Posted to users@httpd.apache.org by Christophe Jaillet <ch...@wanadoo.fr> on 2018/05/22 19:53:40 UTC
[users@httpd] Re: Apache 2.4: Users autenthication in Active Directory
On 22/05/2018 at 14:14, aguayo33 wrote:
> Hi!
> Thanks in advance!
> I need help with Apache configuration to enable login through Active Directory.
> I want to allow login if a user is a member of a group contained in another group.
> Now I have this:
> Alias /nagios /opt/nagios/share
> <Directory "/opt/nagios/share">
> Options ExecCGI
> AllowOverride None
> Order allow,deny
> Allow from all
> AuthType Basic
> AuthName "Acceso restringido"
> AuthBasicProvider ldap
> AuthLDAPURL "ldap://server/DC=domain,DC=red?sAMAccountName?sub?(objectClass=*)"
> AuthLDAPBindDN user@domain.red
> AuthLDAPBindPassword "xxxxxx"
> Require ldap-group CN=NAGIOS_EXP,OU=Groups,OU=Administracion Autonomica,OU=<domain>,DC=domain,DC=red
> </Directory>
>
> And I can't log in. If I put: require valid-user, it goes well.
>
> [Mon May 21 13:36:05.060787 2018] [authnz_ldap:debug] [pid 9315]
> mod_authnz_ldap.c(966): [client 10.10.10.10:51069] AH01716: auth_ldap
> authorise: require group "CN=NAGIOS_EXP,OU=Groups,OU=Administracion
> Autonomica,OU=<domain>,DC=domain,DC=red": failed [Comparison
> complete][34 - Invalid DN syntax], checking sub-groups
> [Mon May 21 13:36:05.062229 2018] [authnz_ldap:debug] [pid 9315]
> mod_authnz_ldap.c(989): [client 10.10.10.10:51069] AH01718: auth_ldap
> authorise: require group (sub-group)
> "CN=NAGIOS_EXP,OU=Groups,OU=Administracion
> Autonomica,OU=<domain>,DC=domain,DC=red": didn't match with attr DN
> failed group verification. [member][34 - Invalid DN syntax]
> [Mon May 21 13:36:05.062250 2018] [authnz_ldap:debug] [pid 9315]
> mod_authnz_ldap.c(966): [client 10.10.10.10:51069] AH01716: auth_ldap
> authorise: require group "CN=NAGIOS_EXP,OU=Groups,OU=Administracion
> Autonomica,OU=<domain>,DC=domain,DC=red": failed [DN failed group
> verification.][34 - Invalid DN syntax], checking sub-groups
> [Mon May 21 13:36:05.063471 2018] [authnz_ldap:debug] [pid 9315]
> mod_authnz_ldap.c(989): [client 10.10.10.10:51069] AH01718: auth_ldap
> authorise: require group (sub-group)
> "CN=NAGIOS_EXP,OU=Groups,OU=Administracion
> Autonomica,OU=<domain>,DC=domain,DC=red": didn't match with attr DN
> failed group verification. [uniqueMember][34 - Invalid DN syntax]
> [Mon May 21 13:36:05.063481 2018] [authnz_ldap:debug] [pid 9315]
> mod_authnz_ldap.c(996): [client 10.10.10.10:51069] AH01720: auth_ldap
> authorize group: authorization denied for user ext-agumarjo to
> /nagios/
> [Mon May 21 13:36:05.063486 2018] [authz_core:debug] [pid 9315]
> mod_authz_core.c(809): [client 10.10.10.10:51069] AH01626:
> authorization result of Require ldap-group
> CN=NAGIOS_EXP,OU=Groups,OU=Administracion
> Autonomica,OU=<domain>,DC=domain,DC=red: denied
> [Mon May 21 13:36:05.063489 2018] [authz_core:debug] [pid 9315]
> mod_authz_core.c(809): [client 10.10.10.10:51069] AH01626:
> authorization result of <RequireAny>: denied
> [Mon May 21 13:36:05.063492 2018] [authz_core:error] [pid 9315]
> [client 10.10.10.10:51069] AH01631: user ext-agumarjo: authorization
> failure for "/nagios/":
>
> What am I doing wrong?
> THANKS!
>
Hi,
just my 2c as I'm not an LDAP user, but "OU=<domain>" looks spurious,
because of the '<' and '>'.
Is it intended?
CJ
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
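Added example, not part of the original thread: RFC 4514 requires `<`, `>`, `"` and `;` to be backslash-escaped inside a DN attribute value, and the sketch below checks the group DN from the posted configuration for that. The function name and the escaped variant are assumptions made for illustration; the DN string itself is copied from the post.

```python
# Added example (not from the thread): find characters in a DN string that
# RFC 4514 requires to be backslash-escaped inside an attribute value.
MUST_ESCAPE = set('";<>')   # unescaped ',' and '+' are separators, not data

# Group DN exactly as it appears in the posted "Require ldap-group" line.
AS_POSTED = ("CN=NAGIOS_EXP,OU=Groups,OU=Administracion Autonomica,"
             "OU=<domain>,DC=domain,DC=red")
# Constructed variant: same DN with the angle brackets escaped.
ESCAPED = AS_POSTED.replace("<", "\\<").replace(">", "\\>")


def dn_syntax_problems(dn):
    """Return [(offset, message), ...] for RFC 4514 violations in dn."""
    problems = []
    in_value = False      # False while reading an attribute type
    rdn_start = 0
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":    # escape sequence: skip the escaped character
            if i + 1 >= len(dn):
                problems.append((i, "dangling backslash"))
            i += 2
            continue
        if not in_value:
            if ch == "=":
                if i == rdn_start:
                    problems.append((i, "empty attribute type"))
                in_value = True
            elif ch in ",+":
                problems.append((i, "RDN without '='"))
                rdn_start = i + 1
        elif ch in ",+":  # end of this attribute value
            in_value = False
            rdn_start = i + 1
        elif ch in MUST_ESCAPE:
            problems.append((i, "unescaped %r in attribute value" % ch))
        i += 1
    if dn and not in_value:
        problems.append((len(dn), "RDN without '='"))
    return problems


if __name__ == "__main__":
    for label, dn in (("as posted", AS_POSTED), ("escaped", ESCAPED)):
        print(label, dn_syntax_problems(dn))
```

The interior space in "Administracion Autonomica" is not reported, because RFC 4514 only requires escaping a space at the start or end of a value.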
[users@httpd] Re: Apache 2.4: Users autenthication in Active Directory
Posted by Christophe Jaillet <ch...@wanadoo.fr>.
On 22/05/2018 at 21:53, Christophe Jaillet wrote:
> On 22/05/2018 at 14:14, aguayo33 wrote:
>> Hi!
>> Thanks in advance!
>> I need help with Apache configuration to enable login through Active
>> Directory.
>> I want to allow login if a user is a member of a group contained in another
>> group.
>> Now I have this:
>> Alias /nagios /opt/nagios/share
>> <Directory "/opt/nagios/share">
>> Options ExecCGI
>> AllowOverride None
>> Order allow,deny
>> Allow from all
>> AuthType Basic
>> AuthName "Acceso restringido"
>> AuthBasicProvider ldap
>> AuthLDAPURL "ldap://server/DC=domain,DC=red?sAMAccountName?sub?(objectClass=*)"
>> AuthLDAPBindDN user@domain.red
>> AuthLDAPBindPassword "xxxxxx"
>> Require ldap-group CN=NAGIOS_EXP,OU=Groups,OU=Administracion Autonomica,OU=<domain>,DC=domain,DC=red
>> </Directory>
>>
>> And I can't log in. If I put: require valid-user, it goes well.
>>
>> [Mon May 21 13:36:05.060787 2018] [authnz_ldap:debug] [pid 9315]
>> mod_authnz_ldap.c(966): [client 10.10.10.10:51069] AH01716: auth_ldap
>> authorise: require group "CN=NAGIOS_EXP,OU=Groups,OU=Administracion
>> Autonomica,OU=<domain>,DC=domain,DC=red": failed [Comparison
>> complete][34 - Invalid DN syntax], checking sub-groups
>> [Mon May 21 13:36:05.062229 2018] [authnz_ldap:debug] [pid 9315]
>> mod_authnz_ldap.c(989): [client 10.10.10.10:51069] AH01718: auth_ldap
>> authorise: require group (sub-group)
>> "CN=NAGIOS_EXP,OU=Groups,OU=Administracion
>> Autonomica,OU=<domain>,DC=domain,DC=red": didn't match with attr DN
>> failed group verification. [member][34 - Invalid DN syntax]
>> [Mon May 21 13:36:05.062250 2018] [authnz_ldap:debug] [pid 9315]
>> mod_authnz_ldap.c(966): [client 10.10.10.10:51069] AH01716: auth_ldap
>> authorise: require group "CN=NAGIOS_EXP,OU=Groups,OU=Administracion
>> Autonomica,OU=<domain>,DC=domain,DC=red": failed [DN failed group
>> verification.][34 - Invalid DN syntax], checking sub-groups
>> [Mon May 21 13:36:05.063471 2018] [authnz_ldap:debug] [pid 9315]
>> mod_authnz_ldap.c(989): [client 10.10.10.10:51069] AH01718: auth_ldap
>> authorise: require group (sub-group)
>> "CN=NAGIOS_EXP,OU=Groups,OU=Administracion
>> Autonomica,OU=<domain>,DC=domain,DC=red": didn't match with attr DN
>> failed group verification. [uniqueMember][34 - Invalid DN syntax]
>> [Mon May 21 13:36:05.063481 2018] [authnz_ldap:debug] [pid 9315]
>> mod_authnz_ldap.c(996): [client 10.10.10.10:51069] AH01720: auth_ldap
>> authorize group: authorization denied for user ext-agumarjo to
>> /nagios/
>> [Mon May 21 13:36:05.063486 2018] [authz_core:debug] [pid 9315]
>> mod_authz_core.c(809): [client 10.10.10.10:51069] AH01626:
>> authorization result of Require ldap-group
>> CN=NAGIOS_EXP,OU=Groups,OU=Administracion
>> Autonomica,OU=<domain>,DC=domain,DC=red: denied
>> [Mon May 21 13:36:05.063489 2018] [authz_core:debug] [pid 9315]
>> mod_authz_core.c(809): [client 10.10.10.10:51069] AH01626:
>> authorization result of <RequireAny>: denied
>> [Mon May 21 13:36:05.063492 2018] [authz_core:error] [pid 9315]
>> [client 10.10.10.10:51069] AH01631: user ext-agumarjo: authorization
>> failure for "/nagios/":
>>
>> What am I doing wrong?
>> THANKS!
>>
>
> Hi,
>
> just my 2c as I'm not an LDAP user, but "OU=<domain>" looks spurious,
> because of the '<' and '>'.
> Is it intended?
>
> CJ
Also, even if unrelated to your question, you should have a look at the
note at the top of
https://httpd.apache.org/docs/2.4/en/mod/mod_access_compat.html
In your example "Order allow,deny" and "Allow from all" should not be
needed.
CJ