I just got Apache/LDAP authentication working (almost) on a new SLES 10 server.
When I visit one of the protected areas on my website I get the Apache Authentication pop-up window where I can LDAP authenticate to gain access to the protected folder.
But I'm getting weird behaviour.
If I type in a valid user but the incorrect password, it lets me retry authentication.
If I type in a non-valid user (like 'aldfklsf' or even leave the username field blank) then I get an error 500 page and do not get the opportunity to retry authentication.
I have cache disabled... When I try to refresh the page to get the Apache authentication window to come back, it doesn't. I just keep getting the error 500 page. Looking in the Apache error logs it says: user aldfklsf not found, every time I refresh the page. It's like it's hanging on to that username.
Is there some setting in Apache that will allow me to attempt to authenticate again?
Here's the entirety of the conf file that is protecting the directory:
<Directory "/media/nss/VOL1/ProtectedDir">
    Options Indexes Multiviews
    AllowOverride None
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName "Protected"
    Require valid-user
    AuthBasicAuthoritative Off
    AuthzLDAPAuthoritative Off
    AuthBasicProvider ldap
    AuthLDAPURL ldap://10.20.32.3/o=wlwv?uid?sub
</Directory>
An update. I found this in the Apache documentation:
Under normal circumstances, the Apache access control modules will pass unrecognized user IDs on to the next access control module in line. Only if the user ID is recognized and the password is validated (or not) will it give the usual success or "authentication failed" messages.
This seems to be the answer. Unfortunately I do not understand Apache enough to take the information from that page and implement it so that it works correctly.
Can anyone help?
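As an added example (editorial, not the poster's own configuration), here is the same Directory block with the one setting the quoted documentation points at changed; it assumes the Apache 2.2 directive set the post is already using and keeps the poster's path and LDAP URL unchanged:

```apache
# Added example, not the poster's config: same block, with the setting that
# produces the 500 on an unknown user changed back to its default.
<Directory "/media/nss/VOL1/ProtectedDir">
    Options Indexes MultiViews
    AllowOverride None
    Order deny,allow
    Allow from all

    AuthType Basic
    AuthName "Protected"
    AuthBasicProvider ldap
    AuthLDAPURL ldap://10.20.32.3/o=wlwv?uid?sub

    # Original (problem): AuthBasicAuthoritative Off
    # With Off, mod_auth_basic treats a user the LDAP provider does not know
    # ("user ... not found" in the error log) as "not mine" and declines, so the
    # request is handed to the next authentication provider. No other provider
    # is configured, so Apache 2.2 has nothing left to check the user with and
    # answers 500 ("couldn't check user") instead of a 401 challenge.
    # With On (the default), an unknown user gets the same 401 as a wrong
    # password, and the browser shows the login prompt again.
    AuthBasicAuthoritative On

    # Original: AuthzLDAPAuthoritative Off. That only matters when another
    # authorization module should get a turn after mod_authnz_ldap; with a
    # single "Require valid-user" the default On is the intended setting.
    AuthzLDAPAuthoritative On

    Require valid-user
</Directory>
```

Keep Off only when a second provider is listed in AuthBasicProvider (for example `ldap file`) so the fall-through has somewhere to go; with a single provider, On also means unknown and known usernames get the same 401 response rather than visibly different ones.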