Authentication, LDAP, phpMyAdmin

I’ve had a long-standing problem. Every time I rebuild my main server (which contains my websites, my mail, my ldap directory, etc), I get myself wrapped around the axle with authentication. I particularly seem to get into trouble with authenticating access to phpMyAdmin. I use ldap for basic authentication in apache. This morning I figured out some obvious things (they are always obvious once you figure them out). I write this down so that the next time I make the same mistake, I’ll have someplace to look to trigger my memory. If it should happen that anyone else who suffers from the same density could get any help from this, so much the better.

One of the obvious facts that was tripping me up: the authentication settings in the phpMyAdmin config file are not about protecting access to phpMyAdmin at all, but are solely about how phpMyAdmin acquires the credentials it will use to gain access to the mysql server. If I need to control access to phpMyAdmin, it has to be done independently. And I have usually applied some authentication at the apache level to prevent web visitors from getting at things (like phpMyAdmin) that they have no business using. So generally I have a “require valid-user” protecting phpMyAdmin.

If I set phpMyAdmin config to use auth-type of http, then I’m (probably) going to get two different prompts for credentials. The first is from apache, deciding whether I am allowed access to phpMyAdmin at all. This will authenticate against my ldap directory. The second prompt is actually phpMyAdmin prompting me for the credentials on the MySql database, and of course this authenticates against the mysql internal database. Note too that I will get two different prompts only if the domain strings from the two different authentication attempts differ.

I was often using the same userid for both of these locations, but sometimes they have different passwords (as was true this morning). If I have different domain strings, I get two consecutive http authentication prompts that require the same userid but different passwords. (It is even worse if I had the same domain strings, but needed different passwords, because that can never succeed.)

This is obvious now. But for some reason I hadn’t thought it through, and wasn’t expecting it. So I would get the first prompt, enter the (correct) password for that userid in the ldap directory, and would be surprised when I immediately got another prompt. I would automatically assume it was the same prompt repeated (I wouldn’t notice the slightly different domain string) — that I must have mistyped the password (or that my configuration was screwed up). If I re-entered the same password again it would fail, of course (because I was now authenticating against the mysql database), and now it would repeat the prompt again.

During the course of troubleshooting this, what would generally happen in my case is that the browser would capture and cache the password for the first prompt. I’d mess with config files, looking for what was wrong, and at some point I would stumble into entering the correct alternate password for the second prompt, and it would be cached too, and suddenly it would seem to work. I was always on the trail of something else, and would just ignore the anomaly. Write it off to cosmic rays and go on. Must have fixed it… grumble, grumble, don’t know what the hell I did, grumble, grumble, gotta take time to figure this out some day.

Today was the day.

One way around this for my situation was simply to tell phpMyAdmin to set auth-type to cookie. Then it will pop up a little auth screen of its own prompting for the mysql credentials. It is obvious that this screen is from phpMyAdmin, not from apache protecting phpmyadmin, and even a dullard knows what to do then.
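As an added example (not from the original post), here is what the two settings described above look like in phpMyAdmin’s config.inc.php: the http variant, where naming a distinct realm at least makes the second browser prompt recognisable, beside the cookie variant that avoids the double prompt entirely. The realm text, the server index `$i` and the secret value are assumptions for illustration; the Apache-level “require valid-user” protection is configured separately and is not shown here.

```php
<?php
// config.inc.php fragment (added example, not the original post's file).
// These settings only control how phpMyAdmin obtains MySQL credentials;
// they do not protect access to phpMyAdmin itself. Access control stays
// in Apache (e.g. Basic auth against LDAP with "Require valid-user").

$i = 1; // assumed: first and only MySQL server entry
$cfg['Servers'][$i]['host'] = 'localhost';

// --- Variant A: HTTP auth (the confusing case) -------------------------
// The browser shows a second Basic-auth prompt for the MySQL password.
// Giving phpMyAdmin its own realm string makes that second prompt
// visibly different from Apache's LDAP prompt, so you know which
// password is being asked for. If both realms matched and the
// passwords differed, the browser would resend the cached LDAP
// password and the MySQL login could never succeed.
//
// $cfg['Servers'][$i]['auth_type']       = 'http';
// $cfg['Servers'][$i]['auth_http_realm'] = 'phpMyAdmin MySQL login'; // assumed realm text

// --- Variant B: cookie auth (the fix chosen in the post) ---------------
// phpMyAdmin renders its own HTML login form instead of a browser
// Basic-auth dialog, so it cannot be mistaken for Apache's prompt.
$cfg['Servers'][$i]['auth_type'] = 'cookie';

// Cookie auth encrypts the stored MySQL credentials with this secret;
// it must be set, be 32 bytes long, and be private to this server.
// Placeholder value; generate your own random secret.
$cfg['blowfish_secret'] = 'REPLACE-WITH-32-RANDOM-BYTES----';
```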