topic Re: Apache: authentication in Operating System - OpenVMS

Apache: authentication

Willem Grooters — Wed, 10 Jun 2009 08:24:45 GMT

OpenVMS 7.3-2, Apache 2.1-1; two systems, not clustered together.

The webserver has been setup to serve virtual host, (port-based), and basically, the configuration las been setup as in attached file. This file is included at the end of httpd.conf

http://node1:port/appl/index.html and http://node1:port/appl-cgi/script triggers authentication on first access, and authentication is passed to subsequent requests.

http://node2:port/appl/index.html does NOT trigger authentication, and the following error is displayed:

You don't have permission to access /appl/index.html on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

The same applies to access to the cgi-scripts.

The base configuration contains the following differences:

AllowOverride None vs. AuthConfig
UsecanonicalName On vs. Off

APACHE$WWW has READ+WRITE access to all files it needs to access, either by a granted rights identifier (system 1) of explicitly (system 2) by an ACE on directories and files.

Any hints what could cause the difference?

Re: Apache: authentication

Willem Grooters — Wed, 10 Jun 2009 08:51:24 GMT

Additional:

On node2, Documentroot has been set to top directory:

DocumentRoot /rootdir/appl

which requires authentication.
Now the authentication is triggered, but the credentials are not passed in subsequent requests that follwo this path.

Access and errorlog show the result (see attached file)

Re: Apache: authentication

Camiel Vanderhoeven — Wed, 10 Jun 2009 08:58:21 GMT

Hi Willem,

Do you have .htaccess filees in any of the directories? If so, what are their contents?

Re: Apache: authentication

Willem Grooters — Wed, 10 Jun 2009 09:24:52 GMT

No .htaccess files.

Re: Apache: authentication

Willem Grooters — Wed, 10 Jun 2009 10:48:08 GMT

I just found out that SSL has been enabled just before the include - and it contains SSLEngine On - before a virtual host using the information is defined.
Could that be of influence?

Re: Apache: authentication

Camiel Vanderhoeven — Thu, 11 Jun 2009 04:55:45 GMT

Hi Willem,

I can't see why any of the differences between the two configurations should casue this. Are you sure there are no other differences that went unnoticed?

All versions are the same?

The only thing I can think of is changing those settings that differ on node 2 to match those on node 1, and see if that does the trick. Once we know exactly what triggers the differing behaviour, we might be able to work out why.

Re: Apache: authentication

Willem Grooters — Thu, 11 Jun 2009 12:02:52 GMT

Solved.
Though the directroy itself allowed APACHE$WWW READ+WRITE access, parent directories allowed EXECUTE access only. It was found that adding READ access solved this issue.

As a result, when using ACL protection, ALL directories in the path require ACE:
(ID=APACHE$WWW, ACCESS=READ+EXECUTE)

Re: Apache: authentication

Willem Grooters — Thu, 11 Jun 2009 12:03:36 GMT

Missing protection level...