
Mailing List Archive: Apache: Users

apache 2.2.4 and AD: authentication failed.

 

 



melanie_pfefer at yahoo

Oct 25, 2007, 12:33 PM

Post #1 of 12 (412 views)
Permalink
apache 2.2.4 and AD: authentication failed.

The browser returns Internal server error

The log file returns this error

[Thu Oct 25 21:21:36 2007] [debug] mod_authnz_ldap.c(376): [client 172.21.194.71] [14657] auth_ldap authenticate: using URL ldap://iceman/ou=users,dc=uk,dc=siroe,dc=com?sAMAccountName?
[Thu Oct 25 21:21:36 2007] [warn] [client 172.21.194.71] [14657] auth_ldap authenticate: user mpfefer authentication failed; URI / [ldap_search_ext_s() for user failed][Operations error]



AuthBasicProvider ldap
AuthLDAPUrl ldap://iceman/ou=users,dc=uk,dc=siroe,dc=com?sAMAccountName?
Require valid-user
AuthType Basic
AuthName "internal users"


could you please advise??

thanks



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe [at] httpd
" from the digest: users-digest-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd


covener at gmail

Oct 25, 2007, 1:03 PM

Post #2 of 12 (406 views)
Permalink
Re: apache 2.2.4 and AD: authentication failed. [In reply to]

On 10/25/07, Melanie Pfefer <melanie_pfefer [at] yahoo> wrote:
> The browser returns Internal server error
>
> The log file returns this error
>
> [Thu Oct 25 21:21:36 2007] [debug]
> mod_authnz_ldap.c(376): [client 172.21.194.71] [14657]
> auth_ldap authenticate: using URL
> ldap://iceman/ou=users,dc=uk,dc=siroe,dc=com?sAMAccountName?
> [Thu Oct 25 21:21:36 2007] [warn] [client
> 172.21.194.71] [14657] auth_ldap authenticate: user
> mpfefer authentication failed; URI /
> [ldap_search_ext_s() for user failed][Operations
> error]

Can't search for that userid anonymously? Might want to try anonymous
via command line to find mpfefer's DN.

--
Eric Covener
covener [at] gmail



melanie_pfefer at yahoo

Oct 25, 2007, 1:29 PM

Post #3 of 12 (401 views)
Permalink
Re: apache 2.2.4 and AD: authentication failed. [In reply to]

thanks Eric. No I need to bind to ldap:

ldapsearch -D "uk.siroe.com\mpfefer" -w password -h iceman -b "ou=users,dc=uk,dc=siroe,dc=com" objectclass=*


so I changed this:

AuthLDAPUrl ldap://iceman/ou=users,dc=uk,dc=siroe,dc=com?sub?
AuthLDAPBindDN "uk-siroe-com\mpfefer"
AuthLDAPBindPassword "password"


The logging changed:

[Thu Oct 25 22:25:29 2007] [warn] [client 172.21.194.71] [27608] auth_ldap authenticate: user mpfefer authentication failed; URI / [User not found][No such object]
[Thu Oct 25 22:25:29 2007] [error] [client 172.21.194.71] user mpfefer not found: /



melanie_pfefer at yahoo

Oct 26, 2007, 1:06 AM

Post #4 of 12 (397 views)
Permalink
Re: apache 2.2.4 and AD: authentication failed. [In reply to]

Hi again,

I changed the ldapurl and the logs changed to:

[Fri Oct 26 09:58:11 2007] [debug] mod_authnz_ldap.c(376): [client 172.21.194.71] [13900] auth_ldap authenticate: using URL ldap://iceman/ou=users,dc=uk,dc=siroe,dc=com?sAMAccountName?sub?
[Fri Oct 26 09:58:11 2007] [debug] mod_authnz_ldap.c(475): [client 172.21.194.71] [13900] auth_ldap authenticate: accepting mpfefer
[Fri Oct 26 09:58:11 2007] [debug] mod_authnz_ldap.c(847): [client 172.21.194.71] [13900] auth_ldap authorise: authorisation denied


So in sum: authentication is ok. authorization is
denied... What could be the cause??

thanks.


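Added example, not part of the thread: a Python triage script that separates the three failure signatures seen in the log excerpts of posts #1, #3 and #4 (search refused, user not found, authenticated but authorisation denied). The finding codes and hint texts are names chosen for this example; the input is the thread's own log lines with the e-mail wrapping left in.

```python
import re

# Log excerpts as posted in the thread, e-mail line wrapping included.
SAMPLE = """\
[Thu Oct 25 21:21:36 2007] [warn] [client
172.21.194.71] [14657] auth_ldap authenticate: user
mpfefer authentication failed; URI /
[ldap_search_ext_s() for user failed][Operations
error]
[Thu Oct 25 22:25:29 2007] [warn] [client
172.21.194.71] [27608] auth_ldap authenticate: user
mpfefer authentication failed; URI / [User not
found][No such object]
[Thu Oct 25 22:25:29 2007] [error] [client
172.21.194.71] user mpfefer not found: /
[Fri Oct 26 09:58:11 2007] [debug]
mod_authnz_ldap.c(376): [client 172.21.194.71] [13900]
auth_ldap authenticate: using URL
ldap://iceman/ou=users,dc=uk,dc=siroe,dc=com?sAMAccountName?sub?
[Fri Oct 26 09:58:11 2007] [debug]
mod_authnz_ldap.c(475): [client 172.21.194.71] [13900]
auth_ldap authenticate: accepting mpfefer
[Fri Oct 26 09:58:11 2007] [debug]
mod_authnz_ldap.c(847): [client 172.21.194.71] [13900]
auth_ldap authorise: authorisation denied
"""

RECORD_START = re.compile(r"^\[\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}\] \[\w+\]")
PID = re.compile(r"\[client [\d.]+\] \[(\d+)\]")
FAILED = re.compile(r"user (\S+) authentication failed; URI \S+ \[(.*?)\]\[(.*?)\]")
ACCEPT = re.compile(r"auth_ldap authenticate: accepting (\S+)")
DENIED = re.compile(r"auth_ldap authori[sz]e: authori[sz]ation denied")

# What each signature meant in this thread (example wording).
HINTS = {
    "SEARCH_REJECTED": "directory refused the search; the thread fixed this "
                       "by setting AuthLDAPBindDN / AuthLDAPBindPassword",
    "USER_NOT_FOUND": "search returned no entry; check base DN, attribute "
                      "and scope fields of AuthLDAPUrl",
    "AUTHN_FAILED_OTHER": "authentication failed for another reason",
    "AUTHZ_DENIED_AFTER_AUTH": "password was accepted but no Require was "
                               "satisfied; see AuthzLDAPAuthoritative",
    "AUTHZ_DENIED": "authorisation denied, no matching accept line seen",
}


def unwrap(text):
    """Re-join records that a mail client wrapped across several lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def triage(text):
    """Return a list of (code, user, pid, ldap_error) findings."""
    findings = []
    accepted = {}  # pid -> user whose password check succeeded
    for rec in unwrap(text):
        m = PID.search(rec)
        pid = m.group(1) if m else None
        failed = FAILED.search(rec)
        if failed:
            user, reason, ldap_error = failed.groups()
            if "ldap_search_ext_s" in reason:
                code = "SEARCH_REJECTED"
            elif reason == "User not found":
                code = "USER_NOT_FOUND"
            else:
                code = "AUTHN_FAILED_OTHER"
            findings.append((code, user, pid, ldap_error))
        elif ACCEPT.search(rec):
            accepted[pid] = ACCEPT.search(rec).group(1)
        elif DENIED.search(rec):
            # Correlate with the accept line of the same child process.
            user = accepted.pop(pid, None)
            code = "AUTHZ_DENIED_AFTER_AUTH" if user else "AUTHZ_DENIED"
            findings.append((code, user, pid, None))
    return findings


if __name__ == "__main__":
    for code, user, pid, ldap_error in triage(SAMPLE):
        print(f"pid={pid} user={user} {code} ({ldap_error}): {HINTS[code]}")
```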

dstusynski at ptc

Oct 26, 2007, 6:21 AM

Post #5 of 12 (396 views)
Permalink
RE: apache 2.2.4 and AD: authentication failed. [In reply to]

Looks like you can't access the resource.

See: http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html

The Authorization Phase
During the authorization phase, mod_authnz_ldap attempts to determine if
the user is authorized to access the resource. Many of these checks
require mod_authnz_ldap to do a compare operation on the LDAP server.
This is why this phase is often referred to as the compare phase.
mod_authnz_ldap accepts the following Require directives to determine if
the credentials are acceptable:

Dan Stusynski



covener at gmail

Oct 26, 2007, 6:54 AM

Post #6 of 12 (400 views)
Permalink
Re: apache 2.2.4 and AD: authentication failed. [In reply to]

On 10/26/07, Stusynski, Dan <dstusynski [at] ptc> wrote:
> Looks like you can't access the resource.

authnz_ldap + require valid-user doesn't work as expected in 2.2.4,
try AuthZLDAPAuthoritative off

--
Eric Covener
covener [at] gmail



melanie_pfefer at yahoo

Oct 26, 2007, 9:00 AM

Post #7 of 12 (395 views)
Permalink
Re: apache 2.2.4 and AD: authentication failed. [In reply to]

I tried AuthZLDAPAuthoritative off and indeed it
worked...now...what is the impact of disabling
AuthZLDAPAuthoritative??


thanks bunches...


tomhart at coopfed

Oct 26, 2007, 9:03 AM

Post #8 of 12 (394 views)
Permalink
Re: apache 2.2.4 and AD: authentication failed. [In reply to]

authzldapauthoritative sets it such that ldap is the only authentication
that can be used. However valid-user is not seen as an ldap
authentication (try ldap-user, etc.), so it needs to be able to fall
back on "basic authentication" even though it is using the ldap setup to
validate.

Basically it's ldap, but apache thinks it's basic. I think that's what
happens anyway.



covener at gmail

Oct 26, 2007, 9:05 AM

Post #9 of 12 (397 views)
Permalink
Re: apache 2.2.4 and AD: authentication failed. [In reply to]

On 10/26/07, Melanie Pfefer <melanie_pfefer [at] yahoo> wrote:
> I tried AuthZLDAPAuthoritative off and indeed it
> worked...now...what is the impact of disabling
> AuthZLDAPAuthoritative??

Probably no harm, either some other module down the line will be able
to understand at least 1 'require' (in your case, that next module is
mod_authz_user) or ultimately mod_authz_default will fail
authorization.


--
Eric Covener
covener [at] gmail



melanie_pfefer at yahoo

Oct 26, 2007, 9:19 AM

Post #10 of 12 (397 views)
Permalink
Re: apache 2.2.4 and AD: authentication failed. [In reply to]

ldap-user is not viable...I will have to add all users
by hand... Any other alternative?

also, AuthLDAPBindPassword is written in clear text in
the file...Any other alternative?

Many thanks!



tomhart at coopfed

Oct 26, 2007, 10:30 AM

Post #11 of 12 (395 views)
Permalink
Re: apache 2.2.4 and AD: authentication failed. [In reply to]

I'm not sure that you really need an alternative. Using the setup you
have now should work fine, with authoritative off, and using valid-user.
I have that same exact setup running on our corporate intranet, and it's
been working fine.

Also, I do not know of an alternative for having the password in clear
text in the file. What I did was create a new AD user (apache_validate
or something along those lines) that is used only for this purpose. The
user has almost no access rights, except that they can login and query
AD. This is what I would recommend, as well as running apache under a
separate user account if you're not doing this already.


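Added example, not part of the thread and not Apache's own tooling: a Python check of an httpd 2.2 auth block for the points raised in posts #6 to #11 (`Require valid-user` with `AuthzLDAPAuthoritative` left on, a bind password sitting in a world-readable file, and a bind account that is not the dedicated one). The finding names, the helper functions and the `uk-siroe-com\apache_validate` account name are assumptions for illustration, and the file is treated as one flat auth block.

```python
import os
import re
import stat
import tempfile

DIRECTIVE = re.compile(r"^\s*([A-Za-z]\w*)\s+(.*?)\s*$")

# Configuration as it stood in the thread before the fix (post #4).
BEFORE = r"""
AuthType Basic
AuthName "internal users"
AuthBasicProvider ldap
AuthLDAPUrl ldap://iceman/ou=users,dc=uk,dc=siroe,dc=com?sAMAccountName?sub?
AuthLDAPBindDN "uk-siroe-com\mpfefer"
AuthLDAPBindPassword "password"
Require valid-user
"""

# What the thread settles on; the bind account name is constructed.
AFTER = r"""
AuthType Basic
AuthName "internal users"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPUrl ldap://iceman/ou=users,dc=uk,dc=siroe,dc=com?sAMAccountName?sub?
AuthLDAPBindDN "uk-siroe-com\apache_validate"
AuthLDAPBindPassword "REPLACE_ME"
Require valid-user
"""

DEDICATED = {r"uk-siroe-com\apache_validate"}  # constructed allow-list


def parse_directives(text):
    """Return {lowercased directive name: [values]}; comments are skipped."""
    found = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if m:
            found.setdefault(m.group(1).lower(), []).append(m.group(2).strip('"'))
    return found


def audit(path, dedicated_bind_dns):
    """Return a list of finding names for the config file at path."""
    with open(path, encoding="utf-8") as fh:
        d = parse_directives(fh.read())
    findings = []
    if "authldapbindpassword" in d:
        # The password is in the file, so the file mode is what protects it.
        if stat.S_IMODE(os.stat(path).st_mode) & stat.S_IROTH:
            findings.append("PASSWORD_FILE_WORLD_READABLE")
        bind_dn = d.get("authldapbinddn", [""])[-1].lower()
        if bind_dn not in {dn.lower() for dn in dedicated_bind_dns}:
            findings.append("BIND_DN_NOT_DEDICATED")
    uses_ldap = "ldap" in " ".join(d.get("authbasicprovider", [])).lower().split()
    # AuthzLDAPAuthoritative defaults to on when the directive is absent.
    authoritative = d.get("authzldapauthoritative", ["on"])[-1].lower() != "off"
    requires = [r.lower() for r in d.get("require", [])]
    only_generic = requires and not any(r.startswith("ldap-") for r in requires)
    if uses_ldap and authoritative and only_generic and "valid-user" in requires:
        findings.append("VALID_USER_WITH_LDAP_AUTHORITATIVE")
    return findings


def audit_text(text, mode, dedicated_bind_dns):
    """Write text to a temp file with the given mode, audit it, clean up."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)
        return audit(path, dedicated_bind_dns)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("before:", audit_text(BEFORE, 0o644, DEDICATED))
    print("after: ", audit_text(AFTER, 0o600, DEDICATED))
```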

melanie_pfefer at yahoo

Oct 26, 2007, 10:56 AM

Post #12 of 12 (395 views)
Permalink
Re: apache 2.2.4 and AD: authentication failed. [In reply to]

thanks!
