Hi List,
I am sorry to bother you with this, but I am banging my head
for days now and I don't seem to make any progress.
I want to supply our users with a way to upload files onto our
servers without the hassle of FTP or SCP. DAV seemed like a
good idea since a lot of systems already have built-in DAV
clients. Also, in order to keep things maintainable, I thought
LDAP authentication instead of file based authentication would
be the right approach.
I have to admit that my LDAP knowledge is nowhere near sufficient,
but it'll take me some time to read the books I've ordered. No FAQ,
online HOWTO or mailing-list archive I've read over the last
5 days seems to be of any help.
After setting up an openldap server and creating a basic
testing structure I tried to get apache to authenticate
the DAV location via mod_authz_ldap.
This is what I have got so far :
### httpd.conf ###
Alias /U000001 "/var/www/webdav/U000001"
<Directory "/var/www/webdav/U000001">
Dav On
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
DavMinTimeout 6000
<Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
Order Allow,Deny
Allow from all
AuthType Basic
AuthzLDAPAuthoritative Off
AuthBasicProvider ldap
AuthName "DOMAIN DAV Upload"
AuthLDAPBindDN "cn=Manager,dc=domain,dc=org"
AuthLDAPBindPassword "mysecretpassword"
AuthLDAPURL ldap://127.0.0.1:389/ou=DAV,dc=global,dc=domain,dc=org?cn?sub?(objectClass=person)
Require ldap-user U000001
</Limit>
</Directory>
################
The test user is U000001 but I am not sure if this is correct as I've found
a lot of examples incorporating UID which I have not set in my LDAP
structure.
Can't I just use the CN?
### dav.ldif ###
dn: cn=U000001,ou=DAV,dc=global,dc=domain,dc=org
objectclass: person
objectClass: inetOrgPerson
cn: U000001
sn: U000001
mail: [EMAIL PROTECTED]
userpassword: test
################
The modules are loaded and Apache successfully connects to LDAP. As soon
as I try to access the DAV folder I can't connect and error_log states the
following:
### error_log ###
[Tue Jul 10 13:31:32 2007] [error] [client 212.18.3.4] user U000001:
authentication failure for "/U000001": Password Mismatch
[Tue Jul 10 13:31:36 2007] [warn] [client 212.18.3.4] [20232] auth_ldap
authenticate: user U000001 authentication failed; URI /U000001
[ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
#################
Here's what slapd returns during this phase:
### slapd debug ###
=> access_allowed: search access to
"cn=U000001,ou=DAV,dc=global,dc=domain,dc=org" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to
"cn=U000001,ou=DAV,dc=global,dc=domain,dc=org" "cn" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: read access to
"cn=U000001,ou=DAV,dc=global,dc=domain,dc=org" "entry" requested
<= root access granted
=> access_allowed: read access granted by manage(=mwrscxd)
=> access_allowed: read access to
"cn=U000001,ou=DAV,dc=global,dc=domain,dc=org" "cn" requested
<= root access granted
=> access_allowed: read access granted by manage(=mwrscxd)
=> access_allowed: auth access to
"cn=U000001,ou=DAV,dc=global,dc=domain,dc=org" "userPassword" requested
=> acl_get: [1] attr userPassword
=> slap_access_allowed: no res from state (userPassword)
=> acl_mask: access to entry
"cn=U000001,ou=DAV,dc=global,dc=domain,dc=org", attr "userPassword"
requested
=> acl_mask: to value by "", (=0)
<= acl_mask: no more <who> clauses, returning =0 (stop)
=> slap_access_allowed: auth access denied by =0
=> access_allowed: no more rules
###################
Here's my first question:
How is the password to be stored in LDAP? Plain? SHA?
I couldn't find any documentation regarding this as most people's
questions I've found in mailing-lists or archives use Active
Directory instead of OpenLDAP.
From my point of view the Basic authentication does the following:
auth_string = base64_encode("U000001:test");
where "U000001" is the submitted username and "test" the password.
After tcpdumping all traffic the browser submitted "VTAwMDAwMTp0ZXN0"
which I think is the correct base64 encoding for "U000001:test".
So, what is wrong? Is it my LDAPUrl? Is it the way I've stored
the userPassword?
Is there any way to raise the debug level of mod_ldap or auth_ldap
in order to see what exactly the mismatch looks like?
When I manually query the LDAP with
ldapsearch -W -v -D "cn=Manager,dc=domain,dc=org" -b "ou=DAV,dc=global,dc=domain,dc=org" "(objectClass=person)"
I get this:
### ldap search ###
ldap_initialize( <DEFAULT> )
filter: (objectClass=person)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <ou=DAV,dc=global,dc=domain,dc=org> with scope subtree
# filter: (objectClass=person)
# requesting: ALL
#
# U000001, DAV, global.radion.org
dn: cn=U000001,ou=DAV,dc=global,dc=domain,dc=org
objectClass: person
objectClass: inetOrgPerson
cn: U000001
sn: U000001
mail: [EMAIL PROTECTED]
userPassword:: VlRBd01EQXdNVHAwWlhOMCA=
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
###
I've also tried to store the userPassword in plaintext but apart
from being unwanted it didn't work either.
If anyone has any hints it would be greatly appreciated so thanks
a lot in advance.
All the best to you out there and a big thank you for all the
efforts put into Apache to make it one of the most popular
webservers out there for free ;)
Kamil
--
Kamil Wencel
RADION Imaginery
Swakopmunder Str. 1
81827 Munich
---------------------------------------------------------
voice office : +49 89 4522058-1
voice mobile : +49 174 3050550
fax-server : +49 89 4522058-9
----------------------------------------------------------
browser : http://imaginery.radion.org/
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
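The values quoted in the post can be read back with a few lines of Python. This is an added example, not code from the post, from Apache or from OpenLDAP; it uses only the standard library and the two base64 strings that appear above. The first function undoes the HTTP Basic encoding of the tcpdumped token. The second undoes the LDIF wrapping that ldapsearch applies when it prints `userPassword::` with two colons (LDIF base64-encodes any value that has a leading or trailing space or a non-printable byte), which gives the bytes slapd actually holds for the attribute. The {SSHA} helpers show the salted SHA-1 form OpenLDAP uses for hashed passwords: slapd accepts either a cleartext value or a `{scheme}`-prefixed hash and checks the bind password against it server-side, so what gets stored is the password itself (or its hash), never the browser's base64 token.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed from the values quoted in the post: the Basic token seen in the
# tcpdump and the base64-wrapped userPassword value that ldapsearch printed.
BASIC_TOKEN_FROM_TCPDUMP = "VTAwMDAwMTp0ZXN0"
LDIF_USERPASSWORD_B64 = "VlRBd01EQXdNVHAwWlhOMCA="


def decode_basic_token(token: str) -> Tuple[str, str]:
    """Undo the HTTP Basic encoding: base64("user:password") -> (user, password)."""
    raw = base64.b64decode(token).decode("utf-8")
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("Basic credential has no ':' separator")
    return user, password


def decode_ldif_value(b64: str) -> bytes:
    """Undo LDIF 'attr:: <base64>' wrapping; returns the raw bytes slapd stores."""
    return base64.b64decode(b64)


def stored_value_as_basic_token(b64: str) -> Optional[Tuple[str, str]]:
    """If the stored userPassword bytes themselves decode as a Basic 'user:password'
    token, return that pair; otherwise None. Spots a value that was written into
    the directory already base64-encoded."""
    value = decode_ldif_value(b64).strip()
    try:
        return decode_basic_token(value.decode("ascii"))
    except (ValueError, UnicodeDecodeError):
        return None


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against a {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]  # SHA-1 digest is 20 bytes, salt follows
    return hmac.compare_digest(
        hashlib.sha1(candidate.encode("utf-8") + salt).digest(), digest
    )


def stored_password_matches(value: bytes, candidate: str) -> bool:
    """Compare the way a simple bind does: a {SSHA}-prefixed value is hash-verified,
    anything else is treated as cleartext and compared byte for byte."""
    if value.startswith(b"{SSHA}"):
        return ssha_verify(value.decode("ascii"), candidate)
    return hmac.compare_digest(value, candidate.encode("utf-8"))


if __name__ == "__main__":
    print("browser sent:", decode_basic_token(BASIC_TOKEN_FROM_TCPDUMP))
    stored = decode_ldif_value(LDIF_USERPASSWORD_B64)
    print("slapd holds:", stored)
    print("stored value itself is a Basic token for:",
          stored_value_as_basic_token(LDIF_USERPASSWORD_B64))
    print("stored value matches 'test'?", stored_password_matches(stored, "test"))
    print("an {SSHA} value for 'test':", ssha_hash("test"))
```

Running it shows that the directory entry returned by ldapsearch does not hold the bytes `test` but the string `VTAwMDAwMTp0ZXN0` followed by a space, i.e. the base64 of `U000001:test`, so a cleartext comparison with the bind password `test` cannot succeed regardless of the Apache side. Separately, the slapd trace in the post ends with `auth access denied by =0` for `userPassword` with the requester shown as `""` (anonymous): a simple bind runs as anonymous until it completes, so the slapd ACLs must grant `auth` access on `userPassword` to that identity (the usual `by anonymous auth` clause) before any stored value, plain or hashed, can be checked. Both are worth verifying independently of the httpd.conf.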