securing apache (Netware Webserver forum archive, May 2005)

jeffrey tucker 2005-05-10, 5:45 pm
after several weeks i was able to fix some problems myself.
now i am trying to use LDAP to secure one particular folder. i have the
following in my apache config.
<Directory VOL1:/web/secure/>
Options ExecCGI Includes MultiViews
AllowOverride None
Order deny,allow
Allow from all
AuthType Basic
AuthName "Protected"
AuthLDAPAuthoritative On
AuthLDAPURL ldaps://server-dns-name/o=crrm?uid?sub
require valid-user
</Directory>
the server is nw6.5.2. apache is 2.0.49. DSTRACE on the server shows no
activity after DSTRACE SCREEN ON and DSTRACE +LDAP and trying the SECURE
link after inputting various forms of credentials. i have softerra ldap
browser 2.6 which can browse LDAP on port 389.
all i am trying to do is set up a helpdesk and am having 0.00000% luck. any
advice?

Morning.
jeffrey tucker wrote:
> after several weeks i was able to fix some problems myself.
>
> now i am trying to use LDAP to secure one particular folder. i have the
> following in my apache config.
>
> <Directory VOL1:/web/secure/>
> Options ExecCGI Includes MultiViews
> AllowOverride None
> Order deny,allow
> Allow from all
> AuthType Basic
> AuthName "Protected"
> AuthLDAPAuthoritative On
> AuthLDAPURL ldaps://server-dns-name/o=crrm?uid?sub
> require valid-user
> </Directory>
>
> the server is nw6.5.2. apache is 2.0.49. DSTRACE on the server shows no
> activity after DSTRACE SCREEN ON and DSTRACE +LDAP and trying the SECURE
> link after inputing various forms of credentials. i have softerra ldap
> browser 2.6 which can browse LDAP on port 389.
>
> all i am trying to do is setup a helpdesk am having 0.00000% luck. any
> advice?
Is your LDAP Server on the same machine as Apache? If yes, change the
AuthLDAPURL to use ldap:// and configure the LDAP server to
accept clear text passwords. If the LDAP server is on another machine,
then check 1) you can ping it from the console of the Apache server, 2)
that port 636 is open on the LDAP server, 3) Apache is configured to
allow SSL connection to the LDAP server (check the Directives for the
utilldap module in the Apache documentation), and 4) the LDAP Server has a
valid certificate allocated for its SSL link.
N.

jeffrey tucker 2005-05-11, 5:45 pm
thanks for the reply. i changed the LDAP url to non-secure port since it is
the same box. i also changed the server's group to allow clear text
passwords (true). i also set the screen display for everything. i still
cannot login.
i was able to get output to the dstrace screen and file:
LDAP Group config version 0 does not match executable config version 8
Starting dynamic upgrade
Dynamically upgrading LDAP Group object...
Upgrading LDAP Group attribute mappings (removing old)
DoSearch on connection 0x89b3fa80
Search request:
base: "o=CRRM"
scope:2 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(&(objectclass=*)(uid=cn=admin,o=crrm))"
attribute: "uid"
Sending operation result 0:"":"" to connection 0x89b3fa80
Work info status: Total:8 Peak:8 Busy:0
Thread pool status: Total:12 Peak:12 Busy:3
DoSearch on connection 0x89b3fa80
Search request:
base: "o=CRRM"
scope:2 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(&(objectclass=*)(uid=cn=admin,o=crrm))"
attribute: "uid"
Sending operation result 0:"":"" to connection 0x89b3fa80
what's next? i am still tinkering.

jeffrey tucker 2005-05-11, 5:45 pm
thanks for the reply (danke). this particular folder has never worked.
imanager and remote manager and ifolder work fine. i have just started to
setup this help desk software.
i tried norm's suggestion and it did not work either.
any other ideas?

G'Morning,
Do your user objects actually have a 'uid' property that can be seen
with your ldap browser? If not, change 'uid' to 'cn' in your AuthLDAPURL
directive. Note that you should be able to 'see' the LDAP tree even from
a workstation not authenticated to the network, and without providing
any login details for the browser; if you can't then you need to check
the 'Public' rights to the needed properties or create an LDAP proxy
user object that has.
N.
jeffrey tucker wrote:
> thanks for the reply. i changed the LDAP url to non-secure port since it is
> the same box. i also changed the server's group to allow clear text
> passwords (true). i also set the screen display for everything. i still
> cannot login.
>
> i was able to get output to the dstrace screen and file:
>
> LDAP Group config version 0 does not match executable config version 8
> Starting dynamic upgrade
> Dynamically upgrading LDAP Group object...
> Upgrading LDAP Group attribute mappings (removing old)
> DoSearch on connection 0x89b3fa80
> Search request:
> base: "o=CRRM"
> scope:2 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
> filter: "(&(objectclass=*)(uid=cn=admin,o=crrm))"
> attribute: "uid"
> Sending operation result 0:"":"" to connection 0x89b3fa80
> Work info status: Total:8 Peak:8 Busy:0
> Thread pool status: Total:12 Peak:12 Busy:3
> DoSearch on connection 0x89b3fa80
> Search request:
> base: "o=CRRM"
> scope:2 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
> filter: "(&(objectclass=*)(uid=cn=admin,o=crrm))"
> attribute: "uid"
> Sending operation result 0:"":"" to connection 0x89b3fa80
>
> whats next? i am still tinkering.
>
>

jeffrey tucker 2005-05-12, 5:45 pm
thanks, i changed the entry to ldap://nor_srv3.rrmm.net/o=CRRM?cn?sub
the login to the secure folder still failed. i see
"(&(objectclass=*)(cn=cn=admin,o=crrm))" which seems odd.
DoSearch on connection 0x89b3fa80
Search request:
base: "o=CRRM"
scope:2 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(&(objectclass=*)(cn=cn=admin,o=crrm))"
attribute: "cn"
Sending operation result 0:"":"" to connection 0x89b3fa80
DoSearch on connection 0x89b3fa80
Search request:
base: "o=CRRM"
scope:2 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(&(objectclass=*)(cn=cn=admin,o=crrm))"
attribute: "cn"
Sending operation result 0:"":"" to connection 0x89b3fa80
i even did dirk's suggested steps with same results. the apache admin logs
in using the same credentials and syntax with these results
New TLS connection 0x90057b60 from 192.168.0.5:6820, monitor = 0x1c1, index = 20
Monitor 0x1c1 initiating TLS handshake on connection 0x90057b60
DoTLSHandshake on connection 0x90057b60
Completed TLS handshake on connection 0x90057b60
DoBind on connection 0x90057b60
Bind name:cn=admin,o=crrm, version:3, authentication:simple
Sending operation result 0:"":"" to connection 0x90057b60
DoSearch on connection 0x90057b60
Search request:
base: "cn=admin,o=crrm"
scope:0 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(objectClass=*)"
no attributes
Empty attribute list implies all user attributes
Sending search result entry "cn=Admin,o=CRRM" to connection 0x90057b60
Sending operation result 0:"":"" to connection 0x90057b60
DoSearch on connection 0x90057b60
Search request:
base: "cn=admin,o=crrm"
scope:0 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(objectClass=*)"
no attributes
Empty attribute list implies all user attributes
Sending search result entry "cn=Admin,o=CRRM" to connection 0x90057b60
Sending operation result 0:"":"" to connection 0x90057b60
DoSearch on connection 0x90057b60
Search request:
base: "o=crrm"
scope:0 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(objectClass=*)"
no attributes
Empty attribute list implies all user attributes
Sending search result entry "o=CRRM" to connection 0x90057b60
Sending operation result 0:"":"" to connection 0x90057b60
DoSearch on connection 0x90057b60
Search request:
base: "cn=Apache Group,o=crrm"
scope:0 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(objectClass=*)"
no attributes
Empty attribute list implies all user attributes
Sending search result entry "cn=Apache Group,o=CRRM" to connection 0x90057b60
Sending operation result 0:"":"" to connection 0x90057b60
anything else i can try? i am thoroughly confused.
thanks again.
"NormW" <normw@bocnet.com.au> wrote in message
news:n2uge.6639$IU1.3823@prv-forum2.provo.novell.com...
> G'Morning,
> Do your user objects actually have a 'uid' property that can be seen
> with your ldap browser? If not, change 'uid' to 'cn' in your AuthLDAPURL
> directive. Note that you should be able to 'see' the LDAP tree even from
> a workstation not authenticated to the network, and without providing
> any login details for the browser; if you can't then you need to check
> the 'Public' rights to the needed properties or create an LDAP proxy
> user object that has.
> N.

jeffrey tucker 2005-05-12, 5:45 pm
i tried to create a new proxy user. still failing. the failed operation at
the bottom has weird "cn=cn=" (double)
any other ideas?
thanks
------
OPERATION SUCCESSFUL ON APACHE ADMIN LOGIN
------
New TLS connection 0x90057b60 from 192.168.0.5:6820, monitor = 0x1c1, index = 20
Monitor 0x1c1 initiating TLS handshake on connection 0x90057b60
DoTLSHandshake on connection 0x90057b60
Completed TLS handshake on connection 0x90057b60
DoBind on connection 0x90057b60
Bind name:cn=admin,o=crrm, version:3, authentication:simple
Sending operation result 0:"":"" to connection 0x90057b60
DoSearch on connection 0x90057b60
Search request:
base: "cn=admin,o=crrm"
scope:0 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(objectClass=*)"
no attributes
Empty attribute list implies all user attributes
Sending search result entry "cn=Admin,o=CRRM" to connection 0x90057b60
Sending operation result 0:"":"" to connection 0x90057b60
DoSearch on connection 0x90057b60
Search request:
base: "cn=admin,o=crrm"
scope:0 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(objectClass=*)"
no attributes
Empty attribute list implies all user attributes
Sending search result entry "cn=Admin,o=CRRM" to connection 0x90057b60
Sending operation result 0:"":"" to connection 0x90057b60
DoSearch on connection 0x90057b60
Search request:
base: "o=crrm"
scope:0 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(objectClass=*)"
no attributes
Empty attribute list implies all user attributes
Sending search result entry "o=CRRM" to connection 0x90057b60
Sending operation result 0:"":"" to connection 0x90057b60
DoSearch on connection 0x90057b60
Search request:
base: "cn=Apache Group,o=crrm"
scope:0 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(objectClass=*)"
no attributes
Empty attribute list implies all user attributes
Sending search result entry "cn=Apache Group,o=CRRM" to connection 0x90057b60
Sending operation result 0:"":"" to connection 0x90057b60
------
OPERATION FAILED ON NEW FOLDER
------
DoSearch on connection 0x89b3fa80
Search request:
base: "o=CRRM"
scope:2 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(&(objectclass=*)(cn=cn=admin,o=crrm))"
attribute: "cn"
Sending operation result 0:"":"" to connection 0x89b3fa80
DoSearch on connection 0x89b3fa80
Search request:
base: "o=CRRM"
scope:2 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(&(objectclass=*)(cn=cn=admin,o=crrm))"
attribute: "cn"
Sending operation result 0:"":"" to connection 0x89b3fa80
"Dirk Heimann" <dirk.heimann@westlotto.de> wrote in message
news:v4Cge.6932$IU1.1428@prv-forum2.provo.novell.com...
> iManager, remote manager and ifolder don't need an LDAP proxy. third party
> products need an LDAP proxy user!
> try it, it should work fine!
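As an added example (not code from the thread, Novell or the Apache project), the Python below rebuilds the search filter that appears in the DSTRACE output from an AuthLDAPURL and the username typed at the browser prompt: the odd "cn=cn=admin,o=crrm" is exactly what results when a full DN is entered where the cn attribute value alone is expected, and the RFC 4515 escaping shows how such a filter should be built so that filter metacharacters in a typed username are neutralised. The defaults (uid, sub, objectclass=*) are mod_auth_ldap's documented ones; the URL parsing and the DN heuristic are this example's own simplifications.

```python
import re

# RFC 4515 escapes for characters that are special inside a filter value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a typed username before it is placed in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url: str) -> dict:
    """Split an AuthLDAPURL of the form scheme://host[:port]/basedn?attr?scope?filter.

    Simplified parser for this example; missing fields take mod_auth_ldap's
    documented defaults (attribute uid, scope sub, filter objectclass=*).
    """
    scheme, _, rest = url.partition("://")
    host, _, rest = rest.partition("/")
    fields = rest.split("?") + [""] * 4
    return {
        "scheme": scheme,
        "host": host,
        "base": fields[0],
        "attr": fields[1] or "uid",
        "scope": fields[2] or "sub",
        "filter": fields[3] or "objectclass=*",
    }


def build_user_filter(cfg: dict, username: str) -> str:
    """Filter issued against cfg['base'] to find the DN matching the typed username."""
    return f"(&({cfg['filter']})({cfg['attr']}={escape_filter_value(username)}))"


def looks_like_dn(username: str) -> bool:
    """Heuristic: True when the typed username is a full DN rather than a bare value."""
    return re.fullmatch(r"\w+=[^,]+(,\w+=[^,]+)*", username.strip()) is not None


if __name__ == "__main__":
    cfg = parse_auth_ldap_url("ldap://nor_srv3.rrmm.net/o=CRRM?cn?sub")
    for typed in ("cn=admin,o=crrm", "admin", "admin*"):
        note = "  <- a DN was typed, not a cn value" if looks_like_dn(typed) else ""
        print(build_user_filter(cfg, typed) + note)
```

Running it prints the doubled "cn=cn=" filter for the DN case and a filter with the wildcard escaped as \2a for the third input.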