[Fwd: Apache::AuthenNTLM]

2004-01-06 Thread Shannon Eric Peevey


 Original Message 
Subject: Apache::AuthenNTLM
Date: Tue, 6 Jan 2004 13:46:16 +0100 (CET)
From: Wiebe Kloosterman <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]


Hello,

I do have problems running Apache::AuthenNTLM.
I am running the following config in httpd.conf:

   PerlAuthenHandler Apache::AuthenNTLM
   AuthType "ntlm"
   AuthName testntlm
   require valid-user
   PerlAddVar ntdomain "XXX XX100A XX0001"
   PerlSetVar defaultdomain XXX
   PerlSetVar ntlmdebug 1

and this is what I get in the error_log:

[15380] AuthenNTLM: Config Domain = xxx  pdc = XX100A  bdc = XX0001
[15380] AuthenNTLM: Config Default Domain = XXX
[15380] AuthenNTLM: Config Fallback Domain =
[15380] AuthenNTLM: Config AuthType = ntlm AuthName = testntlm
[15380] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[15380] AuthenNTLM: Config NTLMAuthoritative = on  BasicAuthoritative = on
[15380] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[15380] AuthenNTLM: Authorization Header 
[Tue Jan  6 13:24:49 2004] [error] access to /ntlm/ failed for  , reason:
Bad/Missing NTLM/Basic Authorization Header for /ntlm/
[15381] AuthenNTLM: Config Domain = xxx  pdc = XX100A  bdc = XX0001
[15381] AuthenNTLM: Config Default Domain = XXX
[15381] AuthenNTLM: Config Fallback Domain =
[15381] AuthenNTLM: Config AuthType = ntlm AuthName = testntlm
[15381] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[15381] AuthenNTLM: Config NTLMAuthoritative = on  BasicAuthoritative = on
[15381] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[15381] AuthenNTLM: Authorization Header NTLM
[15381] AuthenNTLM: protocol=NTLMSSP, type=1,
flags1=7(NEGOTIATE_UNICODE,NEGOTIATE_OEM,REQUEST_TARGET),
flags2=178(NEGOTIATE_ALWAYS_SIGN,NEGOTIATE_NTLM), domain length=3, domain
offset=38, host length=6, host offset=32, host=WS0185, domain=XXX
[15381] AuthenNTLM: Connect to pdc = XX100A bdc = XX0001 domain = xxx
[15381] AuthenNTLM: timed out while waiting for lock (key = 23754)
[15381] AuthenNTLM: leave lock
[15381] AuthenNTLM: charencoding = 1
[15381] AuthenNTLM: flags2 = 130
[15381] AuthenNTLM: Send header: NTLM ...

When I do change PerlSetVar ntlmdebug to 2 then I get this:

[20641] AuthenNTLM: Config Domain = xxx  pdc = XX100A  bdc = XX0001
[20641] AuthenNTLM: Config Default Domain = XXX
[20641] AuthenNTLM: Config Fallback Domain =
[20641] AuthenNTLM: Config AuthType = ntlm AuthName = testntlm
[20641] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[20641] AuthenNTLM: Config NTLMAuthoritative = on  BasicAuthoritative = on
[20641] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[20641] AuthenNTLM: Authorization Header 
[Tue Jan  6 13:43:19 2004] [error] access to /ntlm/ failed for  , reason:
Bad/Missing NTLM/Basic Authorization Header for /ntlm/
[20642] AuthenNTLM: Config Domain = xxx  pdc = XX100A  bdc = XX0001
[20642] AuthenNTLM: Config Default Domain = XXX
[20642] AuthenNTLM: Config Fallback Domain =
[20642] AuthenNTLM: Config AuthType = ntlm AuthName = testntlm
[20642] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[20642] AuthenNTLM: Config NTLMAuthoritative = on  BasicAuthoritative = on
[20642] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[20642] AuthenNTLM: Authorization Header NTLM
TlRMTVNTUAABB7IAAAMAAwAmBgAGACBXUzAxODVSWkc=
[20642] AuthenNTLM: Got: 78 84 76 77 83 83 80 0 1 0 0 0 7 178 0 0 3 0 3 0
38 0 0 0 6 0 6 0 32 0 0 0 87 83 48 49 56 53 82 90 71
[20642] AuthenNTLM: protocol=NTLMSSP, type=1,
flags1=7(NEGOTIATE_UNICODE,NEGOTIATE_OEM,REQUEST_TARGET),
flags2=178(NEGOTIATE_ALWAYS_SIGN,NEGOTIATE_NTLM), domain length=3, domain
offset=38, host length=6, host offset=32, host=WS0185, domain=XXX
[20642] AuthenNTLM: Connect to pdc = XX100A bdc = XX0001 domain = xxx
[20642] AuthenNTLM: timed out while waiting for lock (key = 23754)
[20642] AuthenNTLM: leave lock
[20642] AuthenNTLM: Send: 78 84 76 77 83 83 80 0 2 0 0 0 0 0 0 0 40 0 0 0
1 130 0 0 103 190 213 45 246 110 141 69 0 0 0 0 0 0 0 0
[20642] AuthenNTLM: charencoding = 1
[20642] AuthenNTLM: flags2 = 130E
[20642] AuthenNTLM: Send header: NTLM
TlRMTVNTUAACACgBggAAZ77VLfZujUUAAA==

Any ideas?

Wiebe Kloosterman


--
Reporting bugs: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html


[MP ANNOUNCE] Apache-AuthzPasswd-0.12

2004-01-09 Thread Shannon Eric Peevey
The uploaded file

   Apache-AuthzPasswd-0.12.tar.gz

has entered CPAN as

 file: $CPAN/authors/id/S/SP/SPEEVES/Apache-AuthzPasswd-0.12.tar.gz
 size: 4916 bytes
  md5: cfa207588fb4b8d97147711aad23fffd

This is an announcement of the newest version of Apache-AuthzPasswd.  This version has added:

1. a test for primary group in the /etc/passwd file 
2. allowing the update of REMOTE_GROUP to authorized group

Thanks to Fredrik Ax for the patch!

speeves
cws




Re: [Fwd: Apache::AuthenNTLM]

2004-01-09 Thread Shannon Eric Peevey
Hi!

Sorry for not getting back sooner!!  We have been busy getting to know 
our 2 month old baby :)

> When I do change PerlSetVar ntlmdebug to 2 then I get this
>
> [20641] AuthenNTLM: Config Domain = xxx  pdc = XX100A  bdc = XX0001
> [20641] AuthenNTLM: Config Default Domain = XXX
> [20641] AuthenNTLM: Config Fallback Domain =
> [20641] AuthenNTLM: Config AuthType = ntlm AuthName = testntlm
> [20641] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
> [20641] AuthenNTLM: Config NTLMAuthoritative = on  BasicAuthoritative = on
> [20641] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
> [20641] AuthenNTLM: Authorization Header
> [Tue Jan  6 13:43:19 2004] [error] access to /ntlm/ failed for  , reason:
> Bad/Missing NTLM/Basic Authorization Header for /ntlm/
> [20642] AuthenNTLM: Config Domain = xxx  pdc = XX100A  bdc = XX0001
> [20642] AuthenNTLM: Config Default Domain = XXX
> [20642] AuthenNTLM: Config Fallback Domain =
> [20642] AuthenNTLM: Config AuthType = ntlm AuthName = testntlm
> [20642] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
> [20642] AuthenNTLM: Config NTLMAuthoritative = on  BasicAuthoritative = on
> [20642] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
> [20642] AuthenNTLM: Authorization Header NTLM
> TlRMTVNTUAABB7IAAAMAAwAmBgAGACBXUzAxODVSWkc=
> [20642] AuthenNTLM: Got: 78 84 76 77 83 83 80 0 1 0 0 0 7 178 0 0 3 0 3 0
> 38 0 0 0 6 0 6 0 32 0 0 0 87 83 48 49 56 53 82 90 71
> [20642] AuthenNTLM: protocol=NTLMSSP, type=1,
> flags1=7(NEGOTIATE_UNICODE,NEGOTIATE_OEM,REQUEST_TARGET),
> flags2=178(NEGOTIATE_ALWAYS_SIGN,NEGOTIATE_NTLM), domain length=3, domain
> offset=38, host length=6, host offset=32, host=WS0185, domain=XXX
> [20642] AuthenNTLM: Connect to pdc = XX100A bdc = XX0001 domain = xxx
> [20642] AuthenNTLM: timed out while waiting for lock (key = 23754)

Looks like the ntlmsemtimeout isn't long enough...

=head2 PerlSetVar ntlmsemtimout

This set the timeout value used to wait for the semaphore. The default is two seconds.
It is very small because during the time Apache waits for the semaphore, no other
authentication request can be sent to the windows server. Also Apache::AuthenNTLM
only asks the windows server once per keep-alive connection, this timeout value
should be as small as possible.

Try increasing that and see if that helps.

speeves
cws


Re: [Fwd: Apache::AuthenNTLM]

2004-01-09 Thread Shannon Eric Peevey
Quoting Wiebe Kloosterman <[EMAIL PROTECTED]>:

> i have set "PerlSetVar ntlmsemtimout" but no change in syslog for timeout.

hmmm...  Maybe I need a bit more information about the problem that you are
having.  The logs point to a problem with a timeout that is put into place to
keep multiple auth cycles from starting at the same time...  (One connection is
not releasing the lock on the semaphore before the timeout of the second
request.)  I would tend to start thinking like Jason on this.  Have you tried
using another smb client, (such as smbclient), to connect from your web server
machine?  Does it also fail?

> small typo in help, must be "PerlSetVar ntlmsemtimeout" but that did also
> not help me.

Thanks for catching this.  I will fix it in the next release.

-- 
Shannon Eric Peevey
Computer Systems Manager
UNT - Central Web Support
(940)369-8876





Re: [Fwd: Apache::AuthenNTLM]

2004-01-15 Thread Shannon Eric Peevey
Wiebe Kloosterman wrote:

> Shannon,
> I found my problem, KeepAlive wasn't turned on.
> I am sorry
>
> Wiebe Kloosterman

No problem.  Thanks for letting us know the solution.

speeves
cws


[Fwd: NTLM Authentcation]

2004-01-16 Thread Shannon Eric Peevey


 Original Message 
Subject: NTLM Authentcation
Date: Thu, 15 Jan 2004 20:14:51 +
From: Darryl L Miles <[EMAIL PROTECTED]>
Organization: E-Smart Integrations Ltd
To: [EMAIL PROTECTED]


Hi,

Sorry to trouble you but your name has cropped up in many modperl 
forums I've been researching for a solution to my problem, and I also 
note you're listed as the author of Apache::AuthenNTLM on CPAN but not 
in the documentation.

I have a problem in IE6 connects to Apache, apache returns a 401.  that 
my Win2000 machine received

smbclient is able to connect to an authenticated share on the same 
server from the same Linux host using the same credentials I'm trying 
from the browser.

I have also confirmed with TCPDUMP that a connection is being made from 
the Linux host to Win2000.  But I suspect Win2000 is sending back a 
response meaning it's not willing to hand out a "nonce" value to start 
the authentication process off.

There is nothing in the documentation that indicates I have to configure 
the Win2000 server in any special way to allow permissions for my 
Linux/Apache host to verify credentials.

The current output:

[2058] AuthenNTLM: Config Domain = office.domain.com  pdc = 172.16.48.3
bdc =
[2058] AuthenNTLM: Config Domain = domain  pdc = 172.16.48.3  bdc =
[2058] AuthenNTLM: Config Default Domain = office.domain.com
[2058] AuthenNTLM: Config Fallback Domain =
[2058] AuthenNTLM: Config AuthType = ntlm AuthName = /
[2058] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[2058] AuthenNTLM: Config NTLMAuthoritative = on  BasicAuthoritative = on
[2058] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[2058] AuthenNTLM: Authorization Header 
[Thu Jan 15 19:34:52 2004] [error] access to /login_ntlm/process/ failed for
,
reason: Bad/Missing NTLM/Basic Authorization Header for /login_ntlm/process/
[2059] AuthenNTLM: Config Domain = office.domain.com  pdc = 172.16.48.3
bdc =
[2059] AuthenNTLM: Config Domain = domain  pdc = 172.16.48.3  bdc =
[2059] AuthenNTLM: Config Default Domain = office.domain.com
[2059] AuthenNTLM: Config Fallback Domain =
[2059] AuthenNTLM: Config AuthType = ntlm AuthName = /
[2059] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[2059] AuthenNTLM: Config NTLMAuthoritative = on  BasicAuthoritative = on
[2059] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[2059] AuthenNTLM: Authorization Header NTLM
[2059] AuthenNTLM: protocol=NTLMSSP, type=1,
flags1=7(NEGOTIATE_UNICODE,NEGOTIATE_OEM,REQUEST_TARGET),
flags2=178(NEGOTIATE_ALWAYS_SIGN,NEGOTIATE_NTLM), domain length=11, domain
offset=35, host length=3, host offset=32, host=SAM, domain=DOMAIN
[2059] AuthenNTLM: Connect to pdc = 172.16.48.3 bdc =  domain = domain
[2059] AuthenNTLM: enter lock
[Thu Jan 15 19:34:52 2004] [error] access to /login_ntlm/process/ failed 
for ,
reason: Connect to SMB Server faild (pdc = 172.16.48.3 bdc =  domain =
domain error = -11/0) for /login_ntlm/process/
[2059] AuthenNTLM: leave lock
[Thu Jan 15 19:34:52 2004] [error] access to /login_ntlm/process/ failed 
for ,
reason: Cannot get nonce



Typo "faild"

domain error = -11/0: means nothing to me



TCPDUMP proof of Apache/Linux trying to authenticate with Win2000:

20:07:52.594266 arp who-has 172.16.48.3 tell 172.16.48.4
20:07:52.594369 arp reply 172.16.48.3 is-at 0:5:5d:6a:ac:5e
20:07:52.594382 172.16.48.4.37850 > 172.16.48.3.netbios-ssn: S 
4239341864:4239341864(0) win 5840  (DF)
20:07:52.594489 172.16.48.3.netbios-ssn > 172.16.48.4.37850: S 
4062526081:4062526081(0) ack 4239341865 win 64240  (DF)
20:07:52.594510 172.16.48.4.37850 > 172.16.48.3.netbios-ssn: . ack 1 win 
5840  (DF)
20:07:52.594606 172.16.48.4.37850 > 172.16.48.3.netbios-ssn: P 1:73(72) 
ack 1 win 5840 NBT Packet (DF)
20:07:52.595567 172.16.48.3.netbios-ssn > 172.16.48.4.37850: FP 1:6(5) 
ack 73 win 64168 NBT Packet (DF)
20:07:52.595943 172.16.48.4.32775 > 172.16.48.3.domain:  26938+ A? . 
(17) (DF)
20:07:52.596129 172.16.48.3.domain > 172.16.48.4.32775:  26938 ServFail 
0/0/0 (17)
20:07:52.634290 172.16.48.4.37850 > 172.16.48.3.netbios-ssn: . ack 7 win 
5840  (DF)
20:07:52.664060 172.16.48.4.37850 > 172.16.48.3.netbios-ssn: F 73:73(0) 
ack 7 win 5840  (DF)
20:07:52.664169 172.16.48.3.netbios-ssn > 172.16.48.4.37850: . ack 74 
win 64168  (DF)

I also note that Apache tries to do a DNS lookup for "." and that fails.

My .htaccess file:

PerlAuthenHandler Apache::AuthenNTLM
AuthType ntlm
#,basic
AuthName "/"
require valid-user
#domain pdcbdc
PerlAddVar ntdomain "office.domain.com 172.16.48.3"
PerlAddVar ntdomain "domain 172.16.48.3"
PerlSetVar defaultdomain office.domain.com
PerlSetVar ntlmdebug 1


Just a suggestion is maybe worth confirming the version number of 
Apache::AuthenNTLM maybe it higher debug level, as I've installed 
version 0.23 before and have installed your 2.04 over the top and 
restarted the HTTP servers.  Now I'm not sure if it's 2.04 I'm actually 
running.

Your help or pointers woul

Re: [Fwd: NTLM Authentcation]

2004-01-17 Thread Shannon Eric Peevey
> Sorry to trouble you but your name has cropped up in many modperl
> forums I've been researching for a solution to my problem, and I also
> note you're listed as the author of Apache::AuthenNTLM on CPAN but not
> in the documentation.

I have just taken over maintenance :)

> There is nothing in the documentation that indicates I have to
> configure the Win2000 server in any special way to allow permissions
> for my Linux/Apache host to verify credentials.

I wouldn't think so.

> The current output:

Could you set ntlmdebug = 2 and send that output? Also, what does this
return?
 use Authen::Smb;
 my $authResult = Authen::Smb::authen('myUser', 
  'myPassword',
  'myPDC',
  'myBDC',
  'myNTDomain');

 if ( $authResult == Authen::Smb::NO_ERROR ) {
   print "User successfully authenticated.\n";
 } else {
   print "User not authenticated with error level $authResult\n";
 }

> Typo "faild"

thanks for catching that :)

> domain error = -11/0: means nothing to me

it's actually error = -11/0.  This is defined in the smbval library.

> My .htaccess file:
>
> PerlAuthenHandler Apache::AuthenNTLM
> AuthType ntlm
> #,basic
> AuthName "/"
> require valid-user
> #domain pdcbdc
> PerlAddVar ntdomain "office.domain.com 172.16.48.3"
> PerlAddVar ntdomain "domain 172.16.48.3"
> PerlSetVar defaultdomain office.domain.com
> PerlSetVar ntlmdebug 1

Do we know for sure that the smb server is listening for the DOMAIN ==
office.domain.com || DOMAIN == domain?

> Just a suggestion is maybe worth confirming the version number of
> Apache::AuthenNTLM maybe it higher debug level, as I've installed
> version 0.23 before and have installed your 2.04 over the top and
> restarted the HTTP servers.  Now I'm not sure if it's 2.04 I'm actually
> running.

good idea.

let me know,
speeves
cws


[Fwd: [Fwd: Apache::AuthenNTLM-2.04 Problems..]]

2004-01-17 Thread Shannon Eric Peevey

--- Begin Message ---
Speeves,

I've been trying to send this email to the modperl list 2 times now and 
have a query open with the list owner as to why my subscribed address 
can not post it.  I would be grateful if you could fwd it to the list, 
since that seems to work for you.  But some more background information 
on the problem.

NB - The Samba server is not even listening to the domain DOMAIN but it 
still authenticates.

NB2 - I have also found the problem with the DNS lookup for an Address 
(A) record for "." that happens when there is no BDC server listed. 
Maybe this is a bug, as in the config should detect the lack of BDC and 
not try any other server.  To get around this where there is no BDC I 
have used the same IP address twice for PDC and BDC.  It simply tries 2 
times and fails.

 Original Message 
Subject: Apache::AuthenNTLM-2.04 Problems..
Date: Fri, 16 Jan 2004 17:44:41 +
From: Darryl Miles <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]


NB: 2nd send to list.

Hi,

I'm getting the error:

SNIPPED
[3527] AuthenNTLM: Authorization Header NTLM
[3527] AuthenNTLM: protocol=NTLMSSP, type=1, 
flags1=7(NEGOTIATE_UNICODE,NEGOTIATE_OEM,REQUEST_TARGET), 
flags2=130(NEGOTIATE_ALWAYS_SIGN,NEGOTIATE_NTLM), domain length=0, 
domain offset=0, host length=0, host offset=0, host=, domain=
[3527] AuthenNTLM: Connect to pdc = 172.16.48.3 bdc =  domain = 
office.domain.com
[3527] AuthenNTLM: enter lock
[Fri Jan 16 00:13:20 2004] [error] access to /login_ntlm/process failed 
for  , reason: Connect to SMB Server faild (pdc = 172.16.48.3 bdc =  
domain = office.domain.com error = -11/0) for /login_ntlm/process
[3527] AuthenNTLM: leave lock
[Fri Jan 16 00:13:20 2004] [error] access to /login_ntlm/process failed 
for  , reason: Cannot get nonce

I take it that the "Authorization Header NTLM" is the IE6 client 
indicating it would like to use NTLM authentication, and therefore the 
Apache server should start the process off by passing the nonce value in 
the next response.

I have investigated this problem and managed to tie down the problem to 
Authen::Smb. I have used the example demo code:

#!/usr/bin/perl
#
#
use Authen::Smb;
my $authResult = Authen::Smb::authen('username', 'password',
'172.16.32.3', '172.16.32.4', 'DOMAIN');
if ( $authResult == Authen::Smb::NO_ERROR ) {
   print "User successfully authenticated.\n";
} else {
   print "User not authenticated with error level $authResult\n";
}

I always get the output of:

User not authenticated with error level 1

Now if I use my PDC = Win2000 SP3, BDC = Linux/Samba.
The Linux Samba server will authenticate without a problem, running 
'strace -s 512 ./smb.pl' illustrates what happens:

socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(139), 
sin_addr=inet_addr("172.16.32.3")}, 16) = 0
writev(3, [{"\201\0\0D DBDHDCCODBDGCODDDCCODDCACACACACA\0 
EPEEEJEOCOEIEPENEFCOEEEBFCFCFJEM\0", 72}], 1) = 72
read(3, "\203\0\0\1", 4)= 4
read(3, "\202", 1)  = 1
uname({sys="Linux", node="odin.mydomain.org", ...}) = 0
getpid()= 6456
getgid32()  = 0

That was the attempt with Win2000 SP3, it returns 5 bytes of data, 
interestingly it leaves the connection open.  I've no idea what the 
response 0x83 0x00 0x00 0x01 0x82 means.

Now when talking to Linux/Samba:

socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(139), 
sin_addr=inet_addr("172.16.32.4")}, 16) = 0
writev(4, [{"\201\0\0D DBDHDCCODBDGCODDDCCODECACACACACA\0 
EPEEEJEOCOEIEPENEFCOEEEBFCFCFJEM\0", 72}], 1) = 72
read(4, "\202\0\0\0", 4)= 4
writev(4, [{"\0\0\0\244", 4}, 
{"\377SMBr\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0008\31\0\0008\31\0\201\0\2PC 
NETWORK PROGRAM 1.0\0\2MICROSOFT NETWORKS 1.03\0\2MICROSOFT NETWORKS 
3.0\0\2LANMAN1.0\0\2LM1.2X002\0\2Samba\0\2NT LM 0.12\0\2NT LANMAN 
1.0\0", 164}], 2) = 168
read(4, "\0\0\0T", 4)   = 4
read(4, 
"\377SMBr\0\0\0\0\200\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0008\31\0\0008\31\21\7\0\0032\0\1\0\4A\0\0\0\0\1\0009\31\0\0\371\343\0\0\200\255\273J\320\333\303\1\0\0\10\17\0mmy\211\177\204\214\215DARRYL\0", 
84) = 84
writev(4, [{"\0\0\0\215", 4}, 
{"\377SMBs\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0008\31\0\0008\31\r\377\0\0\0\377\377\0\0\0\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0P\0\177\r\30\201;nQ\264\22,>p?\343\371)\232b\235n\300\37\231\202loki\0WINTWOK\0UNIX 
of some type\0SMBlib LM2.1 minus a bit\0", 141}], 2) = 145
read(4, "\0\0\0B", 4)   = 4
read(4, 
"\377SMBs\0\0\0\0\200\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0008\31d\0008\31\3\377\0\0\0\0\0\31\0Unix\0Samba 
2.2.8a\0DARRYL\0", 66) = 66
close(4)= 0
write(1, "User successfully authenticated.\n", 33User successfully 
authenticated.
) = 33
exit_group(0)   = ?

The initial response is just 0x82 0x00 0x00 0x00.

Do I habe to configure my Win2000 SP3 box i
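
The Type 1 (negotiate) and Type 2 (challenge, carrying the nonce) messages that the ntlmdebug 2 logs in this thread print as decimal byte lists can be decoded as shown here. This Python code is an added example, not part of the original messages or of Apache::AuthenNTLM: the Type 2 bytes are the "Send:" dump from the first log in the thread, the two Type 1 inputs are constructed to match decoded log lines, and all function names are hypothetical.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"

# Negotiate flag bits that occur in this thread's logs (MS-NLMP names
# without the NTLMSSP_ prefix).
FLAG_NAMES = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
    0x00001000: "NEGOTIATE_OEM_DOMAIN_SUPPLIED",
    0x00002000: "NEGOTIATE_OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
}

# "Send:" line of the first ntlmdebug 2 log in the thread (a Type 2 message).
TYPE2_DUMP = ("78 84 76 77 83 83 80 0 2 0 0 0 0 0 0 0 40 0 0 0 "
              "1 130 0 0 103 190 213 45 246 110 141 69 0 0 0 0 0 0 0 0")
# Constructed Type 1 matching the decoded log line host=WS0185, domain=XXX.
TYPE1_DUMP = ("78 84 76 77 83 83 80 0 1 0 0 0 7 178 0 0 3 0 3 0 "
              "38 0 0 0 6 0 6 0 32 0 0 0 87 83 48 49 56 53 88 88 88")
# Constructed Type 1 matching the log line with flags2=130 and all
# domain/host lengths and offsets equal to 0.
EMPTY_TYPE1_DUMP = "78 84 76 77 83 83 80 0 1 0 0 0 7 130 0 0" + " 0" * 16


def bytes_from_dump(dump):
    """Turn the decimal byte list printed after 'Got:' / 'Send:' into bytes."""
    return bytes(int(tok) for tok in dump.split())


def flag_names(flags):
    """Names of the known flag bits set in a 32-bit negotiate flags value."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def security_buffer(msg, pos):
    """Read a (length, max length, offset) descriptor and return its data.

    Offset and length are supplied by the peer, so they are bounds-checked
    before slicing instead of being trusted.
    """
    if pos + 8 > len(msg):
        raise ValueError("message too short for security buffer at %d" % pos)
    length, _max_len, offset = struct.unpack_from("<HHI", msg, pos)
    if length and offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length] if length else b""


def parse_ntlm(msg):
    """Decode an NTLM Type 1 (negotiate) or Type 2 (challenge) message."""
    if len(msg) < 16 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type == 1:
        (flags,) = struct.unpack_from("<I", msg, 12)
        domain = host = b""
        if len(msg) >= 32:  # the name descriptors are optional in Type 1
            domain = security_buffer(msg, 16)
            host = security_buffer(msg, 24)
        return {"type": 1, "flags": flag_names(flags),
                "domain": domain.decode("ascii", "replace"),
                "host": host.decode("ascii", "replace")}
    if msg_type == 2:
        if len(msg) < 32:
            raise ValueError("Type 2 message too short to hold a challenge")
        target = security_buffer(msg, 12)
        (flags,) = struct.unpack_from("<I", msg, 20)
        return {"type": 2, "flags": flag_names(flags), "target": target,
                "challenge": msg[24:32].hex()}
    raise ValueError("unsupported NTLM message type %d" % msg_type)


if __name__ == "__main__":
    for label, dump in (("type 1", TYPE1_DUMP),
                        ("empty type 1", EMPTY_TYPE1_DUMP),
                        ("type 2", TYPE2_DUMP)):
        print(label, parse_ntlm(bytes_from_dump(dump)))
```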

Re: [Fwd: [Fwd: Apache::AuthenNTLM-2.04 Problems..]]

2004-01-19 Thread Shannon Eric Peevey
Shannon Eric Peevey wrote:



> I always get the output of:
>
> User not authenticated with error level 1

Hmmm...  I was testing against my win2003 server, and was getting a 
positive.  (Using this same code).  So there may be a problem on your 
win2000 box.  (Now, I do get the same error from the AuthenNTLM mod, 
when it tries to authenticate.  When I investigated further, it seems 
that Gerald Richter stole some methods from the mod_ntlm code, and it is 
this call, (Authen::Smb::Valid_User_Connect), that is kicking our 
butt...  Will investigate further over the next few days.)

speeves
cws


[Fwd: Apache-AuthenNTLM-2.04]

2004-01-22 Thread Shannon Eric Peevey


 Original Message 
Subject: 	Apache-AuthenNTLM-2.04
Date: 	Wed, 21 Jan 2004 10:37:34 -0800
From: 	Dooley, Michael <[EMAIL PROTECTED]>
To: 	'[EMAIL PROTECTED]' <[EMAIL PROTECTED]>, '[EMAIL PROTECTED]' 
<[EMAIL PROTECTED]>



Hello,

I seem to have a problem and am unable to find any forums for some help. Was
wondering if you could help point me in the proper direction.
When a user goes to a webpage I am trying to set it up so they are
automatically authenticated, then based on the username they get accepted or
denied.
I have read your docs on AuthenNTLM and also I don't see much in the way of
examples I think I have it set up properly.
I have the prereq module already installed. Was curious if you have ever had
this error before. It is using a default setup for httpd.conf. And I have no
special configuration for mod_perl it is also the default.
Apache Ver: Apache/2.0.48 (Unix) mod_perl/1.99_12 Perl/v5.8.0 (This is a
Solaris 8 on E3500)

PerlAuthenHandler Apache::AuthenNTLM
AuthType ntlm
require valid-user
PerlAddVar ntdomain "CONWAY QGATS006 CNFQS022"
PerlSetVar defaultdomain CONWAY
PerlSetVar ntlmdegub 2

Every time I go to http://myunixmachine.com/test I get this error in my
error_log.
[error] [client 10.40.11.138] Can't locate object method "port_get" via
package "APR::SockAddr" at
/usr/local/lib/perl5/site_perl/5.8.0/sun4-solaris/Apache/AuthenNTLM.pm line
519.

Mike



--
Reporting bugs: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html


Re: [Fwd: Apache-AuthenNTLM-2.04]

2004-01-22 Thread Shannon Eric Peevey
Shannon Eric Peevey wrote:



> I seem to have a problem and am unable to find any forums for some help.

The [EMAIL PROTECTED] list has people who are familiar with this 
module, and help maintain it. :)

> I have read your docs on AuthenNTLM and also I don't see much in the
> way of examples I think I have it set up properly.
>
> Apache Ver: Apache/2.0.48 (Unix) mod_perl/1.99_12 Perl/v5.8.0 (This is a
> Solaris 8 on E3500)
>
> PerlAuthenHandler Apache::AuthenNTLM
> AuthType ntlm
> require valid-user
> PerlAddVar ntdomain "CONWAY QGATS006 CNFQS022"
> PerlSetVar defaultdomain CONWAY
> PerlSetVar ntlmdegub 2
>
> Every time I go to http://myunixmachine.com/test I get this error in my
> error_log.
> [error] [client 10.40.11.138] Can't locate object method "port_get" via
> package "APR::SockAddr" at
> /usr/local/lib/perl5/site_perl/5.8.0/sun4-solaris/Apache/AuthenNTLM.pm line
> 519.
>
> Mike


Besides a few typos, your config looks good (ntlmdegub) ;)  Thanks for 
pointing this out.  APR::SockAddr::port_get has been deprecated in 
mod_perl/1.99_12, in favor of APR::SockAddr::port.  I have made the 
changes locally, and after a bit more testing, will upload the new 
version later today, or tomorrow.

Thanks for the heads-up!!
speeves
cws




[ANNOUNCE] Apache-AuthenNTLM-2.05

2004-01-22 Thread Shannon Eric Peevey
The uploaded file

   Apache-AuthenNTLM-2.05.tar.gz

has entered CPAN as

 file: $CPAN/authors/id/S/SP/SPEEVES/Apache-AuthenNTLM-2.05.tar.gz
 size: 51753 bytes
  md5: 21b172f8d9ec971741d6f989e3ac946d

- This version fixes the APR::SockAddr::port_get name change in mod_perl-1.99_12 (found by Michael Dooley)
- Fixes some typos (found by Darryl Miles)

thanks y'all!!
speeves
cws




Re: New to Apache::AuthenNTLM

2004-01-27 Thread Shannon Eric Peevey


> What am I missing?

Hi!

Could I get the versions of apache, mod_perl and apache-authenntlm?  You 
can use the following link as a guide:

http://perl.apache.org/docs/2.0/user/help/help.html#Reporting_Problems

thanks,
speeves
cws




[Fwd: Re: Apache::AuthenNTLM-2.04 Problems..]

2004-01-28 Thread Shannon Eric Peevey


 Original Message 
Subject: Re: Apache::AuthenNTLM-2.04 Problems..
Date: Wed, 28 Jan 2004 02:31:22 +
From: Darryl Miles <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
CC: Shannon Eric Peevey <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>


NB - Speeves, Please forward to modperl list since I don't think the 
list robot is accepting any of my submissions.

AuthenNTLM.

Right I have managed to sort out the "Can not get NONCE" error.  The 
NONCE is the random data initially retrieved from the WIN32 authoritative 
host, this nonce value is then sent in the Authorization HTTP header to 
the browser.  The Browser then modifies its value using the username and 
password the user inputs.  The AuthenNTLM passes this back to the WIN32 
authoritative host to get a yes/no response for authentication.

My problem was that you can not use a raw IP address (in dotted quad 
format) for the PDC or BDC arguments in your httpd.conf in the 
"PerlAddVar ntdomain" config line.  This causes this dotted quad format 
to be the called name which will never match your server's 
pre-Windows2000 network ID.

You should also NOT try and use the post-Windows2000 full servers domain 
name (unless the complete FQDN is 16 chars or less), since this gets 
truncated to 16 bytes (that is what the pre-Windows2000 maximum name 
length is) and will never match your WIN32 server's FQDN.

Now because you have to use the hostname in the httpd.conf line, and you 
can not put in the FQDN you have to put in just the hostname part of the 
FQDN (that is all the characters up to the first fullstop in the FQDN). 
You then need to make sure the Apache server host can resolve this name 
to the IP address.  One way of doing this would be to add the domain 
name part into the "search" line of /etc/resolv.conf, another way might 
be to use /etc/hosts file and/or /etc/host.conf to resolve this to its IP 
(this is untested by me).

Maybe this information above can be added into the README of the 
Apache::AuthenNTLM package to further assist the next person.



Now I am getting past the "Can not get NONCE" error and getting an IE 
error "The page cannot be displayed", "Cannot find server or DNS Error 
Internet Explorer".  This IE error does not make any sense in this context.

The last lines in the log are:

[5572] AuthenNTLM: Config Domain = domain  pdc = winserv  bdc = winserv
[5572] AuthenNTLM: Config Default Domain = domain
[5572] AuthenNTLM: Config Fallback Domain =
[5572] AuthenNTLM: Config AuthType = ntlm AuthName = /
[5572] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[5572] AuthenNTLM: Config NTLMAuthoritative = on  BasicAuthoritative = on
[5572] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[5572] AuthenNTLM: Authorization Header 
[Wed Jan 28 02:28:16 2004] [error] access to /login_ntlm/process failed 
for  , reason: Bad/Missing NTLM/Basic Authorization Header for 
/login_ntlm/process
[5573] AuthenNTLM: Config Domain = domain  pdc = winserv  bdc = winserv
[5573] AuthenNTLM: Config Default Domain = domain
[5573] AuthenNTLM: Config Fallback Domain =
[5573] AuthenNTLM: Config AuthType = ntlm AuthName = /
[5573] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[5573] AuthenNTLM: Config NTLMAuthoritative = on  BasicAuthoritative = on
[5573] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[5573] AuthenNTLM: Authorization Header NTLM 
TlRMTVNTUAABB7IAoAsACwAlBQAFACBDQkNPU0NSWVNUQUxCTFVF
[5573] AuthenNTLM: Got: 78 84 76 77 83 83 80 0 1 0 0 0 7 178 0 160 11 0 
11 0 37 0 0 0 5 0 5 0 32 0 0 0 67 66 67 79 83 67 82 89 83 84 65 76 66 76 
85 69
[5573] AuthenNTLM: protocol=NTLMSSP, type=1, 
flags1=7(NEGOTIATE_UNICODE,NEGOTIATE_OEM,REQUEST_TARGET), 
flags2=178(NEGOTIATE_ALWAYS_SIGN,NEGOTIATE_NTLM), domain length=11, 
domain offset=37, host length=5, host offset=32, host=winserv, domain=domain
[5573] AuthenNTLM: Connect to pdc = winserv bdc = winserv domain = domain
[5573] AuthenNTLM: enter lock
[5573] AuthenNTLM: Send: 78 84 76 77 83 83 80 0 2 0 0 0 0 0 0 0 40 0 0 0 
1 130 0 0 230 21 15 88 242 175 242 123 0 0 0 0 0 0 0 0
[5573] AuthenNTLM: charencoding = 1
[5573] AuthenNTLM: flags2 = 130
[5573] AuthenNTLM: nonce=æXò¯ò{
[5573] AuthenNTLM: Send header: NTLM 
TlRMTVNTUAACACgBggAA5hUPWPKv8nsAAA==

Any more ideas on this next problem ?

Regards

Darryl L Miles
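
The called-name mismatch described in this message, and the 5-byte reply in the strace output earlier in the thread, can both be read directly off the NetBIOS session service packets (RFC 1001/1002). The Python code here is an added example, not part of the original message or of Authen::Smb: the packet bytes are copied from that strace output, `wire_name` encodes an assumption inferred from it (upper-case, truncate to 16 bytes, pad with spaces), the FQDN in the demo is constructed, and all function names are hypothetical.

```python
import struct

# Session service packet types and negative-response codes from RFC 1002.
PACKET_TYPES = {
    0x00: "SESSION MESSAGE",
    0x81: "SESSION REQUEST",
    0x82: "POSITIVE SESSION RESPONSE",
    0x83: "NEGATIVE SESSION RESPONSE",
    0x84: "RETARGET SESSION RESPONSE",
    0x85: "SESSION KEEP ALIVE",
}
NEGATIVE_REASONS = {
    0x80: "Not listening on called name",
    0x81: "Not listening for calling name",
    0x82: "Called name not present",
    0x83: "Called name present, but insufficient resources",
    0x8F: "Unspecified error",
}

# Bytes copied from the strace output earlier in this thread.
SESSION_REQUEST = (b"\x81\x00\x00D DBDHDCCODBDGCODDDCCODDCACACACACA\x00"
                   b" EPEEEJEOCOEIEPENEFCOEEEBFCFCFJEM\x00")
WIN2000_REPLY = b"\x83\x00\x00\x01\x82"
SAMBA_REPLY = b"\x82\x00\x00\x00"


def decode_name(encoded):
    """Undo RFC 1001 first-level encoding: two letters 'A'..'P' per byte."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    out = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - 0x41, encoded[i + 1] - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("byte outside 'A'..'P' in encoded name")
        out.append((hi << 4) | lo)
    return out.decode("latin-1")


def encode_name(name16):
    """First-level encode a 16-byte name (one letter per nibble)."""
    raw = name16.encode("latin-1")
    if len(raw) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes on the wire")
    return bytes(0x41 + nib for b in raw for nib in (b >> 4, b & 0x0F))


def wire_name(config_value):
    """16-byte name sent for a configured PDC/BDC value.

    Assumption inferred from the strace output: the client upper-cases
    the value, truncates it to 16 bytes and pads it with spaces.
    """
    return config_value.upper()[:16].ljust(16)


def parse_session_packet(data):
    """Decode one NetBIOS session service packet into a dict."""
    if len(data) < 4:
        raise ValueError("short session header")
    ptype, flags, length = struct.unpack(">BBH", data[:4])
    length |= (flags & 0x01) << 16  # low flag bit extends the length field
    body = data[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated session packet")
    info = {"type": PACKET_TYPES.get(ptype, "UNKNOWN 0x%02x" % ptype)}
    if ptype == 0x81:
        # Called name, then calling name; each is a 0x20 length byte,
        # 32 encoded bytes and a 0x00 terminator (empty NetBIOS scope).
        if (length != 68 or body[0] != 32 or body[34] != 32
                or body[33] != 0 or body[67] != 0):
            raise ValueError("unexpected name layout (scopes not handled)")
        info["called"] = decode_name(body[1:33])
        info["calling"] = decode_name(body[35:67])
    elif ptype == 0x83:
        if length != 1:
            raise ValueError("negative response carries one error byte")
        info["reason"] = NEGATIVE_REASONS.get(body[0],
                                              "unknown 0x%02x" % body[0])
    return info


if __name__ == "__main__":
    print(parse_session_packet(SESSION_REQUEST))
    print("Win2000:", parse_session_packet(WIN2000_REPLY))
    print("Samba:  ", parse_session_packet(SAMBA_REPLY))
    # Constructed FQDN: what would be sent if it were configured as the PDC.
    print(repr(wire_name("winserv.office.domain.com")))
```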





Re: [Fwd: Re: Apache::AuthenNTLM-2.04 Problems..]

2004-01-28 Thread Shannon Eric Peevey

AuthenNTLM.

Right I have managed to sort out the "Can not get NONCE" error.  The 
NONCE is the random data initially retrieved from the WIN32 
authoritative host, this nonce value is then sent in the Authorization 
HTTP header to the browser.  The Browser then modifies its value using 
the username and password the user inputs.  The AuthenNTLM passes this 
back to the WIN32 authoritative host to get a yes/no response for 
authentication.

My problem was that you can not use a raw IP address (in dotted quad 
format) for the PDC or BDC arguments in your httpd.conf in the 
"PerlAddVar ntdomain" config line.  This causes this dotted quad 
format to be the called name which will never match your server's 
pre-Windows2000 network ID.

You should also NOT try and use the post-Windows2000 full server's 
domain name (unless the complete FQDN is 16 chars or less), since this 
gets truncated to 16 bytes (that is what the pre-Windows2000 maximum 
name length is) and will never match your WIN32 server's FQDN.

Right-O :)  Good explanation and call.  Now that I have a windows 
machine to test against, I find this to be true.  This is not true of 
Samba, though.  (As of version 3.0.1-2 on Debian unstable)  You can use 
IP Addresses to define your pdc and bdc.

Now because you have to use the hostname in the httpd.conf line, and 
you can not put in the FQDN you have to put in just the hostname part 
of the FQDN (that is all the characters up to the first full stop in the 
FQDN). You then need to make sure the Apache server host can resolve 
this name to the IP address.  One way of doing this would be to add 
the domain name part into the "search" line of /etc/resolv.conf, 
another way might be to use /etc/hosts file and/or /etc/host.conf to 
resolve this to its IP (this is untested by me).

/etc/hosts works fine on my machine.

Maybe this information above can be added into the README of the 
Apache::AuthenNTLM package to further assist the next person.

I will definitely put it in the next release. 

Now I am getting past the "Can not get NONCE" error and getting an IE 
error "The page cannot be displayed", "Cannot find server or DNS Error 
Internet Explorer".  This IE error does not make any sense in this 
context.

Any more ideas on this next problem?

Not really, but do you have a firewall misconfigured somewhere?

speeves
cws
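
The naming rules from this message can be checked before Apache is restarted. The following is an added example, not part of the thread or of Apache::AuthenNTLM: it lints `PerlAddVar ntdomain` lines for raw IP addresses and names over the 16-byte limit quoted above. The sample configuration, function names and addresses are constructed for illustration.

```python
import re
import shlex

# Limit quoted in the thread: the called name is truncated to 16 bytes.
NAME_LIMIT = 16
DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
NTDOMAIN = re.compile(r"^\s*PerlAddVar\s+ntdomain\s+(.+)$", re.IGNORECASE)

# Constructed sample configuration (domains, hosts and addresses are made up).
SAMPLE_CONF = """\
PerlAuthenHandler Apache::AuthenNTLM
AuthType ntlm
PerlAddVar ntdomain "CORP 192.0.2.10 192.0.2.11"
PerlAddVar ntdomain "SALES dc01.sales.example.com dc02"
PerlAddVar ntdomain "LAB labdc01 labdc02"
#PerlAddVar ntdomain "OLD 192.0.2.99"
"""


def check_controller(name):
    """Return a problem description for one PDC/BDC value, or None if it passes."""
    if DOTTED_QUAD.match(name):
        # The thread notes Samba accepts IP addresses; Windows servers do not.
        return ("raw IP address is sent as the called name and will not "
                "match a Windows server's pre-Windows2000 name")
    size = len(name.encode("utf-8"))
    if size > NAME_LIMIT:
        short = name.split(".", 1)[0]
        hint = f"; use the host part '{short}'" if short != name else ""
        return f"name is {size} bytes and is truncated to {NAME_LIMIT}{hint}"
    return None


def lint_ntdomain(conf_text):
    """Return findings as (line_number, role, value, problem) tuples."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        match = NTDOMAIN.match(line)
        if not match:
            continue  # other directives and commented-out lines
        raw = match.group(1)
        try:
            # Strip the quotes, then split "domain pdc [bdc]" on whitespace.
            parts = " ".join(shlex.split(raw)).split()
        except ValueError:
            findings.append((lineno, "line", raw, "unbalanced quotes"))
            continue
        if len(parts) < 2:
            findings.append((lineno, "line", raw, "expected: domain pdc [bdc]"))
            continue
        # parts[0] is the domain name; the next one or two are controllers.
        for role, value in zip(("pdc", "bdc"), parts[1:3]):
            problem = check_controller(value)
            if problem:
                findings.append((lineno, role, value, problem))
    return findings


if __name__ == "__main__":
    for lineno, role, value, problem in lint_ntdomain(SAMPLE_CONF):
        print(f"line {lineno}: {role} {value}: {problem}")
```

A name that passes still has to resolve on the Apache host, for instance through /etc/hosts as confirmed in the reply above.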




Re: New to Apache::AuthenNTLM

2004-01-28 Thread Shannon Eric Peevey
Altaf Rupani wrote:

The version of mod_perl is 1.99_09.

Hi!

The newest version of Apache::AuthenNTLM (2.05) needs mod_perl 1.99_12 
to set the Global variable MP2. 

Let me know if that works :)

speeves
cws


Re: Authen::NTLM

2004-02-02 Thread Shannon Eric Peevey
Hi!

Am forwarding this to the modperl list.

Unfortunately, I don't have a mac to test this on :(

speeves
cws

Joep Mathijssen wrote:

We're using Authen::NTLM within an Intranet. The server runs Apache 1.3
and mod_perl-1.29. Everything works like a dream. Even Mozilla's and
Safari's etc connect fine.
But IE 5.2 on a Mac is unable to log in. Below is a part of the logfile:

[569] AuthenNTLM: Start NTLM Authen handler pid = 569, connection = 138518492 conn_http_hdr 
= Keep-Alive  main =  cuser =  remote_ip = 195.81.24.250 remote_port =  remote_host = 
<> version = 2.04
[569] AuthenNTLM: Setup new object
[569] AuthenNTLM: Config Domain = abc  pdc = abcdata01  bdc = abcdata01
[569] AuthenNTLM: Config Default Domain = abc
[569] AuthenNTLM: Config Fallback Domain = abc
[569] AuthenNTLM: Config AuthType = ntlm,basic AuthName = Intranet
[569] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 1
[569] AuthenNTLM: Config NTLMAuthoritative = on  BasicAuthoritative = on
[569] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[569] AuthenNTLM: Authorization Header NTLM
[569] AuthenNTLM: protocol=NTLMSSP, type=1, 
flags1=7(NEGOTIATE_UNICODE,NEGOTIATE_OEM,REQUEST_TARGET), 
flags2=130(NEGOTIATE_ALWAYS_SIGN,NEGOTIATE_NTLM), domain length=0, domain offset=0, 
host length=0, host offset=0, host=, domain=
[569] AuthenNTLM: Connect to pdc = abcdata01 bdc = abcdata01 domain = abc
[569] AuthenNTLM: enter lock
[569] AuthenNTLM: charencoding = 1
[569] AuthenNTLM: flags2 = 130
[569] AuthenNTLM: Send header: NTLM ...
[569] AuthenNTLM: Start NTLM Authen handler pid = 569, connection = 138518492 conn_http_hdr 
= Keep-Alive  main =  cuser =  remote_ip = 195.81.24.250 remote_port =  remote_host = < 
> version = 2.04
[569] AuthenNTLM: Object exists user = \
[569] AuthenNTLM: Authorization Header NTLM
[569] AuthenNTLM: protocol=NTLMSSP, type=3, user=jco, host=, domain=, msg_len=0
[569] handler type == 3
[569] AuthenNTLM: Verify user jco via smb server
[569] AuthenNTLM: leave lock
[Mon Feb  2 14:18:31 2004] [error] access to / failed for  , reason: Wrong 
password/user (rc=3/1/327681): abc\jco for /
[569] AuthenNTLM: rc = 3  ntlmhash = ^T<93>$%è«5^S  <94>Õ<90>ÆJ^RðG<80><9e>Õê^Lã2

It appears that the login name is corrupted. It should
be 'jaccos' and not 'jco'.
Do you have any clue?

greetings
Joep Mathijssen
--- clickhere interactive ---
 J.P. Coenstraat 32     http://www.clickhere.nl
 3531 EV  Utrecht       E.  [EMAIL PROTECTED]
 The Netherlands        T. (+31) 030 2731 769
                        F. (+31) 030 2719 403





Re: [mp2] Any way to reload perl modules w/o restarting Apache?

2004-02-04 Thread Shannon Eric Peevey
Beau E. Cox wrote:

Hi -

I have a serious development effort going w/mp2. I am
coding and testing a lot of perl modules for use within
the project.
Is there any way to reload perl modules w/o restarting Apache?
I'm getting tired of the wait :) between module fixes and
retesting while Apache recycles.
 

Hi!

Check out:

Apache2
http://perl.apache.org/docs/2.0/api/Apache/Reload.html
According to:
http://perl.apache.org/docs/2.0/user/porting/compat.html#C_Apache__StatINC_
this will work for both versions of modperl.

cheers,
speeves
cws




[Fwd: Net-NIS-0.34 // Apache-AuthenNIS-0.11 - possible bug.]

2004-02-07 Thread Shannon Eric Peevey


 Original Message 
Subject:Net-NIS-0.34 // Apache-AuthenNIS-0.11 - possible bug.
Date:   Wed, 4 Feb 2004 16:54:07 +0100
From:   <[EMAIL PROTECTED]>
Organization:   http://freemail.web.de/
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]


Hello, 

I am using Apache::AuthenNIS for NIS authentication. I have found that it fails to authenticate a valid user (with a valid passwd) when the passwd contains the pattern: $0

e.g. our standard user (default) passwd is user$99, user$00, ..., user$03, user$04 depending on what year the user is created. 

We are using: 

apache_1.3.28 / mod_perl-1.29 / Apache-AuthenNIS-0.11 / Net-NIS-0.34

Can you help? 

Phil 





[Fwd: Re: Apache::AuthzNIS ... problem?]

2004-02-07 Thread Shannon Eric Peevey


 Original Message 
Subject:Re: Apache::AuthzNIS ... problem?
Date:   Fri, 06 Feb 2004 09:33:20 -0700
From:   Ed Santiago <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
CC: ShannonEricPeevey <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
References: <[EMAIL PROTECTED]>


 >Pointers? Have tried various combinations and all fail ...

Well, one pointer is: can you give a _wee_ bit more detail than "all fail"?
As you no doubt know from your users, saying "it doesn't work" doesn't
make for an easy time tracking down a problem...

Helpful details would include the symptoms seen on the browser,
and probably the relevant entries from logs/error_log.

 >  require valid-user
 >  require group user52

You don't want the first line.  The require conditions are OR'ed, not ANDed.

^E





[Fwd: Re: Net-NIS-0.34 // Apache-AuthenNIS-0.11 - possible bug.]

2004-02-07 Thread Shannon Eric Peevey


 Original Message 
Subject:Re: Net-NIS-0.34 // Apache-AuthenNIS-0.11 - possible bug.
Date:   Wed, 04 Feb 2004 09:27:58 -0700
From:   Ed Santiago <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED], [EMAIL PROTECTED]
References: <[EMAIL PROTECTED]>


Hmmm.  I can't reproduce on my end, nor can I see any reason why
it would fail: Apache::AuthenNIS 1.11 [1] doesn't use $sent_pwd
in any context in which dollar-interpolation could take place,
and Net::NIS doesn't even know there's a dollar sign in there.
 [1] http://search.cpan.org/src/SPEEVES/Apache-AuthenNIS-0.11/AuthenNIS.pm

I suspect that the encrypted password is not what it seems.  Here
are some things to try:
 * For a given user 'joebob', can you run 'ypmatch joebob passwd'
   and see the encrypted passwd entry in field 2?  To make sure,
   here's a way to check:  ypmatch joebob passwd|cut -d: -f2
 * Is the encrypted password exactly 13 characters?  Pipe the
   above command through "wc -c", and make sure it returns 14
   (13 + newline).  If it's anything else, crypt() won't work.
   You may have inadvertently set up MD5 passwords, or shadow
   passwords, or (if you hand-edit passwd) perhaps inadvertently
   gotten the passwd colon fields out of sequence.
 * Are you sure the encrypted password is what it should be?
   Try the following, replacing $clear and $expect with your
   own values of the cleartext & encrypted password respectively:
 perl -e '$clear=q{joebob$0}; $expect=q{ZRiRSCe67JKpY}; $result=crypt($clear,$expect); printf "%s %s\n",$result, ($result eq $expect ? "ok" : "MISMATCH!")'

   (just in case it needs to be mentioned: don't muck with the
   quotes above - you don't want the shell to see the '$'s.)
 * Who sets the password?  Is it a human, or a script?  If human,
   can you try setting it again (to check for typos)?  If a script,
   perhaps there's dollar-interpolation happening somewhere before
   the password is encrypted?
 * Perhaps stupid question: there aren't any colons in the username,
   are there?  Just being thorough :-)
Best of luck,
^E
--
Ed Santiago    Maintainer, Net::NIS    [EMAIL PROTECTED]




 On Wed, 4 Feb 2004 16:54:07 +0100, [EMAIL PROTECTED] wrote:
 >Hello, 
 >
 >I am using Apache::AuthenNIS for NIS authentication. I have found that it fails to authenticate a valid user (with a valid passwd) when the passwd contains the pattern: $0
 >
 >e.g. our standard user (default) passwd is user$99, user$00, ..., user$03, user$04 depending on what year the user is created. 
 >
 >We are using: 
 >
 >apache_1.3.28 / mod_perl-1.29 / Apache-AuthenNIS-0.11 / Net-NIS-0.34
 >
 >Can you help? 
 >
 >Phil 
 >
 >
 >





[Fwd: Apache::AuthzNIS ... problem?]

2004-02-07 Thread Shannon Eric Peevey


 Original Message 
Subject:Apache::AuthzNIS ... problem?
Date:   Fri, 6 Feb 2004 17:24:55 +0100
From:   <[EMAIL PROTECTED]>
Organization:   http://freemail.web.de/
To: EdSantiago <[EMAIL PROTECTED]>, ShannonEricPeevey <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED], [EMAIL PROTECTED]


Hello Guys

Me again with a different problem - but I think this time it is more for Shannon. I am having no success with Apache::AuthzNIS (HPUX 11i). 

My httpd.conf  reads: 



 AuthName "NIS Authentification"
 AuthType Basic
 PerlAuthenHandler Apache::AuthenNIS
 PerlAuthenHandler Apache::AuthzNIS
 require valid-user
 require group user52


My understanding is the following: 

1. The user will be validated as a NIS user or rather "authenticated" as a NIS user. 
2. If the user is not a member of the "user52" group, the "authorisation" fails. 

Pointers? Have tried various combinations and all fail ...

Phil 



Shannon Eric Peevey <[EMAIL PROTECTED]> schrieb am 04.02.04 18:09:28:

Ed Santiago wrote:

Hmmm.  I can't reproduce on my end, nor can I see any reason why
it would fail: Apache::AuthenNIS 1.11 [1] doesn't use $sent_pwd
in any context in which dollar-interpolation could take place,
and Net::NIS doesn't even know there's a dollar sign in there.
 [1] http://search.cpan.org/src/SPEEVES/Apache-AuthenNIS-0.11/AuthenNIS.pm

I suspect that the encrypted password is not what it seems.  Here
are some things to try:
 * For a given user 'joebob', can you run 'ypmatch joebob passwd'
   and see the encrypted passwd entry in field 2?  To make sure,
   here's a way to check:  ypmatch joebob passwd|cut -d: -f2
 * Is the encrypted password exactly 13 characters?  Pipe the
   above command through "wc -c", and make sure it returns 14
   (13 + newline).  If it's anything else, crypt() won't work.
   You may have inadvertently set up MD5 passwords, or shadow
   passwords, or (if you hand-edit passwd) perhaps inadvertently
   gotten the passwd colon fields out of sequence.
 * Are you sure the encrypted password is what it should be?
   Try the following, replacing $clear and $expect with your
   own values of the cleartext & encrypted password respectively:
 perl -e '$clear=q{joebob$0}; $expect=q{ZRiRSCe67JKpY}; $result=crypt($clear,$expect); printf "%s %s\n",$result, ($result eq $expect ? "ok" : "MISMATCH!")'

   (just in case it needs to be mentioned: don't muck with the
   quotes above - you don't want the shell to see the '$'s.)
 * Who sets the password?  Is it a human, or a script?  If human,
   can you try setting it again (to check for typos)?  If a script,
   perhaps there's dollar-interpolation happening somewhere before
   the password is encrypted?
 * Perhaps stupid question: there aren't any colons in the username,
   are there?  Just being thorough :-)
Best of luck,
^E
 

Hi!

Can I forward this to the modperl list?  These are great troubleshooting 
tips!!

thanks,
speeves
cws






[Fwd: Re: Apache::AuthzNIS ... problem?]

2004-02-07 Thread Shannon Eric Peevey


 Original Message 
Subject:Re: Apache::AuthzNIS ... problem?
Date:   Fri, 6 Feb 2004 17:42:21 +0100
From:   <[EMAIL PROTECTED]>
Organization:   http://freemail.web.de/
To: EdSantiago <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
CC: [EMAIL PROTECTED], "ShannonEricPeevey" <[EMAIL PROTECTED]>


OK, I accept your point(er!). 

I _assumed_ these were ANDed. However, when I use the following lines: 



 AuthName "NIS Authentification"
 AuthType Basic
 PerlAuthenHandler Apache::AuthenNIS
 #require valid-user
 PerlAuthenHandler Apache::AuthzNIS
 require group user52


... with user: ryanp52,

[deuxvi54:/pkg/vdc52/home/ryanp52][ryanp52]$ id  uid=40646(ryanp52) gid=52300(user52)
[deuxvi54:/pkg/vdc52/home/ryanp52][ryanp52]$ 

it still fails. The login authentication box continuously prompts me for a password despite me having supplied a valid passwd. The directive: "require valid-user" works for this user and indeed others I have tested. 

Log entries of interest are: 

[Fri Feb  6 17:38:29 2004] [error] access to /ddts/ddts_main failed for 10.120.50.38, reason: Apache::AuthzNIS - user ryanp52: not authorized

Hope this helps!

Phil 







Ed Santiago <[EMAIL PROTECTED]> schrieb am 06.02.04 17:33:27:

 >Pointers? Have tried various combinations and all fail ...

Well, one pointer is: can you give a _wee_ bit more detail than "all fail"?
As you no doubt know from your users, saying "it doesn't work" doesn't
make for an easy time tracking down a problem...

Helpful details would include the symptoms seen on the browser,
and probably the relevant entries from logs/error_log.

 >  require valid-user
 >  require group user52

You don't want the first line.  The require conditions are OR'ed, not ANDed.

^E







[Fwd: Re: Apache::AuthzNIS ... problem?]

2004-02-07 Thread Shannon Eric Peevey


 Original Message 
Subject:Re: Apache::AuthzNIS ... problem?
Date:   Fri, 06 Feb 2004 10:13:30 -0700
From:   Ed Santiago <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED], "ShannonEricPeevey" <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>


From a quick look at the source to AuthzNIS.pm, it looks like the
module cannot handle 'group XXX' if XXX is your default group
(i.e. the one in your passwd entry).  It only seems to handle
logins explicitly mentioned in the 'group' YP map.
One solution might be to add code like this to AuthzNIS.pm :

   ...
   my $name = MP2 ? $r->user : $r->connection->user;
 + FIXME: to be consistent, maybe use yp_match() instead of getpwnam?
 + my @pwent = getpwnam($name)
 +   or (FIXME: log error, then return failure?  continue?)
 + my $default_gid = $pwent[3];
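
Review bot: The failure branch of getpwnam($name) is left as a FIXME that lists "continue" as an option; for an authorization handler it should deny. If the lookup fails and execution carries on, $default_gid is undef, and the later numeric test "$gid == $default_gid" treats undef as 0, so a group entry whose gid field is 0 or not a number would authorize the user. Log the failure and return the handler's not-authorized status at that point. The two FIXME lines also need a leading # and the getpwnam statement needs its terminating semicolon before this compiles.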
   .
 - my @names = split /\,/, $entry;
 - $names[0] =~ s/^.*:.*:.*://;
 + my (undef, undef, $gid, $names) = split ':', $entry, 4;
 + # Is this the remote user's default group, per passwd?  Allow.
 + if ($gid == $default_gid) {
 +  return MP2 ? Apache::OK : Apache::Constants::OK;
 + }
 + # Not user's default group.  See if s/he is enumerated in group entry.
 + my @names = split /\,/, $names;
   foreach my $oneuser (@names) {
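
Review bot: "$gid == $default_gid" compares two values that nothing in this hunk has validated as numbers. When $entry is empty or malformed, "split ':', $entry, 4" leaves $gid undefined or non-numeric, Perl numifies it to 0, and the comparison then succeeds against a default gid of 0 or against an undefined $default_gid, returning OK. Check that $entry is defined and that both $gid and $default_gid match /^\d+$/ before comparing, and fall through to the member-list loop otherwise.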
   
 On Fri, 6 Feb 2004 17:42:21 +0100, [EMAIL PROTECTED] wrote:
 >OK, I accept your point(er!). 
 >
 >I _assumed_ these were ANDed. However, when I use the following lines: 
 >
 >
 >
 >  AuthName "NIS Authentification"
 >  AuthType Basic
 >  PerlAuthenHandler Apache::AuthenNIS
 >  #require valid-user
 >  PerlAuthenHandler Apache::AuthzNIS
 >  require group user52
 >
 >
 >
 > ... with user: ryanp52,
 >
 >[deuxvi54:/pkg/vdc52/home/ryanp52][ryanp52]$ id  uid=40646(ryanp52) gid=52300(user52)
 >[deuxvi54:/pkg/vdc52/home/ryanp52][ryanp52]$ 
 >
 >it still fails. The login authentication box continuously prompts me for a password despite me having supplied a valid passwd. The directive: "require valid-user" works for this user and indeed others I have tested. 
 >
 >Log entries of interest are: 
 >
 >[Fri Feb  6 17:38:29 2004] [error] access to /ddts/ddts_main failed for 10.120.50.38, reason: Apache::AuthzNIS - user ryanp52: not authorized
 >
 >Hope this helps!
 >
 >Phil 
 >
 >
 >
 >
 >
 >
 >
 >
 >Ed Santiago <[EMAIL PROTECTED]> schrieb am 06.02.04 17:33:27:
 >
 >  >Pointers? Have tried various combinations and all fail ...
 >
 >Well, one pointer is: can you give a _wee_ bit more detail than "all fail"?
 >As you no doubt know from your users, saying "it doesn't work" doesn't
 >make for an easy time tracking down a problem...
 >
 >Helpful details would include the symptoms seen on the browser,
 >and probably the relevant entries from logs/error_log.
 >
 >  >  require valid-user
 >  >  require group user52
 >
 >You don't want the first line.  The require conditions are OR'ed, not ANDed.
 >
 >^E
 >
 >
 >





[Fwd: Re: Net-NIS-0.34 // Apache-AuthenNIS-0.11 - possible bug.]

2004-02-07 Thread Shannon Eric Peevey


 Original Message 
Subject:Re: Net-NIS-0.34 // Apache-AuthenNIS-0.11 - possible bug.
Date:   Wed, 04 Feb 2004 14:21:22 -0700
From:   Ed Santiago <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
CC: ShannonEricPeevey <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
References: <[EMAIL PROTECTED]>


 >Content-type: text/html;

Hint: you may want to configure your mailreader to send plaintext
email, or at least multipart/alternative with a plaintext part.
My spam filters discard or flag all email sent as html-only.
Many other people have spam filters set up the same way.

 >One question: when you say I could have activated MD5 passwords,
 >where do you mean? Apache? 

This one is really unlikely.  The only way I can think of this
happening is if someone set the password manually using passwd(1)
on a Linux system, on a local account, then cut&pasted the hash
from /etc/shadow.  Or some variation thereof.

If the hashed passwd string looks like '$1$xxx...$yyy...',
where 'xxx...' is 8 chars and 'yyy...' 22, and '$' and '1'
are literal dollar sign and numeral one respectively, it's
an MD5 password and crypt() won't help.

Again, the probability of this happening is close to zero.  I only
mentioned it because it's often easier to write a list of (even absurd)
possibilities than to spend a few hours back-and-forth over email...

Again, good luck,
^E
--
Ed Santiago Toolsmith [EMAIL PROTECTED]
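
The format checks from the two troubleshooting messages above (colon fields in sequence, a 13-character crypt() hash, the `$1$` MD5 form) can be run over `ypmatch <user> passwd` output in one pass. This is an added example, not code from the thread or from Net::NIS; the entries are constructed, the 13-character hash is the sample string quoted earlier, and the placeholder set is an assumption about common passwd-field markers.

```python
import re

# Traditional crypt(): 13 characters from [./0-9A-Za-z] (2 salt + 11 hash).
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# MD5 form described in the thread: $1$ + salt (up to 8 chars) + $ + 22 chars.
MD5_CRYPT = re.compile(r"^\$1\$[^$:]{1,8}\$[./0-9A-Za-z]{22}$")
# Assumption: common markers for "hash is stored elsewhere" or "account locked".
PLACEHOLDERS = {"", "x", "*", "!"}

# Constructed passwd-map lines; the MD5 string is a made-up value of the right shape.
SAMPLE_ENTRIES = [
    "joebob:ZRiRSCe67JKpY:1001:100:Joe Bob:/home/joebob:/bin/sh",
    "carol:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:1005:100::/home/carol:/bin/sh",
    "alice:x:1002:100::/home/alice:/bin/sh",
    "bob:1003:ZRiRSCe67JKpY:100::/home/bob:/bin/sh",       # fields swapped
    "ann:marie:ZRiRSCe67JKpY:1004:100::/home/ann:/bin/sh",  # colon in the name
]


def classify_hash(field):
    """Name the format of the password field of a passwd entry."""
    if field in PLACEHOLDERS:
        return "placeholder"
    if DES_CRYPT.match(field):
        return "des-crypt"
    if MD5_CRYPT.match(field):
        return "md5-crypt"
    return "unknown"


def diagnose(entry):
    """Return (user, kind, problems) for one passwd-map line."""
    fields = entry.rstrip("\n").split(":")
    problems = []
    if len(fields) != 7:
        # name:passwd:uid:gid:gecos:home:shell, so any other count is a layout error.
        problems.append(f"expected 7 colon-separated fields, found {len(fields)}")
        return fields[0], "malformed", problems
    user, pw, uid, gid = fields[:4]
    if not (uid.isdigit() and gid.isdigit()):
        problems.append("uid/gid are not numeric: fields may be out of sequence")
    kind = classify_hash(pw)
    if kind == "md5-crypt":
        problems.append("MD5 ($1$) hash, not the 13-character crypt() format")
    elif kind == "placeholder":
        problems.append("no hash in the map (shadowed or locked account)")
    elif kind == "unknown":
        # `wc -c` on the field prints its length plus one for the newline.
        problems.append(f"hash field is {len(pw)} characters "
                        f"(wc -c prints {len(pw) + 1}), expected 13 (14)")
    return user, kind, problems


if __name__ == "__main__":
    for line in SAMPLE_ENTRIES:
        user, kind, problems = diagnose(line)
        print(f"{user}: {kind}: {'; '.join(problems) or 'ok'}")
```

An entry that passes these checks still needs the crypt() comparison from the Perl one-liner above to confirm that the cleartext matches the stored hash.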




Re: Authen::NTLM

2004-02-07 Thread Shannon Eric Peevey
Joep Mathijssen wrote:

I set NTLMDEBUG to 2 and send the results attached to this mail.

 

Hi!

Can you cut-n-paste the relevant part of the logs into an email for me?  
I am not sure where to look in the logs.

thanks,
speeves
cws


Re: Post Request - content-length = 0 with IE

2004-02-08 Thread Shannon Eric Peevey
Bippes, Arne wrote:

Hello list,

I'm trying to override AuthenNTLM (PerlAuthenHandler).

Are you trying to build a module using AuthenNTLM?  I am a bit confused :P

While doing this I'm having the problem that all my Post-Variables 
somehow disappear in MS Internet Explorer (V 6.0). Posting the same 
page with Mozilla, everything works fine.

Looking further even with
sub handler {
    my $r = shift;
    return OK;
}
no Post Variables can be found.

Have you run this through the Perl debugger?  That should show you where 
your variables disappear...  Check out:

http://perl.apache.org/docs/1.0/guide/debug.html#Interactive_mod_perl_Debugging

for more info on how to do this.

speeves
cws


Re: AW: Post Request - content-length = 0 with IE

2004-02-09 Thread Shannon Eric Peevey

More detailed explanation: I'm having dramatic performance problems using
AuthenNTLM (many seconds to answer a request),

Have you checked out the number of connections to the smb server?  This 
seems to be a problem across the board for auth modules.  The answer 
would be to check out:

http://search.cpan.org/~cgilmore/Apache-AuthenCache-1.00/AuthenCache.pm

This module caches the auth information, so your connections to the smb 
server are limited.

so I'm writing another
PerlAuthenHandler which looks for a Cookie and checks permission. 

Have you checked out:

http://search.cpan.org/~llap/Apache-AuthCookieNTLM-0.06/lib/Apache/AuthCookieNTLM.pm

Leo Lapworth has already written a module that does exactly what you 
want (it seems).

HTH,
speeves
cws


Re: Apache::AuthenNTLM 2.05 ntlm+basic

2004-02-09 Thread Shannon Eric Peevey
Dooley, Michael wrote:

On the inTRAnet side of this it works fine, and authenticates against a
PDC/BDC.
on the inTERnet side of this it fails. prompts for user/pass/domain.
What I am trying to do is if the user is on the network use NTLM. if he is
on the internet use basic and have them sign in via user/passwd created w/
htpasswd.
am I not using authenNTLM properly? am I missing something?
 

It sets NTLM and basic by the browser response.  (IE => NTLM, everything 
else => basic)

A way around this, is to do something like AuthNetLDAP, where we return 
DECLINED if we want to allow an alternative authentication, which will 
send the request to the next AuthenHandler, which could be whatever you 
would like it to be.  (Except that IE would still try to authenticate 
using NTLM... :( )

Hmmm  You would probably have to set up a handler before the authen 
phase to test the ip address of the end-user, and then send the request 
to the correct authen handler...  Does anyone know if there is already 
some code for this out there?

speeves
cws




Re: Apache-AuthenNTLM and domain prefix

2004-02-16 Thread Shannon Eric Peevey
Michael Zehrer wrote:

Hi,

I tried your Apache::AuthenNTLM module and it really works great. But
there's one thing I would like to have. Would it be possible to have an
option to strip off the domain prefix (mydomain//) before returning the
username to apache. We have some perl applications that just can't
handle this,
 

Hi!

Will do.  This seems to be a problem across the board with windows 
xp/2003 and the authen modules.  I will add code in here for the next 
release.

thanks,

--
Shannon Eric Peevey =>  "speeves"
Dyno-Mite! System Administrator =>  [EMAIL PROTECTED]
Central Web Support =>  (940) 369-8876
University of North Texas   =>  http://web2.unt.edu




[Fwd: RE: AuthenNTLM/Smb problem]

2004-02-20 Thread Shannon Eric Peevey


 Original Message 
Subject:RE: AuthenNTLM/Smb problem
Date:   Fri, 20 Feb 2004 06:45:15 -0700
From:   David Schneider <[EMAIL PROTECTED]>
To: 'Shannon Eric Peevey' <[EMAIL PROTECTED]>


Ah!

I should have thought about that.

Yes, that would be wonderful if you did that! 

Thank you so very much! I hope you have a great day!
david
-----Original Message-----
From: Shannon Eric Peevey [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 20, 2004 3:18 AM
To: David Schneider
Subject: Re: AuthenNTLM/Smb problem

David Schneider wrote:

Hello!

I am so sorry to bother you, but was hoping that you could point me in
the right direction. I am about at my wit's end, assuming, of course
that I had a lot of wits to end 

I am trying to run the AuthenNTLM module on a Windows 2000 machine with
Apache and ModPerl (and OpenSSL, too, but I actually managed to get
that to work!)

When I put everything together, and run a web page, I get the message
"can't locate loadable object for module Authen::Smb". What I thought I
had to do is place Apache::AuthenNTLM in a directory called "Apache" in
c:\perl\site\lib, and Authen::Smb in a directory called Authen in
c:\perl\site\lib. Just for yucks, I created a directory under Apache as
well called "perl\Apache\" and "perl\Authen". Same results.

If I go to the directory where Smb is at and try test.PL I get the same
message.

I have tried locating the Smb.pm in various places to no avail.

If I try to make Smb, then it complains that it doesn't know how to
make valid.o.

Sigh.

I am missing something really, really simple here? Any pointers would
be most appreciated. The internet is strangely quiet on this topic.

Server: Apache/2.0.48 (Win32) mod_perl/1.99_12 Perl/v5.8.3
mod_ssl/2.0.48 OpenSSL/0.9.7c Server at david Port 80. AuthenNTLM
version is 2.05.
Thank you so much for your time, and I hope you have a great day!
david
 

Can I forward this to the modperl list?  There are some great windows 
folks that read it, and they would probably be able to help better than
I :P

--
Shannon Eric Peevey =>  "speeves"
Dyno-Mite! System Administrator =>  [EMAIL PROTECTED]
Central Web Support =>  (940) 369-8876
University of North Texas   =>  http://web2.unt.edu


--
Shannon Eric Peevey =>  "speeves"
Dyno-Mite! System Administrator =>  [EMAIL PROTECTED]
Central Web Support =>  (940) 369-8876
University of North Texas   =>  http://web2.unt.edu




Re: mod_perl-xxx.rpm not a better choice?

2004-02-26 Thread Shannon Eric Peevey
B. Fongo wrote:

Are there any reasons why one shouldn’t use rpm version of mod_perl?

I’m on Red Hat 8.0, and for unknown reason, mod_perl is behaving 
strangely.

The binary packages of mod_perl are good for what they are. 
Unfortunately, they are compiled with a set of flags that are seen as 
the most useful for the majority. Therefore, if you want, or need, any 
special options, then it is best to use the tarball. (Also, the binary 
package may, or may not, include the newest version of the tarball)

'sup to you :)

--
Shannon Eric Peevey =>  "speeves"
Dyno-Mite! System Administrator =>  [EMAIL PROTECTED]
Central Web Support =>  (940) 369-8876
University of North Texas   =>  http://web2.unt.edu




Re: PATCH to Apache::AuthNetLDAP 0.26

2004-03-05 Thread Shannon Eric Peevey
Nick Urbanik wrote:

Dear Folks,

Sorry, GPG munged the patch.
Here is an unmunged patch.
Is this the right place to send it?
 

Yes, thanks!  I was just getting ready to implement ldaps support in it, 
but you beat me to the punch.  You can expect the next version to be out 
during the next month.

thanks,

--
Shannon Eric Peevey =>  "speeves"
Dyno-Mite! System Administrator =>  [EMAIL PROTECTED]
Central Web Support =>  (940) 369-8876
University of North Texas   =>  http://web2.unt.edu




Re: PATCH to Apache::AuthNetLDAP 0.26

2004-03-06 Thread Shannon Eric Peevey
Nick Urbanik wrote:

How about the filter and scope support?

Is the documentation okay?
 

I haven't had a chance to look at it in depth, but I'll let you know 
when I do. 

thanks again :)

--
Shannon Eric Peevey =>  "speeves"
Dyno-Mite! System Administrator =>  [EMAIL PROTECTED]
Central Web Support =>  (940) 369-8876
University of North Texas   =>  http://web2.unt.edu




Re: PATCH to Apache::AuthNetLDAP 0.26

2004-03-08 Thread Shannon Eric Peevey

How about the filter and scope support?
 

I wonder if the filter and scope support might be more appropriate in 
the authz handler...  What do you all think?

--
Shannon Eric Peevey =>  "speeves"
Dyno-Mite! System Administrator =>  [EMAIL PROTECTED]
Central Web Support =>  (940) 369-8876
University of North Texas   =>  http://web2.unt.edu




Re: Trouble with AuthenSmb

2004-03-16 Thread Shannon Eric Peevey
Lehman, Jason (Registrar's Office) wrote:

I am getting the error below in my apache logs when someone can’t be 
authenticated. If they are authenticated there are no problems.

Can't locate object method "log_reason" via package "Apache::RequestRec" at /usr/lib/perl5/site_perl/5.8.0/Apache/AuthenSmb.pm line 99.!

This box is a Redhat AS 3 box with apache 2 and mod_perl.

Hi!

Make sure that you are using:

Apache::AuthenSmb-0.70

That is the newest version of AuthenSmb which works with mp2. For more 
information on this, check out:

http://perl.apache.org/products/apache-modules.html#Porting_CPAN_modules_to_mod_perl_2_0_Status

thanks,

--
Shannon Eric Peevey =>  "speeves"
Dyno-Mite! System Administrator =>  [EMAIL PROTECTED]
Central Web Support =>  (940) 369-8876
University of North Texas   =>  http://web2.unt.edu




Re: Apache::AuthenNTLM v2.04 - Apache hangs on authentication

2004-03-16 Thread Shannon Eric Peevey
[EMAIL PROTECTED] wrote:

Hi,

Hope I am emailing the right people - apologies if not :)

We have been using modperl & Apache::AuthenNTLM on HP-UX for a few months
now, and it works just peachy most of the time. However, every now and then
we get a problem with the web server hanging when trying to load a page. If
I check the netstat -a output I can see there is an established connection
to our domain server with a netbios session - which I assume is Apache
trying to authenticate the user.
 

If you could set the ntlmdebug to 2 and send the bit of the logfile that 
shows the hung connections, we could see if we can catch this bad boy in 
action.  (A capture of packets would be great too :) )

I recall reading somewhere that there is some issue whereby the domain
server and web server fail to communicate properly, and are left in a state
where each is listening for the other - a recipe for hung processes if ever
there was one ... unfortunately I can't remember what the cause of this was,
nor what the resolution was (if any). Anyone know what I'm on about ?
 

I seem to remember the semaphore being a possible cause for hanging the 
server.  Have you increased/decreased the "semtimeout" value to see if 
that helped?

One peculiarity of our system (well, I assume it's us being peculiar, but
you never know) ... we don't actually authenticate against a genuine domain
controller, but are using a regular NT server that is trusted by the domain
controllers for all our domains. This came about because the AuthenNTLM
module (or Apache itself) could not correctly identify the domain in order
to choose the correct domain controller - it always uses the "default" or
"fallback" domains. Works fine for domain FOO when that domain is the
fallback domain, but then users in domain BAR won't authenticate - and vice
versa. The only way it works (and it does) is to set the fallback domain to
a generic NT server that is trusted by both FOO and BAR domain controllers,
and somehow it works out who to authenticate against which controller
(apparently this is a kosher bit of NT functionality). Still, I can't help
but wonder if this is causing our hanging problem ... any thoughts folks?
 

Could you expand on this?  You are saying that:

   #                    domain          pdc             bdc
   PerlAddVar ntdomain "name_domain1   name_of_pdc1"
   PerlAddVar ntdomain "other_domain   pdc_for_domain  bdc_for_domain"

Won't allow you to authenticate against both FOO and BAR domain controllers?

thanks,

--
Shannon Eric Peevey =>  "speeves"
Dyno-Mite! System Administrator =>  [EMAIL PROTECTED]
Central Web Support =>  (940) 369-8876
University of North Texas   =>  http://web2.unt.edu




Re: Groups, Multiple Domains, and AuthenSmb

2004-03-17 Thread Shannon Eric Peevey
I think I mentioned this a while back, I modified Apache::AuthenSMB to 
allow users to specify the domain in the username field, such as, 
Domain\Username. We have various domains by regions, "hard-coding" the 
Domain in the configuration was too restrictive for our user base. 
Would anyone be interested in the patch?

I would be interested in the patch.  I will check it out, and see if we 
should implement it in AuthenSMB.

thanks,
speeves
cws




Re: Trouble with AuthenSmb

2004-03-17 Thread Shannon Eric Peevey
 
I have mp2 (the 1.99 threw me off), that came from a Red Hat enterprise 
Package, along with Apache 2 and I do have your 70 version of 
Authen_Smb.  I am getting the "Can't locate object method log_reason 
via Apache::RequestRec at 
/usr/lib/perl5/site_perl/5.8.0/Apache/Authen_Smb.pm" only when it is 
an actual windows user that isn't in the valid user list.  If I use 
just a made up name and password that doesn't exist it works fine and 
tells me that they are not authorized.  Is this a bug or an issue on 
my side?
 
Good on you.  I'm glad you were persistent!  I found the error, and I 
had just missed one line when porting the module.  Change:

$r->log_reason("user $name: not authorized", $r->uri);

with:

MP2 ? $r->log_error("user $name: not authorized", $r->uri) : $r->log_reason("user $name: not authorized", $r->uri);

I will update the module and upload it as soon as possible.

thanks,
speeves
cws






[MP ANNOUNCE] Apache-AuthenSmb-0.71

2004-03-17 Thread Shannon Eric Peevey
The uploaded file

   Apache-AuthenSmb-0.71.tar.gz

has entered CPAN as

 file: $CPAN/authors/id/S/SP/SPEEVES/Apache-AuthenSmb-0.71.tar.gz
 size: 4054 bytes
  md5: 811c3b758fae5698bf06b4fec1cf00b9

This includes the fix for the authz function found by Jason Lehman.  (thanks!) (Missing MP2 check to swap out $r->log_error for $r->log_reason)

speeves
cws




Re: Groups, Multiple Domains, and AuthenSmb

2004-03-17 Thread Shannon Eric Peevey
Lehman, Jason (Registrar's Office) wrote:

If Carlos hasn't gotten back to you I wanted to send you a link to his
referenced mail to the group originally.
http://marc.theaimsgroup.com/?l=apache-modperl&m=106809701925690&w=2

And do you think you are going to try to incorporate these changes?
Because I will hold off adding them if you think they are going to make
it in to a release soon.
 

I have just uploaded:

Apache-AuthenSmb-0.71

This fixes the $r->log_reason/$r->log_error problem in version 0.70.  

Thanks for the thread, but I feel that it would be more appropriate to 
use Apache::AuthenCache for the purposes stated in the thread.

http://search.cpan.org/~cgilmore/Apache-AuthenCache-1.00/AuthenCache.pm

Carlos, if you have a different patch for the domain issue, please, send 
that on.

thanks,
speeves
cws




Re: Groups, Multiple Domains, and AuthenSmb

2004-03-19 Thread Shannon Eric Peevey
Carlos Ramirez wrote:

Oops, I sent the wrong diff. I also updated the module on my site.
http://www.quantumfx.com/software/modules/Apache-AuthenSmb.pm

Thanks!  Unfortunately, I am enjoying my spring break vacation (one of 
the perks of the job), so am not going to think about this until next 
week ;)  (I will get right on it then :) )

take care,

--
Shannon Eric Peevey =>  "speeves"
Dyno-Mite! System Administrator =>  [EMAIL PROTECTED]
Central Web Support =>  (940) 369-8876
University of North Texas   =>  http://web2.unt.edu




[MP ANNOUNCE] Apache-AuthNetLDAP-0.27

2004-03-22 Thread Shannon Eric Peevey
The uploaded file

   Apache-AuthNetLDAP-0.27.tar.gz

has entered CPAN as

 file: $CPAN/authors/id/S/SP/SPEEVES/Apache-AuthNetLDAP-0.27.tar.gz
 size: 6539 bytes
  md5: 00e47e129bae1949a53e06ee42a4a6e2

This release incorporates Nick Urbanik's patch into Apache-AuthNetLDAP.  This adds TLS encryption between web server and ldap server, an ldap filter, and a search scope.  He also has added great documentation to explain the usage of each new function. (Thanks, Nick!!)

--
Shannon Eric Peevey =>  "speeves"
Dyno-Mite! System Administrator =>  [EMAIL PROTECTED]
Central Web Support =>  (940) 369-8876
University of North Texas   =>  http://web2.unt.edu




Re: Groups, Multiple Domains, and AuthenSmb

2004-03-22 Thread Shannon Eric Peevey
Carlos Ramirez wrote:

Oops, I sent the wrong diff. I also updated the module on my site.
http://www.quantumfx.com/software/modules/Apache-AuthenSmb.pm
-Carlos

Carlos Ramirez wrote:

Included is the diff of the current 0.71 version and my mods.

The mods include the following mods:
* Allows user to use Domain\Username to authenticate. Actually, I'm 
also allowing Domain/Username. This eliminates a lot of the problems 
experienced by our users not remembering to use the 'back slash' 
instead of the 'forward slash'.

This is fantastic, and should probably be added to the other 
authen/authz mods, as well! 

* Allows 'require group groupname1 groupname2 ... groupnameN'. This 
feature requires Apache::Htgroup, but in order to avoid problems, I 
only 'use' this module whenever 'require group' is present, instead 
of loading it at the beginning. Is this okay?

'use' tries to load the module at compile time, and therefore, would 
fail the make test, as well as, fail with an "internal server error" 
when any call to the module is made.  Therefore, in keeping with making 
the function optional, we need to 'require' the module.  More specific 
information can be found at:

http://perl.apache.org/docs/general/perl_reference/perl_reference.html#use__
http://perl.apache.org/docs/general/perl_reference/perl_reference.html#require__

Now, that being said, I am not sure that we need this functionality 
built into the authz function here.  (This is a question that I am 
bringing up for debate).  If we want to use a groupfile, etc. for 
authorizing a user, shouldn't we just let apache take care of it?  (By 
adding a PerlSetVar to make the authz function in this module optional, 
as well).  Then we just bypass the authz function, and apache grabs the 
group file, etc. by allowing us to specify this in the conf/htaccess 
file.  (Using AuthGroupFile, etc.) 

What do you think?

* Adds a 'PerlSetVar authzUsername' configuration parameter that 
allows you to configure the format of the "username" for the 
authorization phase (the name of this variable is up for 
suggestions). The value can be one of two values: userid or 
domain\userid. The default value is set to 'userid', which is the 
current implementation.

I think this is a good idea, based on what we decide above.  (And, we 
could actually use this in other modules that need this same functionality)



Hope this is not too confusing.

This is a great explanation! 

thanks,

--
Shannon Eric Peevey =>  "speeves"
Dyno-Mite! System Administrator =>  [EMAIL PROTECTED]
Central Web Support =>  (940) 369-8876
University of North Texas   =>  http://web2.unt.edu
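
The choice between `userid` and `domain\userid` for the authorization phase, discussed in the message above, matters once more than one domain is trusted. The Perl below is an added example, not code from Apache::AuthenSmb or from Carlos Ramirez's patch; the helper names, the group data and the FOO/BAR users are constructed, and `authzUsername` is modelled only as the two values named in the message.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed group data in htgroup format ("group: member member ...").
# Group and user names are made up for this example.
my $GROUPS_BARE = <<'EOT';
admins: alice
staff: alice bob
EOT

my $GROUPS_QUALIFIED = <<'EOT';
admins: FOO\alice
staff: FOO\alice BAR\alice BAR\bob
EOT

# Split what the browser sent into (domain, userid). Accepts DOMAIN\user and
# DOMAIN/user; a bare userid gets $default_domain. Returns an empty list for
# malformed or ambiguous input so the caller can refuse it.
sub split_domain_user {
    my ($sent, $default_domain) = @_;
    return unless defined $sent && length $sent;
    my @parts = split m{[\\/]}, $sent, -1;
    return if @parts > 2;                       # more than one separator
    my ($domain, $user) = @parts == 2 ? @parts : ($default_domain, $parts[0]);
    return unless defined $domain && length $domain && length $user;
    return if "$domain$user" =~ /[\s:]/;        # would break the group file format
    return (uc $domain, lc $user);              # NT names compare case-insensitively
}

# Parse htgroup text into { group => { member => 1 } }, folding case the same
# way split_domain_user does so that lookups match.
sub parse_groups {
    my ($text) = @_;
    my %groups;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(?:#|$)/;
        my ($group, $members) = $line =~ /^\s*([^:\s]+)\s*:\s*(.*)$/ or next;
        for my $m (split ' ', $members) {
            my ($d, $u) = $m =~ m{^(.+)[\\/](.+)$} ? (uc $1, lc $2) : (undef, lc $m);
            $groups{$group}{ defined $d ? "$d\\$u" : $u } = 1;
        }
    }
    return \%groups;
}

# Authorization check modelled on the proposed "authzUsername" setting:
# 'userid' compares the bare name, 'domain\userid' the qualified one.
sub authorized {
    my (%arg) = @_;   # sent, default_domain, mode, groups, require
    my ($domain, $user) = split_domain_user($arg{sent}, $arg{default_domain})
        or return 0;
    my $name = $arg{mode} eq 'domain\userid' ? "$domain\\$user" : $user;
    for my $group (@{ $arg{require} }) {
        return 1 if $arg{groups}{$group}{$name};
    }
    return 0;
}

my $bare      = parse_groups($GROUPS_BARE);
my $qualified = parse_groups($GROUPS_QUALIFIED);

# Constructed logins: both separators, a bare name, and two malformed values.
for my $sent ('FOO\alice', 'BAR/alice', 'alice', 'BAR\bob', 'FOO\\', 'a\b\c') {
    my $by_userid = authorized(sent => $sent, default_domain => 'FOO',
        mode => 'userid', groups => $bare, require => ['admins']);
    my $by_qualified = authorized(sent => $sent, default_domain => 'FOO',
        mode => 'domain\userid', groups => $qualified, require => ['admins']);
    printf "%-10s userid=%-5s domain\\userid=%s\n", $sent,
        $by_userid ? 'allow' : 'deny', $by_qualified ? 'allow' : 'deny';
}
```

With bare `userid` matching, `BAR/alice` is allowed into `admins` because only the part after the separator is compared; with `domain\userid` matching and qualified group entries it is denied.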




[ANNOUNCE] Apache-AuthNetLDAP-0.28

2004-03-26 Thread Shannon Eric Peevey
The uploaded file

   Apache-AuthNetLDAP-0.28.tar.gz

has entered CPAN as

 file: $CPAN/authors/id/S/SP/SPEEVES/Apache-AuthNetLDAP-0.28.tar.gz
 size: 6670 bytes
  md5: 36baba851233d47ebe8fa1e57d8b4b81

This release includes code from Carlos Ramirez that splits the domain off of the username.  (This is in response to windows machines that throw the DOMAIN\username into $r->user without you asking ;) )

--
Shannon Eric Peevey =>  "speeves"
Dyno-Mite! System Administrator =>  [EMAIL PROTECTED]
Central Web Support =>  (940) 369-8876
University of North Texas   =>  http://web2.unt.edu




[ANNOUNCE] Apache-AuthenSmb-0.72

2004-03-26 Thread Shannon Eric Peevey
The uploaded file

   Apache-AuthenSmb-0.72.tar.gz

has entered CPAN as

 file: $CPAN/authors/id/S/SP/SPEEVES/Apache-AuthenSmb-0.72.tar.gz
 size: 5526 bytes
  md5: 510d7da1dfbdb99c65b99fe9a9198aae

Additions to this release are:

   - split domain\username so that one can manipulate
     one or all members of the array
   - added htgroup check for "require group" capabilities
     (All thanks to Carlos Ramirez.  Thanks!!)
   - Added documentation to include PerlSetVar items
   - Cleaned up code a bit
   - Added Apache::Htgroup as a prereq for this module
     in the Makefile.PL

--
Shannon Eric Peevey =>  "speeves"
Dyno-Mite! System Administrator =>  [EMAIL PROTECTED]
Central Web Support =>  (940) 369-8876
University of North Texas   =>  http://web2.unt.edu




Re: [ANNOUNCE] Apache-AuthenSmb-0.72

2004-03-26 Thread Shannon Eric Peevey


A long time ago I wrote this:


my problem:
I'm running a reverse proxy with apache 1.3.x
and mod_proxy on debian. For the authentication
libapache-authensmb is used, so there's a
connection to the domain controller present and
working.
Everything is fine, but for each request sent
by the browser, the module needs to authenticate
on the nt-domain. As I was told, the domain
controller can't handle all the requests, so it's
comparable with a DOS-attack. Because of this,
the browser opens multiple times the popup for
filling in the authentication data (although it's
not necessary).
To prevent this, I tried the following ideas I
have found in the web:
a) exclude images from being authenticated
b) AuthenCache
c) AuthzCache
Nothing helped...

Has this been fixed in the meanwhile?
 

Hmm...  My thought would have been that Apache::AuthenCache would do the 
trick...  What are the exact symptoms when you use AuthenCache?  Are you 
still hitting the Domain controller for every request?

Another option would be to use $r->is_initial_req like:

   my $r = shift;
   return OK unless $r->is_initial_req;

What happens when you add this to the module?  (I'm not sure that this 
would be appropriate in the main module on CPAN, but you could just add 
the line everytime you downloaded it...  (What does everyone else 
think?  Maybe set a PerlSetVar to turn this on and off?))

--
Shannon Eric Peevey =>  "speeves"
Dyno-Mite! System Administrator =>  [EMAIL PROTECTED]
Central Web Support =>  (940) 369-8876
University of North Texas   =>  http://web2.unt.edu




module name discussion [apache::authzhtgroup]

2004-03-29 Thread Shannon Eric Peevey
Hi!

Please, don't flame me!! ;) 

Just wondering if there is a use for this module to be available on CPAN

Apache::AuthzHtgroup --

This module was written so that we could hijack the Authz phase from 
Apache and
modify values that are passed to the Authz Handler with perl.  The 
initial concept
was to deal with a problem that we are seeing from winXP boxes that are 
sending
forward DOMAIN\username to Apache.  These obviously fail when checked 
against an
authentication, or authorization, scheme where the syntax is simply 
username.

Just let me know if this would be useful.

thanks,

--
Shannon Eric Peevey =>  "speeves"
Dyno-Mite! System Administrator =>  [EMAIL PROTECTED]
Central Web Support =>  (940) 369-8876
University of North Texas   =>  http://web2.unt.edu




Re: [ANNOUNCE] Apache-AuthenSmb-0.72

2004-03-30 Thread Shannon Eric Peevey
Tauber, Mathias HDP wrote:

Sorry for the late answer...

 

Hmm...  My thought would have been that Apache::AuthenCache 
would do the 
trick...  What are the exact symptoms when you use 
AuthenCache?  Are you 
still hitting the Domain controller for every request?
   

Yes, still like DoS...
 

:(

Haven't tried this, but I was told to add this to the module:
(Version 0.6, Debian Release)

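sub authen {
  my @args = @_;
  # Truncate everything to length 80 to avoid poor coding practices in the
  # smbvalid.a (buffer overflows) PMK--fixme in smbvalid.a when possible.
  for my $i ( 0..$#args ) {
    $args[$i] = substr($args[$i], 0, 80);
  }
  my($username, $password, $server, $backup, $domain) = @args;

  # The "#new:" lines serialize calls to Valid_User with an exclusive lock;
  # LOCK_EX needs "use Fcntl qw(:flock);" at the top of the module.
  # A fixed name in /tmp is predictable; a directory that only the server
  # user can write to is safer for the lock file.
#new:  open L, "> /tmp/AuthenSmb.lck" or die "Can't open /tmp/AuthenSmb.lck: $!\n";
#new:  flock L, LOCK_EX;
  my $res = Valid_User($username, $password, $server, $backup, $domain);
#new:  close L;
  return $res;
}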

This changes work, but I don't know how secure this solution is.

How secure is 'return OK unless $r->is_initial_req;'? What's the
(technical) difference between the initial and the rest? Isn't
it easy to fake at this point?
 

The excerpt from X, (sorry, I forgot their name :( ), uses a semaphore 
to maintain the connection, where

'return OK unless $r->is_initial_req;'

uses a flag in the request object to bypass the authentication module if the flag is set.  (It is set after the first successful pass through the module.  Therefore, you have an increase in efficiency, (no I/O calls), and you are playing within Apache and mod_perl.  (Plus, the username/password and server information are not left lying around in storage for someone to find ;) ) 

HTH,

--
Shannon Eric Peevey =>  "speeves"
Dyno-Mite! System Administrator =>  [EMAIL PROTECTED]
Central Web Support =>  (940) 369-8876
University of North Texas   =>  http://web2.unt.edu




Re: [ANNOUNCE] Apache-AuthenSmb-0.72

2004-03-30 Thread Shannon Eric Peevey

How is the first request identified? Is there a http-session
set, or is it IP-based? How is a client identified?
 

Basically, this only deals with subrequests for each individual 
request.  This doesn't set a session for the whole time the user is 
interfacing with your application.  If you need something that does 
that, then you should look at programmatically creating a session 
through a cookie, (apache::authcookientlm comes to mind), or some other 
tool that is used to maintain state during the user's session.  
Apache-AuthenSmb only authenticates the user, it doesn't maintain 
state.  (It is beyond the scope of the module)

--
Shannon Eric Peevey =>  "speeves"
Dyno-Mite! System Administrator =>  [EMAIL PROTECTED]
Central Web Support =>  (940) 369-8876
University of North Texas   =>  http://web2.unt.edu
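
The approaches raised in this thread (no shortcut, `return OK unless $r->is_initial_req`, and a credential cache) differ in how often the domain controller is contacted. The following Perl model is an added example, not code from Apache::AuthenSmb or Apache::AuthenCache; the `initial` field stands in for `$r->is_initial_req` (true for a main request, false for a subrequest), and the traffic, credentials and `validate_against_dc` stub are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Stand-in for the SMB validation call against the domain controller; it
# only counts how often it is reached. Credentials are constructed.
my $dc_calls = 0;
sub validate_against_dc {
    my ($user, $pass) = @_;
    $dc_calls++;
    return $user eq 'alice' && $pass eq 'correct horse';
}

# Constructed traffic for one page view: the page and two images are
# separate HTTP requests that each carry the same Basic credentials;
# menu.html is an internal subrequest made while serving the page.
my @traffic = (
    { uri => '/app/',          initial => 1 },
    { uri => '/app/menu.html', initial => 0 },
    { uri => '/app/logo.png',  initial => 1 },
    { uri => '/app/photo.png', initial => 1 },
);

# Per-process random key: cache entries are keyed by an HMAC of the
# credentials, so no password is kept in the cache itself.
sub random_key {
    open my $fh, '<:raw', '/dev/urandom' or die "no /dev/urandom: $!";
    my $key = '';
    read($fh, $key, 32) == 32 or die "short read from /dev/urandom";
    return $key;
}
my $cache_key = random_key();
my %cache;   # hmac(user, password) => expiry time

sub handler {
    my ($req, $user, $pass, %opt) = @_;
    # Model of "return OK unless $r->is_initial_req;"
    return 'OK' if $opt{skip_subrequests} && !$req->{initial};
    if ($opt{cache_ttl}) {
        my $k = hmac_sha256_hex(join("\0", $user, $pass), $cache_key);
        return 'OK' if ($cache{$k} // 0) > $opt{now};
        return 'AUTH_REQUIRED' unless validate_against_dc($user, $pass);
        $cache{$k} = $opt{now} + $opt{cache_ttl};   # only successes are cached
        return 'OK';
    }
    return validate_against_dc($user, $pass) ? 'OK' : 'AUTH_REQUIRED';
}

# Replay three page views, 10 seconds apart, and report the DC call count.
sub dc_calls_for {
    my (%opt) = @_;
    $dc_calls = 0;
    %cache    = ();
    for my $view (0 .. 2) {
        for my $req (@traffic) {
            handler($req, 'alice', 'correct horse', %opt, now => $view * 10);
        }
    }
    return $dc_calls;
}

printf "%-20s %2d DC calls\n", 'no shortcut',      dc_calls_for();
printf "%-20s %2d DC calls\n", 'skip subrequests', dc_calls_for(skip_subrequests => 1);
printf "%-20s %2d DC calls\n", 'cache, 60 s TTL',  dc_calls_for(cache_ttl => 60);

# The cache still holds the good login; a different password gets a
# different key and is sent to the DC instead of being answered from cache.
my $bad = handler($traffic[0], 'alice', 'guess', cache_ttl => 60, now => 25);
print "wrong password with warm cache: $bad\n";
```

In this model the subrequest shortcut removes only the one internal subrequest per page view, while the images still trigger a validation each because they arrive as separate requests.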




[ANNOUNCE] Apache-AuthzSplitDomainUser-0.01

2004-04-08 Thread Shannon Eric Peevey
The uploaded file

   Apache-AuthzSplitDomainUser-0.01.tar.gz

has entered CPAN as

 file: $CPAN/authors/id/S/SP/SPEEVES/Apache-AuthzSplitDomainUser-0.01.tar.gz
 size: 4241 bytes
  md5: a5e1a63f212884e2885b3bd8ea65041b

This module basically pulls the authz handler from Apache::AuthenSmb, so that it can be used with other authentication mechanisms.  (In our case, Apache::AuthNetLDAP) It is the first release, so should be considered beta until more people have beat on it.  At this time, it simply checks the username, from $r->user, for a backslash, as found in DOMAIN\username.  It then allows you to either check the htgroup files with "username", or "DOMAIN\username", for correct authorization.

This namespace is not finalized, but has been applied for.  Thanks to Geoff Y. for the idea for a better name :)

--
Shannon Eric Peevey =>  "speeves"
Dyno-Mite! System Administrator =>  [EMAIL PROTECTED]
Central Web Support =>  (940) 369-8876
University of North Texas   =>  http://web2.unt.edu




[ANNOUNCE] Apache-AuthenNIS-0.13

2004-04-20 Thread Shannon Eric Peevey
The uploaded file

   Apache-AuthenNIS-0.13.tar.gz

has entered CPAN as

 file: $CPAN/authors/id/S/SP/SPEEVES/Apache-AuthenNIS-0.13.tar.gz
 size: 4517 bytes
  md5: 4135dec36ef4e032ea20fec782483d55

This version adds the ability to fall back to an alternative authen module, if the user is not found in the NIS map.

--
Shannon Eric Peevey =>  "speeves"
Dyno-Mite! System Administrator =>  [EMAIL PROTECTED]
Central Web Support =>  (940) 369-8876
University of North Texas   =>  http://web2.unt.edu


[ANNOUNCE] Apache-AuthenNTLM-2.07

2004-05-07 Thread Shannon Eric Peevey
The uploaded file

   Apache-AuthenNTLM-2.07.tar.gz

has entered CPAN as

 file: $CPAN/authors/id/S/SP/SPEEVES/Apache-AuthenNTLM-2.07.tar.gz
 size: 55379 bytes
  md5: 27c2f1126cabef88f16cf349931acc4d

This release fixes the lazy finger problem in the previous module.  (Thanks for catching it Dan Roegelein!)

--
Shannon Eric Peevey =>  "speeves"
Dyno-Mite! System Administrator =>  [EMAIL PROTECTED]
Central Web Support =>  (940) 369-8876
University of North Texas   =>  http://web2.unt.edu




Fwd: CPAN Upload: S/SP/SPEEVES/Apache-AuthenNTLM-2.06.tar.gz

2004-05-01 Thread Shannon Eric Peevey


- Forwarded message from PAUSE <[EMAIL PROTECTED]> -
Date: Sat, 1 May 2004 17:19:42 +0200
From: PAUSE <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
 Subject: CPAN Upload: S/SP/SPEEVES/Apache-AuthenNTLM-2.06.tar.gz
  To: Shannon Eric Peevey <[EMAIL PROTECTED]>

The uploaded file

Apache-AuthenNTLM-2.06.tar.gz

has entered CPAN as

  file: $CPAN/authors/id/S/SP/SPEEVES/Apache-AuthenNTLM-2.06.tar.gz
  size: 55327 bytes
   md5: 357678c8ebedae04fb9fe132c0dbafe5


This version of Apache-AuthenNTLM includes a patch by Michael Zehrer that splits
the domain\user, if so desired.  It also has some great documentation brought
about by a conversation with Darryl Miles explaining differences in configuring
AuthenNTLM for use with a windows smb server, and a Samba server.

thanks, ya'll!


-- 
Shannon Eric Peevey
Computer Systems Manager
UNT - Central Web Support
(940)369-8876





[ANNOUNCE] Apache-AuthNetLDAP-0.29

2004-05-03 Thread Shannon Eric Peevey
The uploaded file
   Apache-AuthNetLDAP-0.29.tar.gz
has entered CPAN as
 file: $CPAN/authors/id/S/SP/SPEEVES/Apache-AuthNetLDAP-0.29.tar.gz
 size: 6952 bytes
  md5: 66f557af1f2c443d8219be32200bed60
This release incorporates the ability to specify an alternative attribute as the 
password field...
--
Shannon Eric Peevey =>  "speeves"
Dyno-Mite! System Administrator =>  [EMAIL PROTECTED]
Central Web Support =>  (940) 369-8876
University of North Texas   =>  http://web2.unt.edu


Re: AuthCookieNTLM and browser hangs

2004-06-03 Thread Shannon Eric Peevey

All,
We are testing AuthCookieNTLM to secure our Intranet. We are running Apache
1.3, mod_perl, and AuthCookieNTLM. Our requests are also rewritten using
mod_rewrite. If we hit the server quickly enough, and with enough requests,
the browsers start to hang. This problem only occurs in our UAT environment,
while the module works really well in dev.
Some of our users are logged into a different domain and do get prompted for
their credentials on the domain we authenticate against. However, if enough of
these users attempt to log in to the intranet at once, the browsers start to
hang during the authentication process. Once one browser is hung, I can point
a new browser window at our intranet and the first browser window kicks back
into life, and the new browser window hangs. 

It seems like the lock is getting stuck somewhere. Once the authentication is
complete, and the authentication cookie issued, the user can continue to
browse the intranet successfully.
Has anybody else experienced a similar problem with this module?
   

Gerald wrote this in the body of the module:
   # we cannot attach our object to the connection record. Since in
   # Apache 1.3 there is only one connection at a time per process
   # we can cache our object and check if the connection has changed.
   # The check is done by slightly changing the remote_host member, which
   # persists as long as the connection does
   # This has to be reworked to work with Apache 2.0
I'm assuming that this can be fixed in a threaded mpm,  but haven't 
looked into it yet.  At this time, the only way to work around this 
would be to shorten the:

=head2 PerlSetVar ntlmsemtimeout
it defaults to 2 seconds, but can be specified.  Try that, and let us know if you see 
some improvement.
thanks,
--
Shannon Eric Peevey =>  "speeves"
Dyno-Mite! System Administrator =>  [EMAIL PROTECTED]
Central Web Support =>  (940) 369-8876
University of North Texas   =>  http://web2.unt.edu



Re: AuthCookieNTLM and browser hangs

2004-06-18 Thread Shannon Eric Peevey
Brett Beaumont wrote:
I tried reducing ntlmsemtimeout to 1, but did not see any change in the behaviour. I have also managed to get this module to hang under our development environment now, though I'm not sure how come.
 

Can you sniff the packets, and send a copy of the capture?  Then we 
should be able to see what is happening.

thanks,
--
Shannon Eric Peevey
EriKin Team Leader
[EMAIL PROTECTED]
http://www.erikin.com



Re: Apache::AuthenNTLM behind a proxy

2004-07-07 Thread Shannon Eric Peevey
Andrew Green wrote:
Hi,
I've got a problem trying to set up Apache::AuthenNTLM to secure the 
administration area for our (mod_perl-based) CMS.

The server setup is as follows:
	* A lightweight port-80 instance of Apache, which deals with
	  all requests for static content, and proxies everything else
	  over to...
	  
	* A mod_perl-centric, port-8080 instance of Apache, which
	  deals with all the dynamic, mod_perl-generated content

I've setup the authentication on the administration area in the 
httpd.conf file for the backend, port-8080 server to use AuthenNTLM.  
When I access a test script directly on the port:8080 server, the 
authentication works a dream.  This seems to confirm, to me, that the 
settings are basically correct.

However, when I try to access the authenticated area through the 
frontend, port-80 server, the authentication doesn't work.  The client  
gets a variation on the "little grey box" of Basic Authentication, this 
time with a "domain" field added.  Entering details into the box only 
brings the box back, however.
 

According to this Microsoft Knowledge Base Article 
(http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q198/1/16.ASP&NoWebContent=1):


When a proxy server is inserted into the system, between the Web browser 
and the Web publishing server, NTLM authentication between the client 
browser and the WEB publishing server will no longer work. In fact any 
authentication method relying on implicit end-to-end state (such as 
NTLM) will cease working.

The HTTP 1.1 specification states that all state is hop-by-hop only. 
End- to-end state can be achieved using a cookie or some other token 
distinct from HTTP. The most obvious symptom of this failing is client 
browsers receiving a message about authentication failure, such as 
"Access Denied."


Therefore, you will be limited to using Basic Authentication with 
AuthenNTLM :(

--
Shannon Eric Peevey
President - EriKin Corporation
[EMAIL PROTECTED]
(940) 391-6777
http://www.erikin.com


Re: Authen::NTLM

2004-07-08 Thread Shannon Eric Peevey
Phipps, Jeff wrote:
Hello,
I am having a problem with the Authen:NTLM module 2.07.  I am not sure if
these are bugs, or I am trying to implement it incorrectly.
Problem 1:   If it is using a pre-existing user connection, it does not
recall the map_user function
I am using the map_user function to setup environment variables that I query
from the ADS using LDAP, so the application does not have to handle querying
such information as email address, etc...
 

This is because NTLM HTTP authentication is connection-oriented, rather 
than request-oriented.  Therefore, each subsequent request will not 
carry any authentication information that would prompt for an 
authentication request from the server.  (This is true except when 
submitting a POST request).

http://davenport.sourceforge.net/ntlm.html#ntlmHttpAuthentication

Problem 2:  Can't login from a remote Windows PC
The module seems to only try NTLM if the client is a windows machine, and if
you are not part of the domain, it will not authorize you.  Should this try
using Basic if NTLM fails to allow non member machines to authenticate
against the domain like a netscape browser would do?
 

Yes, NTLM will really only work with Internet Explorer.  (Though there 
are rumors of other browsers(???) that might have NTLM support 
implemented now...)  I would test with basic.  If that works, make sure 
that you are setting the Keep-Alive header, (HTTP 1.0), or using HTTP 
1.1, for the transaction.  Also, check to see if you have a proxy 
between the client and the server.  This will stop any NTLM 
authentication attempts, as well.  (Check out this thread: 
http://www.gossamer-threads.com/lists/modperl/modperl/69976 )

take care,
--
Shannon Eric Peevey
President - EriKin Corporation
[EMAIL PROTECTED]
(940) 391-6777
http://www.erikin.com



[ANNOUNCE] Apache-AuthExpire-0.39

2004-08-02 Thread Shannon Eric Peevey


The uploaded file

Apache-AuthExpire-0.39.tar.gz

has entered CPAN as

  file: $CPAN/authors/id/S/SP/SPEEVES/Apache-AuthExpire-0.39.tar.gz
  size: 7843 bytes
   md5: 2195ebc7ec82c8c11b8de4275584a49b

No action is required on your part
Request entered by: SPEEVES (Shannon Eric Peevey)
Request entered on: Mon, 02 Aug 2004 11:24:14 GMT
Request completed:  Mon, 02 Aug 2004 11:24:58 GMT


This was a heavy rewrite of the Apache-AuthExpire module.  The changes include:

0.39  Thursday July 29, 2004
  - bcw - Modified to account for proxy redirection that could result in
    the get_remote_host() fctn always returning 127.0.0.1.

  - bcw - I have modified the module to return DECLINED rather than
    OK. This allows other various authentication schemes to operate.

  - bcw - Added a new configuration PerlSetVar variable "TimeoutPurge".
    This variable specifies the number of hours to wait before
    considering a timeout file to be too old to have come from the
    same session. This allows for someone to successfully use the
    AuthExpire to implement session timeouts and clean up old
    authentication timeout files after an extended period of time has
    elapsed.

  - speeves - updated my contact information and included Brandon's patches
  - fixed README and added up-to-date information
  - Added PerlSetVar variable 'AllowAlternateAuth'
    to allow for you to chain authenhandlers...
  - moved the dir_config variable declarations to the top of the
    handler subroutine and cleaned up the code that needed it in
    response to these changes
  - modified proxy patch to check for _any_ proxy server and return
    "real" client address
  - added PerlSetVar variable 'TimeFileDir' to allow you to
    specify an alternate location for your timeout files
  - added a lot of documentation with more information on
    each feature, as well as installation information.
  - changed the timeout file default directory to
    /logs/authexpire
  - updated the README to reflect the new changes.

thanks,

--
Shannon Eric Peevey
President - EriKin Corporation
[EMAIL PROTECTED]
(940) 391-6777
http://www.erikin.com





Re: AuthenNTLM and login

2004-08-04 Thread Shannon Eric Peevey
Quoting Arnaud Blancher <[EMAIL PROTECTED]>:

> hi,
> i use authenNtlm on debian with an Active directory.
> the module is ok (good job !)
> But sometimes the connection to AD is so slow,
> In those cases (no connection to AD available),
> i try to extract the login of the remote user.
> Do you know if it is possible ?
> or if i absolutely need AD active for that ?

Hi!

I am assuming that the inability to access Active Directory is a network issue,
right?  Is there any way to deal with the problem on that front first?

If not, I see that we can add a PerlSetVar that will allow the module to send
DECLINED if the failure to the smb server fails.  (This would allow you to
chain authenhandlers to deal with this situation...)

Let me know if this would help.
thanks,
--
Shannon Eric Peevey
President - EriKin Corporation
[EMAIL PROTECTED]
(940) 391-6777
http://www.erikin.com



Re: AuthenNTLM and login

2004-08-05 Thread Shannon Eric Peevey
Quoting Arnaud Blancher <[EMAIL PROTECTED]>:

>> Hi!
>> I am assuming that the inability to access Active Directory is a network issue,
>> right?
>
> not really.
> the cluster is too heavily loaded (!!!) and it refuses new connections.
> clearly the AD doesn't work as it is supposed to ... but i can't change anything
> else in AD.
> So, i would like to get the magic login of authenNTLM
> (and the password if it is possible) and do the authentication on another system
> (not defined yet)
>
>> Is there any way to deal with the problem on that front first?
>> If not, I see that we can add a PerlSetVar that will allow the module to send
>> DECLINED if the failure to the smb server fails.  (This would allow you to
>> chain authenhandlers to deal with this situation...)
>
> yes, it'll be good.
> In this case, could i know the login (or does it need AD ?)

Hi!

I don't think that a modification to the module would be the best solution here.
It seems that the best solution is going to be at the directory services
cluster.

If we were to allow the AuthenNTLM module to DECLINE and use another alternative
authentication method, then you will need to mirror the AD passwords in some
other location...  Is it possible to bring up a Backup Directory services
server outside of the cluster?  You could then specify the backup as the
failover server, and authentication would always failover there, if the main
cluster was unreachable.  If you can't have a backup server, then you would
need to choose another authentication scheme, (such as LDAP, NIS, etc.), the
problem being that it obviates the whole concept behind a directory service
anyways.

Sorry that I can't be of more help :(
--
Shannon Eric Peevey
President - EriKin Corporation
[EMAIL PROTECTED]
(940) 391-6777
http://www.erikin.com



Re: AuthenNTLM and login

2004-08-05 Thread Shannon Eric Peevey
Quoting Arnaud Blancher <[EMAIL PROTECTED]>:

> I'll use an openldap server or a local bdd in this case.
> BUT i wish to get the login (and password)
> without asking the user again (they must log in only once on their window)
> When the AD is down, do you know a way to get the login (and password) ?

Not that I know of...  You might be able to manipulate it into openldap using
Net::LDAP, but that is for another list ;)  I would check out the homepage at:

http://ldap.perl.org/
--
Shannon Eric Peevey
President - EriKin Corporation
[EMAIL PROTECTED]
(940) 391-6777
http://www.erikin.com



modperl@perl.apache.org

2004-08-19 Thread Shannon Eric Peevey
Hi!

I am in the midst of porting Apache::AuthenCache to mp2, and am having some
issues getting any method from Apache::Module.

I have downloaded the newest CVS snapshot:

modperl-2.0_20040819104308.tar.gz

Am running:

Apache/2.0.50
mod_perl/1.99_15-dev
Perl/v5.8.4

If I run MethodLookup, it correctly displays the methods available from the
module:

speeves3:/usr/local/tarball/modperl-2.0# perl -MApache2 -MModPerl::MethodLookup -e print_module Apache::Module

Module 'Apache::Module' contains the following XS methods:

Method                 Invoked on object type

cmds                   Apache::Module
find_linked_module     Apache::Module
get_config             Apache::Module
loaded                 Apache::Module
minor_version          Apache::Module
module_index           Apache::Module
name                   Apache::Module
next                   Apache::Module
remove_loaded_module   Apache::Module
top_module             Apache::Module
version                Apache::Module


But, when I run make test I get:

Undefined subroutine &Apache::Module::loaded called at
blib/lib/Apache/AuthenCache.pm line 476.

I have found that various docs show different syntax for the new
Apache::Module::loaded, so I tried Apache::Module->loaded as well, which throws
a different error:

Can't locate object method "loaded" via package "Apache::Module"

I am using:

use Apache::Module;

if (Apache::Module::loaded('Apache::Status')) {
#  $r->log->debug("status: launching menu");
  Apache::Status->menu_item('AuthenCache' => 'AuthenCache Menu Item',
            \&status_menu);
}

How do I go about debugging this thing?

thanks,

--
Shannon Eric Peevey
President - EriKin Corporation
[EMAIL PROTECTED]
(940) 391-6777
http://www.erikin.com





modperl@perl.apache.org

2004-08-19 Thread Shannon Eric Peevey
Quoting Stas Bekman <[EMAIL PROTECTED]>:

>> I am using:
>>
>> use Apache::Module;
>>
>> if (Apache::Module::loaded('Apache::Status')) {
>> #  $r->log->debug("status: launching menu");
>>   Apache::Status->menu_item('AuthenCache' => 'AuthenCache Menu Item',
>>             \&status_menu);
>> }
>
> Looks right to me.
>
>> How do I go about debugging this thing?
>
> Do all the tests pass for you? This test: t/response/TestAPI/module.pm
> tests this interface. You can run it with:
>
> t/TEST -v t/api/module.t

That's the kicker... I think that they all passed, but I will double-check in
the morning when I get back to the office.  I had the same problem with
1.99_14, so wanted to double-check with a newer CVS copy.
thanks,
--
Shannon Eric Peevey
President - EriKin Corporation
[EMAIL PROTECTED]
(940) 391-6777
http://www.erikin.com



modperl@perl.apache.org

2004-08-19 Thread Shannon Eric Peevey
Quoting Geoffrey Young <[EMAIL PROTECTED]>:

> Shannon Eric Peevey wrote:
>
>> Hi!
>> I am in the midst of porting Apache::AuthenCache to mp2, and am having some
>> issues getting any method from Apache::Module.
>
> I'd check the archives - john groenveld already started this and we had some
> discussions on list about the way to approach various sticking points.  you
> might want to coordinate with john as well to avoid duplicating work.

Will do.  Long story short, I got patches for Apache::AuthenSmb and
Apache::AuthenCache from a third-party.  So I essentially have a ported
AuthenCache in hand, and was just doing some polishing...  I have contacted
Christian Gilmore, and am waiting for his reply.

I'll contact John and see what his plans were too.
thanks,
--
Shannon Eric Peevey
President - EriKin Corporation
[EMAIL PROTECTED]
(940) 391-6777
http://www.erikin.com



[ANNOUNCE] Apache-AuthenNTLM-2.08

2004-10-04 Thread Shannon Eric Peevey
The uploaded file

   Apache-AuthenNTLM-2.08.tar.gz

has entered CPAN as

  file: $CPAN/authors/id/S/SP/SPEEVES/Apache-AuthenNTLM-2.08.tar.gz
  size: 51878 bytes
   md5: d9332572b46e9174e473c1384e37e07d

No action is required on your part
Request entered by: SPEEVES (Shannon Eric Peevey)
Request entered on: Mon, 04 Oct 2004 17:16:02 GMT
Request completed:  Mon, 04 Oct 2004 17:17:01 GMT

2.08  04.  Oct 2004
  - Applied patch from Chris Hughes, which changes the modification
    of $conn -> remote_host(), (which became read-only in
    mod_perl-1.99_15.)

--
Shannon Eric Peevey
President - EriKin Corporation
[EMAIL PROTECTED]
(940) 391-6777
http://www.erikin.com


Re: why AuthenNTLM prompt for password/user when user in domain

2004-11-24 Thread Shannon Eric Peevey
william lai wrote:

> Hi speeves,
>   i'm trying Apache::AuthenNTLM 2.07 modules with a
> NT PDC, mod_perl-1.19_12, Apache/2.0.51., After

Hi!

Just a note, the newest version of mod_perl is 1.99_17, and Apache
2.0.51 had a security hole that is fixed in 2.0.52.  (Though I have been
seeing a mention of a new vulnerability in 2.0.52 on bugtraq, though
haven't seen it confirmed yet).

> configuration, i browsers the page that protect by AuthenNTLM and it
> prompt me for password/user,  however  it always said the
> user/password is wrong.
> is it true that NTLM don't need to enter password/user when user login
> in the domain?
> and i also set keepalive= on in httpd.conf. I have
> searched for a week why it prompt me for password/user, but
> still can't solve.

If I am understanding this correctly, AuthenNTLM doesn't check for
existing credentials from IE.  It simply checks a local cache to see if
the user already has a session, then throws a 401 Unauthorized if a
cached session is not found.
thanks,
--
Shannon Eric Peevey
President - EriKin Corporation
[EMAIL PROTECTED]
(940) 391-6777
http://www.erikin.com 



Re: why AuthenNTLM prompt for password/user when user in domain

2004-11-26 Thread Shannon Eric Peevey
william lai wrote:

> Hi,
> Thanks for your reply.
> then user/password will prompt user/password for the first time
> accessing the page even though user logged in, am i right?

Yes.

> Do i need a samba server in apache which use the AuthenNTLM.

No, this module works with both Samba and Windows.  (See the docs for
some small differences in configuration).

> And how do i know the user/usernthash is right between the apache
> and PDC? Since my problem is whatever i enter in the user/password
> prompt, it always says wrong password(rc=3).

I would check out these links to help you get down to the packet level 
communication:

http://davenport.sourceforge.net/ntlm.html
http://www.innovation.ch/java/ntlm.html
Both of these pages have great information on reading the packet for 
information pertinent to NTLM authentication. 

BTW, when I look back at your original email, I notice you have 
splitdomainprefix set to 1, which will only send username forward to the 
domain controller.  This was really added to the module to deal with 
users that were not part of a domain, or were falling through to another 
auth module that didn't need the DOMAIN prefix added to the username.  
If you remove this line, then AuthenNTLM will send forward DOMAIN\user, 
which should auth correctly for you.

take care,
--
Shannon Eric Peevey
President - EriKin Corporation
[EMAIL PROTECTED]
(940) 391-6777
http://www.erikin.com


Re: Problems with Apache::AuthenNTLM on Apache 2

2004-12-30 Thread Shannon Eric Peevey
Hess, Fraser wrote:

> Here is the log.  9599 is the transaction when I first call the web page
> in the browser.  9600 is when I try to log on when the realm is blank.
> 9601 is from when I successfully authenticate, using basic it seems.
>
> [9600] AuthenNTLM: protocol=NTLMSSP, type=3, [EMAIL PROTECTED]@[EMAIL PROTECTED]@s^@, [EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@2^@, domain=,
> msg_len=0
> [9600] handler type == 3
> [Tue Dec 28 09:27:38 2004] [error] SMB Server connection not open in
> state 3 for /

I saw this error myself, and believe that it is caused by the patch that
we applied on the last version of AuthenNTLM.

What SMB server are you authenticating against?
--
Shannon Eric Peevey
President - EriKin Corporation
[EMAIL PROTECTED]
(940) 391-6777
http://www.erikin.com


Re: Apache-AuthenNTLM-2.04

2003-10-09 Thread Shannon Eric Peevey
Keven Murphy wrote:

Shannon,

I am trying to get your module to work with Apache 1.2.28 & mod_perl
1.28. I am getting the error below. Any idea what it means? The server
is only accepting NTLMv2. It would appear to me that the module does not
support that version yet. 

Thank you for any help,
K Murphy
[EMAIL PROTECTED]
[13573] AuthenNTLM: Start NTLM Authen handler pid = 13573, connection =
135651588 conn_http_hdr = keep-alive  main =  cuser =  remote_ip =
192.1.69.6 remote_port =  remote_host = <> version = 2.04
[13573] AuthenNTLM: Setup new object
[13573] AuthenNTLM: Config Domain = ls  pdc = 192.1.4.6  bdc = 192.1.4.7
[13573] AuthenNTLM: Config Default Domain = LS
[13573] AuthenNTLM: Config Fallback Domain = 
[13573] AuthenNTLM: Config AuthType = ntlm,basic AuthName = QAAR LS
DOMAIN Directory Authentication
[13573] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 1
[13573] AuthenNTLM: Config NTLMAuthoritative = off  BasicAuthoritative =
off
[13573] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[13573] AuthenNTLM: Authorization Header Basic
[13573] AuthenNTLM: basic auth username = LS\murphyk
[13573] AuthenNTLM: Connect to pdc = 192.1.4.6 bdc = 192.1.4.7 domain =
ls
[13573] AuthenNTLM: enter lock
[Wed Oct  8 15:16:00 2003] [error] access to / failed for  , reason:
Connect to SMB Server faild (pdc = 192.1.4.6 bdc = 192.1.4.7 domain = ls
error = -11/0) for /
[13573] AuthenNTLM: leave lock
[Wed Oct  8 15:16:00 2003] [error] access to / failed for  , reason:
Cannot get nonce for /

Hi!

You are making me dust off the cobwebs!!! ;)

Anyways, I think that the problem is not the version of NTLM, but the 
browser that you are using.  Your browser is sending:

[13573] AuthenNTLM: Authorization Header Basic

When it should be sending something like:

[505] AuthenNTLM: Authorization Header NTLM TlRMTVNTUAABB4IAoAB=

It looks to me as if you are not using Internet Explorer...  What happens when you try it from IE?

speeves
cws
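
The reply above turns on which scheme the browser actually put in the Authorization header. The following is an added example (not part of the original message or of Apache::AuthenNTLM) that classifies a header value and decodes NTLM Type 1 and Type 2 messages; the function names are hypothetical, and the two sample messages are the "Got:" and "Send:" byte dumps from an ntlmdebug=2 log quoted later in this archive.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"

# Negotiate flag bits that appear by name in the ntlmdebug output in this archive.
FLAG_NAMES = [
    (0x00000001, "NEGOTIATE_UNICODE"),
    (0x00000002, "NEGOTIATE_OEM"),
    (0x00000004, "REQUEST_TARGET"),
    (0x00000200, "NEGOTIATE_NTLM"),
    (0x00008000, "NEGOTIATE_ALWAYS_SIGN"),
]

# Byte dumps copied from the "Got:" (Type 1) and "Send:" (Type 2) log lines.
TYPE1 = bytes([78, 84, 76, 77, 83, 83, 80, 0, 1, 0, 0, 0, 7, 130, 8, 160] + [0] * 16)
TYPE2 = bytes([78, 84, 76, 77, 83, 83, 80, 0, 2, 0, 0, 0, 0, 0, 0, 0, 40, 0, 0, 0,
               1, 130, 0, 0, 91, 43, 72, 34, 185, 122, 217, 71] + [0] * 8)


def header_for(message):
    """Build the header value that carries a raw NTLMSSP message."""
    return "NTLM " + base64.b64encode(message).decode("ascii")


def flag_names(flags):
    """Names of the known negotiate bits set in a 32-bit flags field."""
    return [name for bit, name in FLAG_NAMES if flags & bit]


def security_buffer(msg, pos):
    """Return the bytes a (length, max length, offset) security buffer points at."""
    length, _max_length, offset = struct.unpack_from("<HHI", msg, pos)
    if length and offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]


def parse_auth_header(value):
    """Classify an Authorization/WWW-Authenticate value; decode NTLM Type 1 and 2."""
    if not value or not value.strip():
        return {"scheme": None}              # first request: no credentials sent yet
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() != "ntlm":
        return {"scheme": scheme.lower()}    # e.g. "basic": the browser did not pick NTLM
    info = {"scheme": "ntlm"}
    try:
        msg = base64.b64decode(blob.strip(), validate=True)
        if len(msg) < 12 or msg[:8] != SIGNATURE:
            raise ValueError("not an NTLMSSP message")
        info["type"] = struct.unpack_from("<I", msg, 8)[0]
        if info["type"] == 1:
            info["flags"] = flag_names(struct.unpack_from("<I", msg, 12)[0])
            has_buffers = len(msg) >= 32     # very short Type 1 messages omit them
            info["domain"] = (security_buffer(msg, 16) if has_buffers else b"").decode("ascii", "replace")
            info["host"] = (security_buffer(msg, 24) if has_buffers else b"").decode("ascii", "replace")
        elif info["type"] == 2:
            info["flags"] = flag_names(struct.unpack_from("<I", msg, 20)[0])
            if len(msg) < 32:
                raise ValueError("Type 2 message too short to hold a challenge")
            info["challenge"] = msg[24:32].hex()   # the 8-byte server nonce
    except (ValueError, struct.error) as exc:
        info["error"] = str(exc)
    return info


if __name__ == "__main__":
    for sample in ("", "Basic Y29uc3RydWN0ZWQ6c2FtcGxl", header_for(TYPE1), header_for(TYPE2)):
        print(parse_auth_header(sample))
```

An empty header on the first request is the normal start of the handshake; a `basic` result on the retry means the browser never offered NTLM.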




Re: Apache-AuthenNTLM-2.04

2003-10-11 Thread Shannon Eric Peevey
speeves wrote:

Keven Murphy wrote:

On Thu, 2003-10-09 at 10:59, Shannon Eric Peevey wrote:
 

Hi!

You are making me dust off the cobwebs!!! ;)

Anyways, I think that the problem is not the version of NTLM, but 
the browser that you are using.  Your browser is sending:

[13573] AuthenNTLM: Authorization Header Basic

When it should be sending something like:

[505] AuthenNTLM: Authorization Header NTLM 
TlRMTVNTUAABB4IAoAB=

It looks to me as if you are not using Internet Explorer...  What 
happens when you try it from IE?
  
First off, I appreciate your time in looking at this.

I have tried both Netscape 7 and IE 6+. Both did not work.

Can you run both again, and send me the logs for both of those two 
sessions?

speeves
cws
BTW, I have tested this modules against a Samba server that was only 
allowing NTLMv2 connections with success.  (I don't have access to a 
win32 machine that I could test this against, so maybe...)  Also, when 
you run the test above, can you change:

AuthType ntlm,basic

to:

AuthType ntlm

This should return a 401 unauthorized for the non-IE browser, and force 
an NTLM auth header from IE. 

let me know,
speeves
cws



Re: Apache-AuthenNTLM-2.04

2003-10-14 Thread Shannon Eric Peevey
On Sun, 2003-10-12 at 00:36, Shannon Eric Peevey wrote:



BTW, I have tested this modules against a Samba server that was only 
allowing NTLMv2 connections with success.  (I don't have access to a 
win32 machine that I could test this against, so maybe...)  Also, when 
you run the test above, can you change:

AuthType ntlm,basic

to:

AuthType ntlm

This should return a 401 unauthorized for the non-IE browser, and force 
an NTLM auth header from IE. 
 

I tried that too. Still no go. Here is what I did to generate the logs I
have attached. I tried to get into the website using Netscape 7.1. After
that I tried using IE 6. Both of these tests are on the same machine.
The machine does not log into the LS domain. The last test in the the
logs is from a machine that does log into the LS domain (using IE6).
I have also attached the httpd.conf file if it helps.

Thank you for your help,
-- 
K Murphy CISSP, GCIA, GCIH, GCFA
[EMAIL PROTECTED]

I looked at the files that you sent, and I saw this in the conf file:

PerlAuthenHandler Apache::AuthenNTLM
AuthType ntlm
AuthUserFile htpasswd
AuthAuthoritative on

and:

configuration error: couldn't check user. No user file?: /

in the error_log. Though I don't have time to recreate it
right now, I would say that the:

AuthUserFile htpasswd

is throwing everything off.  Remove it, and see what happens.

speeves
cws



Re: how to forward emails

2003-10-15 Thread Shannon Eric Peevey
Stas Bekman wrote:

Here is how I normally do that, YMMV. It's pretty clear that I didn't 
write the message below ;) You may want to strip the CC and other 
headers...

 Original Message 
Subject: Re: [Fwd: Re: [Fwd: Apache::AuthenSmb]]
Date: Wed, 15 Oct 2003 11:24:46 -0500
From: speeves <[EMAIL PROTECTED]>
To: Ged Haywood <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED],mod_perl Mailing List 
<[EMAIL PROTECTED]>

Ged Haywood wrote:

>Hello again,
>
>On Wed, 15 Oct 2003, speeves wrote:
...
__
Stas Bekman    JAm_pH --> Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide ---> http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com

Thanks, ya'll :)

speeves
cws


[Fwd: Re: Stupid question of the day...] Apache-AuthenNIS

2003-10-20 Thread Shannon Eric Peevey


 Original Message 
Subject:Re: Stupid question of the day...
Date:   Mon, 20 Oct 2003 18:28:04 -
From:   Randy Trahan <[EMAIL PROTECTED]>
To: Shannon Eric Peevey <[EMAIL PROTECTED]>


Hi Shannon,

I was reading your post from June 25 concerning authenNIS.  I am on a 
Linux 8 machine and I am running Apache.  I am trying to have NIS 
authenticate users who try to access a certian directory.  I 
installed authenNIS and I put the appropriate directive in the main 
apache config file, but I don't even get an error message when I go 
to my "/protectected" directory in my file structure.  Did you ever 
have this problem?

Thanks!
Randy
--- In [EMAIL PROTECTED], Shannon Eric Peevey <[EMAIL PROTECTED]> 
wrote:
Randy Kobes wrote:

>On Wed, 25 Jun 2003 [EMAIL PROTECTED] wrote:
>
>  
>
>>I've built and installed a new Apache (2.0.46) with mod_ssl and
>>mod_perl... My goal is authentication via NIS, so I have the
>>following in an .htaccess file:
>>
>>AuthName TEST
>>AuthType Basic
>>PerlAuthenHandler Apache::AuthenNIS;
>>require valid-user
>>
>>My efforts, however, have been thwarted by the following error 
message:
>>
>>Wed Jun 25 15:44:54 2003] [error] failed to resolve handler
>>`Apache::AuthenNIS;' [Wed Jun 25 15:44:55 2003] [error] [client
>>xxx.xxx.xxx.xxx] Can't locate object method "boot" via package
>>"mod_perl::boot" at /opt/apache/lib/perl/Apache/Constants.pm
>>line 8. Compilation failed in require at
>>/opt/apache/lib/perl/Apache/AuthenNIS.pm line 4. BEGIN
>>failed--compilation aborted at
>>/opt/apache/lib/perl/Apache/AuthenNIS.pm line 4. Compilation
>>failed in require at (eval 6) line 1.
>>
>>
>
>Apache::Constants is a mod_perl 1 package, whereas you're using
>mod_perl 2 (for Apache 2). If use of Apache::compat isn't enough
>to get this working, some porting of the module may be required -
>see the discussion of porting Apache Perl modules from mod_perl 1
>to 2 at http://perl.apache.org/.
>
>  
>
Feel free to contact me, as well.  I have contacted the author about
porting the module, and if I can use you as a test environment, I can
get this ported rather quickly :)  (I don't have a NIS environment for me to
test on, but I can make the changes, and you can test the install for
me, and then we can get this mod to work for both versions of
modperl...)

Anyone have an installation of apache 1 that is using NIS for
authentication?  (I will need to be able to test the ported mod for
compatibility with modperl 1, as well.)

speeves
cws

PS  We should probably attack Apache::AuthzNIS at the same time...  It
isn't much more work :)




Re: [Fwd: Re: Stupid question of the day...] Apache-AuthenNIS

2003-10-21 Thread Shannon Eric Peevey
Shannon Eric Peevey wrote:



 Original Message 
Subject: Re: Stupid question of the day...
Date: Mon, 20 Oct 2003 18:28:04 -
From: Randy Trahan <[EMAIL PROTECTED]>
To: Shannon Eric Peevey <[EMAIL PROTECTED]>


Hi Shannon,

I was reading your post from June 25 concerning authenNIS.  I am on a 
Linux 8 machine and I am running Apache.  I am trying to have NIS 
authenticate users who try to access a certian directory.  I installed 
authenNIS and I put the appropriate directive in the main apache 
config file, but I don't even get an error message when I go to my 
"/protectected" directory in my file structure.  Did you ever have 
this problem?

Thanks!
Randy


Hi!

Can you send the  config and/or .htaccess from that 
directory?  Sounds like you probably don't have AuthType set...

speeves
cws
PS Please, copy the list on your reply.  Thanks :)



Re: [Fwd: Re: Stupid question of the day...] Apache-AuthenNIS

2003-10-23 Thread Shannon Eric Peevey
Randy wrote:

Shannon,

Thank you for getting back to me!

I am running a newer version of apache that only has
the httpd.conf configuration file.  The text that I
placed in the file is as follows:
#
# Stuff added by Randy
alias /protected "/var/www/protected/"

# This is the standard authentication stuff
AuthName "Foo Bar Authentication"
AuthType Basic

PerlAuthenHandler Apache::AuthenNIS

# Standard require stuff, NIS users or groups, and
# "valid-user" all work OK
require user username
require valid-user

# The following is actually only needed when authorizing
# against NIS groups. This is a separate module.
#PerlAuthzHandler Apache::AuthzNIS
#

As far as the .htaccess file is concerned, I only did
a "touch .htaccess" to create the file in the
/protected directory.  I did not find any
documentation on WHAT needed to be put into the file. 
Also, should there be a .so module file for authenNIS
in my httpd.conf file?

Again, Thanks!
Randy
 

Hi!

Finally had a chance to take a look at your stuff, and I think this is 
more of an Apache config problem than anything.  If you throw something 
like:

  


require valid-user

AuthName "Foo Bar Authentication"
AuthType Basic
into a .htaccess file in the directory, it will respond with the 
appropriate 401 header.  (For some reason this same code in the 
 directive is not being read, (I have never aliased a 
directory without a .htaccess, so maybe that is it...  You can probably 
try:  http://httpd.apache.org/userslist.html.   (I'm using apache1.3.27 
for these tests).

BTW, Apache-AuthenNIS only queries the passwd.byname file at this time, 
which probably won't work in your environment, as most distros use 
shadow passwords at the very least now.  I need to get excited about 
getting this working using the shadow.byname, so that we can find a real 
use for it nowadays... ;)

HTH,
speeves
cws


[Fwd: AuthenNTLM and slow web server]

2003-10-30 Thread Shannon Eric Peevey


 Original Message 
Subject:AuthenNTLM and slow web server
Date:   Thu, 30 Oct 2003 17:59:49 +0100
From:   Stefano Ciancio <[EMAIL PROTECTED]>
Organization:   Italia On Line
To: [EMAIL PROTECTED]


Hi,

I am using the apache module Apache-AuthenNTLM-2.04 with apache 1.3, but I am
having some problem with it.
I view some time_wait session to windows pdc and many error in apache's
error.log.
Moreover this also seems to cause the web server to go _very_ slow.
My httpd.conf configuration is standard  


   PerlAuthenHandler Apache::AuthenNTLM 
   AuthType ntlm,basic
   AuthName test
   require valid-user

   PerlAddVar ntdomain "name_domain1   name_of_pdc1"
   PerlAddVar ntdomain "other_domain   pdc_for_domain   bdc_for_domain"
   PerlSetVar defaultdomain wingr1
   PerlSetVar ntlmdebug 0

with keepAlive set to On.

Have you an idea why this is happening?

Thanks,
Stefano



Re: [Fwd: AuthenNTLM and slow web server]

2003-10-31 Thread Shannon Eric Peevey
Shannon Eric Peevey wrote:



 Original Message 
Subject: AuthenNTLM and slow web server
Date: Thu, 30 Oct 2003 17:59:49 +0100
From: Stefano Ciancio <[EMAIL PROTECTED]>
Organization: Italia On Line
To: [EMAIL PROTECTED]


Hi,

I am using the apache module Apache-AuthenNTLM-2.04 with apache 1.3, 
but I am
having some problem with it.

I view some time_wait session to windows pdc and many error in apache's
error.log.
Moreover this also seems to cause the web server to go _very_ slow.
My httpd.conf configuration is standard 

   PerlAuthenHandler Apache::AuthenNTLM
   AuthType ntlm,basic
   AuthName test
   require valid-user

   PerlAddVar ntdomain "name_domain1   name_of_pdc1"
   PerlAddVar ntdomain "other_domain   pdc_for_domain   bdc_for_domain"

   PerlSetVar defaultdomain wingr1
   PerlSetVar ntlmdebug 0

with keepAlive set to On.

Have you an idea why this is happening?

Thanks,
Stefano
Hi!

Can you set "ntlmdebug" = 2 and send me the sections of the error_log 
that you are talking about?

thanks,
speeves
cws
BTW, did you have this working correctly with any other version 
Apache-AuthenNTLM?



[Fwd: Apache::AuthenNTLM]

2003-11-03 Thread Shannon Eric Peevey


 Original Message 
Subject:Apache::AuthenNTLM
Date:   Mon, 3 Nov 2003 10:56:26 -
From:   francoise dehinbo <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>


Hi Shannon,

I was hoping you might be able to help me with a problem I'm currently having with this module.  Below is a list of the system versions we are currently using in our quest to authenticate users and store their details in a cookie as they access the intranet:

Apache 1.3.22
mod_perl 1
perl 5.6.1
Apache::AuthenNTLM 0.01-0.13
IE 6.0
This is the config that I've added to the modperl http.conf:

   PerlAuthenHandler Apache::AuthenNTLM
   AuthType ntlm
   AuthName test
   require valid-user
   #   domain pdc   bdc
   PerlAddVar ntdomain "foxtons   itfilep01 adbdc"
   PerlSetVar defaultdomain FOXTONS
   PerlSetVar ntlmdebug 2

The problem is that when I open a page, I am prompted to enter my username and password instead of retrieving my login details from the browser.  My details are then authenticated and I am then taken to the correct page.

When I open the page, the following message is added to the error log:
[28323] AuthenNTLM: Start NTLM Authen handler pid = 28323, connection = 143478676 
conn_http_hdr = Keep-Alive  main =  cuser =  remote_ip = 172.18.12.60 remote_port = 44050 
remote_host = <> version = 0.23
[28323] AuthenNTLM: Setup new object
[28323] AuthenNTLM: Config Domain = foxtons  pdc = itfilep01  bdc = adbdc
[28323] AuthenNTLM: Config Default Domain = FOXTONS
[28323] AuthenNTLM: Config Fallback Domain =
[28323] AuthenNTLM: Config AuthType = ntlm AuthName = test
[28323] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[28323] AuthenNTLM: Config NTLMAuthoritative = on  BasicAuthoritative = on
[28323] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[28323] AuthenNTLM: Authorization Header 
[Mon Nov  3 11:11:29 2003] [error] access to / failed for  , reason: Bad/Missing 
NTLM/Basic Authorization Header for /
The message was added to the log after a successful login:
[28323] AuthenNTLM: Start NTLM Authen handler pid = 28323, connection = 143478676 
conn_http_hdr = Keep-Alive  main =  cuser =  remote_ip = 172.18.12.60 remote_port = 44050 
remote_host = <> version = 0.23
[28323] AuthenNTLM: Setup new object
[28323] AuthenNTLM: Config Domain = foxtons  pdc = itfilep01  bdc = adbdc
[28323] AuthenNTLM: Config Default Domain = FOXTONS
[28323] AuthenNTLM: Config Fallback Domain =
[28323] AuthenNTLM: Config AuthType = ntlm AuthName = test
[28323] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[28323] AuthenNTLM: Config NTLMAuthoritative = on  BasicAuthoritative = on
[28323] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[28323] AuthenNTLM: Authorization Header NTLM 
TlRMTVNTUAABB4IIoAA=
[28323] AuthenNTLM: Got: 78 84 76 77 83 83 80 0 1 0 0 0 7 130 8 160 0 0 0 0 0 0 0 0 0 
0 0 0 0 0 0 0
[28323] AuthenNTLM: protocol=NTLMSSP, type=1, 
flags1=7(NEGOTIATE_UNICODE,NEGOTIATE_OEM,REQUEST_TARGET), 
flags2=130(NEGOTIATE_ALWAYS_SIGN,NEGOTIATE_NTLM), domain length=0, domain offset=0, 
host length=0, host offset=0, host=, domain=
[28323] AuthenNTLM: Connect to pdc = itfilep01 bdc = adbdc domain = foxtons
[28323] AuthenNTLM: enter lock
[28323] AuthenNTLM: Send: 78 84 76 77 83 83 80 0 2 0 0 0 0 0 0 0 40 0 0 0 1 130 0 0 91 
43 72 34 185 122 217 71 0 0 0 0 0 0 0 0
[28323] AuthenNTLM: charencoding = 1
[28323] AuthenNTLM: flags2 = 130
[28323] AuthenNTLM: nonce=[+H"¹zÙG
[28323] AuthenNTLM: Send header: NTLM 
TlRMTVNTUAACACgBggAAWytIIrl62UcAAA==
[28323] AuthenNTLM: Start NTLM Authen handler pid = 28323, connection = 143478676 
conn_http_hdr = Keep-Alive  main =  cuser =  remote_ip = 172.18.12.60 remote_port = 44050 
remote_host = < > version = 0.23
[28323] AuthenNTLM: Object exists user = \
[28323] AuthenNTLM: Authorization Header NTLM 
[28323] AuthenNTLM: protocol=NTLMSSP, type=3, user=francoise.dehinbo, host=MAINBOARD, 
domain=mp.newdev.digital.foxtons.co.uk, msg_len=0
[2832

Re: [Fwd: AuthenNTLM and slow web server]

2003-11-03 Thread Shannon Eric Peevey
Leo Lapworth wrote:

On Fri, Oct 31, 2003 at 08:08:02PM +0100, Stefano Ciancio wrote:
 

But the big problem with this module is that it seems that for each object it requires an
authentication from pdc/bdc. This behaviour causes the web server to go _very_
slow. The user must wait tens of seconds to load a single web page.
   

We are working on something similar at the moment, we are planning
on creating a wrapper module which checks for a cookie, if that is
not set then it uses AuthenNTML and sets the cookie (just for
the browser session), but if it is set we know that the user
has been authenticated and therefore only have to check authentication
once per user per session.
Once we get it working I'll post it on the net somewhere and
a message here.
Leo
 

Are you creating something along the lines of a:

Apache-AuthCookieNTML ?

It seems that a lot of these questions would be resolved by a module 
that would check for a cookie first, and then throw the auth box when 
the user hasn't been authenticated.  Then you could just continue to 
check for a cookie, instead of querying the samba server for every 
image, etc. on the page.

Could I recommend writing this module, (instead of a work-around piece 
of code)?  I think that an Apache-AuthCookieNTLM would benefit a lot of 
people.

If no one is up to it, let me know and I will start working on one when 
I have the time.

thanks,
speeves
cws
--
Reporting bugs: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html


Re: [Fwd: AuthenNTLM and slow web server]

2003-11-03 Thread Shannon Eric Peevey
Stefano Ciancio wrote:

Hi Shannon Eric,

I have set "ntlmdebug" = 2 and produced an error.log that I have attached.

It seems that the error is:

[9100] AuthenNTLM: Authorization Header 

I don't know what it means ...

Can you help me?

 Stefano

 

Hi!

I'm sorry, but I have become foggy on the problem here...  Are you 
talking about problems logging in, or web server performance? 

[9100] AuthenNTLM: Authorization Header 

This is telling us that the browser is not including an "Authorization" header, which is normal on the initial request from the browser.  (The server throws a 401 Authorization Required, which tells the browser that it needs to include an Authorization header.)

There is no error here.

speeves
cws




Re: [Fwd: AuthenNTLM and slow web server]

2003-11-03 Thread Shannon Eric Peevey
Stefano Ciancio wrote:

Hi,

I have looked at the log more closely, and the error in apache's error.log was about some
gif that the web server did not find.
But the big problem with this module is that it seems that for each object it requires an
authentication from pdc/bdc. This behaviour causes the web server to go _very_
slow. The user must wait tens of seconds to load a single web page.

Unfortunately, I don't use this module in a production environment, so 
cannot comment here.  Is anyone else seeing this in a live environment?

I want to use this module to obtain a single sign on in the Intranet of my company,
which has thousands of users in some trusted NT pdc/bdc.
Do you think that this module could work fine?

I don't really think that this module was created with this purpose in 
mind.  

Does some other mechanism exist to
obtain the single sign on with ntlm?
 

Check out my message to Mr. Lapworth at:

http://marc.theaimsgroup.com/?l=apache-modperl&m=106788287330640&w=2

If he doesn't have the time to create this module, maybe one of you 
will?  If not, I can put it on my to-do list, and could probably have 
something by late January... 

speeves
cws




Re: [Fwd: Apache::AuthenNTLM]

2003-11-03 Thread Shannon Eric Peevey

 

 Original Message 
Subject:Apache::AuthenNTLM
Date:   Mon, 3 Nov 2003 10:56:26 -
From:   francoise dehinbo <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>


Hi Shannon,

I was hoping you might be able to help me with a problem I'm currently having
with this module.  Below is a list of the system versions we are currently
using in our quest to authenticate users and store their details in a cookie
as they access the intranet:
   

It sounds like something like Apache-AuthCookie would be more useful 
here.  Apache-AuthenNTLM is wired to accept input to the auth windows, 
and doesn't check the browser for cookies, etc.  I'm not sure how you 
propose to authenticate from the cookie, but it shouldn't be too 
difficult of a job to add NTLM authentication capabilities on top of 
Apache-AuthCookie.  (I see we already have Apache-AuthCookieLDAP and 
Apache-AuthCookieDBI, for reference...)

speeves
cws




Re: [Fwd: AuthenNTLM and slow web server]

2003-11-04 Thread Shannon Eric Peevey
Leo Lapworth wrote:

On Mon, Nov 03, 2003 at 11:55:28AM -0600, Shannon Eric Peevey wrote:
 

Are you creating something along the lines of a:

Apache-AuthCookieNTML ?

It seems that a lot of these questions would be resolved by a module 
that would check for a cookie first, and then throw the auth box when 
the user hasn't been authenticated.  
   

This is the general plan - we've just got Apache::AuthNTML working
properly, so going to work on Apache::AuthCookieNTML this week,
I'll report back when we've got something up and running.
Cheers

Leo
 

Great!!  Keep us posted, and don't forget to request a PAUSE account on 
CPAN so that you can upload your module there :)

speeves
cws
PS Sorry bout the typo in the previous message :P  It's really 
Apache-AuthCookieNTLM...



Re: [Fwd: AuthenNTLM and slow web server]

2003-11-04 Thread Shannon Eric Peevey
Stefano Ciancio wrote:

On Mon, 03 Nov 2003 15:39:14 -0600
Shannon Eric Peevey <[EMAIL PROTECTED]> wrote:
 

Stefano Ciancio wrote:

   

Hi Shannon Eric,

I have set "ntlmdebug" = 2 and produced an error.log that I have attached.

It seems that the error is:

[9100] AuthenNTLM: Authorization Header 

I don't know what it means ...

Can you help me?

Stefano



 

Hi!

I'm sorry, but I have become foggy on the problem here...  Are you 
talking about problems logging in, or web server performance? 

[9100] AuthenNTLM: Authorization Header 

This is telling us that the browser is not including an "Authorization"
header, which is normal on the initial request from the browser.  (The server
throws a 401 Authorization Required, which tells the browser that it needs to
include an Authorization header.)
There is no error here.

speeves
cws
   

Yes, you are right!! My problem is about web server performance and I thought
that it depended on some error in the module.
 Stefano
 

I don't think that you are getting any errors in what I see (on your 
end).  So I guess my question still stands, is anyone else seeing slow 
performance in a production site with this module?

BTW, I don't see the module asking for authorization for every object, 
only when the client asks for something in a new directory.  (It's a 
little hard to tell from the debug log if the calls to the samba server 
are made for every object, I need a little more time to follow its logic 
through.  But, on the client side, I am not seeing the 401 returned for 
every object.)

thanks,
speeves
cws


[Fwd: Re: [Fwd: AuthenNTLM and slow web server]]

2003-11-04 Thread Shannon Eric Peevey


 Original Message 
Subject: 	Re: [Fwd: AuthenNTLM and slow web server]
Date: 	Tue, 4 Nov 2003 15:03:32 +
From: 	Leo Lapworth <[EMAIL PROTECTED]>
Reply-To: 	Leo Lapworth <[EMAIL PROTECTED]>
To: 	Shannon Eric Peevey <[EMAIL PROTECTED]>



Great!!  Keep us posted, and don't forget to request a PAUSE account on 
CPAN so that you can upload your module there :)
I'm already a module author - though this is my first
apache module. Francoise works for me, so we're going
to try it together.
The first problem we've come across is accessing the username
from the object as it is never returned by the handle (for
obvious reasons) and we can't see an easy way to access it
even when subclassing - I've posted to the London.pm perl mailing
list asking if there is a way to sneak in and grab the info,
if there isn't would you be averse to having an additional
flag which can be passed into handler() and would then return
the object rather than 'OK' ?
PS Sorry bout the typo in the previous message :P  It's really 
Apache-AuthCookieNTLM...
Heh, glad to see it's not just me that gets it the wrong way
round all the time! :)
Leo





Re: [Fwd: AuthenNTLM and slow web server]

2003-11-04 Thread Shannon Eric Peevey
Enrico Sorcinelli wrote:

On Tue, 04 Nov 2003 09:13:34 -0600
Shannon Eric Peevey <[EMAIL PROTECTED]> wrote:
 

BTW, I don't see the module asking for authorization for every object, 
only when the client asks for something in a new directory.  (It's a 
little hard to tell from the debug log if the calls to the samba server 
are made for every object, I need a little more time to follow its logic 
through.  But, on the client side, I am not seeing the 401 returned for 
every object.)
   

How about improving the module by adding some caching mechanism for 
authenticated users?
Moreover it could be nice to control it with PerlSetVar directives 
(ttl and so on)

by

	- Enrico
 

Hi!

I think that is probably a great idea.  I don't have time to add it in 
now, but if you send me a patch, I will be happy to add it into the next 
release.

thanks,
speeves
cws


Re: [Fwd: Re: [Fwd: AuthenNTLM and slow web server]]

2003-11-04 Thread Shannon Eric Peevey

The first problem we've come across is accessing the username
from the object as it is never returned by the handle (for
obvious reasons) and we can't see an easy way to access it
even when subclassing - I've posted to the London.pm perl mailing
list asking if there is a way to sneak in and grab the info,
if there isn't would you be averse to having an additional
flag which can be passed into handler() and would then return
the object rather than 'OK' ?
I am assuming that you are going to build your module on top of 
Apache::AuthCookie and Apache::AuthenNTLM.  If that is the case, then 
you can grab the username and domain from the  $self->{username} 
variable, or the $data variable which is unpacked in the get_msg1 and 
getmsg3 subroutines.  This should make it easier. 


PS Sorry bout the typo in the previous message :P  It's really 
Apache-AuthCookieNTLM...


Heh, glad to see it's not just me that gets it the wrong way
round all the time! :) 
:))

speeves
cws


Re: [Fwd: AuthenNTLM and slow web server]

2003-11-04 Thread Shannon Eric Peevey
Enrico Sorcinelli wrote:

On Tue, 04 Nov 2003 09:13:34 -0600
Shannon Eric Peevey <[EMAIL PROTECTED]> wrote:
 

BTW, I don't see the module asking for authorization for every object, 
only when the client asks for something in a new directory.  (It's a 
little hard to tell from the debug log if the calls to the samba server 
are made for every object, I need a little more time to follow its logic 
through.  But, on the client side, I am not seeing the 401 returned for 
every object.)
   

How about improving the module by adding some caching mechanism for 
authenticated users?
Moreover it could be nice to control it with PerlSetVar directives 
(ttl and so on)

by

	- Enrico

 

BTW, has anyone read the documentation in AuthenNTLM.pm?  Here is an 
example on how to only call AuthenNTLM if a precondition is met...

=head2 Example for overriding

The following code shows a basic example for creating a module which
overrides the map_user method and calls AuthenNTLM's handler only if a
precondition is met. Note: The functions precondition_met and lookup_user
do the real work and are not shown here.

   package Apache::MyAuthenNTLM ;

   use Apache::AuthenNTLM ;
   use Apache::Constants qw(DECLINED) ;   # mod_perl 1 constant returned below

   @ISA = ('Apache::AuthenNTLM') ;

   # Run the NTLM handshake only when the precondition holds.
   sub handler ($$)
   {
   my ($self, $r) = @_ ;

   return Apache::AuthenNTLM::handler ($self, $r) if (precondition_met()) ;
   return DECLINED ;
   }

   # Map the authenticated domain/user pair to the name the application uses.
   sub map_user
   {
   my ($self, $r) = @_ ;

   return lookup_user ($self->{userdomain}, $self->{username}) ;
   }

This should work for now, and I will bang around and see how much work 
it will take to add in a caching feature directly into the module.  
Seems that it would be useful for a lot of people, right?

speeves
cws


Re: authentication with smb

2003-11-04 Thread Shannon Eric Peevey
Tauber, Mathias HDP wrote:

hi,

I have just subscribed to this mailing list,
so I hope I'm doing everything right...
my problem:

I'm running a reverse proxy with apache 1.3.x
and mod_proxy on debian. For the authentication
libapache-authensmb is used, so there's a
connection to the domain controller present and
working.
Everything is fine, but for each request sent
by the browser, the module needs to authenticate
on the nt-domain. As I was told, the domain
controller can't handle all the requests, so it's
comparable with a DOS-attack. Because of this,
the browser opens multiple times the popup for
filling in the authentication data (although it's
not necessary).
To prevent this, I tried the following ideas I
have found in the web:
a) exclude images from being authenticated
b) AuthenCache
c) AuthzCache
I've been searching for days in the web for a
perfect solution, but all I've tried doesn't
work as wanted. a) combined b) or c) makes it
a little bit better, but still every second
click opens the popup again.
Now I'm trying to use PAM in hope it can do
better then the rest. But it's not running
properly at the moment...
I think this problem is already OT, but I
couldn't find the needed threads in the
archives. It would be great, if somebody
could give me some further information to
fix this problem.
regards
mathias
 

lol  We seem to be in the midst of this ourselves :))  Only a different 
module.  Check out this thread:

http://marc.theaimsgroup.com/?l=apache-modperl&w=2&r=1&s=AuthenNTLM+and+slow+web+server&q=b

Once I get Apache-AuthenNTLM in shape, then I will turn my eyes upon 
Apache-AuthenSMB. :)

speeves
cws


Re: [Fwd: AuthenNTLM and slow web server]

2003-11-04 Thread Shannon Eric Peevey
Shannon Eric Peevey wrote:

Enrico Sorcinelli wrote:

On Tue, 04 Nov 2003 09:13:34 -0600
Shannon Eric Peevey <[EMAIL PROTECTED]> wrote:
 

BTW, I don't see the module asking for authorization for every 
object, only when the client asks for something in a new directory.  
(It's a little hard to tell from the debug log if the calls to the 
samba server are made for every object, I need a little more time to 
follow its logic through.  But, on the client side, I am not seeing 
the 401 returned for every object.)
  


How about improving the module by adding some caching mechanism for 
authenticated users?
Moreover it could be nice to control it with PerlSetVar directives 
(ttl and so on)

by

- Enrico

 

BTW, has anyone read the documentation in AuthenNTLM.pm?  Here is an 
example on how to only call AuthenNTLM if a precondition is met...

=head2 Example for overriding

The following code shows a basic example for creating a module which
overrides the map_user method and calls AuthenNTLM's handler only if a
precondition is met. Note: The functions precondition_met and lookup_user
do the real work and are not shown here.

   package Apache::MyAuthenNTLM ;

   use Apache::AuthenNTLM ;
   use Apache::Constants qw(DECLINED) ;   # mod_perl 1 constant returned below

   @ISA = ('Apache::AuthenNTLM') ;

   # Run the NTLM handshake only when the precondition holds.
   sub handler ($$)
   {
   my ($self, $r) = @_ ;

   return Apache::AuthenNTLM::handler ($self, $r) if (precondition_met()) ;
   return DECLINED ;
   }

   # Map the authenticated domain/user pair to the name the application uses.
   sub map_user
   {
   my ($self, $r) = @_ ;

   return lookup_user ($self->{userdomain}, $self->{username}) ;
   }

This should work for now, and I will bang around and see how much work 
it will take to add in a caching feature directly into the module.  
Seems that it would be useful for a lot of people, right?

speeves
cws

OK, final questions for the day...

1. Apache-AuthenNTLM already caches the connections to the samba 
server.  I am assuming that we are having a problem with queries passing 
through this connection, and not a "too many connections" problem on the 
samba server end, right?

(NOTE: (Mathias) Apache-AuthenSMB does  not cache the connections, so 
what are we seeing with it exactly? )

2.  Do we really need to handle caching within this module?  Might it 
not be handled by one of the Caching modules that Michael Parker 
mentioned in an earlier email?  
(http://marc.theaimsgroup.com/?l=apache-modperl&m=106780304521226&w=2)

3.  If we do add caching into the Apache-AuthenNTLM mod, where do we 
cache the yes/no variable, and when do we destroy it?

thanks for your input,
speeves
cws


Re: Apache::AuthCookieNTLM

2003-11-05 Thread Shannon Eric Peevey
Leo Lapworth wrote:

Hi All,

The first version is available at:

http://leo.cuckoo.org/projects/AuthCookieNTLM/

I'll tidy up the docs and add a bit more functionality tomorrow,
debugging for example! - before uploading to CPAN.
We decided against using Apache::AuthCookie in the end,
it just seemed overkill.
By default the user's login and a test value are set in the
cookie, there is the choose_cookie_values() so you can
inherit Apache::AuthCookieNTLM and override this and
therefore add any additional information you want to the
cookie at this stage. For example we want to lookup
people's email addresses and other info we have in a
DB to personalise other pages on the intranet.
Feedback welcome.

Cheers

Leo
 

Bravo!!  Way to get on the ball :)  I will see if I get a chance to 
check it out tomorrow.

thanks,
speeves
cws
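
A cookie that stands in for the NTLM handshake, as announced above, is only as trustworthy as its integrity protection, and the thread does not say how the module protects it. The following added example (not code from Apache::AuthCookieNTLM; the cookie layout, function names and secret are assumptions) signs the domain, user and expiry with HMAC-SHA256 and rejects altered or expired values.

```perl
#!/usr/bin/perl
# Added example: integrity-protected "already authenticated" cookie value.
# The layout hex(domain).hex(user).expiry.mac and all names are assumptions;
# this is not how Apache::AuthCookieNTLM is known to build its cookie.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a long random key kept on the server; constructed for the demo.
my $SECRET = 'constructed-demo-secret-do-not-reuse';

# Compare two strings without stopping at the first differing byte.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Called once, after the NTLM type 3 message has been accepted.
sub make_cookie {
    my ($domain, $user, $now, $ttl) = @_;
    my $payload = join '.', unpack('H*', $domain), unpack('H*', $user), $now + $ttl;
    return $payload . '.' . hmac_sha256_hex($payload, $SECRET);
}

# Called on every later request; returns a hash ref, or undef to force NTLM again.
sub read_cookie {
    my ($cookie, $now) = @_;
    return undef unless defined $cookie && $cookie =~
        /\A((?:[0-9a-f]{2})+)\.((?:[0-9a-f]{2})+)\.([0-9]{1,12})\.([0-9a-f]{64})\z/;
    my ($d_hex, $u_hex, $expires, $mac) = ($1, $2, $3, $4);
    # Verify the MAC before trusting any field, then enforce the expiry.
    return undef unless ct_eq($mac, hmac_sha256_hex("$d_hex.$u_hex.$expires", $SECRET));
    return undef if $expires <= $now;
    return { domain => pack('H*', $d_hex), user => pack('H*', $u_hex),
             expires => $expires };
}

my $t0     = 1_068_000_000;                       # constructed timestamp
my $cookie = make_cookie('EXAMPLE', 'alice', $t0, 8 * 3600);

# Constructed tampering: swap the user field but keep the original MAC.
my @parts  = split /\./, $cookie;
my $forged = join '.', $parts[0], unpack('H*', 'administrator'), @parts[2, 3];

for my $case (
    [ 'fresh cookie',      $cookie, $t0 + 60 ],
    [ 'user field edited', $forged, $t0 + 60 ],
    [ 'after expiry',      $cookie, $t0 + 8 * 3600 + 1 ],
) {
    my ($label, $value, $when) = @$case;
    my $who = read_cookie($value, $when);
    printf "%-18s %s\n", $label,
        $who ? "accepted as $who->{domain}\\$who->{user}" : 'rejected';
}
```

The expiry is enforced on the server because the browser alone decides how long it keeps a session cookie.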


Re: authentication with smb

2003-11-06 Thread Shannon Eric Peevey
cramirez wrote:

Awhile back,  I encountered this same problem and found a solution 
from  Matt Arnold's mod_perl post, which I cannot locate at the time. 
Anyhow, here's the fix that I've been using in our production 
environment.

1. Update Authen::Smb like so:

   use Fcntl qw(:flock);
   ...
   # Serialize calls to the domain controller with an exclusive lock file.
   open S, "> /full/path/to/AuthenSmb.lck" or
       die "Can't open AuthenSmb.lck: $!\n";
   flock S, LOCK_EX;
   my $res = Valid_User($username, $password, $server, $backup, $domain);
   close S;   # closing the handle releases the lock

2. Update Apache::AuthenSmb like so:

   use Memoize;
   # Cache the result of each distinct authen() call in this process.
   memoize('Authen::Smb::authen');

That's it! I contacted both authors of Authen::Smb and 
Apache::AuthenSmb but I didn't hear back from them nor did they 
incorporate these fixes. I also added some enhancements but never 
released it, but maintain my own private copy.

Hope this helps.

-Carlos

Shannon Eric Peevey wrote:

Tauber, Mathias HDP wrote:

hi,

I have just subscribed to this mailing list,
so I hope I'm doing everything right...
my problem:

I'm running a reverse proxy with apache 1.3.x
and mod_proxy on debian. For the authentication
libapache-authensmb is used, so there's a
connection to the domain controller present and
working.
Everything is fine, but for each request sent
by the browser, the module needs to authenticate
on the nt-domain. As I was told, the domain
controller can't handle all the requests, so it's
comparable with a DOS-attack. Because of this,
the browser opens multiple times the popup for
filling in the authentication data (although it's
not necessary).
To prevent this, I tried the following ideas I
have found in the web:
a) exclude images from being authenticated
b) AuthenCache
c) AuthzCache
I've been searching for days in the web for a
perfect solution, but all I've tried doesn't
work as wanted. a) combined b) or c) makes it
a little bit better, but still every second
click opens the popup again.
Now I'm trying to use PAM in hope it can do
better then the rest. But it's not running
properly at the moment...
I think this problem is already OT, but I
couldn't find the needed threads in the
archives. It would be great, if somebody
could give me some further information to
fix this problem.
regards
mathias
 

lol  We seem to be in the midst of this ourselves :))  Only a 
different module.  Check out this thread:

http://marc.theaimsgroup.com/?l=apache-modperl&w=2&r=1&s=AuthenNTLM+and+slow+web+server&q=b 

Once I get Apache-AuthenNTLM in shape, then I will turn my eyes upon 
Apache-AuthenSMB. :)

speeves
cws


Hi!

Could you send me a patch?  I have the rights to maintain the package, 
so can add these enhancements in.

thanks,
speeves
cws
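
The earlier question in this thread about where to cache the yes/no verdict and when to destroy it, and the Memoize change above, both come down to cache lifetime: Memoize keeps every argument list, password included, and every result, failures included, for the life of the process. The following added example (not code from Authen::Smb or Apache::AuthenSmb; the VerdictCache name, its options and the stand-in checker are assumptions) caches only successful verdicts, keyed by an HMAC of the credentials, with a TTL and a size bound.

```perl
#!/usr/bin/perl
# Added example: TTL-bounded cache for authentication verdicts.
# VerdictCache and its options are hypothetical names, not part of
# Authen::Smb, Apache::AuthenSmb or Apache::AuthenNTLM.
use strict;
use warnings;

package VerdictCache;
use Digest::SHA qw(hmac_sha256_hex);

sub new {
    my ($class, %opt) = @_;
    die "key and checker are required\n" unless $opt{key} && $opt{checker};
    return bless {
        ttl     => $opt{ttl} || 300,           # seconds a success stays cached
        max     => $opt{max} || 1000,          # hard cap on entries per process
        key     => $opt{key},                  # per-process random secret
        checker => $opt{checker},              # code ref that asks the PDC/BDC
        clock   => $opt{clock} || sub { time() },
        seen    => {},                         # cache id => expiry time
        backend_calls => 0,
    }, $class;
}

sub check {
    my ($self, $user, $domain, $password) = @_;
    my $now = $self->{clock}->();
    # Length-prefixed fields keep "ab"+"c" and "a"+"bc" distinct; the HMAC
    # means the cache never holds the password itself.
    my $id = hmac_sha256_hex(
        pack('N/a* N/a* N/a*', lc($domain), lc($user), $password), $self->{key});
    my $expiry = $self->{seen}{$id};
    return 1 if defined $expiry && $expiry > $now;
    delete $self->{seen}{$id};                 # expired or never present

    $self->{backend_calls}++;
    my $ok = $self->{checker}->($user, $domain, $password) ? 1 : 0;
    if ($ok) {                                 # failures are never cached
        $self->_make_room($now);
        $self->{seen}{$id} = $now + $self->{ttl};
    }
    return $ok;
}

# Drop expired entries, then the soonest-to-expire ones if still at the cap.
sub _make_room {
    my ($self, $now) = @_;
    my $seen = $self->{seen};
    delete @{$seen}{ grep { $seen->{$_} <= $now } keys %$seen };
    while (keys(%$seen) >= $self->{max}) {
        my ($oldest) = sort { $seen->{$a} <=> $seen->{$b} } keys %$seen;
        delete $seen->{$oldest};
    }
}

package main;

# Constructed stand-ins: a fake clock and a one-user "domain controller".
my $now = 1_000;
my %directory = ('example\\alice' => 'correct horse');
my $cache = VerdictCache->new(
    ttl => 60, key => 'constructed-demo-secret', clock => sub { $now },
    checker => sub {
        my ($user, $domain, $password) = @_;
        my $stored = $directory{ lc("$domain\\$user") };
        return defined $stored && $stored eq $password;
    },
);

my @steps = (
    [ 0,  'correct horse', 'first request goes to the backend' ],
    [ 10, 'correct horse', 'served from cache' ],
    [ 10, 'wrong guess',   'failure is not cached' ],
    [ 10, 'wrong guess',   'so it hits the backend again' ],
    [ 61, 'correct horse', 'entry expired, backend asked again' ],
);
for my $step (@steps) {
    my ($offset, $password, $note) = @$step;
    $now = 1_000 + $offset;
    my $ok = $cache->check('alice', 'EXAMPLE', $password);
    printf "t+%-3d ok=%d backend_calls=%d  %s\n",
        $offset, $ok, $cache->{backend_calls}, $note;
}
```

Like Memoize, this cache lives inside one Apache child, so each child warms up on its own, and a changed or disabled account stays accepted in a child for at most the TTL.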


Re: Apache::AuthenSmb on Windows

2003-11-06 Thread Shannon Eric Peevey
cramirez wrote:

Has anyone been able to use Apache::AuthenSmb on Windows? I'm trying 
to setup our UNIX Apache environment on a Windows box, but I'm having 
trouble compiling Authen::Smb.  Actually, a better question might be, 
does anyone have any ideas on the best approach of  implementing  web 
authentication against a Windows domain on a windows system using 
Apache?  Is Authen::Smb the best approach? I don't think AuthenNTLM 
would work since UNIX users wouldn't be able to authenticate right??

Thanks,

-Carlos 
Not true.  You can specify AuthType ntlm, basic, so that all non-IE 
browsers can authenticate against your samba server.  (I can auth 
against samba 3.0.0 with the following config:

   client NTLMv2 auth = Yes
   client lanman auth = No
   client plaintext auth = No
)  I can't test against a windows machine though :(

speeves
cws


Re: authentication with smb

2003-11-06 Thread Shannon Eric Peevey
Stas Bekman wrote:

yo! please trim the quoted text in your replies to the minimal 
relevant size.
those who need to read the whole thing have the archives. thanks.

Will do.

speeves
cws


[Fwd: Re: [ANNOUNCE] Apache::AuthCookieNTLM 0.04]

2003-11-07 Thread Shannon Eric Peevey


 Original Message 
Subject: 	Re: [ANNOUNCE] Apache::AuthCookieNTLM 0.04
Date: 	Fri, 7 Nov 2003 15:31:54 +0100
From: 	Stefano Ciancio <[EMAIL PROTECTED]>
Organization: 	Italia On Line
To: 	Leo Lapworth <[EMAIL PROTECTED]>
CC: 	Shannon Eric Peevey <[EMAIL PROTECTED]>



Great!! I will try it soon.  Is it compatible with mod_perl2 ?

 Stefano

On Fri, 7 Nov 2003 14:01:13 +
Leo Lapworth <[EMAIL PROTECTED]> wrote:
I've just uploaded Apache::AuthCookieNTLM 0.04 to
CPAN, it's available from http://leo.cuckoo.org/projects/
if you can't wait for it to be processed.
I'll consider it finished (ie. working) unless 
I hear from anyone :)

Cheers

Leo




[Fwd: Re: [ANNOUNCE] Apache::AuthCookieNTLM 0.04]

2003-11-07 Thread Shannon Eric Peevey


 Original Message 
Subject: 	Re: [ANNOUNCE] Apache::AuthCookieNTLM 0.04
Date: 	Fri, 7 Nov 2003 15:07:57 +
From: 	Leo Lapworth <[EMAIL PROTECTED]>
Reply-To: 	Leo Lapworth <[EMAIL PROTECTED]>
To: 	Stefano Ciancio <[EMAIL PROTECTED]>
CC: 	Shannon Eric Peevey <[EMAIL PROTECTED]>



On Fri, Nov 07, 2003 at 03:31:54PM +0100, Stefano Ciancio wrote:
Is it compatible with mod_perl2 ?
Fraid I haven't a clue, not used mod_perl2 yet, it requires
Apache::Request and Apache::Cookie, can't remember if they are
available yet.
Leo





Re: [ANNOUNCE] Apache::AuthCookieNTLM 0.04

2003-11-07 Thread Shannon Eric Peevey

Fraid I haven't a clue, not used mod_perl2 yet, it requires
Apache::Request and Apache::Cookie, can't remember if they are
available yet.
Leo
 

Actually, I am looking into it now.  (I know that your module as it 
stands only works with mp1).  But, I am going to download the libapreq 2 
release and see how it plays with your module.  (It is still in beta, 
and I don't know how far they are in the process of porting to mp2, so 
you might be nervous about using it...  OTOH, if you are using mp2, who 
cares right?!  Cause it's still in beta too ;)  )  BTW, any and all 
installs of the new libapreq2 will be helping in the dev process, so it 
would be great if we all mess with it, and give them a heads-up on bugs 
and stuff :)

thanks,
speeves
cws
BTW, can you include the list in your replies?  thanks :)



[Fwd: NTLM mod based on Apache::Session]

2003-11-11 Thread Shannon Eric Peevey


 Original Message 
Subject:NTLM mod based on Apache::Session
Date:   Tue, 11 Nov 2003 16:21:13 +0100
From:   Stefano Ciancio <[EMAIL PROTECTED]>
Organization:   Italia On Line
To: Shannon Eric Peevey <[EMAIL PROTECTED]>, Leo Lapworth <[EMAIL PROTECTED]>


Hi Leo,
Hi Shannon,
I am trying to develop a new module for NTLM very similar to AuthCookieNTLM.
The big difference is about the information store (user, domain, etc.). I want
to store them on the server, instead of in the cookie, and give the user only a
cookie containing an md5 id.
For this I am using the modules Apache::Session and Apache::SessionManager.

Using AuthCookieNTLM module, the ntlm authentication is not
performed (and it is correct) if the user changes directory via web (obviously
the user is already authenticated).
On the contrary, with my module, the ntlm auth is performed when the user changes
dir.
Can you suggest some idea to fix my problem?

 Thanks,
   Stefano



AuthSessionNTLM.pm
Description: Binary data
