Re: Apache2+LDAP authentication problem

[Tomas Pelka <tompelka@xxxxxxxxx>]

Dooh sorry something wrong happen during post sending

I have some problem with LDAP authentication. Always when I'm trying to
authenticate Apache:


[Fri Jan 21 15:48:00 2011] [error] [client xx.xx.xx.xx] client used
wrong authentication scheme: /~tom/download/
[Fri Jan 21 15:48:12 2011] [warn] [client xx.xx.xx.xx] [14895]
auth_ldap authenticate: user xpelka00 authentication failed; URI
/~tom/download/ [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
[Fri Jan 21 15:48:12 2011] [error] [client xx.xx.xx.xx] user
xpelka00: authentication failure for "/~tom/download/": Password Mismatch


apache.conf:
------------
        <Directory /home/tom/public_html/download>
        AuthName "Use you MNSB access credentials"
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPUrl "ldap://10.8.0.46/ou=People,dc=vpn,dc=xx?uid?sub";
        AuthLDAPBindDN "cn=admin,dc=vnp,dc=xx"
        AuthLDAPBindPassword $PASSWORD
        AuthzLDAPAuthoritative off
        </Directory>
(Require option is in .htaccess)

$PASSWORD is a hash od admin's password, also tried plain text password but with exactly the same result.

slapd.log:
-------------
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: activity on 1 descriptor

Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: activity on:
Jan 21 20:55:30 s_all@ldap slapd[27057]:
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: epoll: listen=9 busy
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: listen=9, new
connection on 15
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: added 15r (active)
listener=(nil)
Jan 21 20:55:30 s_all@ldap slapd[27057]: conn=37 fd=15 ACCEPT from
IP=10.8.0.1:56055 (IP=0.0.0.0:389)
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: activity on 2 descriptors
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: activity on:
Jan 21 20:55:30 s_all@ldap slapd[27057]:  15r
Jan 21 20:55:30 s_all@ldap slapd[27057]:
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: epoll: listen=9
active_threads=0 tvp=zero
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: activity on 1 descriptor
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: activity on:
Jan 21 20:55:30 s_all@ldap slapd[27057]:  15r
Jan 21 20:55:30 s_all@ldap slapd[27057]:
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: read active on 15
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: epoll: listen=9
active_threads=0 tvp=zero
Jan 21 20:55:30 s_all@ldap slapd[27057]: conn=37 op=0 BIND
dn="cn=admin,dc=vnp,dc=xx" method=128
Jan 21 20:55:30 s_all@ldap slapd[27057]: conn=37 op=0 RESULT tag=97
err=49 text=
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: activity on 2 descriptors
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: activity on:
Jan 21 20:55:30 s_all@ldap slapd[27057]:  15r
Jan 21 20:55:30 s_all@ldap slapd[27057]:
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: epoll: listen=9
active_threads=0 tvp=zero
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: activity on 1 descriptor
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: activity on:
Jan 21 20:55:30 s_all@ldap slapd[27057]:  15r
Jan 21 20:55:30 s_all@ldap slapd[27057]:
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: read active on 15
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: epoll: listen=9
active_threads=0 tvp=zero
Jan 21 20:55:30 s_all@ldap slapd[27057]: connection_read(15): input
error=-2 id=37, closing.
Jan 21 20:55:30 s_all@ldap slapd[27057]: conn=37 op=1 UNBIND
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: removing 15
Jan 21 20:55:30 s_all@ldap slapd[27057]: conn=37 fd=15 closed
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: activity on 1 descriptor
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: activity on:
Jan 21 20:55:30 s_all@ldap slapd[27057]:
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Jan 21 20:55:30 s_all@ldap slapd[27057]: daemon: epoll: listen=9
active_threads=0 tvp=zero

Apache is obviously connected but do not get any user password. Even if:

$ ldapsearch -x -D'cn=admin,dc=vpn,dc=xx' -w xxxx -H ldap://10.8.0.46 -b'ou=People,dc=vpn,dc=xx' -s sub 'uid=xpelka00'

# extended LDIF
#
# LDAPv3
# base <ou=People,dc=vpn,dc=xx> with scope subtree
# filter: uid=xpelka00
# requesting: ALL
#

# xpelka00, People, vpn.xx
dn: uid=xpelka00,ou=People,dc=vpn,dc=xx
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: PureFTPdUser
sn: Pelka Tomas
uid: xpelka00
cn: xpelka00@xxxxxxxxxx
givenName: xpelka00
gidNumber: 1000
uidNumber: 29708
loginShell: /bin/false
homeDirectory: /srv/ftp/xpelka00
gecos: FTP ucet
userPassword:: xxxx
FTPHomeDir: /srv/ftp/xpelka00
FTPStatus: enabled
FTPgid: 1000
FTPuid: 29708

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

userPassword is a plain text password

Thank you all for feedback.

-- 

Tomas Pelka

Key fingerprint = 06C0 23C6 9EB7 0761 9807  65F4 7F6F 7EAB 496B 28AA
see http://www.gpg.cz/

Attachment: 0x496B28AA.asc
Description: application/pgp-keys

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx