Re: [users@httpd] mod_auth_ldap mod_auth_mysql on OS-X

Fri, 03 Feb 2006 09:26:49 -0800 

Greetings!
I've managed to completely isolate the multiple authentication "symptoms" I'm having. To recap, I'd like to authenticate users against an LDAP server with a fail through to a MySQL server. Realms which require only LDAP or only MySQL authentication behave correctly. However, a realm which requires authentication against both LDAP followed by MySQL is problematic in that when a user exists in LDAP [with password 'x'] AND the SAME user exists in MySQL [with password 'y'] AND the user submits the MySQL password [password 'y'] LDAP refuses to "decline" authentication to mod_auth_mysql. See error below: 


[Fri Feb 03 10:45:52 2006] [debug] mod_auth_ldap.c(337): [client 
129.xxx.xx.xx] [20821] auth_ldap authenticate: using URL 
ldap://sun.xxxxx.xx.edu/ou=people,dc=xxxxx,dc=xx,dc=edu
[Fri Feb 03 10:45:52 2006] [warn] [client 129.xxx.xx.xx] [20821] 
auth_ldap authenticate: user jones authentication failed; URI 
/ldap_mysql/ [ldap_simple_bind_s() to check user credentials 
failed][Invalid credentials]



The authentication dialog keeps reappearing as LDAP can't authenticate 
and refuses to "decline" authorization.



When a user is in either LDAP or MySQL [but NOT both] and submits their 
name using their MySQL password, mod_auth_ladp correctly "declines" 
authentication to mod_auth_mysql. Likewise, when a user who is in either 
LDAP or MySQL [NOT both] submits their name using their LDAP password, 
LDAP correctly authenticates.


# ################################################
<Directory /usr/local/apache2/htdocs/mysql>
   Options FollowSymLinks
   AuthType Basic
   AuthName "MySQL protected"
 #mod_auth_mysql
   AuthMySQLEnable On
   AuthMySQLHost gentoo.xxxxx.xx.edu
   AuthMySQLUser httpd
   AuthMySQLPassword xxxxxxxx
   AuthMySQLDB http_auth
   AuthMysqlUserTable mysql_auth
   AuthMySQLNameField username
   AuthMySQLPasswordField passwd

   AuthMySQLPwEncryption crypt   
   AuthMysqlGroupTable mysql_groups

   AuthMySQLGroupField groups
   require group administration
</Directory>
# ################################################
<Directory /usr/local/apache2/htdocs/ldap>
  Options FollowSymLinks
  AuthType Basic
  AuthName "ldap secured"
#mod_auth_ldap
  AuthLDAPURL ldap://sun.xxxxx.xx.xxx:389/ou=people,dc=xxxxx,dc=xx,dc=edu
  require valid-user
</Directory>
# ################################################
<Directory /usr/local/apache2/htdocs/ldap_mysql>
   Options FollowSymLinks
   AuthType Basic
   AuthName "LDAP then MySQL secured"
#mod_auth_ldap
   AuthLDAPURL ldap://sun.xxx.xx.xxx:389/ou=people,dc=xxxxx,dc=xx,dc=edu
   AuthLDAPAuthoritative Off
   require valid-user
 #mod_auth_mysql
   AuthMySQLHost gentoo.xxxxx.xx.edu
   AuthMySQLUser httpd
   AuthMySQLPassword xxxxxxxx
   AuthMySQLDB http_auth
   AuthMysqlUserTable mysql_auth
   AuthMysqlGroupTable mysql_groups
   AuthMySQLGroupField groups
   AuthMySQLNameField username
   AuthMySQLPasswordField passwd

   AuthMySQLPwEncryption crypt   
   require group administration

</Directory>
# ################################################

System stats
------------
OS=OS-X [10.3.9]
Apache = 2.0.55
mod_auth_ldap, mod_ldap = [apache's own module]
mod_auth_mysql = 3.0 [sourceforge]

Using these modules
-------------------
LoadModule access_module modules/mod_access.so

LoadModule auth_module modules/mod_auth.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so

LoadModule mysql_auth_module  modules/mod_auth_mysql.so

LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
#LoadModule info_module modules/mod_info.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule imap_module modules/mod_imap.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so

LoadModule php5_module        modules/libphp5.so



Please let me know if you have any thoughts on how to debug this 
problem. I've already rebuilt Apache and mod_auth_mysql from fresh 
downloads to make sure the installation is clean.


regards,
-bill



William Paredes wrote:


Just before going "live" I noticed that mod_auth_mysql and 
mod_auth_ldap do not "fail through" properly when protecting the same 
realm.





---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]























					Reply via email to