HPE Community
Operating System - HP-UX
1830194 Members
12171 Online
109999 Solutions
New Discussion

HPWS 2.15 Apache mod_auth_ldap authentication issue (passwords with accent)

 
Michal Kovac
Trusted Contributor

‎03-26-2006 07:18 PM

‎03-26-2006 07:18 PM

HPWS 2.15 Apache mod_auth_ldap authentication issue (passwords with accent)

Hello,
we have an issue with apache ldap users authentication - users which have passwords containing characters with accent are not sucessfully authenticated.




Apache httpd.conf:

Alias /test "/usr/share/test"

AuthName "TEST3 domain name and password"
AuthType Basic
Require valid-user
AuthLDAPURL ldap://192.168.22.149:3268/dc=mstest3dom,dc=cz?sAMAccountName?sub?(objectCategory=Person)(objectClass=User)
AuthLDAPBindDN "cn=ldapproxyuser,cn=Users,dc=mstest3dom,dc=cz"
AuthLDAPBindPassword "ldapproxyuser"
AuthLDAPEnabled on
AuthLDAPAuthoritative on





Apache error_log:

[Thu Mar 23 17:32:58 2006] [notice] Apache/2.0.55 HP-UX_Apache-based_Web_Server (Unix) DAV/2 PHP/5.0.4 configured -- resuming normal operations
[Thu Mar 23 17:33:28 2006] [warn] [client 192.168.22.163] [29459] auth_ldap authenticate: user test4 authentication failed; URI /test [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Thu Mar 23 17:33:30 2006] [warn] [client 192.168.22.163] [29459] auth_ldap authenticate: user test4 authentication failed; URI /test [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Thu Mar 23 17:33:30 2006] [warn] [client 192.168.22.163] [29459] auth_ldap authenticate: user test4 authentication failed; URI /test [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]




Environment:

# uname -a
HP-UX hpux B.11.11 U 9000/800 593776517 unlimited-user license
# /opt/hpws/apache/bin/httpd -V
Server version: Apache/2.0.55 HP-UX_Apache-based_Web_Server
Server built: Jan 10 2006 13:36:51
Server's Module Magic Number: 20020903:11
Architecture: 32-bit
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/worker"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PROC_PTHREAD_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D APR_PROCESS_LOCK_IS_GLOBAL
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D HTTPD_ROOT="/opt/hpws/apache"
-D DEFAULT_CHROOT_DIR=""
-D SUEXEC_BIN="/opt/hpws/apache/bin/suexec"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
#

LDAP server is MS Active Directory (MS Windows 2000 server)




User test4:

has password "test4ž"
ž = 9E (in windows-1250 encoding)
ž = C5 BE (in utf8 encoding)
... after "manual" password encoding to utf8 and copy&paste "test4Ĺľ" user authenticate OK.




Packet sniffer results:

apache@win send passwords utf8 encoded - auth. is OK
apache@hpux send passwords windows-1250 encoded (browser encoding) - auth. ERROR




Other/notes:

Playing with locales/environment variables of apache user does not help.
Is there (in Apache or OS ...) some other way how to tell apache to make utf8 password encoding before its send to LDAP server (mod_charset_lite? ...)?




Thank you,
Michal
0 Kudos
6 REPLIES 6
Peter Godron
Honored Contributor

‎03-28-2006 10:57 PM

‎03-28-2006 10:57 PM

Re: HPWS 2.15 Apache mod_auth_ldap authentication issue (passwords with accent)

Michal,
have you looked for AuthLDAPCharsetConversion and AuthLDAPConvertFromLanguage
0 Kudos
Peter Godron
Honored Contributor

‎03-30-2006 07:05 PM

‎03-30-2006 07:05 PM

Re: HPWS 2.15 Apache mod_auth_ldap authentication issue (passwords with accent)

Michal,
any update on this?
0 Kudos
Michal Kovac
Trusted Contributor

‎04-10-2006 07:45 PM

‎04-10-2006 07:45 PM

Re: HPWS 2.15 Apache mod_auth_ldap authentication issue (passwords with accent)

Peter,
thank you for ideas, but IMHO this directives are not implemented in this version:

-http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html

-# strings /opt/hpws/apache/modules/mod_auth_ldap.so|grep AuthLDAP
Unrecognized value for AuthLDAPAliasDereference directive
Too many AuthLDAPGroupAttribute directives
AuthLDAPCharsetConfig
AuthLDAPFrontPageHack
AuthLDAPEnabled
AuthLDAPDereferenceAliases
AuthLDAPGroupAttributeIsDN
AuthLDAPGroupAttribute
AuthLDAPCompareDNOnServer
AuthLDAPAuthoritative
AuthLDAPRemoteUserIsDN
AuthLDAPBindPassword
AuthLDAPBindDN
AuthLDAPURL

Michal
0 Kudos
Michal Kovac
Trusted Contributor

‎04-10-2006 07:48 PM

‎04-10-2006 07:48 PM

Re: HPWS 2.15 Apache mod_auth_ldap authentication issue (passwords with accent)

Solved by workaround.
0 Kudos
Peter Godron
Honored Contributor

‎04-10-2006 08:47 PM

‎04-10-2006 08:47 PM

Re: HPWS 2.15 Apache mod_auth_ldap authentication issue (passwords with accent)

Michal,
could you please detail the workaround, so that future users with the same problem can benefit from your solution.
0 Kudos
Michal Kovac
Trusted Contributor

‎04-17-2006 07:54 PM

‎04-17-2006 07:54 PM

Re: HPWS 2.15 Apache mod_auth_ldap authentication issue (passwords with accent)

Instead of mod_auth_ldap.so use mod_auth_external.so (see http://unixpapa.com/mod_auth_external.html) and calling of ldapsearch from LDAP-UX Client Services (see http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=J4269AA).
Michal
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.