Apache on OSX 10.4 Tiger uses local account first

[gmongardi at napc.com (Grant M.)]

Hey all,
    I was just wondering if anyone else had encountered this issue yet.
We sell an application that runs on Apache and uses Basic Apache
Authentication for user accounts (there is an optional secure
authentication module as well). Well we had a customer who had extremely
slow browsing under several of the accounts and we spent several days
attempting to troubleshoot it. Other accounts worked just fine. We
completely reinstalled the application and recreated all of the
accounts, groups and settings from scratch, and still browsing was
_painfully_ slow on the same accounts.
    Well it turns out that on Tiger, the Apache mod_auth has been
completely replaced by something called mod_auth_apple (on an upgrade
from 10.3, it leaves mod_auth but turns it off), which it appears looks
to the local system accounts first for authentication, and then
_falls_back_ to the standard Apache authentication. It apparently does
this for _every_ HTTP request. If there is a user of the same name as
the Apache user, it will attempt to authenticate as the system user
first. This is fine if you use the system user account's password.
However, if you use the Apache user's password, and it doesn't match the
system, the result _can_ be slow browsing. Based upon testing, we're not
sure what all of the variables are to produce the slow browsing -
sometimes it works, other times it doesn't. It may have something to do
with using LDAP/AD for system users, but I've yet to prove that.
   So anyway, I was just wondering if anyone else has encountered this
issue, or anything similar? Is there some way to tell mod_auth_apple to
stop looking at local accounts?
Thanks,
Grant M.
-- 
Grant Mongardi
Systems Engineer
NAPC

gmongardi at napc.com
http://www.napc.com/
781.894.3114 phone
781.894.3997 fax


NAPC | technology matters