You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Eduardo Mayoral <em...@arsys.es> on 2017/10/13 14:06:00 UTC
[users@httpd] Assistance with file + ldap auth config moving from httpd 2.2 to 2.4
Hi,
I am trying to move a web application from httpd 2.2 to httpd 2.4 ,
and I need some assistance with a particular configuration
The Authorization / Authentication schema in httpd 2.2 is as follows
(this goes inside a <Directory> tag ):
AuthUserFile /etc/hobbit/hobbitpasswd
AuthGroupFile /etc/hobbit/hobbitgroup
AuthType Basic
AuthName "Hobbit user"
AuthBasicProvider file ldap
AuthzLDAPAuthoritative off
AuthLDAPURL
"ldap://REDACTED:3268/DC=arsyslan,DC=es?sAMAccountName?sub?(objectClass=*)"
NONE
AuthLDAPBindDN "REDACTED@arsyslan.es"
AuthLDAPBindPassword "REDACTED"
AuthzLDAPAuthoritative off
AuthLDAPGroupAttributeIsDN on
Require ldap-filter
memberOf:1.2.840.113556.1.4.1941:=cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es
Require group XymonUsers
The intended logic is: "Search for the user / group in
/etc/hobbit/hobbitpasswd / /etc/hobbit/hobbitgroup , then look in
active directory. If the user belongs to the htaccess group "XymonUsers"
o the Active directory group "XymonAccess", grant access. Reject
otherwise." This is working correctly in httpd 2.2 AFAIK.
I have tried doing something equivalent for httpd 2.4. This is my best
attempt so far:
<AuthnProviderAlias ldap arsyslan>
AuthLDAPURL "ldap://REDACTED:3268
REDACTED:3268/DC=arsyslan,DC=es?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "REDACTED@arsyslan.es"
AuthLDAPBindPassword "REDACTED"
#Require ldap-filter
memberOf:1.2.840.113556.1.4.1941:=cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
AuthLDAPMaxSubGroupDepth 3
</AuthnProviderAlias>
<AuthnProviderAlias file localfile>
AuthUserFile /etc/xymon/xymonusers.htpasswd
AuthGroupFile /etc/xymon/xymongroups.htpasswd
AuthBasicAuthoritative off
</AuthnProviderAlias>
<AuthzProviderAlias ldap-group arsyslan-XymonAccess
cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es>
AuthLDAPURL "ldap://REDACTED:3268 REDACTED:3268/DC=arsyslan,DC=es" NONE
AuthLDAPBindDN "REDACTED@arsyslan.es"
AuthLDAPBindPassword "REDACTED"
Require ldap-group
cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es
</AuthzProviderAlias>
<AuthzProviderAlias group localfile-XymonUsers XymonUsers>
AuthUserFile /etc/xymon/xymonusers.htpasswd
AuthGroupFile /etc/xymon/xymongroups.htpasswd
Require group XymonUsers
</AuthzProviderAlias>
And then inside the <Directory> tag:
AuthType Basic
AuthName "Xymon user"
AuthBasicProvider localfile arsyslan
AuthBasicAuthoritative off
<RequireAny>
Require localfile-XymonUsers
Require arsyslan-XymonAccess
</RequireAny>
If I try to login with a user who exists in the
/etc/xymon/xymonusers.htpasswd file, everything is fine.
If I try to login with an AD user (not in ), I get:
==> /var/log/httpd/xymon_ssl_error_log <==
[Fri Oct 13 15:59:30.926045 2017] [authz_groupfile:error] [pid 11980:tid
139834546947840] [client 10.23.53.39:39176] AH01666: Authorization of
user REDACTED to access /xymon/gifs/green.gif failed, reason: user
doesn't appear in group file (/etc/xymon/xymongroups.htpasswd).
