OS: Linux OpenSUSE
Version control - Mercurial
Apache2
I run http ://my.os.name/ it gives me a page - thus apache is running.
I run http ://my.os.name:/hg - It shows me Mercurial page, thus mercurial is
showing up on http Internet Explorer page.
I'm able to create repositories/or do normal work in Mercurial.
What I need.
1. When I open the above Hg link
then, instead of showing me the Mercurial(Hg) repository page home page, it should first check whether I belong to my company or not i.e. it should authenticate using Windows Active Directory or LDAP server.
If I'm making any changes to a file or create a directory / repository in Hg, then it should make sure / authenticate/verify whether I have valid access to do that operation or not.
HOW can I do this, I need step by step help as I'm new in Apache/Mercurial authentication setup.
I have almost read all the Online help in setting this up and so far I'm able to get to a point whether when I open Hg link, I get a popup for username/password prompt, but its not taking it / not working.
I also dont want to create .htpasswd/ .htaccess or digest files. What I'm wondering is that if in Windows Active Directory, if I have a Security group created for ex: Company/Project1_readers, Company/Project1_Contributors, Company/Project1_Repository1_Readers, Company/Project1_Repository2_Contributors... and in those AD security group ids, if I have all the developers added, then using these groups in AD, I want to grant access to developers instead of adding those users in .hg/hgrc file.
(This is what usually we do in TFS (Team foundation Server) to grant/revoke access) instead of messing with files (adding/removing users) in every repository etc.
How can I do the above?
Kindly advise if the best way is only creating .htpasswd/.htaccess/.htdigest etc files...if I'm wrong in achieving the above scenario.
My httpd.conf file Includes another .conf file (which contains)
=========================================
<Directory /srv/www/hg>
Order deny,allow
Deny from All
AuthType Basic
# #AuthName "Apache Web Site: Login with your AD(Active Directory) credentials"
AuthName "Mercurial Repositories"
#
#
# AuthBasicProvider ldap
# AuthzLDAPAuthoritative off
# #AuthLDAPURL ldap://10.211.16.1:389/OU=TSH,DC=tsh,DC=Mason,DC=com?sAMAccountName
# AuthLDAPURL "ldap://10.211.16.1:389/?samAccountName?sub?(objectClass=user)"
## #ldap://ldap.your-domain.com:389/o=stooges?uid?sub
# AuthLDAPBindDN "cn=xyzserver,OU=Services,OU=Users,OU=Infrastructure,OU=DEN,OU=KSH,DC=Psh,DC=Mason,DC=com"
# #"cn=StoogeAdmin,o=stooges"
# AuthLDAPBindPassword secret1
require valid-user
# require ldap-user
Satisfy any
</Directory>
When I'm using the abvoe LDAP URL in Jenkins, Jenkins is successfully authenticating a user while logging in, then why the same is not working when it's in this server's .conf file. Note, in apache2, the above doesn't have to be in httpd.conf file. Include concept is letting me include the file.conf and file.conf contains the above code. This is as per Apache2 directions as mentioned in httpd.conf file.
Rest of the mercurial files hgwebdir.cgi, hgweb.cgi, hgweb.config are all good (as per online blogs I have read).
I have all the required modules loaded (as they are visible in /etc/apache2/sysconfig.d/loadmodule.conf file (modules which are required for LDAP auth i.e. mod_ldap, mod_authz_ldap etc etc related to ldap and apache).
OK, Prompt part which was not taking my Windows Ldap credentials is now working.
What did I put wrong.
- See line: for AuthLDAPURL and AuthLDAPBindPassword, those were the culprits in my post shown above.
- Cause was, I was new to Windows AD/LDAP concept, so couldn't get a hold of anyone from Systems team in my company. So tried my own hands. The first line for AuthLDAPURL, I got from the GLOBAL configuration file (config.xml) of one of our Jenkins instance.
Jenkins GUI for showing config doesn't show passwords (as they are masked) so there you'll see Manager's DN password as "* * * * * *".
So, I thought I should open the config.xml file of Jenkins instance and got the password "secret1" from there. Actually "secret1" is just an example, in reality it was some crazy value over there like "VVX12##!5GH".
