[Auth_ldap] Unpredictable behaviour auth_ldap with Virtual Host

Mauro Ranchicchio mauro.ran at libero.it
Tue Nov 18 10:35:59 PST 2003


Hi all,
I'm experiencing a strange unpredictable behaviour using OpenLDAP authentication
over a virtual host listening on port 443 (https).

I'm using the following servers:
Apache 1.3.27 with mod_ssl and auth_ldap 1.6.0 (on Linux Mandrake 9.1 Pro)
OpenLDAP 2.0
The two servers run on the same host.

When accessing the LDAP-protected directories, I am prompted for the
authentication, I enter successfully, but with apparently random periodicity, I
am prompted again for user+pwd when I try to access directories for which I
still possess the right to enter.

The weirdest fact is that sometimes it happens, other times it all seems to work
well, but the problem still arises later, on some subsequent attempt.

When it happens, I get a 401 status in the Apache access_log (Authorization
Required...again) and this message appears in the error_log:

Search must return exactly 1 entry; found 0 entries for search
(&(objectclass=*)(cn=XXXX)): URI /somedirectory/

The same search is *always successful* when performed with ldapsearch on command
line or with some ldap interface tools!

This is an excerpt of the file /etc/httpd/conf/ssl/ssl.default-vhost.conf with
the definition of the Virtual Host for https service:

<VirtualHost _default_:443>

   DocumentRoot /var/wssl/html
   ServerName XX.XX.XX.XX
.................
   AccessConfig conf/access-ssl.conf
.................
<Directory /var/wssl/html>
        Options -Indexes FollowSymLinks MultiViews
        AllowOverride All
        <IfModule mod_access.c>
                Order allow,deny
                Allow from all
        </IfModule>
   </Directory>

</VirtualHost>


The file access-ssl.conf is included with the directive AccessConfig (see
above) and it contains blocks with the following template for the protection of
the single subdirectories of the secure web space (the rationale for the access
is group-based):

<Directory /var/wssl/html/subdir/>
        AuthName "Blah blah blah"
        AuthType Basic
        AuthLDAPBindDN cn=searchuser,ou=People,dc=xxxxxx,dc=it
        AuthLDAPBindPassword realpassword
        AuthLDAPURL ldap://localhost:389/ou=People,dc=xxxxxx,dc=it?cn?sub
        require group cn=realgroupcn, dc=xxxxxx, dc=it
</Directory>

To access the document root, instead, it's enough to be a *valid user* in the
ldap database, so the last block in the AccessConfig file looks like this (no
need to belong to a particular group, this time):

<Directory /var/wssl/html/>
        AuthName "Doh doh doh"
        AuthType Basic
        AuthLDAPBindDN cn=searchuser,ou=People,dc=xxxxxx,dc=it
        AuthLDAPBindPassword realpassword
        AuthLDAPURL ldap://localhost:389/ou=People,dc=xxxxxx,dc=it?cn?sub
        require valid-user
</Directory>

No .htaccess files are used anywhere.

Since this is the virtual host, there's also a non-secure web space with a
different document root, obviously accessible via the http protocol on port 80.

Hope for some kind of help!
Thanks in advance...

Mauro
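To characterise the "random periodicity" described in the post, a defender would want to pull every auth_ldap "found 0 entries" line out of the Apache 1.3 error_log and look at the timing per user. The script below does that; it is an added example, not code from the post or from auth_ldap, and the log lines it parses are constructed samples in the Apache 1.3 error_log format (the client addresses, user names and timestamps are invented).

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample error_log lines (Apache 1.3 format); not from the original post.
ERROR_LOG = """\
[Tue Nov 18 10:31:02 2003] [error] [client 192.0.2.10] Search must return exactly 1 entry; found 0 entries for search (&(objectclass=*)(cn=mranchicchio)): URI /somedirectory/
[Tue Nov 18 10:31:05 2003] [error] [client 192.0.2.10] File does not exist: /var/wssl/html/favicon.ico
[Tue Nov 18 10:42:17 2003] [error] [client 192.0.2.10] Search must return exactly 1 entry; found 0 entries for search (&(objectclass=*)(cn=mranchicchio)): URI /otherdir/
[Tue Nov 18 10:42:40 2003] [error] [client 192.0.2.11] Search must return exactly 1 entry; found 0 entries for search (&(objectclass=*)(cn=jdoe)): URI /somedirectory/
"""

# Matches the auth_ldap message quoted in the post, with the Apache 1.3 prefix.
SEARCH_FAIL = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"Search must return exactly 1 entry; found (?P<n>\d+) entries for search "
    r"\((?P<filter>.*)\): URI (?P<uri>\S+)$"
)
CN_IN_FILTER = re.compile(r"\(cn=([^)]*)\)")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Tue Nov 18 10:31:02 2003"

def parse_search_failures(log_text):
    """Return one dict per auth_ldap 'found N entries' line: timestamp, client,
    user (the cn taken from the search filter), entry count and requested URI."""
    events = []
    for line in log_text.splitlines():
        m = SEARCH_FAIL.match(line)
        if not m:
            continue  # unrelated error_log line
        cn = CN_IN_FILTER.search(m.group("filter"))
        events.append({
            "time": datetime.strptime(m.group("ts"), TS_FORMAT),
            "client": m.group("client"),
            "user": cn.group(1) if cn else None,
            "entries": int(m.group("n")),
            "uri": m.group("uri"),
        })
    return events

def summarize(events):
    """Count failures per user and list the gaps in seconds between consecutive
    failures for the same user, so the timing pattern can be compared with
    the LDAP server's own logs for the same moments."""
    per_user = Counter(e["user"] for e in events)
    gaps = {}
    for user in per_user:
        times = sorted(e["time"] for e in events if e["user"] == user)
        gaps[user] = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return per_user, gaps
```

Run it against the real error_log by reading the file into `ERROR_LOG`; a user who fails only at scattered moments but succeeds in between (and whose entry is always found by ldapsearch) is failing on the Apache side of the lookup, not because the entry is missing.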


