Just before going "live" I noticed that mod_auth_mysql and mod_auth_ldap do not "fail through" properly when protecting the same realm.
1] The mysql protected area below works as expected. Entering a bad password or unknown user produces the correct response.
[Fri Jan 27 19:34:10 2006] [error] [client 129.98.98.98] user jones: password mismatch: /area51/
[Fri Jan 27 19:34:18 2006] [error] [client 129.98.98.98] MySQL user not found: /area51/
2] The LDAP protected area works but it NEEDS to have the mysql directives in place with AuthMysqlEnable set to OFF; otherwise the server returns the following error:
[Fri Jan 27 19:15:03 2006] [error] [client 129.98.98.98] MySQL user jones not found: /area52
[Fri Jan 27 19:15:59 2006] [error] [client 129.98.98.98] MySQL ERROR: Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)
It's as if mod_auth_mysql is "stuck" in memory. With the mysql directives in place the realm is properly protected. It's a kludge but it works.
3] The real problem is in the third realm with LDAP not "failing through" to MYSQL. The server always ignores LDAP regardless of the AuthLDAPAuthoritative or AuthMySQLAuthoritative settings. Swapping the order of the LDAP and MYSQL directives within the protected realm has no effect. A bad password always results in:
[Fri Jan 27 19:52:41 2006] [error] [client 129.98.98.98] user jones: password mismatch: /area53
. . . which is the mysql error return.
I know that the module load order is NOT supposed to matter but systematically changing the load order of mod_auth_mysql and mod_ldap/mod_auth_ldap produces the opposite results. The end result is that the MYSQL-LDAP protected realm does not "fail through" properly.
4] I've scoured the web, groups and blogs for any hint in using both mod_auth_ldap together with mod_auth_mysql to protect a realm.
Any hint or idea anyone has that I might try at further isolating the problem would be much appreciated!
System stats
------------
OS=OS-X [10.3.9]
Apache = 2.0.55
mod_auth_ldap, mod_ldap = [apache's own module]
mod_auth_mysql = 3.0 [sourceforge]
Extracts from http.conf =
-------------------------
# Dynamic Shared Object (DSO) Support
LoadModule mysql_auth_module modules/mod_auth_mysql.so
LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
#LoadModule info_module modules/mod_info.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule imap_module modules/mod_imap.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule php5_module modules/libphp5.so
<Directory />
Options FollowSymLinks
AllowOverride None
allow from all
</Directory>
<Directory /usr/local/apache2/htdocs/mysqlProtected>
Options FollowSymLinks
AuthType Basic
AuthName "area51-MySQL protected"
AuthMySQLHost xxx.xxxx.xxx.xxx
AuthMySQLUser httpd
AuthMySQLPassword xxxxx
AuthMySQLDB http_auth
AuthMysqlUserTable mysql_auth
AuthMySQLNameField username
AuthMySQLPasswordField passwd
AuthMysqlGroupTable mysql_groups
AuthMySQLGroupField groups
AuthMySQLAuthoritative on
AuthMySQLEnable on
#AuthMySQLNoPasswd off
AuthMySQLPwEncryption crypt
require group administration
</Directory>
<Directory /usr/local/apache2/htdocs/ldapProtected>
Options FollowSymLinks
AuthType Basic
AuthName "ldap secured - area 52"
#Disabled mod_auth_mysql place holder- this has to do with the way mod_auth_mysql
#sits in memory. Will not work any other way. mysql vs ldap order not important.
#Very strange.
AuthMySQLAuthoritative off
AuthMySQLHost xxx.xxxx.xxx.xxx
AuthMySQLUser httpd
AuthMySQLPassword xxxxx
AuthMySQLDB http_auth
AuthMysqlUserTable mysql_auth
AuthMySQLNameField username
AuthMySQLPasswordField passwd
AuthMysqlGroupTable mysql_groups
AuthMySQLGroupField groups
AuthMySQLEnable off
#AuthMySQLNoPasswd off
AuthMySQLPwEncryption crypt
require group meduser teaching_faculty testing administration
#allow authenticated access - ldap
AuthLDAPURL ldap://xxxx.xxxx.xxx.xxx:389/ou=people,dc=xxxx,dc=xxx,dc=xxx
AuthLDAPAuthoritative on
require valid-user
</Directory>
<Directory /usr/local/apache2/htdocs/area53>
Options FollowSymLinks
AuthType Basic
AuthName "LDAP and mysql secured area 53"
#mod_auth_ldap
AuthLDAPAuthoritative off
AuthLDAPURL "ldap://xxxx.xxxx.xxx.xxx:389/ou=people,dc=xxxx,dc=xxx,dc=xxx"
require valid-user
#mod_auth_mysql
AuthMySQLHost xxx.xxxx.xxx.xxx
AuthMySQLUser httpd
AuthMySQLPassword xxxxx
AuthMySQLDB http_auth
AuthMysqlUserTable mysql_auth
AuthMySQLNameField username
AuthMySQLPasswordField passwd
AuthMysqlGroupTable mysql_groups
AuthMySQLGroupField groups
AuthMySQLAuthoritative On
AuthMySQLEnable on
#AuthMySQLNoPasswd on
AuthMySQLPwEncryption crypt
require group administration
</Directory>
Regards,
bill
Sorry for the delay in responding; I've been very busy.
I guess I'm confused. Why would LDAP require mod_auth_mysql be present but disabled?
The only access mod_auth_mysql makes is to the database with the AuthMySqlUser and AuthMySQLPassword parameters.
Is it possible mod_ldap is trying to validate these parameters? I'm not familiar with that module, but I don't think it should.
Other than that, I don't know of anything we would do to cause this. We don't leave anything in memory (other than in our own configuration parameters) and only return a value to Apache indicating whether authentication/authorization succeeded or not.
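The "fail through" behaviour the thread is about comes down to how Apache 2.0 runs its authentication hook chain and what each module returns, which is also what the maintainer's reply describes (the module "only returns a value to Apache indicating whether authentication succeeded or not"). The model below is an added example written for this page, not code from mod_auth_mysql, mod_auth_ldap or Apache: each module's check_user_id returns OK, DECLINED, or 401; Apache stops at the first non-DECLINED result; an Authoritative module answers 401 on a bad password instead of declining; and if every module declines, Apache has nobody to vouch for the user and fails with a 500 "configuration error". The order in which the modules run is an input to the model, because it is set by Apache's hook registration and not by the order of the directives inside a `<Directory>` block. The usernames, passwords and log strings are constructed sample data modelled on the log lines quoted in the post.

```python
"""Model of Apache 2.0's check_user_id (authentication) hook chain.

Added example for this thread; it is not the code of mod_auth_mysql,
mod_auth_ldap or Apache. Return codes use Apache's numeric values.
"""
from dataclasses import dataclass

OK, DECLINED = 0, -1                      # httpd.h values
HTTP_UNAUTHORIZED, HTTP_INTERNAL_SERVER_ERROR = 401, 500

# Constructed sample backends (username -> cleartext password). In the real
# modules these are an LDAP bind and a crypt()ed MySQL column respectively.
LDAP_USERS = {"jones": "ldap-secret"}
MYSQL_USERS = {"jones": "mysql-secret", "admin": "db-pass"}


@dataclass
class AuthModule:
    name: str
    users: dict
    authoritative: bool       # AuthLDAPAuthoritative / AuthMySQLAuthoritative
    enabled: bool = True      # AuthMySQLEnable off makes the module decline

    def check_user_id(self, user: str, password: str, log: list) -> int:
        """Authenticate one request; mimic the log lines seen in the post."""
        if not self.enabled:
            return DECLINED
        stored = self.users.get(user)
        if stored is None:
            log.append(f"{self.name} user {user} not found")
        elif stored != password:
            log.append(f"{self.name} user {user}: password mismatch")
        else:
            return OK
        # Authoritative: refuse outright. Non-authoritative: let the next
        # module in the chain have a go ("fail through").
        return HTTP_UNAUTHORIZED if self.authoritative else DECLINED


def run_auth_chain(modules: list, user: str, password: str):
    """Run the hook chain the way Apache's RUN_FIRST hooks work: the first
    module returning anything other than DECLINED settles the request."""
    log = []
    for module in modules:
        rc = module.check_user_id(user, password, log)
        if rc != DECLINED:
            return rc, log
    # Nobody authenticated and nobody refused: Apache treats that as a
    # misconfiguration, not as a successful login.
    log.append("configuration error: couldn't check user")
    return HTTP_INTERNAL_SERVER_ERROR, log


def ldap_module(authoritative=False, enabled=True):
    return AuthModule("LDAP", LDAP_USERS, authoritative, enabled)


def mysql_module(authoritative=True, enabled=True):
    return AuthModule("MySQL", MYSQL_USERS, authoritative, enabled)


if __name__ == "__main__":
    # area53 as configured in the post: LDAP non-authoritative, MySQL
    # authoritative. Which module Apache runs first decides the outcome.
    for label, chain in (
        ("LDAP runs first ", [ldap_module(), mysql_module()]),
        ("MySQL runs first", [mysql_module(), ldap_module()]),
    ):
        for pw in ("ldap-secret", "mysql-secret", "wrong"):
            rc, log = run_auth_chain(chain, "jones", pw)
            print(f"{label} jones/{pw:12} -> {rc:4} {log}")
```

With LDAP running first, a jones/ldap-secret login succeeds, jones/mysql-secret falls through to MySQL and succeeds, and a wrong password ends with MySQL's "password mismatch" line because MySQL is the authoritative, last-running module. With MySQL running first and authoritative, a correct LDAP password is refused before LDAP is ever consulted, and the error log shows the very same "password mismatch" line, so the log alone cannot tell the two orders apart. Whichever module Apache runs first has to be non-authoritative for fail-through to work, and the one that runs last should be authoritative, because the all-decline case is a 500 rather than an open door.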