So basically I used that earlier which didn't work as for LDAP authentication to work correctly, you have to talk to someone in SYSTEMS team or the person WHO actually did the setup in Jenkins instance for LDAP authentication there.
Finally I got the password, and it worked.
Resolution: See below what I changed.
One important thing to notice is that, in Jenkins, AUTHURL for LDAP was:
AuthLDAPURL ldap://10.211.16.1:389/OU=TSH,DC=tsh,DC=Mason,DC=com?sAMAccountName
but,
from a Unix/Linux/in my case, SUSE machine, we have to change this line a little bit to
AuthLDAPURL ldap://10.211.16.1:389/OU=TSH,DC=tsh,DC=Mason,DC=com?sAMAccountName?sub
For more on this (Apache2.2 on connecting to Windows AD(Active Directory) authentication):
PS: http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginSiteProtection.html
and then
- I put the correct password for cn=xyzserver (Manager DN user id) in the file and all was good then.
Snapshot of apache config file or the file which you have created separately and included in your httpd.file or through /etc/sysconfig/apache2 filer (variable APACHE_INCLUDE...) now looks like:
<Directory /srv/www/htdocs/hg>
Order deny,allow
Deny from All
AuthType Basic
AuthName "LDAP Access - Mercurial"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL ldap://10.211.16.1:389/OU=TSH,DC=tsh,DC=Mason,DC=com?sAMAccountName?sub
#AuthLDAPURL "ldap://10.211.16.1:389/OU=TSH,DC=Mason,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "cn=xyzserver,OU=Services,OU=Users,OU=Infrastructure,OU=DEN,OU=KSH,DC=Psh,DC=Mason,DC=com"
AuthLDAPBindPassword CorrectPassword!
# require ldap-user c149807
# AuthUserFile "/dev/null"
require valid-user
Satisfy any
</Directory>
I'll work on getting the user access part now on the actual repository as Auth part is done from IE(Internet Explorer) to Hg(Mercurial) from Linux/Unix/OpenSUSE machine.
if prompted multiple times for user credentials in mercurial. Setup Mercurial_Keyring and then
this question comes which nobody explained in an easy way.
??? how to make the [auth] xx.prefix = servername/hg_or_something work for all repositories under servername/hg location either if I use servername, servername's IP or servername's FQDN ?
ANSWER: Arun • 2 minutes ago
−
OK, I put this in ~/.hgrc (Linux/Unix -home directory's .hgrc hidden file) or Windows users %UserProfile%/mercurial.ini or %HOME%/mercurial.ini file.
[auth]
default1.schemes = http https
default1.prefix = hg_merc_server/hg
default1.username = c123456
default2.schemes = http https
default2.prefix = hg_merc_server.company.com/hg
default2.username = c123456
default3.schemes = http https
default3.prefix = 10.211.222.321/hg
default3.username = c123456
Now, I can checkout using either Server/IP/Server's FQDN.
Related
After hours of searching the web and trying dozens of unsuccessful solutions - here is my question.
I'm currently configuring a webserver on RHEL 6.4 and httpd 2.2.15 behind another RHEL 6.4 server using squid 3.1.10 and HTTPS only. I'm also using mod_rpaf to simplify logging and identification of visitors behind the proxy.
My problem is to configure a simple password protected folder. When I try to access the folder, the password dialog pops up with the configured AuthName. So I know that the .htaccess is being parsed. But the dialog does not accept the correct credentials and gives me an error 401.
I messed around with:
different permissions for .htaccess, .htpasswd and parent folders
different absolute locations for the .htpasswd
all activated Apache modules that are available on my system
different encryption algorithms for .htpasswd (crypt, md5, sha, salted sha...)
AllowOverride All on the protected and parent folder
But what I really do not understand that even if I put a wrong location for AuthUserFile there is no error message in Apaches error_log like the well known Permission denied: Could not open password file. Even on LogLevel debug Therefore I think that something is wrong with that Directive AuthUserFile.
I hope there is someone out there knowing better methods to identify the problem.
This is my simple .htaccess I'm using for testing:
AuthType Basic
AuthName "Test123"
#AuthUserFile /var/www/test/.htpasswd
AuthUserFile /notexisting
Require valid-user
Finally I got it to work!
I tracked the error down to the squid reverse proxy by using lynx on my webserver and successfully accessing the protected folder from there.