[Fri Oct 13 15:59:30.929906 2017] [authz_core:error] [pid 11980:tid
139834546947840] [client 10.23.53.39:39176] AH01631: user REDACTED:
authorization failure for "/xymon/gifs/green.gif":
And If I try to login with a user who does not exist neither in the file
nor in AD, I get:
==> /var/log/httpd/xymon_ssl_error_log <==
[Fri Oct 13 16:01:38.588067 2017] [authn_core:error] [pid 11904:tid
139834538555136] [client 10.23.53.39:39184] AH01796: AuthType Basic
configured without corresponding module
Can somebody provide assistance? Help will be much appreciated, I have
been trying for a while now and I am stuck.
--
Eduardo Mayoral Jimeno (emayoral@arsys.es)
Administrador de sistemas. Departamento de Plataformas. Arsys internet.
+34 941 620 145 ext. 5153
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Assistance with file + ldap auth config moving from
httpd 2.2 to 2.4
Posted by Eduardo Mayoral <em...@arsys.es>.
Thanks to everybody for their support. With trace8 loglevel I saw the
problem was with the Active directory group membership. I reverted to
what I was using in apache 2.2 for that part:
Require ldap-filter memberOf:1.2.840.113556.1.4.1941:=cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es
Also, I removed AuthBasicAuthoritative off because it caused non-existent users to produce a 500 error instead of a 401.
Again, thank you very much for the help!
Eduardo Mayoral Jimeno (emayoral@arsys.es)
Administrador de sistemas. Departamento de Plataformas. Arsys internet.
+34 941 620 145 ext. 5153
On 13/10/17 18:10, Eric Covener wrote:
> Can you crank up the loglevel to trace8? I believe there are some
> spurious error messages when authz modules are reporting their
> individual results vs. getting rolled up to RequireAny.
>
> On Fri, Oct 13, 2017 at 11:46 AM, Eduardo Mayoral <em...@arsys.es> wrote:
>> Hi, Eric,
>>
>> Thanks for your fast answer. The reason for the provider aliases is
>> that once I get this config working I would like to re-use it for about
>> 6 different directories.
>>
>> However, I have tried to flatten the configuration according to your
>> suggestion. I repeated the tests, exact same result. Flattened config
>> follows:
>>
>> AuthType Basic
>> AuthName "Xymon user"
>>
>> AuthBasicProvider file ldap
>> AuthBasicAuthoritative off
>>
>> AuthLDAPURL "ldap://REDACTED:3268
>> REDACTED:3268/DC=arsyslan,DC=es?sAMAccountName?sub?(objectClass=*)" NONE
>> AuthLDAPBindDN "REDACTED@arsyslan.es"
>> AuthLDAPBindPassword "REDACTED"
>> AuthLDAPGroupAttributeIsDN on
>> AuthLDAPGroupAttribute member
>> AuthLDAPMaxSubGroupDepth 3
>>
>> AuthUserFile /etc/xymon/xymonusers.htpasswd
>> AuthGroupFile /etc/xymon/xymongroups.htpasswd
>>
>>
>> <RequireAny>
>> Require group XymonUsers
>> Require ldap-group
>> cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es
>> </RequireAny>
>>
>>
>> Eduardo Mayoral Jimeno (emayoral@arsys.es)
>> Administrador de sistemas. Departamento de Plataformas. Arsys internet.
>> +34 941 620 145 ext. 5153
>>
>> On 13/10/17 16:47, Eric Covener wrote:
>>> On Fri, Oct 13, 2017 at 10:06 AM, Eduardo Mayoral <em...@arsys.es> wrote:
>>>> Hi,
>>>>
>>>> I am trying to move a web application from httpd 2.2 to httpd 2.4 ,
>>> I don't think all of those provider-aliases are necessary. Did you a
>>> try a more simpler/direct port of the config?
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Assistance with file + ldap auth config moving from
httpd 2.2 to 2.4
Posted by Galen Johnson <so...@gmail.com>.
