Shibboleth + Basic Auth in earlier versions of Apache (specifically 2.2)

Pottinger, Hardy J. PottingerHJ at missouri.edu
Thu Oct 15 17:23:50 EDT 2015


> The SP documentation on htaccess usage describes recommended steps to take on older versions to reduce conflicts in semantics and avoid some of them

Thanks, Scott. Can you help point me in the right direction here? In a nutshell, I'm trying to support both Shibboleth and Basic Auth on the same vhost. Most of the site is protected by Shibboleth, a few pages are exempt from this (via Satisfy Any), and that's working. However, when I attempt to protect one page with Basic Auth (it's an xmlrpc link, and thus Shibboleth isn't suitable; it needs to be Basic Auth) and visit this page, I see a 401 error, and the Apache error log indicates:

[error] [client 555.555.55.55 ] access to /project/login/rpc failed, reason: verification of user id '<null>' not configured

Here's the pertinent configuration for this page:

   <Location "/project/login/rpc">
     ShibRequireSession Off 
     ProxyPass         https://projecturl:443/project/login/rpc
     ProxyPassReverse  https://projecturl:443/project/login/rpc
     Order allow,deny
     Allow from all
     AuthType Basic
     AuthName "Project RPC"
     AuthBasicProvider file
     AuthUserFile /path/to/htpassword
     Require valid-user
     Satisfy Any 
   </Location>

Searching on the error led me to the previous discussion on this mail list, which led me to the ShibCompatValidUser setting... Alas, I cannot (yet) use this setting.


________________________________________
From: users [users-bounces at shibboleth.net] on behalf of Cantor, Scott [cantor.2 at osu.edu]
Sent: Thursday, October 15, 2015 12:23 PM
To: Shib Users
Subject: Re: Shibboleth + Basic Auth in earlier versions of Apache (specifically 2.2)

On 10/15/15, 1:00 PM, "users on behalf of Pottinger, Hardy J." <users-bounces at shibboleth.net on behalf of PottingerHJ at missouri.edu> wrote:



>Hi, I can see from the list archives that Apache basic authentication is known to not work quite correctly [1] with Shibboleth 2.5.2 out of the box.

On Apache 2.4 anyway.

> If you want to mix the two authentication methods, you must turn on ShibCompatValidUser. Which would be very helpful to me, if I were using Apache HTTPD 2.4. I'm not, I'm using 2.2.15 (the latest available in the RHEL repositories). And yet, I'm seeing similar behavior when trying to mix basic auth and Shib in the same vhost. So, right now, I'm asking my sysadmins to upgrade our HTTPD version to 2.4, so I can utilize the ShibCompatValidUser setting. But, I figured I'd at least ask if this is a known bug with the shib module for earlier versions of Apache?

No, not if other configuration problems aren't involved. Apache itself is not designed to handle this in older versions, and it works poorly in some scenarios. The SP documentation on htaccess usage describes recommended steps to take on older versions to reduce conflicts in semantics and avoid some of them.

-- Scott
