[Auth_ldap] Unpredictable behaviour auth_ldap with Virtual Host
mauro.ran at libero.it
Tue Nov 18 10:35:59 PST 2003
I'm experiencing a strange unpredictable behaviour using OpenLDAP authentication
over a virtual host listening on port 443 (https)
I'm using the following servers:
Apache 1.3.27 with mod_ssl and auth_ldap 1.6.0 (on Linux Mandrake 9.1 Pro)
The two servers run on the same host.
When accessing the LDAP-protected directories, I am prompted for the
authentication, I enter successfully, but with apparently random periodicity, I
am prompted again for user+pwd when I try to access directories for which I
still possess the right to enter.
The weirdest fact is that sometimes it happens, other times it all seems to work
well, but the problem still arises later, on some subsequent attempt.
When it happens, I get 401 status on Apache access_log (Authorization
Required...again) and this message appears on the error_log:
Search must return exactly 1 entry; found 0 entries for search
(&(objectclass=*)(cn=XXXX)): URI /somedirectory/
The same search is *always successful* when performed with ldapsearch on command
line or with some ldap interface tools!
This is an excerpt of the file /etc/httpd/conf/ssl/ssl.default-vhost.conf with
the definition of the Virtual Host for https service:
Options -Indexes FollowSymLinks MultiViews
Allow from all
The file access-ssl.conf is included with the directive AccessConfig (see
above) and it contains blocks with the following template for the protection of
the single subdirectories of the secure web space (the rationale for the access
AuthName "Blah blah blah"
require group cn=realgroupcn, dc=xxxxxx, dc=it
To access the document root, instead, it's enough to be a *valid user* in the
ldap database, so the last block in the AccessConfig file looks like this (no
need to belong to a particular group, this time):
AuthName "Doh doh doh"
No .htaccess files are used anywhere.
Since this is the virtual host, there's also a non-secure web space with a
different document root, obviously accessible via http protocol on port 80.
Hope for some kind of help!
Thanks in advance...
More information about the Auth_ldap