Controlling which handlers run, and when

I'm trying to combine mod_authnz_ldap with a mod_perl PerlAuthenHandler.
I've got everything working correctly except that the mod_authnz_ldap
handler is being called twice...once before my PerlAuthenHandler [when
the request has not been properly configured] and once after.

This is a problem. I've been able to see this flow by using
AuthzLDAPAuthoritative off. [to get a "DECLINED" out of the first
invocation]. When I do, my require ldap-filter, etc., directives are
not treated as authoritative on the "second pass" when the request user
has been set correctly.

--Pete

---
Peter L. Thomas, pthomas [at] hpti.com
(w) 703-682-5308 (c) 703-615-7806 (pgr) 877-383-8910

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe [at] httpd.apache.org
To unsubscribe from the digest, e-mail: users-digest-unsubscribe [at] httpd.apache.org
For additional commands, e-mail: users-help [at] httpd.apache.org
------_=_NextPart_001_01CAB643.5178CF1F--
pthomas [ Thu, 25 February 2010 18:52 ] [ ID #2033346 ]

RE: Controlling which handlers run, and when

I continue to fight with this. I added in "stub" handlers for Access, and
I've determined that the authorization check of mod_authnz_ldap is being
executed in the Access phase of AAA. This isn't documented; it's
causing two problems: early auth failure as well as a side-effect of an
extra, useless LDAP query with a blank filter.

How do I instruct Apache to remove mod_authnz_ldap's authorization
handler from the access phase, while leaving it in for authorization?

Warmly,

--Pete


pthomas [ Thu, 25 February 2010 22:35 ] [ ID #2033352 ]

Re: Controlling which handlers run, and when

On Thu, Feb 25, 2010 at 4:35 PM, Thomas, Peter <pthomas [at] hpti.com> wrote:
> I continue to fight with this. I added in "stub" handlers for Access, I've
> determined that the authorization check of mod_authnz_ldap is being executed
> in the Access phase of AAA. This isn't documented; it's causing two
> problems: early auth failure as well as a side-effect of an extra, useless
> LDAP query with a blank filter.
>
> How do I instruct Apache to remove mod_authnz_ldap's authorization handler
> from the access phase, while leaving it in for authorization?
>

That doesn't seem possible, as mod_authnz_ldap doesn't hook
access_checker (and access_checker is before e.g. mod_auth_basic can
even perform authn -- how can you do authz if you don't know who the
user is?)

--
Eric Covener
covener [at] gmail.com

Eric Covener [ Thu, 25 February 2010 22:57 ] [ ID #2033353 ]

RE: Controlling which handlers run, and when

Eric Covener replied:
> That doesn't seem possible, as mod_authnz_ldap doesn't hook
> access_checker (and access_checker is before e.g. mod_auth_basic can
> even perform authn -- how can you do authz if you don't know who the
> user is?)

And yet it moves...see log excerpt below...

The only other possibility is that first ONLY the mod_authnz_ldap
authorization mechanism is running--and failing, and only THEN my two
mod_perl handlers [Access & Authen] run, followed by another invocation
of the mod_authnz_ldap authorization routine--which would work, except
for the first failure [ldap server bug, see below]. Is it possible that
what I'm seeing is actually two passes through the AAA stack for one
request? If so, why would this happen?

I am looking at the debug logs, and [once the mod_ssl debug spew is
done], I have...

[time...] [info] Initial (No.1) HTTPS request received for child 0 (server servername:443)

okay, we're in...

[time...] [warn] [client address...] ldap authorize: Userid is blank, AuthType=(null)

But--right away--we're already trying to run mod_authnz_ldap's
authorization handler!

[time...] [debug] mod_authnz_ldap.c(582) [client address...] ldap authorize: Creating LDAP req structure
[time...] [debug] mod_authnz_ldap.c(582) [client address...] auth_ldap authorise: User DN not found, ldap_seach_ext_s() for user failed

Unsurprisingly, it fails, as I haven't set the request->user(...),
request->ap_auth_type(...), etc...

[time...] [info] [client address...] AccessHandler: SSL_CLIENT_S_DN_CN = MyCN...

Ah-ha! Now my access handler is running, great!

[time...] [info] [client address...] AuthenHandler: SSL_CLIENT_S_DN_CN = MyCN...

Followed by my authentication handler...no worries...

[time...] [debug] mod_authnz_ldap.c(582) [client address...] ldap authorize: Creating LDAP req structure
[time...] [debug] mod_authnz_ldap.c(582) [client address...] auth_ldap authorise: User DN not found, ldap_seach_ext_s() for user failed

This pass through SHOULD work, right? Sadly, my directory
administrator tells me that due to a bug in our LDAP server at this
point my connection has been "scrogged" [his word] by the earlier
invalid--and undesired--call from mod_authnz_ldap.

If it helps, my config stanza looks like this:

<Location "/ldap-status">
    SSLOptions +StdEnvVars +OptRenegotiate
    SSLUserName HTTPS_CLIENT_S_DN
    SetHandler ldap-status

    AuthType Basic
    AuthName "Certificate Authentication"

    AuthzLDAPAuthoritative off
    AuthLDAPURL "https://server/c=us?dn"
    # Hack to force authorization hook to run; it short circuits if there
    # is no Require ldap-* clause
    Require ldap-filter "cn=*"
    # May be redundant, as the filter expression will always work,
    # assuming we find any user at all
    Require valid-user

    # both handlers set user name, set auth type, and spit out logging so
    # we know where we are...theoretically I should only need one
    PerlAccessHandler ORG::AccessSSL
    PerlAuthenHandler ORG::AuthnSSL
</Location>

Warmly,

--Pete

pthomas [ Thu, 25 February 2010 23:53 ] [ ID #2033354 ]
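Reading the AAA hook order out of error_log by hand, as the post above does, stops scaling as soon as the file holds more than one request. The following is an added example, not code from this thread or from the httpd or mod_perl projects: a small Python script that parses error_log lines of the shape quoted above, groups them into requests at mod_ssl's "HTTPS request received" line, and reports per request how many times mod_authnz_ldap's authorization routine ran and whether any of those runs came before the PerlAuthenHandler's log line. The "AccessHandler:" and "AuthenHandler:" prefixes are taken from the poster's own log messages, and the mod_authnz_ldap strings are the ones quoted in the thread; the sample log embedded in the script is constructed to reproduce the order shown above (plus a single clean pass for contrast) and is not a real capture, and the client address 192.0.2.10 is a placeholder.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# One Apache 2.2 error_log line. Debug lines carry "file.c(line)" before the
# "[client ...]" tag; mod_ssl's per-request line carries no client tag at all.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\[(?P<level>\w+)\](?:\s+\w+\.c\(\d+\))?"
    r"(?:\s+\[client\s+(?P<client>[^\]]+)\])?\s+(?P<msg>.*)$"
)

# Fragments identifying an AAA event: mod_authnz_ldap's strings are the ones
# quoted in the thread; "AccessHandler:"/"AuthenHandler:" are the prefixes the
# poster's two mod_perl handlers log with.
MARKERS = (
    ("request", "HTTPS request received"),
    ("access", "AccessHandler:"),
    ("authen", "AuthenHandler:"),
    ("authz_start", "ldap authorize: Creating LDAP req structure"),
    ("authz_blank_user", "ldap authorize: Userid is blank"),
    ("authz_fail", "auth_ldap authorise: User DN not found"),
)

@dataclass
class RequestAudit:
    client: Optional[str] = None
    sequence: list = field(default_factory=list)  # access/authen/authz, log order
    authz_invocations: int = 0
    authz_before_authn: int = 0  # authz runs seen before any AuthenHandler line
    blank_user_authz: bool = False
    dn_lookup_failures: int = 0

def classify(msg: str) -> Optional[str]:
    return next((kind for kind, needle in MARKERS if needle in msg), None)

def parse_error_log(text: str) -> list:
    """Return (client, kind) for lines marking an AAA event; drop the rest."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        kind = classify(m["msg"]) if m else None
        if kind:
            events.append((m["client"], kind))
    return events

def split_requests(events: list) -> list:
    """Start a new group at each mod_ssl '... HTTPS request received' line."""
    groups = []
    for ev in events:
        if ev[1] == "request" or not groups:
            groups.append([])
        groups[-1].append(ev)
    return groups

def audit_request(events: list) -> RequestAudit:
    a = RequestAudit(client=next((c for c, _ in events if c), None))
    seen_authen = False
    for _, kind in events:
        if kind in ("access", "authen"):
            a.sequence.append(kind)
            seen_authen = seen_authen or kind == "authen"
        elif kind == "authz_start":
            a.sequence.append("authz")
            a.authz_invocations += 1
            a.authz_before_authn += 0 if seen_authen else 1
        elif kind == "authz_blank_user":
            a.blank_user_authz = True
        elif kind == "authz_fail":
            a.dn_lookup_failures += 1
    return a

def audit_log(text: str) -> list:
    return [audit_request(g) for g in split_requests(parse_error_log(text))]

def report(text: str) -> list:
    out = []
    for n, a in enumerate(audit_log(text), 1):
        verdict = "AUTHZ BEFORE AUTHN" if a.authz_before_authn else "ok"
        out.append(f"request {n} [{a.client}] {' -> '.join(a.sequence)}: "
                   f"{a.authz_invocations} authz run(s), blank user={a.blank_user_authz}, "
                   f"DN lookups failed={a.dn_lookup_failures} => {verdict}")
    return out

# Constructed sample, not a real log: request 1 reproduces the order the poster
# quoted (authz, AccessHandler, AuthenHandler, authz again); request 2 shows a
# single pass through access -> authen -> authz for contrast.
SAMPLE_LOG = """\
[Thu Feb 25 16:40:01 2010] [info] Initial (No.1) HTTPS request received for child 0 (server servername:443)
[Thu Feb 25 16:40:01 2010] [warn] [client 192.0.2.10] ldap authorize: Userid is blank, AuthType=(null)
[Thu Feb 25 16:40:01 2010] [debug] mod_authnz_ldap.c(582) [client 192.0.2.10] ldap authorize: Creating LDAP req structure
[Thu Feb 25 16:40:01 2010] [debug] mod_authnz_ldap.c(582) [client 192.0.2.10] auth_ldap authorise: User DN not found, ldap_seach_ext_s() for user failed
[Thu Feb 25 16:40:01 2010] [info] [client 192.0.2.10] AccessHandler: SSL_CLIENT_S_DN_CN = MyCN
[Thu Feb 25 16:40:01 2010] [info] [client 192.0.2.10] AuthenHandler: SSL_CLIENT_S_DN_CN = MyCN
[Thu Feb 25 16:40:01 2010] [debug] mod_authnz_ldap.c(582) [client 192.0.2.10] ldap authorize: Creating LDAP req structure
[Thu Feb 25 16:40:01 2010] [debug] mod_authnz_ldap.c(582) [client 192.0.2.10] auth_ldap authorise: User DN not found, ldap_seach_ext_s() for user failed
[Thu Feb 25 16:41:12 2010] [info] Subsequent (No.2) HTTPS request received for child 0 (server servername:443)
[Thu Feb 25 16:41:12 2010] [info] [client 192.0.2.10] AccessHandler: SSL_CLIENT_S_DN_CN = MyCN
[Thu Feb 25 16:41:12 2010] [info] [client 192.0.2.10] AuthenHandler: SSL_CLIENT_S_DN_CN = MyCN
[Thu Feb 25 16:41:12 2010] [debug] mod_authnz_ldap.c(582) [client 192.0.2.10] ldap authorize: Creating LDAP req structure
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run as is to get one report line per request; pointed at a real error_log written with LogLevel debug, `audit_log()` shows whether the two authorization runs fall inside one mod_ssl request boundary or straddle two, which is exactly the "one request or two passes" question raised above.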