Require User Fails
Fri, 22 Sep 2006 15:49:21 GMT
Originally posted at novell.support.netware.webserver

Netware 6.5 sp5
Apache 2.0.59

My intention is to auto-generate an index page because no DirectoryIndex 
document exists. This works fine with Require valid-user but fails with 
Require user. The LDAP server is a different machine than the one 
running this instance of Apache. Any ideas?

==========================
LDAP Trace - Require valid-user
==========================
Tuesday, Sep 19, 2006
14:05:02 968CA480 LDAP: New TLS connection 0x6c5990e0 from 
209.180.189.68:19221, monitor = 0x28b, index = 14
14:05:02 9916E400 LDAP: Monitor 0x28b initiating TLS handshake on 
connection 0x6c5990e0
14:05:02 9916F4C0 LDAP: DoTLSHandshake on connection 0x6c5990e0
14:05:02 9916F4C0 LDAP: Completed TLS handshake on connection 0x6c5990e0
14:05:02 9916F4C0 LDAP: DoBind on connection 0x6c5990e0
14:05:02 9916F4C0 LDAP: Treating simple bind with empty DN and no 
password as anonymous
14:05:02 9916F4C0 LDAP: Bind name:NULL, version:3, authentication:simple
14:05:02 9916F4C0 LDAP: Sending operation result 0:"":"" to connection 0x6c5990e0
14:05:02 9916F4C0 LDAP: DoUnbind on connection 0x6c5990e0
14:05:02 9916F4C0 LDAP: Connection 0x6c5990e0 closed
14:05:03 968CA480 LDAP: New cleartext connection 0x6c5990e0 from 
209.180.189.67:3573, monitor = 0x28b, index = 14
14:05:03 9916F4C0 LDAP: DoBind on connection 0x6c5990e0
14:05:03 9916F4C0 LDAP: Treating simple bind with empty DN and no 
password as anonymous
14:05:03 9916F4C0 LDAP: Bind name:NULL, version:3, authentication:simple
14:05:03 9916F4C0 LDAP: Sending operation result 0:"":"" to connection 0x6c5990e0
14:05:03 9916F4C0 LDAP: DoSearch on connection 0x6c5990e0
14:05:03 9916F4C0 LDAP: Search request:
    base: "O=TREE"
    scope:2 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
    filter: "(&(objectclass=*)(uid=howardw))"
    attribute: "uid"
14:05:03 9916F4C0 LDAP: Sending search result entry 
"cn=howardw,ou=DEV,ou=CITY,ou=ST,o=TREE" to connection 0x6c5990e0
14:05:03 9916F4C0 LDAP: Sending operation result 0:"":"" to connection 0x6c5990e0
==========================
with bad password
==========================
14:05:03 9916F4C0 LDAP: DoBind on connection 0x6c5990e0
14:05:03 9916F4C0 LDAP: Bind 
name:cn=howardw,ou=DEV,ou=CITY,ou=ST,o=TREE, version:3, 
authentication:simple
14:05:06 9916F4C0 LDAP: Failed to authenticate local on connection 
0x6c5990e0, err = failed authentication (-669)
14:05:06 9916F4C0 LDAP: Sending operation result 49:"":"NDS error: failed authentication (-669)" to connection 0x6c5990e0
14:05:06 9916F4C0 LDAP: DoUnbind on connection 0x6c5990e0
14:05:06 9916F4C0 LDAP: Connection 0x6c5990e0 closed
[Tue Sep 19 14:05:06 2006] [warn] [client 192.168.1.84] [51] auth_ldap 
authenticate: user howardw authentication failed; URI /Sdrive/ 
[ldap_simple_bind_s() to check user credentials failed][Invalid credentials]

==========================
LDAP Trace - Require user
==========================
Tuesday, Sep 19, 2006
14:20:24 968CA480 LDAP: New TLS connection 0x6c5991c0 from 
209.180.189.68:19603, monitor = 0x28b, index = 15
14:20:24 9916E400 LDAP: Monitor 0x28b initiating TLS handshake on 
connection 0x6c5991c0
14:20:24 9916F4C0 LDAP: DoTLSHandshake on connection 0x6c5991c0
14:20:24 9916F4C0 LDAP: Completed TLS handshake on connection 0x6c5991c0
14:20:24 9916F4C0 LDAP: DoBind on connection 0x6c5991c0
14:20:24 9916F4C0 LDAP: Treating simple bind with empty DN and no 
password as anonymous
14:20:24 9916F4C0 LDAP: Bind name:NULL, version:3, authentication:simple
14:20:24 9916F4C0 LDAP: Sending operation result 0:"":"" to connection 0x6c5991c0
14:20:24 9916F4C0 LDAP: DoUnbind on connection 0x6c5991c0
14:20:24 9916F4C0 LDAP: Connection 0x6c5991c0 closed
[Tue Sep 19 14:20:24 2006] [error] [client 192.168.1.84] access to 
/Sdrive/ failed, reason: user cn=howardw,ou=DEV,ou=CITY,ou=ST,o=TREE not 
allowed access
==========================
with bad password
==========================
14:24:14 9916F4C0 LDAP: Connection 0x6c5991c0 closed
14:25:00 9916F4C0 LDAP: DoBind on connection 0x6c5990e0
14:25:00 9916F4C0 LDAP: Treating simple bind with empty DN and no 
password as anonymous
14:25:00 9916F4C0 LDAP: Bind name:NULL, version:3, authentication:simple
14:25:00 9916F4C0 LDAP: Sending operation result 0:"":"" to connection 0x6c5990e0
14:25:00 9916F4C0 LDAP: DoSearch on connection 0x6c5990e0
14:25:00 9916F4C0 LDAP: Search request:
    base: "O=TREE"
    scope:2 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
    filter: "(&(objectclass=*)(uid=howardw))"
    attribute: "uid"
14:25:00 9916F4C0 LDAP: Sending search result entry 
"cn=howardw,ou=DEV,ou=CITY,ou=ST,o=TREE" to connection 0x6c5990e0
14:25:00 9916F4C0 LDAP: Sending operation result 0:"":"" to connection 0x6c5990e0
14:25:00 9916F4C0 LDAP: DoBind on connection 0x6c5990e0
14:25:00 9916F4C0 LDAP: Bind 
name:cn=howardw,ou=DEV,ou=CITY,ou=ST,o=TREE, version:3, 
authentication:simple
14:25:03 9916F4C0 LDAP: Failed to authenticate local on connection 
0x6c5990e0, err = failed authentication (-669)
14:25:03 9916F4C0 LDAP: Sending operation result 49:"":"NDS error: failed authentication (-669)" to connection 0x6c5990e0
14:25:03 9916F4C0 LDAP: DoUnbind on connection 0x6c5990e0
14:25:03 9916F4C0 LDAP: Connection 0x6c5990e0 closed
[Tue Sep 19 14:25:03 2006] [warn] [client 192.168.1.84] [22] auth_ldap 
authenticate: user howardw authentication failed; URI /Sdrive/ 
[ldap_simple_bind_s() to check user credentials failed][Invalid credentials]

==========================
Apache httpd.conf
==========================
DocumentRoot "VOL1:/COMMON"

<Directory "VOL1:/COMMON">
     Options FollowSymLinks
     AllowOverride None
     Order allow,deny
     Deny from all
</Directory>

Alias /Sdrive "VOL1:/COMMON/FILES"
     <Directory VOL1:/COMMON/FILES>
         AllowOverride None
         Options FollowSymLinks Indexes
         Order Deny,Allow
         Allow From All
         AuthType Basic
         AuthName "S-Drive"
         # you can use unencrypted communication if the LDAP server runs on the same machine.
         # if you have to access a remote LDAP server it is recommended to use SSL.
         AuthLDAPURL "ldap://LDAPserver:389/O=TREE?uid"
         AuthLDAPRemoteUserIsDN On
##        require valid-user (works)
         require user howardw (fails)
     </Directory>
Re: Require User Fails
Mon, 25 Sep 2006 15:12:44 GMT
   Set the loglevel to debug and check your error_log.  It is likely that
since you set AuthLDAPRemoteUserIsDN to ON, the user name that you specify
in Require User must be a fully distinguished name.  You can either turn
AuthLDAPRemoteUserIsDN OFF or use the FDN in the Require User directive.

Brad

Re: Require User Fails
Mon, 25 Sep 2006 19:55:06 GMT
Hi Brad,
Thought I'd already hacked every combination.

Notes:
    1) AuthLDAPRemoteUserIsDN should be off by default, but rem'ing it 
out was not sufficient. It needed to be explicitly set to OFF.
    2) It's interesting that AuthLDAPRemoteUserIsDN On works with 
require valid-user, but not require user userName.
    3) I expected  AuthLDAPRemoteUserIsDN to only affect the REMOTE_USER 
environment variable as it is used to display userName in the Apache log 
files and as it is returned by request.getRemoteUser().
    4) Using FDN with 'require user' did not work with 
AuthLDAPRemoteUserIsDN On.
    5) The only additional info from debug: [Mon Sep 25 11:10:04 2006] 
[debug] mod_auth_ldap.c(411): [client 192.168.1.84] [15] auth_ldap 
authenticate: accepting cn=howardw,ou=DEV,ou=CITY,ou=ST,o=TREE

With loglevel set to debug I did see some DN errors with require group, 
but that's another experiment.

Thanks.
Howard

Re: Require User Fails
Wed, 27 Sep 2006 14:30:37 GMT
  Just as an FYI, see my inline comments:

Brad

>>> On 9/25/2006 at 1:55 PM, in message
<uuWRg.450$0h7.17@prv-forum2.provo.novell.com>, Howard
Watson<howardw@esgw.org> wrote:
> Hi Brad,
> Thought I'd already hacked every combination.
> 
> Notes:
>     1) AuthLDAPRemoteUserIsDN should be off by default, but rem'ing it 
> out was not sufficient. It needed to be explicitly set to OFF.

According to the source code, AuthLDAPRemoteUserIsDN is OFF by default.  But
this may depend on inheritance.  If it has been set to ON in a parent
directory, then any subdirectory will inherit that setting.

>     2) It's interesting that AuthLDAPRemoteUserIsDN On works with 
> require valid-user, but not require user userName.

This is because require valid-user does not do any kind of authorization
check.  All it cares about is that the authentication was successful which
in this case it was.  Require user actually does authorization.  In other
words, it makes sure that the authenticated user is also authorized to
access the directory.

>     3) I expected  AuthLDAPRemoteUserIsDN to only affect the REMOTE_USER 
> environment variable as it is used to display userName in the Apache log 
> files and as it is returned by request.getRemoteUser().

Yep, me too.  But when I looked at the code, this wasn't the case.  If
AuthLDAPRemoteUserIsDN is set to ON, the full DN is copied to r->user which
is the main reference point within the request_rec.  Subsequent operations
involving the user name would be done against r->user.

>     4) Using FDN with 'require user' did not work with 
> AuthLDAPRemoteUserIsDN On.

This can be tricky which is why I suggested that you set loglevel to DEBUG. 
As noted in #5 below, the user name that you specify in require user should
match exactly the user name that is shown in the error_log.


>     5) The only additional info from debug: [Mon Sep 25 11:10:04 2006] 
> [debug] mod_auth_ldap.c(411): [client 192.168.1.84] [15] auth_ldap 
> authenticate: accepting cn=howardw,ou=DEV,ou=CITY,ou=ST,o=TREE

The full DN shown here should be used in the Require user statement.


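The configuration side of this, as an added example that is not part of the thread and not either poster's code. It restates the posted /Sdrive block with the setting Howard reports working (AuthLDAPRemoteUserIsDN Off with Require user howardw) and adds the checks a practitioner would want. Two points go beyond the posts. First, in Apache 2.0 mod_auth_ldap a Require user token is documented as being checked by an LDAP compare of the AuthLDAPURL attribute (uid here) against the user's entry, not by a string comparison with r->user, and mod_auth_ldap logs its own refusals as "auth_ldap authorise" lines; the denial in the posted error_log, "access to /Sdrive/ failed, reason: user ... not allowed access", is the wording of the file-based mod_auth module, which does string-compare Require user tokens with r->user and is authoritative by default. So if REMOTE_USER must carry the DN, the thing to establish at LogLevel debug is which module is refusing, and AuthAuthoritative Off takes mod_auth out of the decision. Second, the posted trace shows the user's simple bind (DN plus password) on a "cleartext connection" to the remote directory, which the config's own comment warns against, so the example uses ldaps:// with the Apache 2.0 mod_ldap directives LDAPTrustedCA and LDAPTrustedCAType; the CA file path and type are assumptions.

```apache
# Added example; not configuration from either poster. Names from the
# thread (VOL1:/COMMON/FILES, LDAPserver, o=TREE, howardw) are reused;
# the CA certificate path and type are assumptions for the example.

LogLevel debug

# Apache 2.0 mod_ldap: the CA that signed the eDirectory server's
# certificate, so the ldaps:// URL below can be verified (assumed).
LDAPTrustedCA     "VOL1:/ETC/ldap-root-ca.der"
LDAPTrustedCAType DER_FILE

Alias /Sdrive "VOL1:/COMMON/FILES"
<Directory "VOL1:/COMMON/FILES">
    AllowOverride None
    Options FollowSymLinks Indexes
    Order Deny,Allow
    Allow from all

    AuthType Basic
    AuthName "S-Drive"

    # The posted trace shows the password bind on a "cleartext connection"
    # to a remote server; ldaps:// keeps the credential off the wire.
    # Base, attribute and the default sub scope are as posted.
    AuthLDAPURL "ldaps://LDAPserver:636/o=TREE?uid"

    # What Howard reports working: REMOTE_USER stays the short uid, so the
    # Require token and r->user agree. Set it explicitly rather than
    # commenting it out, in case a parent context turned it on.
    AuthLDAPRemoteUserIsDN Off
    Require user howardw

    # To keep the DN in REMOTE_USER instead, keep "Require user howardw":
    # mod_auth_ldap decides it by an LDAP compare of the URL attribute
    # (uid=howardw) against the entry, not by string-comparing r->user.
    # The posted denial text is the file-based mod_auth's, which does
    # string-compare Require tokens with r->user and is authoritative by
    # default, so remove it from the decision:
    #AuthLDAPRemoteUserIsDN On
    #Require user howardw
    #AuthAuthoritative Off
    #AuthLDAPAuthoritative On
</Directory>
```

With LogLevel debug, a request that passes authentication logs "auth_ldap authenticate: accepting <name>", where <name> is whatever ended up in r->user; the lines that follow tell you who answered the authorization phase. If the refusal still reads "access to ... failed, reason: user ... not allowed access" rather than an "auth_ldap authorise" message, mod_auth, not mod_auth_ldap, made the decision.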
Re: Require User Fails
Wed, 27 Sep 2006 17:41:22 GMT
Brad Nicholes wrote:
>   Just as an FYI, see my inline comments:
> 
> Brad
> 
> 

Hi Brad, I won't spend time beating this up, because I would need to 
reset the server to convince myself of each experiment, but your comment 
on note 2 surprised me.

Thanks again.

> >>> On 9/25/2006 at 1:55 PM, in message
> <uuWRg.450$0h7.17@prv-forum2.provo.novell.com>, Howard
> Watson<howardw@esgw.org> wrote:
> 
>>Hi Brad,
>>Thought I'd already hacked every combination.
>>
>>Notes:
>>    1) AuthLDAPRemoteUserIsDN should be off by default, but rem'ing it 
>>out was not sufficient. It needed to be explicitly set to OFF.
> 
> According to the source code, AuthLDAPRemoteUserIsDN is OFF by default. But
> this may depend on inheritance.  If it has been set to ON in a parent
> directory, then any subdirectory will inherit that setting.
> 

The entire directory config is shown below.

>>    2) It's interesting that AuthLDAPRemoteUserIsDN On works with 
>>require valid-user, but not require user userName.
> 
> 
> This is because require valid-user does not do any kind of authorization
> check.  All it cares about is that the authentication was successful which
> in this case it was.  Require user actually does authorization.  In other
> words, it makes sure that the authenticated user is also authorized to
> access the directory.
> 
> 

I thought authorization was the domain of mod_edir. And without it file 
access is controlled through Apache config. I'll experiment with this.

>>    3) I expected  AuthLDAPRemoteUserIsDN to only affect the REMOTE_USER
>> environment variable as it is used to display userName in the Apache log
>> files and as it is returned by request.getRemoteUser().
> 
> Yep, me too.  But when I looked at the code, this wasn't the case.  If
> AuthLDAPRemoteUserIsDN is set to ON, the full DN is copied to r->user which
> is the main reference point within the request_rec.  Subsequent operations
> involving the user name would be done against r->user.
> 
>>    4) Using FDN with 'require user' did not work with 
>>AuthLDAPRemoteUserIsDN On.
> 
> 
> This can be tricky which is why I suggested that you set loglevel to DEBUG.
> As noted in #5 below, the user name that you specify in require user should
> match exactly the user name that is shown in the error_log.
> 
>>    5) The only additional info from debug: [Mon Sep 25 11:10:04 2006] 
>>[debug] mod_auth_ldap.c(411): [client 192.168.1.84] [15] auth_ldap 
>>authenticate: accepting cn=howardw,ou=DEV,ou=CITY,ou=ST,o=TREE
> 
> 
> The full DN shown here should be used in the Require user statement.
> 
>

I'm pretty sure I got it right, because the Apache errors were the same:
[error] [client 192.168.1.84] access to /Sdrive/ failed, reason: user 
cn=howardw,ou=DEV,ou=CITY,ou=ST,o=TREE not allowed access

Otherwise the Apache and LDAP errors would have been [User not found][No such object].

( Page 1 of 2 )