LDAP issues aside, is DAV working ok?
Yes, DAV is working fine as long as I use file based auth.
I have to admit that my ldap knowledge is nowhere near sufficient
but it'll take me some time to read the books I've ordered. No FAQ
or online HOWTO or mailing-list archive I've read over the last
5 days seems to be of any help.
Try this one:
http://wiki.apache.org/httpd/UseLDAPToPasswordProtectAFolder
Okay, I implemented it as described in the Wiki :
<Directory "/var/www/localhost/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
AuthType Basic
AuthName LDAP_Auth_Test
AuthBasicProvider ldap
AuthzLDAPAuthoritative OFF
AuthLDAPBindDN "cn=Manager,dc=domain,dc=org"
AuthLDAPBindPassword "mysecretpassword"
AuthLDAPURL
ldap://localhost/ou=DAV,dc=global,dc=domain,dc=org?cn?sub
#AuthLDAPURL
ldap://localhost/ou=DAV,dc=global,dc=domain,dc=org?cn?sub?(objectClass=person)
Require valid-user
</Directory>
No DAV, nothing else, just vanilla config, no other virtual hosts.
I have tested both AuthLDAPURL strings, because when I ldapsearch on the
console without (objectClass=person)
I get 2 results due to the ou=DAV. I think having more than one result
for a given authentication
should confuse authnz_ldap. Nevertheless, same thing here. No login
possible.
I've also tested a non-existent username to be sure the LDAP query goes
through.
[Tue Jul 10 16:59:45 2007] [warn] [client 10.20.1.2] [20776] auth_ldap
authenticate: user U000001 authentication failed; URI /
[ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Tue Jul 10 16:59:45 2007] [error] [client 10.20.1.2] user U000001:
authentication failure for "/": Password Mismatch
[Tue Jul 10 16:59:52 2007] [warn] [client 10.20.1.2] [20777] auth_ldap
authenticate: user U0001 authentication failed; URI / [User not
found][No such object]
[Tue Jul 10 16:59:52 2007] [error] [client 10.20.1.2] user U0001 not
found: /
So my guess is that the password algorithms don't match. After
tcpdumping the LDAP
communication inbetween apache and LDAP I it seems that the password itself
is transfered as cleartext password (in this case "test")
0000 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ........ ......E.
0010 00 72 47 63 40 00 40 06 f5 20 7f 00 00 01 7f 00 [EMAIL PROTECTED]@. .
......
0020 00 01 b0 2e 01 85 c4 42 84 a5 c3 b4 15 50 80 18 .......B .....P..
0030 20 00 fe 66 00 00 01 01 08 0a a5 18 c3 5f a5 18 ..f.... ....._..
0040 c3 5c 30 3c 02 01 03 60 37 02 01 03 04 2c 63 6e .\0<...` 7....,cn
0050 3d 55 30 30 30 30 30 31 2c 6f 75 3d 44 41 56 2c =U000001 ,ou=DAV,
0060 64 63 3d 67 6c 6f 62 61 6c 2c 64 63 3d 72 61 64 dc=globa l,dc=dom
0070 69 6f 6e 2c 64 63 3d 6f 72 67 80 04 74 65 73 74 ain,dc=o rg..test
So, LDAP seems to be getting the password in cleartext, but how does the
matching work?
SHA password didn't work, cleartext didn't either.
After setting up an openldap server and creating a basic
testing structure I tried to get apache to authenticate
the DAV location via mod_authz_ldap.
This is what I have got so far :
### httpd.conf ###
Alias /U000001 "/var/www/webdav/U000001"
<Directory "/var/www/webdav/U000001">
Dav On
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
The above line isn't necessary as you're not using Digest auth (and
can't, mod_authnz_ldap doesn't work with Digest in the current
version).
Alright, I thought so too, but as I am stuck I tried any possible switch
no matter how irrelevant or stupid it may seemed ;)
DavMinTimeout 6000
<Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK
UNLOCK>
This is a mistake. DAV uses more methods than this and in any case I
don't see why you'd care which ones are authenticated. Just remove
<Limit> altogether. If you did want to apply authentication only to
the DAV methods, a better solution would be:
<LimitExcept GET POST HEAD OPTIONS>
Well, I have this line out a DAV HOWTO. For the sake of clarification:
I don't want anybody doing ANYTHING to the folder EXCEPT
the authenticated user the share belongs to (U000001 in this case).
How do I put this in httpd.conf lang ?
Here's my first question:
How is the password to be stored in LDAP ? Plain ? SHA ?
There are several methods and AFAIK the encryption type becomes part
of the stored password, so you end up with something like
"MD5:xxxxx...". That could be your issue.
I couldn't find any documentation regarding this as most people's
questions I've found in mailing-lists or archives use Active
Directory instead of OpenLDAP.
From my point of view the Basic authentication does the following :
auth_string = base64_encode ("U000001:test");
where "U000001" is the submitted username and "test" the password.
After tcpdumping all traffic the browser submitted "VTAwMDAwMTp0ZXN0"
which I think is the correct base64 encoding for "U000001:test".
It is.
If OpenLDAP can store userpasswords in different hashes how does the
authnz_ldap know which one to use ? I obviously still don't get it.
I tried changing my U000001 userpassword to userpassword: {CRYPT}test
as I thought this was the closest to MD5 but still no luck.
Now what ? *sigh
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
