Just before going "live" I noticed that mod_auth_mysql and mod_auth_ldap
do not "fail through" properly when protecting the same realm.
1] The mysql protected area below works as expected. Entering a bad
password or unknown user produces the correct response.
[Fri Jan 27 19:34:10 2006] [error] [client 129.98.98.98] user jones: password mismatch: /area51/
[Fri Jan 27 19:34:18 2006] [error] [client 129.98.98.98] MySQL user not found: /area51/
2] The LDAP protected area works but it NEEDS to have the mysql
directives in place with AuthMysqlEnable set to off otherwise the server
returns the following error:
[Fri Jan 27 19:15:03 2006] [error] [client 129.98.98.98] MySQL user jones not found: /area52
[Fri Jan 27 19:15:59 2006] [error] [client 129.98.98.98] MySQL ERROR: Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)
It's as if mod_auth_mysql is "stuck" in memory. With the mysql
directives in place the realm is properly protected.
3] The problem is in the third realm with LDAP not "failing through" to
MYSQL. The server always ignores LDAP regardless of the
AuthLDAPAuthoritative or AuthMySQLAuthoritative settings. Swapping the
order of the LDAP and MYSQL directives has no effect. A bad password
always results in:
[Fri Jan 27 19:52:41 2006] [error] [client 129.98.98.98] user jones: password mismatch: /area53
. . . which is the mysql error return.
I know that the module load order is NOT supposed to matter but
systematically changing the load order of mod_auth_mysql and
mod_ldap/mod_auth_ldap produces the opposite results. The end result is
that the MYSQL-LDAP protected realm does not "fail through" properly.
4] I've scoured the web, groups and blogs for any hint in using both
mod_auth_ldap together with mod_auth_mysql to protect a realm. I'm now
considering looking at Apache 2.2.
Any hint or area to look at would be much appreciated!
System stats
------------
OS=OS-X [10.3.9]
Apache = 2.0.55
mod_auth_ldap, mod_ldap = [apache's own module]
mod_auth_mysql = 3.0 [sourceforge]
Extracts from httpd.conf =
--------------------------
# Dynamic Shared Object (DSO) Support
LoadModule mysql_auth_module modules/mod_auth_mysql.so
LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
#LoadModule info_module modules/mod_info.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule imap_module modules/mod_imap.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule php5_module modules/libphp5.so
<Directory />
Options FollowSymLinks
AllowOverride None
allow from all
</Directory>
<Directory /usr/local/apache2/htdocs/mysqlProtected>
Options FollowSymLinks
AuthType Basic
AuthName "area51-MySQL protected"
AuthMySQLHost xxx.xxxx.xxx.xxx
AuthMySQLUser httpd
AuthMySQLPassword xxxxx
AuthMySQLDB http_auth
AuthMysqlUserTable mysql_auth
AuthMySQLNameField username
AuthMySQLPasswordField passwd
AuthMysqlGroupTable mysql_groups
AuthMySQLGroupField groups
AuthMySQLAuthoritative on
AuthMySQLEnable on
#AuthMySQLNoPasswd off
AuthMySQLPwEncryption crypt
require group administration
</Directory>
<Directory /usr/local/apache2/htdocs/ldapProtected>
Options FollowSymLinks
AuthType Basic
AuthName "ldap secured - area 52"
#Disabled mod_auth_mysql place holder- this has to do with the way mod_auth_mysql
#sits in memory. Will not work any other way. mysql vs ldap order not important.
#Very strange.
AuthMySQLAuthoritative off
AuthMySQLHost xxx.xxxx.xxx.xxx
AuthMySQLUser httpd
AuthMySQLPassword xxxxx
AuthMySQLDB http_auth
AuthMysqlUserTable mysql_auth
AuthMySQLNameField username
AuthMySQLPasswordField passwd
AuthMysqlGroupTable mysql_groups
AuthMySQLGroupField groups
AuthMySQLEnable off
#AuthMySQLNoPasswd off
AuthMySQLPwEncryption crypt
require group meduser teaching_faculty testing administration
#allow authenticated access - ldap
AuthLDAPURL ldap://xxxx.xxxx.xxx.xxx:389/ou=people,dc=xxxx,dc=xxx,dc=xxx
AuthLDAPAuthoritative on
require valid-user
</Directory>
<Directory /usr/local/apache2/htdocs/area53>
Options FollowSymLinks
AuthType Basic
AuthName "LDAP and mysql secured area 53"
#mod_auth_ldap
AuthLDAPAuthoritative off
AuthLDAPURL "ldap://xxxx.xxxx.xxx.xxx:389/ou=people,dc=xxxx,dc=xxx,dc=xxx"
require valid-user
#mod_auth_mysql
AuthMySQLHost xxx.xxxx.xxx.xxx
AuthMySQLUser httpd
AuthMySQLPassword xxxxx
AuthMySQLDB http_auth
AuthMysqlUserTable mysql_auth
AuthMySQLNameField username
AuthMySQLPasswordField passwd
AuthMysqlGroupTable mysql_groups
AuthMySQLGroupField groups
AuthMySQLAuthoritative On
AuthMySQLEnable on
#AuthMySQLNoPasswd on
AuthMySQLPwEncryption crypt
require group administration
</Directory>
Regards,
bill
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
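
An added example, not part of the original post: a small Python audit that lists, for each <Directory> block, the Authoritative and Enable state of each auth module and which modules are set to pass a failed lookup on to another module. It assumes only that a module whose Authoritative directive is off may let another module try; the sample blocks are trimmed copies from the post with a placeholder LDAP host, and FLAGS, parse_blocks and audit are names chosen here.

```python
import re

# Constructed sample: trimmed copies of two blocks from the post, placeholder host.
SAMPLE = """
<Directory /usr/local/apache2/htdocs/ldapProtected>
AuthMySQLAuthoritative off
AuthMySQLEnable off
AuthLDAPURL ldap://ldap.example.invalid:389/ou=people,dc=example,dc=invalid
AuthLDAPAuthoritative on
</Directory>
<Directory /usr/local/apache2/htdocs/area53>
AuthLDAPAuthoritative off
AuthLDAPURL "ldap://ldap.example.invalid:389/ou=people,dc=example,dc=invalid"
AuthMySQLAuthoritative On
AuthMySQLEnable on
</Directory>
"""

# provider -> (directive prefix, authoritative directive, enable directive)
FLAGS = {"ldap": ("authldap", "authldapauthoritative", "authldapenabled"),
         "mysql": ("authmysql", "authmysqlauthoritative", "authmysqlenable")}

def parse_blocks(conf):
    """Map each <Directory> path to its {directive: value} pairs, lowercased."""
    blocks, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Directory\s+(.+?)>$", line, re.I)
        if opened:
            current = blocks.setdefault(opened.group(1).strip('"'), {})
        elif line.lower() == "</directory>":
            current = None
        elif current is not None:
            name, _, value = line.partition(" ")
            current[name.lower()] = value.strip().strip('"').lower()
    return blocks

def audit(conf):
    """Per block: flags of each configured provider, and who may pass a request on."""
    report = {}
    for path, d in parse_blocks(conf).items():
        providers = {p: {"authoritative": d.get(auth, "unset"), "enabled": d.get(en, "unset")}
                     for p, (prefix, auth, en) in FLAGS.items()
                     if any(k.startswith(prefix) for k in d)}
        may_decline = sorted(p for p, f in providers.items() if f["authoritative"] == "off")
        report[path] = {"providers": providers, "may_decline": may_decline}
    return report
```

A directive that is absent from a block is reported as "unset" rather than guessed, since the effective value then depends on the module's default and on any enclosing scope.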