LDAP authentification from 2.0 to 2.2

on 24.04.2006 17:53:55 by Matteo Corti

Hi,
I posted the same question on alt.apache.configuration some time ago but got no answer and decided to try also here.

I am setting up a test server with Apache 2.2.0 and having trouble with LDAP authentication.

This is (or was in 2.0) my configuration:


SSLRequireSSL

Options Indexes FollowSymLinks

# LDAP
AuthLDAPURL "ldaps://1.example.com 2.example.com 3.example.com/ou=users,ou=id,ou=auth,o=example,c=com?uid?one?(objectClass=*)"
AuthLDAPBindDN "CN=linuxlo_proxy,OU=admins,OU=id,OU=auth,O=example,C=com"
AuthLDAPBindPassword "**********"
AuthzLDAPAuthoritative Off

# Authentication
Require valid-user
AuthType Basic
AuthName "Some text"



Authentication fails with the following error:

[error] Internal error: pcfg_openfile() called with NULL filename
[error] [client 129.132.57.95] (9)Bad file descriptor: Could not open password file: (null)

I could agree on the fact that the passwd file cannot be opened since there is none :-). My problem is: why does Apache not use LDAP but look for a password file?

Many thanks in advance,

Matteo

--
Matteo Corti
ETH Zurich
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: LDAP authentification from 2.0 to 2.2

on 24.04.2006 20:12:45 by mbockol

Hi Matteo,

I've run into the same error, here's an example config that works for us:


AuthType Basic
AuthName "LDAP Auth"
AuthBasicProvider ldap
AuthLDAPBindDN cn=blah,dc=blah2,dc=blah3
AuthLDAPBindPassword "************"
AuthLDAPURL "ldaps://similar to yours"
AuthzLDAPAuthoritative off
Require valid-user


It's something about the AuthType Basic expecting a htpasswd file when
using it with require valid-user, but I don't completely understand how
these are supposed to mix and match with the new 2.2.0 auth configs.

Matt







Re: LDAP authentification from 2.0 to 2.2

on 24.04.2006 22:27:48 by Falko Zurell

Hello Matteo,

I think you got two errors in your configuration:


Require valid-user

must be

Require ldap-user

if you use LDAP-Authentication.


And since Apache 2.2.0 you have to tell Apache which basic provider to use:

AuthBasicProvider ldap


maybe this helps...

kind regards



On 24.04.2006 at 17:53, Matteo Corti wrote:

> Require valid-user

---
F a l k o Z u r e l l
-----------------------------------------------------
mail: mailto:falko@zurell.de
web: http://www.zurell.de
gpg: http://www.zurell.de/falko.zurell-gpg-key.asc
blog: http://www.explain-it.org/wordpress/
icq: 327004879
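
A migration check for the change discussed in this thread, as an added example that is not part of the original messages: it flags configuration sections that combine AuthType Basic with AuthLDAPURL but do not list ldap in AuthBasicProvider, in which case 2.2 uses the default file provider and looks for a password file. The sample paths and host names are constructed placeholders, and each section is judged on its own directives only (merging between sections is not modelled).

```python
import re

# Constructed sample (placeholder paths/hosts): 2.0-style section, then a working 2.2 one.
SAMPLE = """\
<Directory "/srv/www/old">
    AuthLDAPURL "ldaps://ldap.example.com/ou=users,o=example,c=com?uid?one"
    Require valid-user
    AuthType Basic
</Directory>
<Directory "/srv/www/new">
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ldap.example.com/ou=users,o=example,c=com?uid?one"
    Require valid-user
</Directory>
"""
OPEN = re.compile(r"^<\s*(\w+)\s*(.*?)>$")
CLOSE = re.compile(r"^</\s*\w+\s*>$")

def logical_lines(text):
    """Yield (line_no, line): comments dropped, backslash continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf, line = "", buf + line
        if line and not line.startswith("#"):
            yield start, line

def find_ldap_without_provider(text):
    """Return [(line_no, section)] for Basic + AuthLDAPURL sections lacking the ldap provider."""
    stack, findings = [], []
    for no, line in logical_lines(text):
        m = OPEN.match(line)
        if CLOSE.match(line) and stack:
            name, start, d = stack.pop()
            providers = d.get("authbasicprovider", "file").lower().split()  # 2.2 default: file
            if (d.get("authtype", "").lower() == "basic" and "authldapurl" in d
                    and "ldap" not in providers):
                findings.append((start, name))
        elif m:
            stack.append((f"<{m.group(1)} {m.group(2).strip()}>", no, {}))
        elif stack:
            key, _, args = line.replace("\t", " ").partition(" ")
            stack[-1][2][key.lower()] = args.strip()
    return findings
```

Running `find_ldap_without_provider` over a 2.0 configuration before an upgrade lists the sections that would otherwise fail with the "Could not open password file: (null)" error shown in the first message.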


