Controlling which handlers run, and when


on 25.02.2010 18:52:44 by pthomas

I'm trying to combine mod_authnz_ldap with a mod_perl PerlAuthenHandler.
I've got everything working correctly except that the mod_authnz_ldap
handler is being called twice...once before my PerlAuthenHandler [when
the request has not been properly configured] and once after.

This is a problem. I've been able to see this flow by using
AuthzLDAPAuthoritative off. [to get a "DECLINED" out of the first
invocation]. When I do, my require ldap-filter, etc., directives are
not treated as authoritative on the "second pass" when the request user
has been set correctly.

--Pete

---
Peter L. Thomas, pthomas@hpti.com
(w) 703-682-5308 (c) 703-615-7806 (pgr) 877-383-8910

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
To unsubscribe from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: Controlling which handlers run, and when

on 25.02.2010 22:35:14 by pthomas

I continue to fight with this. I added in "stub" handlers for Access, and
I've determined that the authorization check of mod_authnz_ldap is being
executed in the Access phase of AAA. This isn't documented; it's
causing two problems: early auth failure as well as a side-effect of an
extra, useless LDAP query with a blank filter.

How do I instruct Apache to remove mod_authnz_ldap's authorization
handler from the access phase, while leaving it in for authorization?

Warmly,

--Pete

Re: Controlling which handlers run, and when

on 25.02.2010 22:57:20 by Eric Covener

On Thu, Feb 25, 2010 at 4:35 PM, Thomas, Peter wrote:
> I continue to fight with this. I added in "stub" handlers for Access, I've
> determined that the authorization check of mod_authnz_ldap is being executed
> in the Access phase of AAA. This isn't documented; it's causing two
> problems: early auth failure as well as a side-effect of an extra, useless
> LDAP query with a blank filter.
>
> How do I instruct Apache to remove mod_authnz_ldap's authorization handler
> from the access phase, while leaving it in for authorization?
>

That doesn't seem possible, as mod_authnz_ldap doesn't hook
access_checker (and access_checker is before e.g. mod_auth_basic can
even perform authn -- how can you do authz if you don't know who the
user is?)

-- 
Eric Covener
covener@gmail.com


RE: Controlling which handlers run, and when

on 25.02.2010 23:53:01 by pthomas

Eric Covener replied:
> That doesn't seem possible, as mod_authnz_ldap doesn't hook
> access_checker (and access_checker is before e.g. mod_auth_basic can
> even perform authn -- how can you do authz if you don't know who the
> user is?)

And yet it moves...see log excerpt below...

The only other possibility is that first ONLY the mod_authnz_ldap
authorization mechanism is running--and failing, and only THEN my two
mod_perl handlers [Access & Authen] run, followed by another invocation
of the mod_authnz_ldap authorization routine--which would work, except
for the first failure [ldap server bug, see below]. Is it possible that
what I'm seeing is actually two passes through the AAA stack for one
request? If so, why would this happen?

I am looking at the debug logs, and [once the mod_ssl debug spew is
done], I have...

[time...] [info] Initial (No.1) HTTPS request received for child 0
(server servername:443)

okay, we're in...

[time...] [warn] [client address...] ldap authorize: Userid is blank,
AuthType=(null)

But--right away--we're already trying to run mod_authnz_ldap's
authorization handler!

[time...] [debug] mod_authnz_ldap.c(582) [client address...] ldap
authorize: Creating LDAP req structure
[time...] [debug] mod_authnz_ldap.c(582) [client address...] auth_ldap
authorise: User DN not found, ldap_seach_ext_s() for user failed

Unsurprisingly, it fails, as I haven't set the request->user(...),
request->ap_auth_type(...), etc...

[time...] [info] [client address...] AccessHandler: SSL_CLIENT_S_DN_CN =
MyCN...

Ah-ha! Now my access handler is running, great!

[time...] [info] [client address...] AuthenHandler: SSL_CLIENT_S_DN_CN =
MyCN...

Followed by my authentication handler...no worries...

[time...] [debug] mod_authnz_ldap.c(582) [client address...] ldap
authorize: Creating LDAP req structure
[time...] [debug] mod_authnz_ldap.c(582) [client address...] auth_ldap
authorise: User DN not found, ldap_seach_ext_s() for user failed

This pass through SHOULD work, right? Sadly, my directory
administrator tells me that due to a bug in our LDAP server at this
point my connection has been "scrogged" [his word] by the earlier
invalid--and undesired--call from mod_authnz_ldap.

If it helps, my config stanza looks like this (the enclosing container
directive was lost in transit):

SSLOptions +StdEnvVars +OptRenegotiate
SSLUserName HTTPS_CLIENT_S_DN
SetHandler ldap-status

AuthType Basic
AuthName "Certificate Authentication"

AuthzLDAPAuthoritative off
AuthLDAPURL "https://server/c=us?dn"
# Hack to force authorization hook to run; it short circuits if there
# is no Require ldap-* clause
Require ldap-filter "cn=*"
# May be redundant, as the filter expression will always work,
# assuming we find any user at all
Require valid-user

# both handlers set user name, set auth type, and spit out logging so
# we know where we are...theoretically I should only need one
PerlAccessHandler ORG::AccessSSL
PerlAuthenHandler ORG::AuthnSSL

Warmly,

--Pete
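As an added illustration (not Pete's actual ORG::AuthnSSL, which the thread never shows), this is what a mod_perl 2 PerlAuthenHandler doing what the stanza's comment describes looks like: it reads the client certificate CN during the check_user_id phase, sets the request user and auth type so a later authorization hook no longer sees "Userid is blank, AuthType=(null)", and logs where it is. It assumes the Apache2::ModSSL CPAN module for ssl_var_lookup, because the +StdEnvVars variables are only copied into subprocess_env by mod_ssl's fixup hook, which runs after the AAA phases.

```perl
# Hypothetical ORG::AuthnSSL, added as an example; not code from the thread.
package ORG::AuthnSSL;

use strict;
use warnings;

use Apache2::RequestRec ();   # $r->user, $r->ap_auth_type
use Apache2::Connection ();   # $r->connection
use Apache2::Log ();          # $r->log->info / ->warn
use Apache2::ModSSL ();       # CPAN module (assumed installed): is_https, ssl_var_lookup
use Apache2::Const -compile => qw(OK DECLINED);

# Runs in the check_user_id (authentication) phase. mod_authnz_ldap's
# auth_checker hook runs after this, so it sees a populated r->user.
sub handler {
    my ($r) = @_;
    my $c = $r->connection;

    # Only act on TLS connections; plain HTTP has no client certificate.
    unless ($c->is_https) {
        $r->log->warn('AuthenHandler: not an SSL connection, declining');
        return Apache2::Const::DECLINED;
    }

    # The CN is only trustworthy when mod_ssl verified the chain
    # (SSLVerifyClient require); otherwise any presented cert would do.
    my $cn = $c->ssl_var_lookup('SSL_CLIENT_S_DN_CN');
    unless (defined $cn && length $cn) {
        $r->log->warn('AuthenHandler: no client certificate CN, declining');
        return Apache2::Const::DECLINED;
    }

    # Populate the fields later authz handlers read: user name and the
    # auth type recorded on the request.
    $r->user($cn);
    $r->ap_auth_type('Basic');   # matches "AuthType Basic" in the stanza
    $r->log->info("AuthenHandler: SSL_CLIENT_S_DN_CN = $cn");

    return Apache2::Const::OK;
}

1;
```

Pair it with SSLVerifyClient require (not shown in the quoted stanza) so that the CN used as the user name comes from a certificate mod_ssl actually validated.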
