apache authentication fails if password is sync'd through dirxml

(Last modified: 01Dec2005)

This document (10099761) is provided subject to the disclaimer at the end of this document.

fact

NetWare 6.5

OES

Apache 2

IDM 2

Mod_edir authentication

symptom

apache authentication fails if password is sync'd through dirxml

Failed to create path context for -632
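To see how widespread the symptom is before applying the libc.nlm fix, the Apache error_log can be scanned for the message quoted above. The script below is an added example for this TID, not Novell code; the log lines in it are constructed to carry that message in the usual Apache 2 error_log layout (the exact text mod_edir writes around the message is assumed), and the -601 line is made up for contrast.

```python
import re
from collections import defaultdict

# Constructed Apache 2 error_log excerpt (not taken from a real server). The
# "-632" lines mimic the message quoted in this TID; the others are filler.
SAMPLE_ERROR_LOG = """\
[Tue Nov 22 10:15:03 2005] [error] [client 10.1.2.3] Failed to create path context for -632
[Tue Nov 22 10:15:09 2005] [error] [client 10.1.2.3] Failed to create path context for -632
[Tue Nov 22 10:16:41 2005] [error] [client 10.1.2.9] Failed to create path context for -632
[Tue Nov 22 10:17:00 2005] [error] [client 10.1.2.5] File does not exist: SYS:/test/private/favicon.ico
[Tue Nov 22 10:18:12 2005] [error] [client 10.1.2.7] Failed to create path context for -601
"""

# Assumed layout: "[client <addr>]" precedes the mod_edir message on the line.
PATH_CONTEXT_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\].*?Failed to create path context for (?P<code>-?\d+)")


def parse_path_context_failures(log_text):
    """Yield (client, error_code) for every path-context failure line."""
    for line in log_text.splitlines():
        m = PATH_CONTEXT_RE.search(line)
        if m:
            yield m.group("client"), int(m.group("code"))


def summarize_failures(log_text):
    """Return {client: {code: count}} so that clients hitting only -632 (the
    libc.nlm defect this TID describes) can be told apart from other codes."""
    summary = defaultdict(lambda: defaultdict(int))
    for client, code in parse_path_context_failures(log_text):
        summary[client][code] += 1
    return {client: dict(codes) for client, codes in summary.items()}


def clients_hit_by_632(log_text):
    """Sorted list of client addresses that logged the -632 failure."""
    return sorted(client for client, codes in summarize_failures(log_text).items()
                  if -632 in codes)


if __name__ == "__main__":
    for client, codes in summarize_failures(SAMPLE_ERROR_LOG).items():
        print(client, codes)
    print("clients affected by -632:", clients_hit_by_632(SAMPLE_ERROR_LOG))
```

Run it against a copy of the server's error_log (read the file into the `log_text` argument) to list which clients are failing with -632; after the new libc.nlm is installed the list should stop growing.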

fix

The failure occurs in create_identity and NXCreatePathContext (libc.nlm).

Obtain a libc.nlm dated November 4, 2005 or later. Until NW65SP6 is released you may need to call Novell Technical Support to get this libc.nlm.

http://support.novell.com/servlet/filefinder?name=libc.nlm

WORKAROUND:

Using nspmDistributionPassword and Universal Password instead of the DirXML public/private key sync works: Apache then correctly authenticates users through mod_edir even after DirXML/IDM has changed or synchronized their passwords.

Password sync version 2.0 = nspmDistributionPassword

Password sync version 1.0 = Public/private sync

Here are my lab notes on configuring my two test trees to use Universal Password (UP) and Distribution Password.

 My_Lab_Notes.pdf

Also use dsbrowse.nlm to check whether the user whose password sync 1.0 fails is missing the Login Time attribute.


Testing:


Using the 1.0 password sync method (public/private keys), the password syncs correctly from the source tree to the destination tree; however, Apache configured for mod_edir (which checks file system rights) fails to authenticate the user to the Apache private page. If you change /apache2/conf/httpd.conf

FROM:


<Directory SYS:/test/private>
Options Indexes Multiviews
AllowOverride None
Order deny,allow
Allow from all
AuthType Basic
AuthName "Protected"
AuthLDAPAuthoritative On
AuthLDAPURL ldap://mywebsrv.novellrocks.com/ou=myou,ou=orgx,o=novell?cn?sub
require edir-user
</Directory>


TO:


<Directory SYS:/test/private>
Options Indexes Multiviews
AllowOverride None
Order deny,allow
Allow from all
AuthType Basic
AuthName "Protected"
AuthLDAPAuthoritative On
AuthLDAPURL ldap://mywebsrv.novellrocks.com/ou=myou,ou=orgx,o=novell?cn?sub
Require valid-user
</Directory>


Then the user can authenticate, even with the public/private key password sync method.
Having Apache look for valid-user works fine with the old DirXML password sync (public/private keys). A third-party proxy using LDAP also works fine. Logging in with the Novell client works too; however, Apache will NOT authenticate a user if their password is sync'd through the public/private keys. If one uses ConsoleOne to change the password in the destination tree and then tries to authenticate to the private pages, it authenticates correctly.
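The change above swaps require edir-user (mod_edir checks the user's file system rights to the directory, the step that fails with -632) for Require valid-user, which admits any user who can bind through the AuthLDAPURL. Because that is a weaker authorization check, it helps to know which Directory blocks carry the workaround so they can be reverted once the fixed libc.nlm is in place. The script below is an added example for this TID, not Novell code or part of Apache; the httpd.conf fragment in it is constructed, with the first block copied from the "TO:" block above and the other two invented for contrast.

```python
import re

# Constructed httpd.conf fragment (not from a live server). The first block is
# the TID's own "TO:" block; the reports and public blocks are invented.
SAMPLE_HTTPD_CONF = """
<Directory SYS:/test/private>
Options Indexes Multiviews
AllowOverride None
Order deny,allow
Allow from all
AuthType Basic
AuthName "Protected"
AuthLDAPAuthoritative On
AuthLDAPURL ldap://mywebsrv.novellrocks.com/ou=myou,ou=orgx,o=novell?cn?sub
Require valid-user
</Directory>

<Directory SYS:/test/reports>
AuthType Basic
AuthName "Reports"
AuthLDAPURL ldap://mywebsrv.novellrocks.com/ou=myou,ou=orgx,o=novell?cn?sub
require edir-user
</Directory>

<Directory SYS:/test/public>
Options Indexes
Allow from all
</Directory>
"""

# Matches one <Directory path> ... </Directory> container (case-insensitive,
# as Apache treats directive names).
DIRECTORY_RE = re.compile(r"<Directory\s+([^>]+)>(.*?)</Directory>",
                          re.IGNORECASE | re.DOTALL)


def parse_directory_blocks(conf_text):
    """Return [(path, directives)] where directives maps the lower-cased
    directive name to the list of argument strings seen in that block."""
    blocks = []
    for match in DIRECTORY_RE.finditer(conf_text):
        path, body = match.group(1).strip(), match.group(2)
        directives = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            args = parts[1].strip() if len(parts) > 1 else ""
            directives.setdefault(parts[0].lower(), []).append(args)
        blocks.append((path, directives))
    return blocks


def classify_block(directives):
    """Map the Require directive(s) of one block to an authorization mode.

    edir-user  -> 'edir-rights': mod_edir checks file system rights (the path
                  context step that fails with -632 in this TID)
    valid-user -> 'bind-only'  : any user who can bind to LDAP is admitted
    anything else -> 'other';  no Require at all -> 'no-auth'
    """
    requires = [r.lower() for r in directives.get("require", [])]
    if "edir-user" in requires:
        return "edir-rights"
    if "valid-user" in requires:
        return "bind-only"
    if requires:
        return "other"
    return "no-auth"


def audit_httpd_conf(conf_text):
    """Return [(path, mode, has_ldap_url)] for every Directory block."""
    return [(path, classify_block(d), "authldapurl" in d)
            for path, d in parse_directory_blocks(conf_text)]


def workaround_blocks(conf_text):
    """Paths still relying on the weaker valid-user check behind an LDAP URL."""
    return [path for path, mode, ldap in audit_httpd_conf(conf_text)
            if mode == "bind-only" and ldap]


if __name__ == "__main__":
    for path, mode, ldap in audit_httpd_conf(SAMPLE_HTTPD_CONF):
        print(f"{path:24} {mode:12} ldap={ldap}")
    print("workaround still in place for:", workaround_blocks(SAMPLE_HTTPD_CONF))
```

Feed the real /apache2/conf/httpd.conf to audit_httpd_conf after the libc.nlm update; any path reported by workaround_blocks is a candidate for switching back to require edir-user so that file system rights are enforced again.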

document

Document Title: apache authentication fails if password is sync'd through dirxml
Document ID: 10099761
Solution ID: NOVL104347
Creation Date: 22Nov2005
Modified Date: 01Dec2005
Novell Product Class: Web Services

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.