LDAP authentification from 2.0 to 2.2
on 24.04.2006 17:53:55 by Matteo Corti
Hi,
I posted the same question on alt.apache.configuration some time ago but got
no answer and decided to try also here.
I am setting up a test server with Apache 2.2.0 and having trouble with LDAP
authentication.
This is (or was in 2.0) my configuration:
SSLRequireSSL
Options Indexes FollowSymLinks
# LDAP
AuthLDAPURL "ldaps://1.example.com 2.example.com 3.example.com/ou=users,ou=id,ou=auth,o=example,c=com?uid?one?(objectClass=*)"
AuthLDAPBindDN "CN=linuxlo_proxy,OU=admins,OU=id,OU=auth,O=example,C=com"
AuthLDAPBindPassword "**********"
AuthzLDAPAuthoritative Off
# Authentication
Require valid-user
AuthType Basic
AuthName "Some text"
Authentication fails with the following error:
[error] Internal error: pcfg_openfile() called with NULL filename
[error] [client 129.132.57.95] (9)Bad file descriptor: Could not open password file: (null)
I could agree on the fact that the passwd file cannot be opened since there
is none :-). My problem is: why does Apache not use LDAP but look for a
password file?
Many thanks in advance,
Matteo
--
Matteo Corti
ETH Zurich
------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: LDAP authentification from 2.0 to 2.2
on 24.04.2006 20:12:45 by mbockol
Hi Matteo,
I've run into the same error; here's an example config that works for us:
AuthType Basic
AuthName "LDAP Auth"
AuthBasicProvider ldap
AuthLDAPBindDN cn=blah,dc=blah2,dc=blah3
AuthLDAPBindPassword "************"
AuthLDAPURL "ldaps://similar to yours"
AuthzLDAPAuthoritative off
Require valid-user
It's something about the AuthType Basic expecting a htpasswd file when
using it with require valid-user, but I don't completely understand how
these are supposed to mix and match with the new 2.2.0 auth configs.
Matt
Re: LDAP authentification from 2.0 to 2.2
on 24.04.2006 22:27:48 by Falko Zurell
Hello Matteo,
I think you got two errors in your configuration:
Require valid-user
must be
Require ldap-user
if you use LDAP-Authentication.
And since Apache 2.2.0 you have to tell Apache which basic provider to use:
AuthBasicProvider ldap
Maybe this helps...
Kind regards
On 24.04.2006 at 17:53, Matteo Corti wrote:
> Require valid-user
---
F a l k o Z u r e l l
-----------------------------------------------------
mail: mailto:falko@zurell.de
web: http://www.zurell.de
gpg: http://www.zurell.de/falko.zurell-gpg-key.asc
blog: http://www.explain-it.org/wordpress/
icq: 327004879
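
Added example (not part of the original thread and not Apache project code): a small migration check for the problem both replies describe, flagging container sections that set AuthLDAPURL for Basic auth without naming ldap in AuthBasicProvider. It assumes the httpd 2.2 default of "AuthBasicProvider file"; the function name and the sample paths are hypothetical.

```python
import re

# Constructed sample: a 2.0-style block like the one in the question (flagged)
# next to a block that names the provider. The directory paths are hypothetical.
SAMPLE = r'''
<Directory "/srv/www/old">
    AuthType Basic
    AuthLDAPURL "ldaps://1.example.com/ou=users,o=example,c=com?uid?one"
    Require valid-user
</Directory>
<Directory "/srv/www/new">
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://1.example.com/ou=users,o=example,c=com?uid?one"
    Require valid-user
</Directory>
'''

def find_missing_ldap_provider(conf_text):
    """Return the sections that set AuthLDAPURL under Basic auth while the
    effective AuthBasicProvider list lacks 'ldap' (assumed 2.2 default: file)."""
    text = re.sub(r'\\\r?\n', ' ', conf_text)      # join backslash-continued lines
    stack = [{"name": "(server config)"}]          # open scopes, outermost first
    findings = []

    def close(scope):
        eff = {}
        for s in stack + [scope]:                  # inner scope overrides outer
            eff.update(s)
        providers = eff.get("authbasicprovider", "file").lower().split()
        if ("authldapurl" in scope and eff.get("authtype", "").lower() == "basic"
                and "ldap" not in providers):
            findings.append(scope["name"])

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):                  # container closes: evaluate it
            if len(stack) > 1:
                close(stack.pop())
        elif line.startswith("<"):                 # container opens: new scope
            stack.append({"name": line})
        else:
            parts = line.split(None, 1)
            stack[-1][parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    while stack:                                   # unclosed scopes and top level
        close(stack.pop())
    return findings
```

Calling find_missing_ldap_provider(SAMPLE) returns only the first section; a provider set at server level is inherited by the sections below it, provided it appears before them in the file.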