.htaccess AuthUserFile has no effect or is being ignored - apache

After hours of searching the web and trying dozens of unsuccessful solutions - here is my question.
I'm currently configuring a web server on RHEL 6.4 with httpd 2.2.15 behind another RHEL 6.4 server running squid 3.1.10, HTTPS only. I'm also using mod_rpaf to simplify logging and identification of visitors behind the proxy.
My problem is configuring a simple password-protected folder. When I try to access the folder, the password dialog pops up with the configured AuthName, so I know that the .htaccess is being parsed. But the dialog does not accept the correct credentials and gives me a 401 error.
I messed around with:
different permissions for .htaccess, .htpasswd and parent folders
different absolute locations for the .htpasswd
all activated Apache modules that are available on my system
different encryption algorithms for .htpasswd (crypt, md5, sha, salted sha...)
AllowOverride All on the protected and parent folder
But what I really do not understand is that even if I put a wrong location for AuthUserFile there is no error message in Apache's error_log like the well-known "Permission denied: Could not open password file", not even with LogLevel debug. Therefore I think that something is wrong with the AuthUserFile directive.
I hope there is someone out there knowing better methods to identify the problem.
This is my simple .htaccess I'm using for testing:
AuthType Basic
AuthName "Test123"
#AuthUserFile /var/www/test/.htpasswd
AuthUserFile /notexisting
Require valid-user

Finally I got it to work!
I tracked the error down to the squid reverse proxy by using lynx on my web server and successfully accessing the protected folder from there.
With my new focus on squid I started googling again. Already the first link took me to the correct answer: squid did not allow Apache to handle user authentication.
Resolution:
Add login=PASS to the cache_peer command in your squid.conf
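The fix above is a single squid.conf option, and the symptom it cures (a correct password that always comes back 401) is invisible from the Apache side. As an added example, not code from the original post or from Squid, the following Python checks a squid.conf text for originserver peers whose cache_peer line lacks login=PASS, the option the answer identifies as the one that lets Squid hand the browser's Authorization header to Apache. The two configuration fragments are constructed for the example; the host, certificate paths and peer name are placeholders.

```python
"""Check which cache_peer lines in squid.conf would strip client credentials.

Added example for this thread, not code from the original post or from Squid.
It parses a squid.conf text and lists the originserver peers whose cache_peer
line lacks login=PASS, the option the answer above identifies as necessary for
Apache behind Squid to see the browser's Authorization header. The two config
fragments are constructed for the example; host and peer names are made up.
"""
from typing import Dict, List

SQUID_CONF_BEFORE = """\
# reverse proxy terminating HTTPS for one Apache origin (constructed example)
https_port 443 accel defaultsite=www.example.test cert=/etc/squid/cert.pem key=/etc/squid/key.pem
cache_peer 10.0.0.10 parent 443 0 no-query originserver ssl name=webserver
cache_peer_access webserver allow all
"""

SQUID_CONF_AFTER = """\
# same proxy, with the fix from the answer: hand the client's credentials to Apache
https_port 443 accel defaultsite=www.example.test cert=/etc/squid/cert.pem key=/etc/squid/key.pem
cache_peer 10.0.0.10 parent 443 0 no-query originserver ssl login=PASS name=webserver
cache_peer_access webserver allow all
"""


def parse_cache_peers(conf: str) -> List[Dict[str, object]]:
    """Return one record per cache_peer directive: host, type, ports and options."""
    peers: List[Dict[str, object]] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # cache_peer hostname type http-port icp-port [options]
        if fields[0] != "cache_peer" or len(fields) < 5:
            continue
        options: Dict[str, str] = {}
        for opt in fields[5:]:
            key, _, value = opt.partition("=")
            options[key] = value          # flags such as originserver get ""
        peers.append({
            "hostname": fields[1],
            "type": fields[2],
            "http_port": fields[3],
            "icp_port": fields[4],
            "options": options,
            "name": options.get("name", fields[1]),
        })
    return peers


def peers_dropping_client_auth(conf: str) -> List[str]:
    """Names of originserver peers without login=PASS.

    Requests forwarded to these peers reach Apache without the client's
    Authorization header, so Basic auth configured in .htaccess on the origin
    can only ever answer 401, which is the symptom described in the question.
    """
    bad = []
    for peer in parse_cache_peers(conf):
        options = peer["options"]
        assert isinstance(options, dict)
        if "originserver" in options and options.get("login") != "PASS":
            bad.append(str(peer["name"]))
    return bad


if __name__ == "__main__":
    print("before:", peers_dropping_client_auth(SQUID_CONF_BEFORE))   # ['webserver']
    print("after: ", peers_dropping_client_auth(SQUID_CONF_AFTER))    # []
```

Run it against the real squid.conf (`peers_dropping_client_auth(open("/etc/squid/squid.conf").read())`) before spending time on .htaccess permissions: if the origin peer is listed, Apache never saw the credentials in the first place. Note that login=PASS forwards whatever the browser sent, so the link between Squid and Apache should itself be TLS (the `ssl` peer option used here) or a trusted network.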

Related

Password protecting with Htaccess results in Error 500

I have a website hosted with nearlyfreespeech (saying it here so maybe someone who has a website hosted there can help.)
I have two files:
.htaccess
AuthType Basic
AuthName 'Reserved Area'
AuthUserFile /home/public/money/downloads/plugins/.htpasswd
Require valid-user
.htpasswd
I am not including anything here, as it's irrelevant.
The problem might be with the directory(?)
Also nearlyfreespeech's dashboard gives me these two things; I don't know if they can be of any help.
Apache Site Root /fs7d/privacy/
Apache Document Root /fs7d/privacy/public/
The problem as you read from the title is "error 500".
I looked at the server logs and found out that the problem was actually the directory. Now the question is: how do I find the proper directory to fix this error?
Thanks

WAMP Server 2.2 - .htaccess -> Internal error (500)

I've just added an .htaccess and an .htpasswd to my web app and I'm now getting an error 500.
.htaccess :
AuthUserFile ./.htpasswd
AuthName "Password Protected Area"
AuthType Basic
<limit GET POST>
require valid-user
</limit>
.htpasswd
root:roe7nCYHcm0As
I've read on this web site that I had to enable "headers_module" and "rewrite_module" and then restart the server, which I did, but I'm still getting this error.
I'm using wampserver 2.2 (apache 2.4.2) on windows 7.
That's most probably because htaccess does not find your file's location.
If you use a relative path, then apache uses the server root which is /etc/apache2 in my case (ubuntu).
Just to be sure, right-click on the password file, get the path and paste it into .htaccess. If it still does not work, please copy and paste your error log here so that I can see exactly what the error is.
EDIT
I've seen your last comment now.
Some setups require that you store the encrypted version of the password. So for instance, instead of storing the password as
myuser:111
you should store like:
myuser:$apr1$E6YrxcHU$ilyC2mqfNSrQmle4KEAeq.
I don't have a Windows at hand right now so I cannot check it but earlier versions of Wamp had a password generator for .htpasswd under c:\wamp\Apache2\bin\htpasswd.exe. Try to check that program.
Otherwise, Apache uses MD5 by default to encrypt passwords. You can encrypt your password programmatically and then copy it to the password file.
I even blogged about this :)
Please let me know if it still doesn't work.
Actually it could well be that you have installed wamp into 'program files'
There are a few bits of Apache and PHP that don't like living in a folder structure that has a space in one of the folder names.
It is recommended that you install it to C:\wamp or D:\wamp or any drive you like but not one with a space in any folder name.
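The answer above points at two things at once: the password must be stored in a hashed form that Apache recognises, and the `$apr1$` string it shows is what `htpasswd` (including the `htpasswd.exe` shipped with WAMP) produces by default. As an added example, not code from the thread or from the Apache project, the following Python reproduces that `$apr1$` scheme (Apache's variant of md5-crypt) and the older unsalted `{SHA}` scheme, generates entries, and checks a credential against a constructed .htpasswd file the way a verifier would. The user names and passwords are made up for the example.

```python
"""htpasswd-style hashing and verification in pure Python.

Added example, not code from the thread, WAMP or Apache. It reproduces two
classic htpasswd formats: the Apache-specific $apr1$ MD5 scheme (the htpasswd
default) and the unsalted {SHA} scheme, then checks a credential against a
constructed .htpasswd file. Users and passwords below are made up.
"""
import base64
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    # crypt(3)-style base-64: 6 bits at a time, least significant first
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password: str, salt: str) -> str:
    """Apache's $apr1$ variant of md5-crypt (apr_md5_encode); salt is at most 8 chars."""
    pw = password.encode()
    salt = salt[:8]
    sb = salt.encode()
    magic = b"$apr1$"

    ctx = hashlib.md5(pw + magic + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for pl in range(len(pw), 0, -16):           # feed len(pw) bytes of the alternate digest
        ctx.update(alt[:min(16, pl)])
    i = len(pw)
    while i:                                    # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):                       # 1000-round stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    enc += _to64(final[11], 2)                  # 22 characters in total
    return f"$apr1${salt}${enc}"


def sha_hash(password: str) -> str:
    """The unsalted {SHA} scheme (htpasswd -s): base64(SHA-1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def new_apr1_entry(user: str, password: str) -> str:
    """A fresh user:hash line with a random 8-character salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_hash(password, salt)}"


def verify(stored: str, password: str) -> bool:
    """Check a password against one stored hash with a constant-time comparison."""
    if stored.startswith("$apr1$"):
        _, _, salt, _ = stored.split("$", 3)
        candidate = apr1_hash(password, salt)
    elif stored.startswith("{SHA}"):
        candidate = sha_hash(password)
    else:
        return False   # plain text, crypt(3) and bcrypt entries are not handled here
    return hmac.compare_digest(candidate.encode(), stored.encode())


def check_htpasswd(htpasswd_text: str, user: str, password: str) -> bool:
    """Look the user up in a .htpasswd body and verify the password."""
    for line in htpasswd_text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, stored = line.split(":", 1)
        if name == user:
            return verify(stored.strip(), password)
    return False


# Constructed .htpasswd; both entries are produced by this module's own functions.
SAMPLE_HTPASSWD = "\n".join([
    new_apr1_entry("alice", "correct horse"),
    "bob:" + sha_hash("password"),
])

if __name__ == "__main__":
    print(SAMPLE_HTPASSWD)
    print(check_htpasswd(SAMPLE_HTPASSWD, "alice", "correct horse"))   # True
```

Two caveats a practitioner will want. `{SHA}` is unsalted and `$apr1$` is fast MD5; on Apache 2.4 prefer `htpasswd -B` (bcrypt) where your build supports it. And the `<limit GET POST>` wrapper in the question's .htaccess applies `require valid-user` to those two methods only, so any other method the server answers (HEAD, OPTIONS, or PUT where enabled) is served without authentication; Apache's documentation advises keeping access-control directives outside any `<Limit>` section unless that is really the intent.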

Apache - Mercurial - Authentication - Active Directory groups / LDAP groups

OS: Linux OpenSUSE
Version control - Mercurial
Apache2
I run http://my.os.name/ and it gives me a page, thus Apache is running.
I run http://my.os.name:/hg and it shows me the Mercurial page, thus Mercurial is
showing up in the Internet Explorer page.
I'm able to create repositories/or do normal work in Mercurial.
What I need:
1. When I open the above Hg link,
then, instead of showing me the Mercurial (Hg) repository home page, it should first check whether I belong to my company or not, i.e. it should authenticate using Windows Active Directory or an LDAP server.
2. If I'm making any changes to a file or create a directory/repository in Hg, then it should make sure/authenticate/verify whether I have valid access to do that operation or not.
How can I do this? I need step-by-step help as I'm new to Apache/Mercurial authentication setup.
I have read almost all the online help on setting this up, and so far I'm able to get to a point where, when I open the Hg link, I get a popup for a username/password prompt, but it's not taking it / not working.
I also don't want to create .htpasswd/.htaccess or digest files. What I'm wondering is that if in Windows Active Directory I have security groups created, for ex: Company/Project1_readers, Company/Project1_Contributors, Company/Project1_Repository1_Readers, Company/Project1_Repository2_Contributors... and in those AD security groups I have all the developers added, then using these groups in AD I want to grant access to developers instead of adding those users in the .hg/hgrc file.
(This is what usually we do in TFS (Team foundation Server) to grant/revoke access) instead of messing with files (adding/removing users) in every repository etc.
How can I do the above?
Kindly advise if the best way is only creating .htpasswd/.htaccess/.htdigest etc files...if I'm wrong in achieving the above scenario.
My httpd.conf file Includes another .conf file (which contains)
=========================================
<Directory /srv/www/hg>
Order deny,allow
Deny from All
AuthType Basic
# #AuthName "Apache Web Site: Login with your AD(Active Directory) credentials"
AuthName "Mercurial Repositories"
#
#
# AuthBasicProvider ldap
# AuthzLDAPAuthoritative off
# #AuthLDAPURL ldap://10.211.16.1:389/OU=TSH,DC=tsh,DC=Mason,DC=com?sAMAccountName
# AuthLDAPURL "ldap://10.211.16.1:389/?samAccountName?sub?(objectClass=user)"
## #ldap://ldap.your-domain.com:389/o=stooges?uid?sub
# AuthLDAPBindDN "cn=xyzserver,OU=Services,OU=Users,OU=Infrastructure,OU=DEN,OU=KSH,DC=Psh,DC=Mason,DC=com"
# #"cn=StoogeAdmin,o=stooges"
# AuthLDAPBindPassword secret1
require valid-user
# require ldap-user
Satisfy any
</Directory>
When I'm using the above LDAP URL in Jenkins, Jenkins successfully authenticates a user while logging in, so why is the same not working when it's in this server's .conf file? Note, in apache2, the above doesn't have to be in the httpd.conf file; the Include concept lets me include file.conf, and file.conf contains the above code. This is as per the Apache2 directions mentioned in the httpd.conf file.
Rest of the mercurial files hgwebdir.cgi, hgweb.cgi, hgweb.config are all good (as per online blogs I have read).
I have all the required modules loaded (they are visible in the /etc/apache2/sysconfig.d/loadmodule.conf file: the modules required for LDAP auth, i.e. mod_ldap, mod_authz_ldap etc. related to LDAP and Apache).
OK, the prompt part which was not taking my Windows LDAP credentials is now working.
What did I put wrong?
- See the lines for AuthLDAPURL and AuthLDAPBindPassword; those were the culprits in my post shown above.
- The cause was that I was new to the Windows AD/LDAP concept, so I couldn't get hold of anyone from the Systems team in my company. So I tried my own hands. The first line for AuthLDAPURL I got from the GLOBAL configuration file (config.xml) of one of our Jenkins instances.
The Jenkins GUI for showing config doesn't show passwords (as they are masked), so there you'll see the Manager's DN password as "* * * * * *".
So I thought I should open the config.xml file of the Jenkins instance, and got the password "secret1" from there. Actually "secret1" is just an example; in reality it was some crazy value over there like "VVX12##!5GH".
So basically I used that earlier, which didn't work; for LDAP authentication to work correctly you have to talk to someone in the SYSTEMS team or the person WHO actually did the setup of LDAP authentication in the Jenkins instance.
Finally I got the password, and it worked.
Resolution: See below what I changed.
One important thing to notice is that, in Jenkins, AUTHURL for LDAP was:
AuthLDAPURL ldap://10.211.16.1:389/OU=TSH,DC=tsh,DC=Mason,DC=com?sAMAccountName
but,
from a Unix/Linux (in my case SUSE) machine, we have to change this line a little bit to
AuthLDAPURL ldap://10.211.16.1:389/OU=TSH,DC=tsh,DC=Mason,DC=com?sAMAccountName?sub
For more on this (Apache 2.2 connecting to Windows AD (Active Directory) authentication):
PS: http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginSiteProtection.html
and then
- I put the correct password for cn=xyzserver (Manager DN user id) in the file and all was good then.
A snapshot of the Apache config file, or the file which you have created separately and included in your httpd.conf or through the /etc/sysconfig/apache2 file (variable APACHE_INCLUDE...), now looks like:
<Directory /srv/www/htdocs/hg>
Order deny,allow
Deny from All
AuthType Basic
AuthName "LDAP Access - Mercurial"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL ldap://10.211.16.1:389/OU=TSH,DC=tsh,DC=Mason,DC=com?sAMAccountName?sub
#AuthLDAPURL "ldap://10.211.16.1:389/OU=TSH,DC=Mason,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "cn=xyzserver,OU=Services,OU=Users,OU=Infrastructure,OU=DEN,OU=KSH,DC=Psh,DC=Mason,DC=com"
AuthLDAPBindPassword CorrectPassword!
# require ldap-user c149807
# AuthUserFile "/dev/null"
require valid-user
Satisfy any
</Directory>
I'll work on getting the user access part on the actual repository now, as the Auth part is done from IE (Internet Explorer) to Hg (Mercurial) on the Linux/Unix/OpenSUSE machine.
If prompted multiple times for user credentials in Mercurial, set up Mercurial_Keyring, and then
this question comes up, which nobody explained in an easy way:
How to make the [auth] xx.prefix = servername/hg_or_something work for all repositories under the servername/hg location, whether I use the servername, the servername's IP or the servername's FQDN?
ANSWER:
OK, I put this in ~/.hgrc (Linux/Unix: the home directory's hidden .hgrc file) or, for Windows users, %UserProfile%/mercurial.ini or %HOME%/mercurial.ini:
[auth]
default1.schemes = http https
default1.prefix = hg_merc_server/hg
default1.username = c123456
default2.schemes = http https
default2.prefix = hg_merc_server.company.com/hg
default2.username = c123456
default3.schemes = http https
default3.prefix = 10.211.222.321/hg
default3.username = c123456
Now, I can checkout using either Server/IP/Server's FQDN.

better way to debug XAMPP authentication issue

I've been working with a simple authentication process on localhost, here is the .htaccess file:
AuthType Basic
AuthName "Admin login page"
AuthUserFile /Application/XAMPP/htdocs/.htpasswd
AuthGroupFile /dev/null
Require User admin#coastalbooks.com.au
I have created the related .htpasswd file, the browser can prompt for me to enter the username and password.
However, when I tried to access the protected index.html, after entering the credentials, Firefox only got me an HTTP 500 error.
Tried to use Firebug and curl to inspect the response, only to see the 500 status code, nothing else could give me a clearer idea of what went wrong.
I also checked the access.log under XAMPP's Apache logs folder, and still just got 500 errors without detailed feedback.
Any thoughts? What would you use to debug in such a case?
Many thanks in advance!
Edited:
Tried to add another new user to the .htpasswd file, but still cannot get rid of the http 500 error.
The access.log file will only show you info about the requests, not errors. Look for error.log or error_log (or something similar) in the same folder.
If it's not in the same folder, check your virtual host definition and httpd.conf files to see where the error log is stored.
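Both the WAMP answer earlier (a relative `AuthUserFile ./.htpasswd` that resolves somewhere under ServerRoot) and this one (find the error log by reading the virtual host and httpd.conf) come down to the same Apache rule: a non-absolute file path in ErrorLog, CustomLog, TransferLog, PidFile, AuthUserFile or AuthGroupFile is taken relative to ServerRoot, never to the directory the .htaccess sits in. As an added example that is not code from either thread or from Apache, the following Python walks an httpd.conf text and prints where each of those directives actually points, per server or virtual host. The configuration text is constructed and every path in it is a placeholder.

```python
"""Resolve the file paths Apache derives from httpd.conf.

Added example for the WAMP and XAMPP threads above, not code from either
post or from Apache. Apache treats a non-absolute file path in ErrorLog,
CustomLog, TransferLog, PidFile, AuthUserFile and AuthGroupFile as relative
to ServerRoot, never to the directory holding the .htaccess. The httpd.conf
text below is constructed; every path in it is a placeholder.
"""
import posixpath
import re
from typing import List, Tuple

# Apache allows comments only on their own lines, so the notes sit above the directives.
SAMPLE_HTTPD_CONF = """\
ServerRoot "/etc/apache2"
# relative: Apache opens /etc/apache2/logs/error_log
ErrorLog logs/error_log
LogLevel warn
<VirtualHost *:80>
    ServerName shop.example.test
    DocumentRoot "/var/www/shop"
    ErrorLog "/var/log/apache2/shop-error.log"
    CustomLog "|/usr/bin/rotatelogs /var/log/apache2/shop-access.log 86400" combined
    <Directory "/var/www/shop/admin">
        AuthType Basic
        AuthName "Admin"
        # the WAMP mistake: ./ is relative to ServerRoot, not to /var/www/shop/admin
        AuthUserFile ./.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
"""

PATH_DIRECTIVES = ("errorlog", "customlog", "transferlog", "pidfile",
                   "authuserfile", "authgroupfile")


def first_arg(rest: str) -> str:
    """First argument of a directive, honouring double quotes."""
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return rest.split()[0] if rest else ""


def is_absolute(path: str) -> bool:
    """Unix absolute path or Windows drive path (WAMP/XAMPP live on C:)."""
    return path.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", path) is not None


def resolve_paths(conf: str) -> List[Tuple[str, str, str]]:
    """(context, directive, resolved path) for every file-path directive.

    context is "server" or the innermost enclosing <VirtualHost>/<Directory>.
    Piped loggers ("|prog ...") and syslog: targets are reported unchanged.
    """
    server_root = ""
    context = ["server"]
    rows: List[Tuple[str, str, str]] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if len(context) > 1:
                context.pop()
            continue
        if line.startswith("<"):
            context.append(line.strip("<>"))
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        rest = parts[1] if len(parts) > 1 else ""
        if name == "serverroot":
            server_root = first_arg(rest)
        elif name in PATH_DIRECTIVES:
            target = first_arg(rest)
            if target.startswith(("|", "syslog:")) or is_absolute(target):
                resolved = target
            else:
                resolved = posixpath.normpath(posixpath.join(server_root, target))
            rows.append((context[-1], parts[0], resolved))
    return rows


def error_logs(conf: str) -> List[Tuple[str, str]]:
    """Where to look first when the browser shows only a bare 500: every ErrorLog by context."""
    return [(ctx, path) for ctx, name, path in resolve_paths(conf) if name.lower() == "errorlog"]


if __name__ == "__main__":
    for ctx, name, path in resolve_paths(SAMPLE_HTTPD_CONF):
        print(f"{ctx:35} {name:13} {path}")
```

Feed it the real httpd.conf (and the files it Includes, concatenated) and the AuthUserFile row tells you which file Apache tried to open; the ErrorLog row for the matching virtual host is the file to tail, since a 500 caused by an unreadable password file or a bad directive is reported there, not in access.log. `apachectl -t` (or `httpd -t`) is the quick complement for syntax errors in .htaccess that never make it into a log.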

Can't authenticate Subversion user using Apache and LDAP

I'm trying to use LDAP authentication for a Subversion repository, accessed via Apache HTTP Server.
Whatever I try, Apache generates the following error message:
authentication failed; URI /repos/branches/my-branch [ldap_search_ext_s() for user failed][Operations Error]
I've used the AD explorer from Sysinternals to connect to my AD server, and can see data in there, so I presume it's a problem with my LDAP URL search string. I've tried several variations, but always get the above error. Here's what I have in my httpd.conf. Any suggestions or ideas to diagnose this would be appreciated.
<Location /repos>
DAV svn
SVNPath C:\repos
AuthType Basic
AuthzLDAPAuthoritative off
AuthBasicProvider ldap
AuthName "IT Subversion repository"
AuthLDAPURL "ldap://x.y.z.com:389/DC=y,DC=z,DC=com?sAMAccountName?sub?(objectClass=user)" NONE
Require valid-user
</Location>
My problem was solved by changing the port from 389 to 3268. Port 389 looks only at the local directory, but 3268 looks at the global directory. What is confusing is that in an LDAP browser (JXplorer, for example) both ports work properly.
It appears that you're using Active Directory, which does not allow anonymous binding. Try adding the following:
# Active Directory requires an authenticating DN to access records
# This is the DN used to bind to the directory service
# This is an Active Directory user account.
AuthLDAPBindDN "CN=someuser,CN=Users,DC=y,DC=z,DC=com"
# This is the password for the AuthLDAPBindDN user in Active Directory
AuthLDAPBindPassword some_secret_password
I had something similar, although stranger. At first it worked when testing, but after some Apache restarts and configuration fine-tuning it stopped working.
After a long search on the internet, it appears I had to change the port from 389 to 3268. This solved my "[ldap_search_ext_s() for user failed][Operations Error]" errors for some reason. I still don't understand why, or why it worked at first, but it did for me.
Had the same problem, you need to specify in /etc/ldap/ldap.conf:
REFERRALS off
Solved my problem.
I had this problem recently; you need to add 3 additional parameters:
AuthLDAPBindDN "CN=someuser,CN=Users,DC=y,DC=z,DC=com"
AuthLDAPBindPassword some_secret_password
like jgnagy suggested. It also helped me when I added
Satisfy Any
LDAPReferrals just plain didn't exist in earlier versions, so there's nothing to turn off, really...
I guess if you managed to match a newer LDAP/Apache which has LDAP Referral as an option, and were trying to use and older AD, you'd have to turn it off.
For anybody else finding this, you should try these in order:
telnet YOUR_AD_SERVER 389
Either you get a Connect and something like Escape character is ~, or you've got the wrong name/IP for your AD, or your firewalls are blocking access from your computer to AD on port 389.
Next, install the openldap command line tools, openldap-clients, and see if you can use ldapsearch (read the man page) to perform a search directly to your AD server, without Apache in the middle.
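Both LDAP threads on this page turn on the AuthLDAPURL string: the Mercurial post changed `?sAMAccountName` to `?sAMAccountName?sub`, the Subversion post used `?sAMAccountName?sub?(objectClass=user)`, and the last answer suggests reproducing the search with ldapsearch before blaming Apache. As an added example, not code from the posts, from Apache or from OpenLDAP, the following Python takes an AuthLDAPURL apart the way mod_authnz_ldap documents the format (`ldap[s]://host:port/base-dn?attribute?scope?filter`), fills the module's documented defaults, builds the combined search filter with the username escaped per RFC 4515, and emits the equivalent ldapsearch command line. The hosts, DNs and user names in the sample calls are taken from the threads or made up; the bind DN is the placeholder from the accepted answer.

```python
"""Take an AuthLDAPURL apart and rebuild the user search mod_authnz_ldap performs.

Added example for the Mercurial and Subversion threads above; not code from
the posts, from Apache or from OpenLDAP. It parses the URL form documented for
mod_authnz_ldap (ldap[s]://host:port/base-dn?attribute?scope?filter), applies
the module's documented defaults, builds the combined search filter with the
username escaped per RFC 4515, and produces an equivalent ldapsearch command
line so the query can be tried without Apache in the middle. Hosts, DNs and
user names in the sample calls are placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AuthLDAPURL:
    scheme: str
    host: str
    port: int
    base_dn: str
    attribute: str
    scope: str
    filter: str


def parse_auth_ldap_url(url: str) -> AuthLDAPURL:
    """Split the URL; defaults follow the mod_authnz_ldap documentation:
    attribute uid, scope sub (base is not supported and is treated as sub),
    filter (objectClass=*), port 389 (636 for ldaps)."""
    url = url.strip().strip('"')
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    hostport, _, tail = rest.partition("/")
    host, _, port_text = hostport.partition(":")
    port = int(port_text) if port_text else (636 if scheme == "ldaps" else 389)
    pieces = tail.split("?")
    base_dn = pieces[0]
    attribute = pieces[1] if len(pieces) > 1 and pieces[1] else "uid"
    scope = pieces[2] if len(pieces) > 2 and pieces[2] else "sub"
    if scope == "base":
        scope = "sub"
    ldap_filter = pieces[3] if len(pieces) > 3 and pieces[3] else "(objectClass=*)"
    return AuthLDAPURL(scheme, host, port, base_dn, attribute, scope, ldap_filter)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a filter, so a username such as
    '*)(cn=*' cannot rewrite the query."""
    return "".join(f"\\{ord(ch):02x}" if ch in "*()\\\0" else ch for ch in value)


def user_search_filter(url: AuthLDAPURL, username: str) -> str:
    """The filter the module sends: (&(<URL filter>)(<attribute>=<user>))."""
    return f"(&{url.filter}({url.attribute}={escape_filter_value(username)}))"


def ldapsearch_argv(url: AuthLDAPURL, username: str, bind_dn: Optional[str] = None) -> List[str]:
    """ldapsearch(1) arguments reproducing the module's search. Active Directory
    rejects anonymous searches, so pass the AuthLDAPBindDN; -W prompts for its password."""
    argv = ["ldapsearch", "-x", "-LLL", "-H", f"{url.scheme}://{url.host}:{url.port}",
            "-b", url.base_dn, "-s", url.scope]
    if bind_dn:
        argv += ["-D", bind_dn, "-W"]
    argv += [user_search_filter(url, username), "dn", url.attribute]
    return argv


if __name__ == "__main__":
    # the Subversion thread's URL, with the bind DN its accepted answer adds
    svn = parse_auth_ldap_url('"ldap://x.y.z.com:389/DC=y,DC=z,DC=com?sAMAccountName?sub?(objectClass=user)"')
    print(" ".join(ldapsearch_argv(svn, "alice", "CN=someuser,CN=Users,DC=y,DC=z,DC=com")))
    # the Mercurial thread's first URL: no scope in the URL; the module's documented default is sub
    hg = parse_auth_ldap_url("ldap://10.211.16.1:389/OU=TSH,DC=tsh,DC=Mason,DC=com?sAMAccountName")
    print(hg.scope, user_search_filter(hg, "c123456"))
```

If the printed ldapsearch line returns the user's DN, the URL, base DN and bind credentials are right and the remaining problem is in Apache; if it returns "Operations error" or a referral, it is the directory side. The port change in the accepted answer is consistent with that second case: 3268 is Active Directory's Global Catalog listener (3269 over TLS), which answers forest-wide searches directly, whereas a domain controller on 389 returns referrals for objects outside its own partition, which is also what the `REFERRALS off` answer works around. Escaping the username matters because the module places it inside the filter; the test below shows what an attempt such as `*)(cn=*` turns into.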