With my new focus on squid I started googling again. Already the first link took me to the correct answer: squid did not allow the apache to handle user authentication.
Resulution:
Add login=PASS to the cache_peer command in your squid.conf
I've just added an .htaccess and an .htpasswd to my web app and i'm now getting an error 500.
.htaccess :
AuthUserFile ./.htpasswd
AuthName "Password Protected Area"
AuthType Basic
<limit GET POST>
require valid-user
</limit>
.htpasswd
root:roe7nCYHcm0As
I've read on this web site that i had to enable "headers_module" and "rewrite_module" and then retart the server, which i did, but i'm still getting this error.
I'm using wampserver 2.2 (apache 2.4.2) on windows 7.
That's most probably because htaccess does not find your file's location.
If you use a relative path, then apache uses the server root which is /etc/apache2 in my case (ubuntu).
Just to be sure, click right on the password file and get the path and paste it to .htaccess. If it still not works, please copy and paste your error log here so that I can exactly see the error.
EDIT
I've seen your last comment now.
Some setups require that you store the encrypted version of the password. So for instance, instead of storing the password as
myuser:111
you should store like:
myuser:$apr1$E6YrxcHU$ilyC2mqfNSrQmle4KEAeq.
I don't have a Windows at hand right now so I cannot check it but earlier versions of Wamp had a password generator for .htpasswd under c:\wamp\Apache2\bin\htpasswd.exe. Try to check that program.
Otherwise, apache uses md5 by default to encrypt passwords. You can encrypt programmatically your password and then copy it to the password file.
I even blogged about this :)
Please let me know if it still doesn't work.
Actually it could well be that you have installed wamp into 'program files'
There are a few bits of Apache and PHP that dont like living in a folder structure that has a space in one of the folder names.
It is recommended that you install it to C:\wamp or D:\wamp or any drive you like but not one with a space in any folder name.
My dev setup: Mac OSX 10.7.4 / Apache 2.2.21 / PHP 5.3.10
I wish to add conditional logic to my .htaccess files depending on dev vs live environment. for example i want to have authentication on the live server but not on the dev server. i have in my httpd.conf
SetEnv DEV 1
I have confirmed that this var is set by checking the output from phpinfo(). then in my .htaccess file
<IfDefine !DEV>
AuthType Basic
AuthName "password protected"
AuthUserFile /path/to/.htpasswd
Require valid-user
</IfDefine>
...but I am still prompted for password on my local dev. it appears that the DEV variable is not available to .htaccess. I do have AllowOverride All set in my httpd.conf for my doc root. Any ideas?
I am fresh off of about 4 hours into this problem, and I believe I have the final answer and can summarize for everyone how to solve this particularly painfull problem.
I am using Windows 7 Home Premium with Apache 2.2x and Php 5.3 as my dev machine.
I too want to have a DEV environment variable, which I can use in my .htaccess files to turn off Rewriting and other directives which are not valid on my develpment environment but are critical to my production environment.
My .htaccess file looks like this;
<IfDefine !__DEV__>
AddType application/x-httpd-php53 .php
</IfDefine>
HostGator informed me that in order to have php 5.3 I needed to modify my htaccess file like this to enable it or I'd only have php 5.2. But I already have it on my dev machine so, this directive was causing my customer website to crash when I viewed it locally. Everything I'm about to explain has allowed me to keep ONE .htaccess file in my Git Repository, which works in both locations.
First, let me clear/sum up all the things I learned while scouring the internet for the way to use IfDefine and SetEnv to solve this issue;
The IfDefine directive in Apache, Only , ONLY and when I say only i mean ONLY, responds to parameters passed at the command line. Let me emphasize that a little. ONLY COMMAND LINE!
SetEnv and SetEnvIf, are two entirely different things. One (SetEnv) is for use in the conf files, setting environment variables (specific to apache) which are set at SERVER START TIME. SetEnfIf is used at REQUEST TIME and is only used to determine what to set based on REQUEST variables.
The IfDefine directive does not read variables set by SetEnv or SetEnvIf. Period. There's no argument, there's no question, there's no "but i thought..." NO. It doesn't, so get over it.
