Greetings!
I've managed to completely isolate the multiple authentication
"symptoms" I'm having. To recap, I'd like to authenticate users against
an LDAP server with a fail through to a MySQL server. Realms which
require only LDAP or only MySQL authentication behave correctly.
However, a realm which requires authentication against both LDAP
followed by MySQL is problematic in that when a user exists in LDAP
[with password 'x'] AND the SAME user exists in MySQL [with password
'y'] AND the user submits the MySQL password [password 'y'] LDAP refuses
to "decline" authentication to mod_auth_mysql. See error below:
[Fri Feb 03 10:45:52 2006] [debug] mod_auth_ldap.c(337): [client
129.xxx.xx.xx] [20821] auth_ldap authenticate: using URL
ldap://sun.xxxxx.xx.edu/ou=people,dc=xxxxx,dc=xx,dc=edu
[Fri Feb 03 10:45:52 2006] [warn] [client 129.xxx.xx.xx] [20821]
auth_ldap authenticate: user jones authentication failed; URI
/ldap_mysql/ [ldap_simple_bind_s() to check user credentials
failed][Invalid credentials]
The authentication dialog keeps reappearing as LDAP can't authenticate
and refuses to "decline" authorization.
When a user is in either LDAP or MySQL [but NOT both] and submits their
name using their MySQL password, mod_auth_ladp correctly "declines"
authentication to mod_auth_mysql. Likewise, when a user who is in either
LDAP or MySQL [NOT both] submits their name using their LDAP password,
LDAP correctly authenticates.
# ################################################
<Directory /usr/local/apache2/htdocs/mysql>
Options FollowSymLinks
AuthType Basic
AuthName "MySQL protected"
#mod_auth_mysql
AuthMySQLEnable On
AuthMySQLHost gentoo.xxxxx.xx.edu
AuthMySQLUser httpd
AuthMySQLPassword xxxxxxxx
AuthMySQLDB http_auth
AuthMysqlUserTable mysql_auth
AuthMySQLNameField username
AuthMySQLPasswordField passwd
AuthMySQLPwEncryption crypt
AuthMysqlGroupTable mysql_groups
AuthMySQLGroupField groups
require group administration
</Directory>
# ################################################
<Directory /usr/local/apache2/htdocs/ldap>
Options FollowSymLinks
AuthType Basic
AuthName "ldap secured"
#mod_auth_ldap
AuthLDAPURL ldap://sun.xxxxx.xx.xxx:389/ou=people,dc=xxxxx,dc=xx,dc=edu
require valid-user
</Directory>
# ################################################
<Directory /usr/local/apache2/htdocs/ldap_mysql>
Options FollowSymLinks
AuthType Basic
AuthName "LDAP then MySQL secured"
#mod_auth_ldap
AuthLDAPURL ldap://sun.xxx.xx.xxx:389/ou=people,dc=xxxxx,dc=xx,dc=edu
AuthLDAPAuthoritative Off
require valid-user
#mod_auth_mysql
AuthMySQLHost gentoo.xxxxx.xx.edu
AuthMySQLUser httpd
AuthMySQLPassword xxxxxxxx
AuthMySQLDB http_auth
AuthMysqlUserTable mysql_auth
AuthMysqlGroupTable mysql_groups
AuthMySQLGroupField groups
AuthMySQLNameField username
AuthMySQLPasswordField passwd
AuthMySQLPwEncryption crypt
require group administration
</Directory>
# ################################################
System stats
------------
OS=OS-X [10.3.9]
Apache = 2.0.55
mod_auth_ldap, mod_ldap = [apache's own module]
mod_auth_mysql = 3.0 [sourceforge]
Using these modules
-------------------
LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
LoadModule mysql_auth_module modules/mod_auth_mysql.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
#LoadModule info_module modules/mod_info.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule imap_module modules/mod_imap.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule php5_module modules/libphp5.so
Please let me know if you have any thoughts on how to debug this
problem. I've already rebuilt Apache and mod_auth_mysql from fresh
downloads to make sure the installation is clean.
regards,
-bill
William Paredes wrote:
Just before going "live" I noticed that mod_auth_mysql and
mod_auth_ldap do not "fail through" properly when protecting the same
realm.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]