[Auth_ldap] Problems during authentication phase with auth_ldap 1.6.1 and apache 1.3.9
Gary Walker
gwalker at blackboard.com
Tue Aug 15 07:42:19 PDT 2006
The authentication is happening in clear. The ssl is being handled by
stunnel, not auth_ldap. I'm able to sniff the clear traffic by
tcpdumping the port on the localhost where the stunnel begins, hence my
report of being able to see the response toward the end of my posting.
Thanks.
Gary
On Tue, 2006-08-15 at 10:26 -0400, Ronnie Gilkey wrote:
> Gary,
>
> Can you authenticate properly without using SSL? In your configuration
> you have:
>
> #############
>
> AuthLDAPURL ldap://localhost:8001/dc=blackboard, dc=com
> Localhost:8001 is linked to the SSL LDAP port on the LDAP server by
> stunnel.
>
> #############
>
> Try connecting over plaintext to debug and use a traffic sniffer to
> ensure that it is working properly-- ethereal works very well. I would
> also remove any blank spaces from the URL and DNs to be safe.
>
> If you are going to connect over SSL your URL should use ldaps:// not
> ldap://.
>
> Ronnie
>
> --
> Puryear Information Technology, LLC
> Baton Rouge, LA * 225-706-8414
> http://www.puryear-it.com
>
> "Best Practices for Managing Linux and UNIX Servers"
> Download your free copy:
> http://www.puryear-it.com/bestpractices.htm
>
>
> Gary Walker wrote:
> > Hi. I'm new to the list and hoping someone can help me explain some of
> > the following behaviors.
> >
> > I'm troubleshooting a problem with auth_ldap's behavior on an older
> > system. I'm using the latest auth_ldap source built against apache
> > 1.3.9 and openldap 1.2.9. Here's a sample of my .htaccess file:
> >
> > AuthLDAPAuthoritative off
> > AuthName "Login"
> > AuthType Basic
> > AuthLDAPVersion "3"
> > AuthLDAPBindDN "uid=searchuser, ou=specials, dc=blackboard, dc=com"
> > AuthLDAPBindPassword searchuserpassword
> > AuthLDAPURL ldap://localhost:8001/dc=blackboard, dc=com
> > AuthUserFile /dev/null
> > <Limit PUT POST GET>
> > require valid-user
> > </Limit>
> >
> > Localhost:8001 is linked to the SSL LDAP port on the LDAP server by
> > stunnel. The LDAP server is running SunOne directory server 5.2P2.
> >
> > What's happening is this--auth_ldap is authenticating regardless of
> > whether or not a valid password has been entered so long as a username
> > which exists in the LDAP directory is used. Here's the error log from
> > apache:
> >
> > [Tue Aug 15 09:31:30 2006] [debug] auth_ldap.c(145): [client 10.10.107.100] {25005} Entering auth_ldap_connect_to_server
> > [Tue Aug 15 09:31:30 2006] [debug] auth_ldap.c(165): [client 10.10.107.100] {25005} Opening connection to ldap server(s) `localhost'
> > [Tue Aug 15 09:31:30 2006] [debug] auth_ldap.c(168): [client 10.10.107.100] {25005} LDAP OP: init
> > [Tue Aug 15 09:31:30 2006] [debug] auth_ldap.c(288): [client 10.10.107.100] {25005} Binding to server `localhost' as uid=searchuser, ou=specials, dc=blackboard, dc=com/searchuserpassword
> > [Tue Aug 15 09:31:30 2006] [debug] auth_ldap.c(298): [client 10.10.107.100] {25005} LDAP OP: simple bind
> > [Tue Aug 15 09:31:31 2006] [debug] auth_ldap.c(605): [client 10.10.107.100] {25005} Peforming a search (scope=2) with filter (&(objectclass=*)(uid=gwalker))
> > [Tue Aug 15 09:31:31 2006] [debug] auth_ldap.c(609): [client 10.10.107.100] {25005} LDAP OP: search
> > [Tue Aug 15 09:31:31 2006] [debug] auth_ldap.c(616): [client 10.10.107.100] {25005} Server is down; reconnecting and starting over
> > [Tue Aug 15 09:31:31 2006] [debug] auth_ldap.c(112): [client 10.10.107.100] {25005} Server is down; reconnecting and starting over
> > [Tue Aug 15 09:31:31 2006] [debug] auth_ldap.c(116): [client 10.10.107.100] {25005} Freeing connection to ldap server(s) `localhost'
> > [Tue Aug 15 09:31:31 2006] [debug] auth_ldap.c(145): [client 10.10.107.100] {25005} Entering auth_ldap_connect_to_server
> > [Tue Aug 15 09:31:31 2006] [debug] auth_ldap.c(165): [client 10.10.107.100] {25005} Opening connection to ldap server(s) `localhost'
> > [Tue Aug 15 09:31:31 2006] [debug] auth_ldap.c(168): [client 10.10.107.100] {25005} LDAP OP: init
> > [Tue Aug 15 09:31:31 2006] [debug] auth_ldap.c(288): [client 10.10.107.100] {25005} Binding to server `localhost' as uid=searchuser, ou=specials, dc=blackboard, dc=com/searchuserpassword
> > [Tue Aug 15 09:31:31 2006] [debug] auth_ldap.c(298): [client 10.10.107.100] {25005} LDAP OP: simple bind
> > [Tue Aug 15 09:31:32 2006] [debug] auth_ldap.c(605): [client 10.10.107.100] {25005} Peforming a search (scope=2) with filter (&(objectclass=*)(uid=gwalker))
> > [Tue Aug 15 09:31:32 2006] [debug] auth_ldap.c(609): [client 10.10.107.100] {25005} LDAP OP: search
> > [Tue Aug 15 09:31:32 2006] [debug] auth_ldap.c(616): [client 10.10.107.100] {25005} Server is down; reconnecting and starting over
> > [Tue Aug 15 09:31:32 2006] [debug] auth_ldap.c(112): [client 10.10.107.100] {25005} Server is down; reconnecting and starting over
> > [Tue Aug 15 09:31:32 2006] [debug] auth_ldap.c(116): [client 10.10.107.100] {25005} Freeing connection to ldap server(s) `localhost'
> > [Tue Aug 15 09:31:32 2006] [debug] auth_ldap.c(145): [client 10.10.107.100] {25005} Entering auth_ldap_connect_to_server
> >
> > Now, the strange thing is this: auth_ldap is reporting that the server
> > is down/reconnecting/starting over. When I tcpdump the port, I see
> > clearly that the LDAP server responds to the search request with the
> > record for the user, including the user's DN.
> >
> > Has anyone seen this behavior previously? Is there anything I can do to
> > resolve it?
> >
> > Thanks for your assistance,
> >
> > Gary
> > gewalker at gmail.com
> > gwalker at blackboard.com
> >
> > _______________________________________________
> > Auth_ldap mailing list
> > Auth_ldap at rudedog.org
> > http://www.rudedog.org/mailman/listinfo/auth_ldap
> >
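Added example, not code from the auth_ldap project or from anyone in this thread: a small Python lint for the .htaccess fragment Gary posted, checking the points Ronnie raised (plaintext ldap:// versus ldaps://, whitespace after the commas in the URL base DN and the bind DN), plus a scan of auth_ldap debug output that counts the "Server is down; reconnecting" messages per request id so a reconnect loop like the one in the log above stands out. The .htaccess sample is the one from the thread with the bind password replaced by a placeholder; the log lines are constructed in the shape shown in the thread; the AuthLDAPBindPassword and AuthLDAPAuthoritative findings are checks added here, not something the thread itself recommends.

```python
"""Lint an auth_ldap .htaccess fragment and scan auth_ldap debug output for
reconnect loops. Added example; not auth_ldap project code."""
import re
from urllib.parse import urlsplit

# Constructed sample: the .htaccess from the thread, bind password replaced.
SAMPLE_HTACCESS = """\
AuthLDAPAuthoritative off
AuthName "Login"
AuthType Basic
AuthLDAPVersion "3"
AuthLDAPBindDN "uid=searchuser, ou=specials, dc=blackboard, dc=com"
AuthLDAPBindPassword PLACEHOLDER_PASSWORD
AuthLDAPURL ldap://localhost:8001/dc=blackboard, dc=com
AuthUserFile /dev/null
<Limit PUT POST GET>
require valid-user
</Limit>
"""

# Constructed sample: auth_ldap debug lines in the shape shown in the thread.
SAMPLE_LOG = """\
[Tue Aug 15 09:31:30 2006] [debug] auth_ldap.c(298): [client 10.10.107.100] {25005} LDAP OP: simple bind
[Tue Aug 15 09:31:31 2006] [debug] auth_ldap.c(609): [client 10.10.107.100] {25005} LDAP OP: search
[Tue Aug 15 09:31:31 2006] [debug] auth_ldap.c(616): [client 10.10.107.100] {25005} Server is down; reconnecting and starting over
[Tue Aug 15 09:31:32 2006] [debug] auth_ldap.c(609): [client 10.10.107.100] {25005} LDAP OP: search
[Tue Aug 15 09:31:32 2006] [debug] auth_ldap.c(616): [client 10.10.107.100] {25005} Server is down; reconnecting and starting over
[Tue Aug 15 09:31:40 2006] [debug] auth_ldap.c(609): [client 10.10.107.101] {25006} LDAP OP: search
"""

DIRECTIVE_RE = re.compile(r'^\s*(Auth\w+)\s+(.*?)\s*$')
LOOP_RE = re.compile(r'\{(\d+)\}\s+Server is down; reconnecting')


def parse_directives(text):
    """Map each Auth* directive to its value (surrounding quotes removed)."""
    found = {}
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2).strip('"')
    return found


def dn_has_whitespace(dn):
    """True when a DN carries whitespace after a comma separator."""
    return re.search(r',\s', dn) is not None


def lint_auth_ldap(directives):
    """Return a list of findings for an auth_ldap config; empty means clean."""
    findings = []
    url = directives.get('AuthLDAPURL', '')
    # Apache LDAP URL shape: scheme://host:port/basedn?attrs?scope?filter
    parts = urlsplit(url)
    base_dn = parts.path.lstrip('/').split('?', 1)[0]
    if parts.scheme == 'ldap':
        if parts.hostname in ('localhost', '127.0.0.1'):
            where = 'loopback; only acceptable if a local tunnel such as stunnel carries TLS'
        else:
            where = 'a remote host; use ldaps://'
        findings.append('AuthLDAPURL: plaintext ldap:// to ' + where)
    if dn_has_whitespace(base_dn):
        findings.append('AuthLDAPURL: whitespace inside base DN %r' % base_dn)
    bind_dn = directives.get('AuthLDAPBindDN', '')
    if dn_has_whitespace(bind_dn):
        findings.append('AuthLDAPBindDN: whitespace inside DN %r' % bind_dn)
    # Checks added here (not from the thread): a bind credential living in a
    # per-directory file, and non-authoritative mode handing failures onward.
    if 'AuthLDAPBindPassword' in directives:
        findings.append('AuthLDAPBindPassword: bind credential stored in the .htaccess file')
    if directives.get('AuthLDAPAuthoritative', 'on').lower() == 'off':
        findings.append('AuthLDAPAuthoritative off: other auth modules may decide when auth_ldap declines')
    return findings


def reconnect_loops(log_text):
    """Count 'Server is down; reconnecting' messages per request id ({nnnnn})."""
    counts = {}
    for m in LOOP_RE.finditer(log_text):
        counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


if __name__ == '__main__':
    for finding in lint_auth_ldap(parse_directives(SAMPLE_HTACCESS)):
        print('finding:', finding)
    for req, n in reconnect_loops(SAMPLE_LOG).items():
        print('request %s reconnected %d times' % (req, n))
```

Running it against the sample reports the plaintext ldap:// to loopback, the whitespace in both DNs, the stored bind password and the non-authoritative setting, and shows request 25005 reconnecting twice; with ldaps:// and the spaces removed, the DN and scheme findings go away.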