The short answer is NO, you can't just use "SetEnv DEV 1" in httpd.conf and then use IfDefine to detect it in your .htaccess file, which would seem intuitive and reasonable based on the syntax and nature of programming logic any of us are used to. Recall that we are not in fact programming anything, that these are config files and of course they don't conform to this expectation simply because it seems like they should.
The Answer
So this means that I have to figure out how to add a startup parameter to Apache, well for the Linux Guys, that answer is readily available, you just have to add the right stuff to the envvars file, but what about us poor windows junkies?
Well for windows users it gets more fun for the following reasons:
Windows does not allow you to permanently add startup parameters in the services configuration for Apache2.2 (it doesn't work, don't try it, I've done it a million times, trust me). This is true, if you go in there and try to put in your own parameters, it will only work one time and then the parameter field is empty the next time you open the dialog. I don't know why this is the case, but it seems that those parameters are intended for testing, not a permanent modification.
When Apache is installed it creates "Start", "Stop" and "Restart" shortcuts in the start menu, as well as installs the Apache Services Monitor. BUT the shortcuts in the start menu use different startup parameters than those used by apache services monitor. So if you start/stop apache using a combination of these methods you will get different results depending on what method you used. However, you can put the -D "__DEV__" in the start menu shortcut and it will work!
Steps to Solve It
To permanently and universally setup a __DEV__ environment variable which you can reference using IfDefine in .htaccess files, on a Windows Development environment which will work whether you start Apache using a service or the shortcuts in the start menu or using NET START/STOP on the command line, do the following:
Open the properties for the start menu shortcut and extract the command you find for starting Apache there. Mine was; "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\bin\httpd.exe" -w -n "Apache2.2" -k start
Modify it to include the new -D __DEV__ variable, which MUST go at the start immediately following httpd.exe; "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\bin\httpd.exe" -D "__DEV__" -w -n "Apache2.2" -k start
Your start menu shortcut will now start apache with your dev variable in place.
Go to a command line (as administrator)
Type: net stop apache2.2 (or whatever your service name is for apache)
Now type in (or copy-paste) the same command as is used in the start menu shortcut above into the command line but make the following change to it; "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\bin\httpd.exe" -D "__DEV__" -w -n "Apache2.2" -k config
Note the change of the word start to config. What this magical command does is saves the settings you are seeing on the screen to the settings stored with the service in Windows. Hit Enter. From this point forward your variable will be passed whenever you start the service, the Apache Services Monitor starts the service, or windows starts the service.
Sorry for the novel everyone, I hope it helps some other weary soul out there to have all this info summarized and explained, I know it would have helped me! :D
Another option to my first answer is use the Allow directive.
Look at: http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow
Order deny,allow
Deny from all
AuthType Basic
AuthName "password protected"
AuthUserFile /path/to/.htpasswd
Require valid-user
Allow from env=DEV
Satisfy Any
This will only check if DEV exists not the value, thats how apache works. Replace (or add) "Allow" with "Allow from 127.0.0.1" to have your localhost always be in dev mode.
This states that any of the conditions are acceptable, where the conditions are: password or from 127.0.0.1. If you develop on your localhost you can use 127.0.0.1, or just replace that with any ip you develop with. This don't need to be wrapped in anything, just placed in your htaccess file. I use virtual hosts, so I would place it there.
Source (I changed it to look your your original code):
http://www.askapache.com/htaccess/apache-authentication-in-htaccess.html#allow-conditional
2 years on and I'm having similar issues. Specifically, we are auto-deploying to an AWS OpsWorks stack and have no control over the placement of a .htpasswd file (used to obscure work during development).
Our final working solution was along the lines of this (Apache 2.2.25):
# check the host against a regex, defining env=DEV if it matches
# this guy matches localhost, dev.project and 10.1.X.X
SetEnvIfNoCase Host "^(localhost|dev\.project|10\.1(\.\d+){2})$" DEV
AuthType Basic
AuthName "Restricted"
# auth file location, in our case defined by an AWS OpsWorks auto-deployment
# this only gets loaded if the regex above doesn't match, which is handy
AuthUserFile /srv/www/project/current/.htpasswd
Require valid-user
Satisfy any
Order deny,allow
Deny from all
Allow from env=DEV
This solution is flexible enough to allow multiple development environments access while auth checking any number of others. No need for ignoring or editing the htaccess before a git commit. An environment variable might seem overkill but it allows for a regular expression and could be used elsewhere as well.
