Apache2 htaccess via PAM Mysql (etch)
After nearly three days sweating on this I'm now stuck.

I want apache to authenticate access solely via mysql. The new mod-authn-dbd is reputed to be buggy, and the old mod-auth-apache2-mysql is absent in debian etch. So it appears I'm stuck with pam, which, if no longer maintained, is nearly working. Oddly, access works when it matches a /etc/passwd user, which I don't want! Everything else fails to login, and presents a new login prompt, except where a mysql entry matches, in which case the PAM log (mysql) says:

entry                   user  pid   host       ts
AUTHENTICATION SUCCESS  test  6193  (unknown)  2008-02-28 10:14:24

yet the browser gets:

401 Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

and var/log/apache/error.log gets

PAM: user 'ee' - invalid account: User not known to the underlying authentication module

and /var/log/auth.log gets

Feb 28 11:16:21 solarbus1 apache2: pam_mysql - SELECT solarbus.spacepersons.password FROM solarbus.spacepersons WHERE solarbus.spacepersons.username = 'ee'
Feb 28 11:16:21 solarbus1 apache2: pam_mysql - pam_mysql_sql_log() called.
Feb 28 11:16:21 solarbus1 apache2: pam_mysql - pam_mysql_format_string() called
Feb 28 11:16:21 solarbus1 apache2: pam_mysql - pam_mysql_quick_escape() called.
Feb 28 11:16:21 solarbus1 last message repeated 8 times
Feb 28 11:16:21 solarbus1 apache2: pam_mysql - INSERT INTO pamlog (entry, user, host, pid, ts) VALUES ('AUTHENTICATION SUCCESS', 'ee', '(unknown)', '6193', NOW())
Feb 28 11:16:21 solarbus1 apache2: pam_mysql - pam_mysql_sql_log() returning 0.
Feb 28 11:16:21 solarbus1 apache2: pam_mysql - pam_mysql_check_passwd() returning 0.
Feb 28 11:16:21 solarbus1 apache2: pam_mysql - pam_sm_authenticate() returning 0.
Feb 28 11:16:21 solarbus1 apache2: (pam_unix) could not identify user (from getpwnam(ee))
Feb 28 11:16:21 solarbus1 apache2: pam_mysql - pam_mysql_release_ctx() called.
Feb 28 11:16:21 solarbus1 apache2: pam_mysql - pam_mysql_destroy_ctx() called.
Feb 28 11:16:21 solarbus1 apache2: pam_mysql - pam_mysql_close_db() called.

Looks like pam_mysql is OKing it but pam_unix is being authoritative. Don't know enough about pam to know why.

Any clues appreciated.

Peter

Here's my /etc/pam.d/apache2

auth require pam_mysql.so verbose=1 user=peter passwd=xxxxx host=127.0.0.1 db=solarbus table=solarbus.spacepersons usercolumn=solarbus.spacepersons.username passwdcolumn=solarbus.spacepersons.password crypt=0 sqllog=true logtable=pamlog logmsgcolumn=entry logusercolumn=user logpidcolumn=pid loghostcolumn=host logtimecolumn=ts

and /var/www/.htaccess

AuthPAM_Enabled on
AuthPAM_FallThrough off
AuthType Basic
AuthName "Intranet"
AuthUserFile /dev/null
AuthBasicAuthoritative Off
require valid-user
I found out that it only has to match that the username is present as a system user. It does not matter if the password is wrong, i.e.

system users:
peter, password pop999

mysql users:
peter, password mum999
jane, password dad888

mod-pam will authenticate for:
peter password mum999

but not for:
jane, password dad888

pam-unix is testing to see that an account exists only. Not actually authenticating.

I thought by setting the auth control in pam config to 'sufficient', and removing the includes to common-account and common-auth, and setting htaccess AuthBasicAuthoritative to off, that this shouldn't happen.

I've also RTFM and it's not too inspiring.

"mod_pam is no longer maintained, but it mostly works with apache 1.3 and 2.0"

Given that etch is using 2.2 I guess that could be part of the problem?

P.
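
The auth.log excerpt in the first post shows pam_mysql returning 0 from pam_sm_authenticate() and pam_unix then failing getpwnam() for the same request. The following Python script is an added example, not part of the thread: it flags that pattern in a syslog-format log. The sample lines are constructed from the excerpt, and the function name, the "returning 7" line and the sshd line are assumptions made for the illustration.

```python
import re

# Constructed sample modelled on the auth.log excerpt in the post (not real data).
SAMPLE_LOG = """\
Feb 28 11:16:21 solarbus1 apache2: pam_mysql - pam_mysql_check_passwd() returning 0.
Feb 28 11:16:21 solarbus1 apache2: pam_mysql - pam_sm_authenticate() returning 0.
Feb 28 11:16:21 solarbus1 apache2: (pam_unix) could not identify user (from getpwnam(ee))
Feb 28 11:16:21 solarbus1 apache2: pam_mysql - pam_mysql_release_ctx() called.
Feb 28 11:17:02 solarbus1 apache2: pam_mysql - pam_sm_authenticate() returning 7.
Feb 28 11:17:02 solarbus1 apache2: pam_mysql - pam_mysql_release_ctx() called.
Feb 28 11:18:40 solarbus1 sshd: (pam_unix) could not identify user (from getpwnam(zz))
"""

# timestamp, host, service (optional [pid]), message
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([^:\[\s]+)(?:\[\d+\])?: (.*)$")
AUTH_RET = re.compile(r"pam_mysql - pam_sm_authenticate\(\) returning (\d+)")
UNIX_NOUSER = re.compile(r"\(pam_unix\) could not identify user \(from getpwnam\((.*?)\)\)")
RELEASE = "pam_mysql - pam_mysql_release_ctx() called"

def find_split_decisions(log_text):
    """Flag transactions where pam_mysql accepted the password but pam_unix
    then failed to find the same user in the system account database."""
    findings = []
    mysql_ok = {}  # service name -> timestamp of an accepted pam_mysql auth
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, _host, service, msg = m.groups()
        ret = AUTH_RET.search(msg)
        if ret:
            if ret.group(1) == "0":          # 0 == PAM_SUCCESS
                mysql_ok[service] = ts
            else:
                mysql_ok.pop(service, None)  # pam_mysql itself refused
        elif RELEASE in msg:
            mysql_ok.pop(service, None)      # end of this PAM transaction
        else:
            nouser = UNIX_NOUSER.search(msg)
            if nouser and service in mysql_ok:
                findings.append({"time": ts, "service": service,
                                 "user": nouser.group(1),
                                 "accepted_by": "pam_mysql",
                                 "rejected_by": "pam_unix"})
    return findings

if __name__ == "__main__":
    for finding in find_split_decisions(SAMPLE_LOG):
        print(finding)
```

Only the first transaction in the sample is reported: the second is refused by pam_mysql itself, and the sshd line has no preceding pam_mysql success.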