the submitted username and "test" the password.
After tcpdumping all traffic the browser submitted "VTAwMDAwMTp0ZXN0"
which I think is the correct base64 encoding for "U000001:test".

It is.

If OpenLDAP can store userpasswords in different hashes, how does
authnz_ldap know which one to use? I obviously still don't get it.

I tried changing my U000001 userpassword to userpassword: {CRYPT}test
as I thought this was the closest to MD5 but still no luck.


Now what? *sigh


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
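An added example (written for this page; not code from the thread, from Apache or from OpenLDAP) that models the two steps the thread keeps circling: Apache decodes the Basic header and turns the AuthLDAPURL into the search that finds the user's DN, then binds with the cleartext password; slapd compares that password against the stored userPassword, using the {scheme} prefix to decide which hash to compute. The filter composition and the {SHA}/{SSHA} checks follow the documented formats; the header value and the URL are the ones quoted above, and all stored values are constructed.

```python
import base64
import binascii
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed from the thread: the AuthLDAPURL that was tried.
AUTH_LDAP_URL = "ldap://localhost/ou=DAV,dc=global,dc=domain,dc=org?cn?sub?(objectClass=person)"

def decode_basic(header):
    """Split an HTTP Basic Authorization header into (user, password)."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def search_filter(url, user):
    """Filter mod_authnz_ldap sends to find the user's DN: the URL's own filter
    ANDed with attribute=user (modelled; defaults are uid and objectClass=*)."""
    fields = urlparse(url).query.split("?") + ["", "", ""]
    attribute, ldap_filter = fields[0] or "uid", fields[2] or "(objectClass=*)"
    return f"(&{ldap_filter}({attribute}={user}))"

def make_sha(password):
    """{SHA} value as slappasswd -h {SHA} produces it: base64 of the raw SHA-1."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def make_ssha(password, salt):
    """{SSHA} value: base64 of sha1(password + salt) followed by the salt."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_userpassword(stored, password):
    """Check a simple-bind password against a userPassword value the way slapd
    does: the {scheme} prefix picks the hash and the remainder must BE that hash,
    so a value such as {CRYPT}test or {SHA}test can never match."""
    try:
        if stored.startswith("{SHA}"):
            expected = base64.b64decode(stored[5:])
            return hmac.compare_digest(hashlib.sha1(password.encode()).digest(), expected)
        if stored.startswith("{SSHA}"):
            raw = base64.b64decode(stored[6:])
            digest, salt = raw[:20], raw[20:]
            return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)
    except binascii.Error:
        return False  # remainder is not even valid base64
    if stored.startswith("{"):
        return False  # other schemes ({CRYPT}, {MD5}, ...) are not modelled here
    return hmac.compare_digest(stored.encode(), password.encode())  # cleartext value
```

Nothing in the bind step depends on which hash the directory uses; only the stored value has to be a real hash, which is why a hand-typed {CRYPT}test can never authenticate.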