See: http://httpd.apache.org/docs/2.2/howto/access.html
Solution for Debian/Ubuntu:
In /etc/apache2/envars one has to change:
## If you would like to pass arguments to the web server, add them below
## to the APACHE_ARGUMENTS environment.
#export APACHE_ARGUMENTS=''
to
## If you would like to pass arguments to the web server, add them below
## to the APACHE_ARGUMENTS environment.
export APACHE_ARGUMENTS='-D __DEV__'
Now one can use
<IfDefine !__DEV__>
...
</IfDefine>
I do love answering questions, but a quick google search gave me your answer. Check out the apache documentation:
http://httpd.apache.org/docs/2.0/mod/core.html#ifdefine
The IfDefine directive can only test a "parameter-name", and a "parameter-name" is a variable set by httpd on startup.
Also check out this site, and scroll down to the table:
http://turboflash.wordpress.com/2010/05/27/apache-environment-variables-visibility-with-setenv-setenvif-and-rewriterule-directives/
What you are asking is still possible if you just start your dev webserver like this:
$ httpd -DDEV
This will define the variable DEV. Note that you don't need to set it to anything, being defined is basically setting it to 1/true. If it doesn't exist it's like being set to false/0/null/etc...
I've solved this problem using a different approach based on AccessFileName directive.
In my MAMP environment, I've added the following to <VirtualHost> configuration:
AccessFileName .htaccess_dev
Then, I've scanned the application directory for .htaccess files and created corresponding symlinks to the .htaccess_dev version so to have identical versions for all of them and have the application to work on my development environment.
Then, I've located the only .htaccess file containing the path to the .htpasswd file and removed the symlink and created instead a modified copy of it.
I've this in .htaccess file:
## production
AuthType Basic
AuthName "Admin"
AuthUserFile /srv/users/prod/apps/appname/public/sys-admin/.htpasswd
require valid-user
And this in .htaccess_dev
## development
AuthType Basic
AuthName "Admin"
AuthUserFile /Users/fregini/Work/MAMP/appname/sys-admin/.htpasswd
require valid-user
I'm trying to use LDAP authentication for a Subversion repository, accessed via Apache HTTP Server.
Whatever I try, Apache generates the following error message:
authentication failed; URI /repos/branches/my-branch [ldap_search_ext_s() for user failed][Operations Error]
I've used the AD explorer from Sysinternals to connect to my AD server, and can see data in there, so I presume it's a problem with my LDAP URL search string. I've tried several variations, but always get the above error. Here's what I have in my httpd.conf. Any suggestions or ideas to diagnose this would be appreciated.
<Location /repos>
DAV svn
SVNPath C:\repos
AuthType Basic
AuthzLDAPAuthoritative off
AuthBasicProvider ldap
AuthName "IT Subversion repository"
AuthLDAPURL "ldap://x.y.z.com:389/DC=y,DC=z,DC=com?sAMAccountName?sub?(objectClass=user)" NONE
Require valid-user
</Location>
My problem was sold by changing port from 389 to 3268. Port 389 looks only for Local Direcotry but 3268 looks for Global Directory. Confusing is that in LDAP browser (JXplorer for example) works both ports properly.
It appears that you're using Active Directory, which does not allow anonymous binding. Try adding the following:
# Active Directory requires an authenticating DN to access records
# This is the DN used to bind to the directory service
# This is an Active Directory user account.
AuthLDAPBindDN "CN=someuser,CN=Users,DC=y,DC=z,DC=com"
# This is the password for the AuthLDAPBindDN user in Active Directory
AuthLDAPBindPassword some_secret_password
I had something simular, although stranger. At first it when testing, but after some Apache restarts and configuration fine-tuning it stopped working.
After a long search on the internet, it appears I had to change the port from 389 to 3268. This solved my "[ldap_search_ext_s() for user failed][Operations Error]" errors for some reason. I still don't understand why, or why it worked at first, but it did for me.
Had the same problem, you need to specify in /etc/ldap/ldap.conf:
REFERRALS off
Solved my problem.
