Posted to users@httpd.apache.org by William Nardone <wi...@tcs.com.INVALID> on 2020/05/04 21:26:00 UTC

[users@httpd] Problem with LDAP group authorization using AuthnProviderAlias

I'm having trouble getting LDAP group authorization working in combination with using AuthnProviderAlias.
When I include the LDAP conf lines in the <Location> block everything works as expected.  If I use a reference to an
AuthnProviderAlias, it does not work.

I'm experienced, but relatively new to Apache, hoping this is just a config problem on my end.

I'm running Apache 2.4.141
     httpd.conf has an include for "conf/extra/proxy-html.conf"
     proxy-html.conf has been modified to include several different files, each one defines a separate VH.  In this case,
"conf/extra/proxy_datapoint_t.conf"
     proxy_datapoint_t.conf is the file with the configuration for the VH I'm using.

I checked through the release notes and found that a similar problem was fixed back in 2.4.8, where the VH was not picking up the
ldap alias: PR 55622
     Changes with Apache 2.4.8 (not released)
         *) mod_authn_core: Allow <AuthnProviderAlias>'es to be seen from auth
         stanzas under virtual hosts. PR 55622. [Eric Covener]
The bug report says it was fixed in 2.4.7 https://bz.apache.org/bugzilla/show_bug.cgi?id=55622
The problem is described in detail here: https://stackoverflow.com/questions/18874062/can-authnprovideralias-ldap-work-with-apache2-4-x

I also checked httpd.markmail.org and nothing similar since the time of the bug mentioned above.
I'm seeing the same kind of issues, but with ldap-group authorization.

Here is what I tried:
     With the ldap conf lines in the location block, "Require ldap-group yyyy" works.
     Using the AuthnProviderAlias name in the location block, with the <AuthnProviderAlias> block at the beginning of the same file
(before the VH block), it fails.
     Additional testing with the AuthnProviderAlias name in the location block also revealed that it works with a "Require
valid-user" and "Require user xxxx", but fails for "Require ldap-user xxxx" or "Require ldap-group yyyy"

Please let me know if there is something on my end that can be changed to get this working.

Here are the configs and log output.

Configuration that works, ldap conf lines in the Location block

     <LocationMatch /SoftwareDelivery/BELC/?.*>
         AuthType Basic
         AuthName SoftwareDelivery

         AuthBasicProvider ldap
         # bind info
             AuthLDAPBindDN "uid=ldap_apache,dc=telcordia,dc=com"
             AuthLDAPBindPassword exec:/usr/local/apache2/conf/.ldap_sun

         # search user
             AuthLDAPURL "ldap:// axesspt1.telcordia.com:7389/dc=telcordia,dc=com?uid?sub?(objectclass=*)"

             Require ldap-group cn=ProdBELC,ou=axess point,ou=web,dc=telcordia,dc=com

     </LocationMatch>

When the server is started (trace7) I see the following message:
[Mon May 04 13:21:12.162627 2020] [authnz_ldap:trace1] [pid 25575:tid 1] mod_authnz_ldap.c(1519): auth_ldap url parse:
`ldap:// axesspt1.telcordia.com:7389/dc=telcordia,dc=com?uid?sub?(objectclass=*)', Host: axesspt1.telcordia.com:7389, Port: 7389, DN:
dc=telcordia,dc=com, attrib: uid, scope: subtree, filter: (objectclass=*), connection mode: not using SSL

I am able to connect to the LDAP server and it successfully completes the calls to check the group membership

[Mon May 04 13:21:51.061359 2020] [core:trace6] [pid 25594:tid 27] core_filters.c(524): [client 128.96.41.18:61686] will flush
because of FLUSH bucket
[Mon May 04 13:21:51.071648 2020] [core:trace5] [pid 25594:tid 27] protocol.c(708): [client 128.96.41.18:61686] Request received
from client: POST /SoftwareDelivery/BELC/sd_index.asp HTTP/1.1
[Mon May 04 13:21:51.072738 2020] [authnz_ldap:debug] [pid 25594:tid 27] mod_authnz_ldap.c(522): [client 128.96.41.18:61686]
AH01691: auth_ldap authenticate: using URL ldap:// axesspt1.telcordia.com:7389/dc=telcordia,dc=com?uid?sub?(objectclass=*), referer:
https://axpdevs.intec.telcordia.com:4444/SoftwareDelivery/scripts/sdDefault.asp
[Mon May 04 13:21:51.073319 2020] [authnz_ldap:trace1] [pid 25594:tid 27] mod_authnz_ldap.c(543): [client 128.96.41.18:61686]
auth_ldap authenticate: final authn filter is (&(objectclass=*)(uid=willy)), referer:
https://axpdevs.intec.telcordia.com:4444/SoftwareDelivery/scripts/sdDefault.asp
[Mon May 04 13:21:51.074183 2020] [ldap:trace5] [pid 25594:tid 27] util_ldap.c(329): [client 128.96.41.18:61686] LDC 262cb0 init,
referer: https://axpdevs.intec.telcordia.com:4444/SoftwareDelivery/scripts/sdDefault.asp
[Mon May 04 13:21:51.074311 2020] [ldap:trace4] [pid 25594:tid 27] util_ldap.c(379): AH01278: LDAP: Setting referrals to On.
[Mon May 04 13:21:51.088249 2020] [ldap:trace5] [pid 25594:tid 27] util_ldap.c(530): [client 128.96.41.18:61686] LDC 262cb0 bind,
referer: https://axpdevs.intec.telcordia.com:4444/SoftwareDelivery/scripts/sdDefault.asp
[Mon May 04 13:21:51.094202 2020] [ldap:trace5] [pid 25594:tid 27] util_ldap.c(530): [client 128.96.41.18:61686] LDC 262cb0 bind,
referer: https://axpdevs.intec.telcordia.com:4444/SoftwareDelivery/scripts/sdDefault.asp
[Mon May 04 13:21:51.094268 2020] [ldap:trace5] [pid 25594:tid 27] util_ldap.c(1843): [client 128.96.41.18:61686] LDC 262cb0 used
for authn, must be rebound, referer: https://axpdevs.intec.telcordia.com:4444/SoftwareDelivery/scripts/sdDefault.asp
[Mon May 04 13:21:51.094503 2020] [authnz_ldap:debug] [pid 25594:tid 27] mod_authnz_ldap.c(619): [client 128.96.41.18:61686]
AH01697: auth_ldap authenticate: accepting willy, referer:
https://axpdevs.intec.telcordia.com:4444/SoftwareDelivery/scripts/sdDefault.asp
[Mon May 04 13:21:51.094649 2020] [authnz_ldap:debug] [pid 25594:tid 27] mod_authnz_ldap.c(919): [client 128.96.41.18:61686]
AH01713: auth_ldap authorize: require group: testing for group membership in "cn=ProdBELC,ou=axess
point,ou=web,dc=telcordia,dc=com", referer: https://axpdevs.intec.telcordia.com:4444/SoftwareDelivery/scripts/sdDefault.asp
[Mon May 04 13:21:51.094722 2020] [authnz_ldap:debug] [pid 25594:tid 27] mod_authnz_ldap.c(926): [client 128.96.41.18:61686]
AH01714: auth_ldap authorize: require group: testing for member: uid=willy,ou=People,dc=telcordia,dc=com (cn=ProdBELC,ou=axess
point,ou=web,dc=telcordia,dc=com), referer: https://axpdevs.intec.telcordia.com:4444/SoftwareDelivery/scripts/sdDefault.asp
[Mon May 04 13:21:51.096805 2020] [ldap:trace5] [pid 25594:tid 27] util_ldap.c(530): [client 128.96.41.18:61686] LDC 262cb0 bind,
referer: https://axpdevs.intec.telcordia.com:4444/SoftwareDelivery/scripts/sdDefault.asp
[Mon May 04 13:21:51.098614 2020] [ldap:trace5] [pid 25594:tid 27] util_ldap.c(1213): [client 128.96.41.18:61686]
ldap_compare_s(25ded8, cn=ProdBELC,ou=axess point,ou=web,dc=telcordia,dc=com, member, uid=willy,ou=People,dc=telcordia,dc=com) = No
such attribute, referer: https://axpdevs.intec.telcordia.com:4444/SoftwareDelivery/scripts/sdDefault.asp
[Mon May 04 13:21:51.098724 2020] [authnz_ldap:debug] [pid 25594:tid 27] mod_authnz_ldap.c(945): [client 128.96.41.18:61686]
AH01719: auth_ldap authorize: require group "cn=ProdBELC,ou=axess point,ou=web,dc=telcordia,dc=com": didn't match with attr member
[Comparison no such attribute (adding to cache)][16 - No such attribute], referer:
https://axpdevs.intec.telcordia.com:4444/SoftwareDelivery/scripts/sdDefault.asp
[Mon May 04 13:21:51.098796 2020] [authnz_ldap:debug] [pid 25594:tid 27] mod_authnz_ldap.c(926): [client 128.96.41.18:61686]
AH01714: auth_ldap authorize: require group: testing for uniqueMember: uid=willy,ou=People,dc=telcordia,dc=com (cn=ProdBELC,ou=axess
point,ou=web,dc=telcordia,dc=com), referer: https://axpdevs.intec.telcordia.com:4444/SoftwareDelivery/scripts/sdDefault.asp
[Mon May 04 13:21:51.100692 2020] [ldap:trace5] [pid 25594:tid 27] util_ldap.c(1213): [client 128.96.41.18:61686]
ldap_compare_s(25ded8, cn=ProdBELC,ou=axess point,ou=web,dc=telcordia,dc=com, uniqueMember, uid=willy,ou=People,dc=telcordia,dc=com)
= Compare True, referer: https://axpdevs.intec.telcordia.com:4444/SoftwareDelivery/scripts/sdDefault.asp
[Mon May 04 13:21:51.100797 2020] [authnz_ldap:debug] [pid 25594:tid 27] mod_authnz_ldap.c(935): [client 128.96.41.18:61686]
AH01715: auth_ldap authorize: require group: authorization successful (attribute uniqueMember) [Comparison true (adding to cache)][6
- Compare True], referer: https://axpdevs.intec.telcordia.com:4444/SoftwareDelivery/scripts/sdDefault.asp
[Mon May 04 13:21:51.102914 2020] [ssl:info] [pid 25594:tid 27] [remote 128.96.41.67:443] AH01964: Connection to child 0 established
(server axpdevs.intec.telcordia.com:4444)
[Mon May 04 13:21:51.196651 2020] [core:trace6] [pid 25594:tid 27] core_filters.c(524): [remote 128.96.41.67:443] will flush because
of FLUSH bucket

If I move the lines out of the Location and VH blocks but leave them in the same file in an <AuthnProviderAlias ldap ldap-sun > block
it fails.

     <AuthnProviderAlias ldap ldap-sun >

         # bind info
             AuthLDAPBindDN "uid=ldap_apache,dc=telcordia,dc=com"
             AuthLDAPBindPassword exec:/usr/local/apache2/conf/.ldap_sun

         # search user
             AuthLDAPURL "ldap:// axesspt1.telcordia.com:7389/dc=telcordia,dc=com?uid?sub?(objectclass=*)"

     </AuthnProviderAlias>

   <VirtualHost *:4444>
  . . . .
     <LocationMatch /SoftwareDelivery/BELC/?.*>
         AuthType Basic
         AuthName SoftwareDelivery

         AuthBasicProvider ldap-sun

             Require ldap-group cn=ProdBELC,ou=axess point,ou=web,dc=telcordia,dc=com

     </LocationMatch>

When the server is started (trace7) I do not see the "auth_ldap url parse:" trace message.
The initial bind and user authentication works, but then none of the group ldap calls are made.

[Mon May 04 13:40:53.596269 2020] [core:trace6] [pid 26344:tid 27] core_filters.c(524): [client 128.96.41.18:61899] will flush
because of FLUSH bucket
[Mon May 04 13:40:53.603380 2020] [core:trace5] [pid 26344:tid 27] protocol.c(708): [client 128.96.41.18:61899] Request received
from client: POST /SoftwareDelivery/BELC/sd_index.asp HTTP/1.1
[Mon May 04 13:40:53.604090 2020] [authnz_ldap:debug] [pid 26344:tid 27] mod_authnz_ldap.c(522): [client 128.96.41.18:61899]
AH01691: auth_ldap authenticate: using URL ldap:// axesspt1.telcordia.com:7389/dc=telcordia,dc=com?uid?sub?(objectclass=*), referer:
https://axpdevs.intec.telcordia.com:4444/SoftwareDelivery/scripts/sdDefault.asp
[Mon May 04 13:40:53.604190 2020] [authnz_ldap:trace1] [pid 26344:tid 27] mod_authnz_ldap.c(543): [client 128.96.41.18:61899]
auth_ldap authenticate: final authn filter is (&(objectclass=*)(uid=willy)), referer:
https://axpdevs.intec.telcordia.com:4444/SoftwareDelivery/scripts/sdDefault.asp
[Mon May 04 13:40:53.604978 2020] [ldap:trace5] [pid 26344:tid 27] util_ldap.c(329): [client 128.96.41.18:61899] LDC 2be610 init,
referer: https://axpdevs.intec.telcordia.com:4444/SoftwareDelivery/scripts/sdDefault.asp
[Mon May 04 13:40:53.605106 2020] [ldap:trace4] [pid 26344:tid 27] util_ldap.c(379): AH01278: LDAP: Setting referrals to On.
[Mon May 04 13:40:53.621118 2020] [ldap:trace5] [pid 26344:tid 27] util_ldap.c(530): [client 128.96.41.18:61899] LDC 2be610 bind,
referer: https://axpdevs.intec.telcordia.com:4444/SoftwareDelivery/scripts/sdDefault.asp
[Mon May 04 13:40:53.626949 2020] [ldap:trace5] [pid 26344:tid 27] util_ldap.c(530): [client 128.96.41.18:61899] LDC 2be610 bind,
referer: https://axpdevs.intec.telcordia.com:4444/SoftwareDelivery/scripts/sdDefault.asp
[Mon May 04 13:40:53.627011 2020] [ldap:trace5] [pid 26344:tid 27] util_ldap.c(1843): [client 128.96.41.18:61899] LDC 2be610 used
for authn, must be rebound, referer: https://axpdevs.intec.telcordia.com:4444/SoftwareDelivery/scripts/sdDefault.asp
[Mon May 04 13:40:53.627196 2020] [authnz_ldap:debug] [pid 26344:tid 27] mod_authnz_ldap.c(619): [client 128.96.41.18:61899]
AH01697: auth_ldap authenticate: accepting willy, referer:
https://axpdevs.intec.telcordia.com:4444/SoftwareDelivery/scripts/sdDefault.asp
[Mon May 04 13:40:53.627279 2020] [authz_core:error] [pid 26344:tid 27] [client 128.96.41.18:61899] AH01631: user willy:
authorization failure for "/SoftwareDelivery/BELC/sd_index.asp": , referer:
https://axpdevs.intec.telcordia.com:4444/SoftwareDelivery/scripts/sdDefault.asp
[Mon May 04 13:40:53.627352 2020] [core:trace3] [pid 26344:tid 27] request.c(117): [client 128.96.41.18:61899] auth phase 'check
authorization' gave status 401: /SoftwareDelivery/BELC/sd_index.asp, referer:
https://axpdevs.intec.telcordia.com:4444/SoftwareDelivery/scripts/sdDefault.asp
[Mon May 04 13:40:53.627485 2020] [headers:debug] [pid 26344:tid 27] mod_headers.c(899): AH01503: headers: ap_headers_error_filter()
[Mon May 04 13:40:58.638066 2020] [core:trace6] [pid 26344:tid 26] core_filters.c(524): [client 128.96.41.18:61899] will flush
because of FLUSH bucket


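An added configuration example, not taken from the post above or from the httpd project, that keeps the alias for authentication and also gives the section that carries the "Require ldap-group" line its own LDAP settings. It assumes the hostnames, DNs, port and password file from the post (the space after "ldap://" in the posted URL is omitted here); the behaviour it relies on is that mod_authnz_ldap's ldap-group/ldap-user/ldap-dn authorization providers read AuthLDAPURL and the bind credentials from the per-directory configuration of the section where the Require is evaluated, while an <AuthnProviderAlias> only substitutes its settings while the named authentication provider is being called. With no AuthLDAPURL in scope at authorization time the group check is denied without a message, which is what the second log excerpt shows (AH01631 with an empty reason), so the misconfiguration fails closed rather than open.

```apache
# Added example (not from the post): authn through the alias, authz configured
# in the same section as the Require. Names and paths are placeholders taken
# from the post; adjust them for your own directory.

<AuthnProviderAlias ldap ldap-sun>
    AuthLDAPBindDN       "uid=ldap_apache,dc=telcordia,dc=com"
    # exec: keeps the bind secret out of the config file itself
    AuthLDAPBindPassword exec:/usr/local/apache2/conf/.ldap_sun
    AuthLDAPURL          "ldap://axesspt1.telcordia.com:7389/dc=telcordia,dc=com?uid?sub?(objectclass=*)"
</AuthnProviderAlias>

<VirtualHost *:4444>
    <LocationMatch "^/SoftwareDelivery/BELC/?.*">
        AuthType Basic
        AuthName SoftwareDelivery

        # Authentication: the alias supplies URL and bind credentials to
        # mod_authnz_ldap only while the "ldap-sun" provider is running.
        AuthBasicProvider ldap-sun

        # Authorization: "Require ldap-group" is checked by mod_authnz_ldap
        # against the configuration of *this* section, not the alias. Without
        # an AuthLDAPURL here there is no server to query and the request is
        # denied with an empty reason. Repeat the settings so the group
        # compare (member / uniqueMember) can be performed.
        AuthLDAPBindDN       "uid=ldap_apache,dc=telcordia,dc=com"
        AuthLDAPBindPassword exec:/usr/local/apache2/conf/.ldap_sun
        AuthLDAPURL          "ldap://axesspt1.telcordia.com:7389/dc=telcordia,dc=com?uid?sub?(objectclass=*)"

        Require ldap-group cn=ProdBELC,ou=axess point,ou=web,dc=telcordia,dc=com
    </LocationMatch>
</VirtualHost>
```

If the point of the alias was to avoid repeating the LDAP settings in every protected section, an "Include conf/extra/ldap-sun-settings.conf" line placed inside each <Location>/<LocationMatch> achieves that while still leaving the URL and credentials in scope for the authorization providers; "Require valid-user" and "Require user" keep working with the alias alone because they are served by mod_authz_user and never consult the LDAP configuration.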