Posted to users@httpd.apache.org by Mike Rumph <mi...@oracle.com> on 2016/07/05 15:56:05 UTC

Re: [users@httpd]Login difficulty after integration of httpd with LDAP

Adding a subject for easier tracking


On 7/5/2016 8:36 AM, Roger Paanini wrote:
> Hi Folks,
>
> I am trying to integrate httpd with LDAP (Active Directory) but I am 
> running into some trouble: Every time I try to login, here is what I see:
>
> [Tue Jul 05 09:23:50.471191 2016] [ssl:info] [pid 35839:tid 139644016523008] [client 10.204.1.1:51637] AH01964: Connection to child 66 established (server apachehost.my.com:443)
> [Tue Jul 05 09:23:50.471383 2016] [ssl:debug] [pid 35839:tid 139644016523008] ssl_engine_kernel.c(2101): [client 10.204.1.1:51637] AH02043: SSL virtual host for servername apachehost.my.com found
> [Tue Jul 05 09:23:50.487945 2016] [ssl:debug] [pid 35839:tid 139644016523008] ssl_engine_kernel.c(2028): [client 10.204.1.1:51637] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> [Tue Jul 05 09:23:50.488842 2016] [ssl:debug] [pid 35839:tid 139644016523008] ssl_engine_kernel.c(366): [client 10.204.1.1:51637] AH02034: Initial (No.1) HTTPS request received for child 66 (server apachehost.my.com:443)
> [Tue Jul 05 09:23:50.488887 2016] [authz_core:debug] [pid 35839:tid 139644016523008] mod_authz_core.c(809): [client 10.204.1.1:51637] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
> [Tue Jul 05 09:23:50.488899 2016] [authz_core:debug] [pid 35839:tid 139644016523008] mod_authz_core.c(809): [client 10.204.1.1:51637] AH01626: authorization result of Require ldap-group "CN=Architecture Team,OU=Groups,OU=Core,DC=my,DC=com": denied (no authenticated user yet)
> [Tue Jul 05 09:23:50.488903 2016] [authz_core:debug] [pid 35839:tid 139644016523008] mod_authz_core.c(809): [client 10.204.1.1:51637] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
> [Tue Jul 05 09:23:50.488925 2016] [authnz_ldap:debug] [pid 35839:tid 139644016523008] mod_authnz_ldap.c(516): [client 10.204.1.1:51637] AH01691: auth_ldap authenticate: using URL ldaps://my.com:636/DC=my,DC=com?sAMAccountNamei?sub?(objectclass=user)
> [Tue Jul 05 09:23:50.546246 2016] [proxy:debug] [pid 53629:tid 139644279056192] proxy_util.c(1790): AH00925: initializing worker http://appserver.my.com:8500/ shared
> [Tue Jul 05 09:23:50.546308 2016] [proxy:debug] [pid 53629:tid 139644279056192] proxy_util.c(1832): AH00927: initializing worker http://appserver.my.com:8500/ local
> [Tue Jul 05 09:23:50.546358 2016] [proxy:debug] [pid 53629:tid 139644279056192] proxy_util.c(1867): AH00930: initialized pool in child 53629 for (appserver.my.com) min=0 max=25 smax=25
> [Tue Jul 05 09:23:50.546381 2016] [proxy:debug] [pid 53629:tid 139644279056192] proxy_util.c(1790): AH00925: initializing worker proxy:reverse shared
> [Tue Jul 05 09:23:50.546384 2016] [proxy:debug] [pid 53629:tid 139644279056192] proxy_util.c(1832): AH00927: initializing worker proxy:reverse local
> [Tue Jul 05 09:23:50.546396 2016] [proxy:debug] [pid 53629:tid 139644279056192] proxy_util.c(1867): AH00930: initialized pool in child 53629 for (*) min=0 max=25 smax=25
> [Tue Jul 05 09:23:50.546415 2016] [proxy:debug] [pid 53629:tid 139644279056192] proxy_util.c(1785): AH00924: worker http://appserver.my.com:8500/ shared already initialized
> [Tue Jul 05 09:23:50.546425 2016] [proxy:debug] [pid 53629:tid 139644279056192] proxy_util.c(1827): AH00926: worker http://appserver.my.com:8500/ local already initialized
> [Tue Jul 05 09:23:50.546624 2016] [mpm_event:debug] [pid 53629:tid 139644108920576] event.c(2096): AH02471: start_threads: Using epoll
> [Tue Jul 05 09:23:50.587187 2016] [authnz_ldap:info] [pid 35839:tid 139644016523008] [client 10.204.1.1:51637] AH01695: auth_ldap authenticate: user testuser authentication failed; URI /ui [User not found][No such object]
> [Tue Jul 05 09:23:50.587224 2016] [auth_basic:error] [pid 35839:tid 139644016523008] [client 10.204.1.1:51637] AH01618: user testuser not found: /ui
> [Tue Jul 05 09:23:55.577658 2016] [ssl:debug] [pid 35839:tid 139643823490816] ssl_engine_io.c(1033): [remote 10.204.1.1:51637] AH02001: Connection closed to child 66 with standard shutdown (server apachehost.my.com:443)
>
>
> And here is the configuration snippet from httpd.conf:
>
> LDAPTrustedGlobalCert CA_BASE64 /usr/local/apache2/conf/certs/ldapCert.pem
> LDAPVerifyServerCert Off
>
> <Location />
>         AuthType Basic
>         AuthLDAPBindDN "CN=ldap,OU=acct,DC=my,DC=com"
>         AuthLDAPBindPassword ******
>         AuthBasicProvider ldap
>         AuthName "LDAP - login"
>         AuthLDAPURL "ldaps://my.com:636/DC=my,DC=com?sAMAccountNamei?sub?(objectclass=user)"
>         Require valid-user
>         Require ldap-group "CN=Architecture Team,OU=Groups,OU=Core,DC=my,DC=com"
>         AuthLDAPRemoteUserAttribute uid
> #RewriteEngine On
> #RewriteCond %{LA-U:REMOTE_USER} (.+)
> #RewriteRule .* - [E=RU:%1]
> #RequestHeader set REMOTE_USER %{RU}e
> </Location>
>
> Any clues on what I am missing or how to go about debugging this issue?
>
> Thanks in advance!
>


Re: [users@httpd]Login difficulty after integration of httpd with LDAP

Posted by Roger Paanini <ro...@gmail.com>.
Eric, I just found the problem: there is a typo in ldap URL: sAMAccountName
has an i at the end. After I removed it, it is working fine.

AuthLDAPURL "ldaps://my.com:636/DC=my,DC=com?sAMAccountName*i*?sub?(objectclass=user)"

Your suggestion to do ldapsearch made me look through these values and that
is how I found it.

Thanks for the help!



On Tue, Jul 5, 2016 at 1:41 PM, Eric Covener <co...@gmail.com> wrote:

> On Tue, Jul 5, 2016 at 2:32 PM, Roger Paanini <ro...@gmail.com>
> wrote:
> > I have redacted the response to protect confidential info. Do you need
> the
> > full response?
>
>
> I don't think so. Could you capture both searches in wireshark and see
> how they differ at a low level? Something might stand out
> side-by-side.
>
> --
> Eric Covener
> covener@gmail.com
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

Re: [users@httpd]Login difficulty after integration of httpd with LDAP

Posted by Eric Covener <co...@gmail.com>.
On Tue, Jul 5, 2016 at 2:32 PM, Roger Paanini <ro...@gmail.com> wrote:
> I have redacted the response to protect confidential info. Do you need the
> full response?


I don't think so. Could you capture both searches in wireshark and see
how they differ at a low level? Something might stand out
side-by-side.

-- 
Eric Covener
covener@gmail.com



Re: [users@httpd]Login difficulty after integration of httpd with LDAP

Posted by Roger Paanini <ro...@gmail.com>.
Eric, this command works perfectly fine:

ldapsearch -x -h my.com -D "CN=ldap,OU=acct,DC=my,DC=com" -w  ***** -b
"dc=my,dc=com" -s sub "(&(sAMAccountName=testuser)(objectClass=user))"

I have redacted the response to protect confidential info. Do you need the
full response?

Thanks!

On Tue, Jul 5, 2016 at 11:03 AM, Eric Covener <co...@gmail.com> wrote:

> On Tue, Jul 5, 2016 at 11:56 AM, Mike Rumph <mi...@oracle.com> wrote:
> > [Tue Jul 05 09:23:50.587187 2016] [authnz_ldap:info] [pid 35839:tid
> > 139644016523008] [client 10.204.1.1:51637] AH01695: auth_ldap
> authenticate:
> > user testuser authentication failed; URI /ui [User not found][No such
> > object]
>
>
> Can you show a command-line ldapsearch that shows
> sAMAccountNameI=testuser when searching your LDAP with a base of the
> DC=... in the AuthLDAPURL?  If not, show any ldapsearch that finds
> that user?
>
> --
> Eric Covener
> covener@gmail.com
>
>
>

Re: [users@httpd]Login difficulty after integration of httpd with LDAP

Posted by Eric Covener <co...@gmail.com>.
On Tue, Jul 5, 2016 at 11:56 AM, Mike Rumph <mi...@oracle.com> wrote:
> [Tue Jul 05 09:23:50.587187 2016] [authnz_ldap:info] [pid 35839:tid
> 139644016523008] [client 10.204.1.1:51637] AH01695: auth_ldap authenticate:
> user testuser authentication failed; URI /ui [User not found][No such
> object]


Can you show a command-line ldapsearch that shows
sAMAccountNameI=testuser when searching your LDAP with a base of the
DC=... in the AuthLDAPURL?  If not, show any ldapsearch that finds
that user?

-- 
Eric Covener
covener@gmail.com

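Eric's check, reproducing the AuthLDAPURL search with a hand-typed ldapsearch, is what exposed the typo. The Python below is an added example written for this page, not httpd's own code: it decomposes an AuthLDAPURL into host, port, base DN, attribute, scope and filter using the defaults the mod_authnz_ldap documentation gives, builds the filter httpd derives from the URL's filter and attribute for a given login name (escaping the name per RFC 4515 so a crafted login cannot rewrite the filter; the escaping routine is this example's own, not a copy of httpd's), and prints the ldapsearch command that issues the same query over the same transport. The URL is the one from Roger's httpd.conf with its sAMAccountNamei typo, testuser and the bind DN are the values from the thread, and the function names are this example's own.

```python
"""Split an httpd AuthLDAPURL the way mod_authnz_ldap reads it, show the
search filter httpd derives from it for a login name, and print the
ldapsearch command that issues the same query.  Example code written for
this page, not httpd's own; URL, user and bind DN are from the thread."""

import shlex
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                   "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a user-controlled value before it is embedded in a filter, so a
    login name such as 'x)(objectClass=*' cannot widen the search (this is
    the example's own escaping, not a copy of httpd's routine)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url):
    """Decompose ldap[s]://host[:port]/basedn?attrs?scope?filter using the
    defaults mod_authnz_ldap documents: only the first attribute is used
    (uid if none is given), scope is sub unless 'one', and the filter
    defaults to (objectClass=*)."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("scheme must be ldap or ldaps, got %r" % parts.scheme)
    base_dn = unquote(parts.path.lstrip("/"))
    # Split only on the first two '?' so a filter containing '?' stays whole;
    # pad so that missing trailing fields read as empty strings.
    attrs, scope, filt = (unquote(parts.query).split("?", 2) + ["", ""])[:3]
    attr_list = [a for a in attrs.split(",") if a]
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "base_dn": base_dn,
        "attribute": attr_list[0] if attr_list else "uid",
        "scope": "one" if scope == "one" else "sub",
        "filter": filt or "(objectClass=*)",
    }


def search_filter(spec, username):
    """Filter built from the URL: (&<url filter>(<attribute>=<escaped user>))."""
    return "(&%s(%s=%s))" % (spec["filter"], spec["attribute"],
                             escape_filter_value(username))


def ldapsearch_command(spec, username, bind_dn):
    """ldapsearch invocation for the same query over the same transport.
    -H keeps the scheme and port from the URL; '-h host' alone would talk
    ldap:// on 389 and skip the TLS path httpd actually takes."""
    uri = "%s://%s:%d" % (spec["scheme"], spec["host"], spec["port"])
    argv = ["ldapsearch", "-x", "-H", uri, "-D", bind_dn, "-W",
            "-b", spec["base_dn"], "-s", spec["scope"],
            search_filter(spec, username), spec["attribute"]]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # URL copied from the thread's httpd.conf, trailing 'i' typo included.
    URL = "ldaps://my.com:636/DC=my,DC=com?sAMAccountNamei?sub?(objectclass=user)"
    spec = parse_auth_ldap_url(URL)
    print("attribute the login name is matched against:", spec["attribute"])
    print("filter sent to the directory:", search_filter(spec, "testuser"))
    print(ldapsearch_command(spec, "testuser", "CN=ldap,OU=acct,DC=my,DC=com"))
```

Run against the thread's URL it prints the filter (&(objectclass=user)(sAMAccountNamei=testuser)), which matches no entry because no object carries an attribute of that name, and httpd reports the empty result as [User not found]. Two things to keep in mind when comparing with a hand-typed ldapsearch: Roger's command used -h my.com, which connects over plain ldap:// on 389, so pass -H with the same ldaps://host:636 URI to exercise the transport and certificate path httpd uses (and note that LDAPVerifyServerCert Off in the posted config means httpd does not check that certificate against the LDAPTrustedGlobalCert CA at all). Separately, the authz_core debug lines show Require valid-user and Require ldap-group evaluated under <RequireAny>, so once the typo is fixed any user the directory authenticates is let in whether or not they belong to the Architecture Team group; wrap the two in <RequireAll>, or drop valid-user, if group membership is meant to be enforced.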