I had this problem recently you need to add 3 additional parameters
AuthLDAPBindDN "CN=someuser,CN=Users,DC=y,DC=z,DC=com"
AuthLDAPBindPassword some_secret_password
Like jgnagy suggested, also it also helped me when i added
Satisfy Any
LDAPReferrals just plain didn't exist in earlier versions, so there's nothing to turn off, really...
I guess if you managed to match a newer LDAP/Apache which has LDAP Referral as an option, and were trying to use and older AD, you'd have to turn it off.
For anybody else finding this, you should try these in order:
telnet YOUR_AD_SERVER 389
Either you get a Connect and something like Escape character is ~, or you've got the wrong name/IP for your AD, or your firewalls are blocking access from your computer to AD on port 389.
Next, install the openldap command line tools, openldap-clients, and see if you can use ldapsearch (read the man page) to perform a search directly to your AD server, without Apache in the middle.
I have a domain that will be accessed by a small, private group of people. So I want to control access via authentication.
The domain has a collection of applications installed that each have their own sub-domain. Eg: domain.com, app1.domain.com, app2.domain.com, app3.domain.com
I'd love to have a single sign-on solution so they don't have to authenticate themselves for each application. Also, the applications are written in different languages (PHP, Python and Perl) so authenticating users through an Apache module is ideal.
I am new to digest authentication, but it seems like a good solution. I have used htdigest to create my users. I have configured my domain and sub-domains (See below).
If I go to the domain or any of the sub-domains it will prompt for a username and password. If I enter a correct username and password, it will authenticate me and the page will load. However, if I go to another sub-domain, it will ask for me to enter a username and password again. If I enter the same username and password, it will work.
So the password file is OK, and authentication is OK, but the problem seems to lie in the configuration of the AuthDigestDomain.
I have searched all over the net to find an example of using Digest authentication on multiple domains, but I cannot find a specific example that solves my problem.
I am hoping someone here can assist. Do I put the same authentication information in every Directory? Should I be using Directory or Location or Files? Have I missed something all-together?
Thanks in advance!
Below is an example of my Apache config for domain.com:
<Directory /var/www>
AuthType Digest
AuthName "realm"
AuthDigestAlgorithm MD5
AuthDigestDomain / http://domain.com/ http://app1.domain.com/ http://app2.domain.com/ http://app3.domain.com/
AuthDigestNcCheck Off
AuthDigestNonceLifetime 0
AuthDigestQop auth
AuthDigestProvider file
AuthUserFile /etc/apache2/.htpasswd-digest
AuthGroupFile /dev/null
Require valid-user
</Directory>
And here is an example of app1.domain.com:
<Directory /var/lib/app1>
AuthType Digest
AuthName "realm"
AuthDigestAlgorithm MD5
AuthDigestDomain / http://domain.com/ http://app1.domain.com/ http://app2.domain.com/ http://app3.domain.com/
AuthDigestNcCheck Off
AuthDigestNonceLifetime 0
AuthDigestQop auth
AuthDigestProvider file
AuthUserFile /etc/apache2/.htpasswd-digest
AuthGroupFile /dev/null
Require valid-user
</Directory>
To baffle things even further, this works when using IE6, but not Firefox or Chrome. Is it the clients not sending the authentication properly, or is is the server not sending the correct credentials?
I have also been reading up on RFC 2617 and written the authentication headers using PHP to ensure that the request/response challenge is correct. This hasn't helped at all!
Most browsers do not respect the Digest "domain" directive and will not resend credentials for other URIs. As far as I know, Opera is the only browser that honors it.
For Opera, the server(s) must respond with the same "realm" string for each URI in the domain list. In other words, if domain="/test /example", the server needs to send "Test Realm - example.com" in the WWW-Authenticate header for both of those URIs. I assume Opera does this because it stores H(A1) instead of the actual password for security. Read into RFC2617 for more on this.
Here's my cross-browser solution to this problem: http://travisce.com/arest/
I have no experience with something like this myself. But I just took a look at the Apache documentation and found this:
The AuthDigestNonceLifetime directive
controls how long the server nonce is
valid. [...] If seconds is less than 0
then the nonce never expires.
So it seems to me that 0 seconds (the value you are using) is either illegal or really tells Apache to expire the nonce after 0 seconds which would exactly explain the behavior you are geting.
Could a wildcard on the AuthDigestDomain help?
*.domain.com