Eduardo,
It looks like you're trying to get it working with Xymon so you might want
to ask on that list as well. I had a heck of a time getting it to work but
I ended up using mod_authnz_external.c to configure it to use PAM. This is
the config I use:
<IfModule mod_authnz_external.c>
# Require SSL connection for password protection.
SSLRequireSSL
AuthBasicProvider external file
AuthExternal pwauth
AuthGroupFile /etc/xymon/xymongroups
GroupExternal unixgroup
<RequireAll>
# "valid-user" restricts access to anyone who is logged in.
Require valid-user
# "group xymon" restricts access to users who have logged in,
AND
# are members of the "xymon" group in xymongroups.
Require group xymon
</RequireAll>
</IfModule>
While not exactly what you're doing, I hope this helps nudge you in the
right direction.
=G=
On Fri, Oct 13, 2017 at 12:10 PM, Eric Covener <co...@gmail.com> wrote:
> Can you crank up the loglevel to trace8? I believe there are some
> spurious error messages when authz modules are reporting their
> individual results vs. getting rolled up to RequireAny.
>
> On Fri, Oct 13, 2017 at 11:46 AM, Eduardo Mayoral <em...@arsys.es>
> wrote:
> > Hi, Eric,
> >
> > Thanks for your fast answer. The reason for the provider aliases is
> > that once I get this config working I would like to re-use it for about
> > 6 different directories.
> >
> > However, I have tried to flatten the configuration according to your
> > suggestion. I repeated the tests, exact same result. Flattened config
> > follows:
> >
> > AuthType Basic
> > AuthName "Xymon user"
> >
> > AuthBasicProvider file ldap
> > AuthBasicAuthoritative off
> >
> > AuthLDAPURL "ldap://REDACTED:3268
> > REDACTED:3268/DC=arsyslan,DC=es?sAMAccountName?sub?(objectClass=*)" NONE
> > AuthLDAPBindDN "REDACTED@arsyslan.es"
> > AuthLDAPBindPassword "REDACTED"
> > AuthLDAPGroupAttributeIsDN on
> > AuthLDAPGroupAttribute member
> > AuthLDAPMaxSubGroupDepth 3
> >
> > AuthUserFile /etc/xymon/xymonusers.htpasswd
> > AuthGroupFile /etc/xymon/xymongroups.htpasswd
> >
> >
> > <RequireAny>
> > Require group XymonUsers
> > Require ldap-group
> > cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es
> > </RequireAny>
> >
> >
> > Eduardo Mayoral Jimeno (emayoral@arsys.es)
> > Administrador de sistemas. Departamento de Plataformas. Arsys internet.
> > +34 941 620 145 ext. 5153
> >
> > On 13/10/17 16:47, Eric Covener wrote:
> >> On Fri, Oct 13, 2017 at 10:06 AM, Eduardo Mayoral <em...@arsys.es>
> wrote:
> >>> Hi,
> >>>
> >>> I am trying to move a web application from httpd 2.2 to httpd 2.4 ,
> >> I don't think all of those provider-aliases are necessary. Did you a
> >> try a more simpler/direct port of the config?
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >> For additional commands, e-mail: users-help@httpd.apache.org
> >>
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
>
>
>
> --
> Eric Covener
> covener@gmail.com
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
Re: [users@httpd] Assistance with file + ldap auth config moving from
httpd 2.2 to 2.4
Posted by Eric Covener <co...@gmail.com>.
Can you crank up the loglevel to trace8? I believe there are some
spurious error messages when authz modules are reporting their
individual results vs. getting rolled up to RequireAny.
On Fri, Oct 13, 2017 at 11:46 AM, Eduardo Mayoral <em...@arsys.es> wrote:
> Hi, Eric,
>
> Thanks for your fast answer. The reason for the provider aliases is
> that once I get this config working I would like to re-use it for about
> 6 different directories.
>
> However, I have tried to flatten the configuration according to your
> suggestion. I repeated the tests, exact same result. Flattened config
> follows:
>
> AuthType Basic
> AuthName "Xymon user"
>
> AuthBasicProvider file ldap
> AuthBasicAuthoritative off
>
> AuthLDAPURL "ldap://REDACTED:3268
> REDACTED:3268/DC=arsyslan,DC=es?sAMAccountName?sub?(objectClass=*)" NONE
> AuthLDAPBindDN "REDACTED@arsyslan.es"
> AuthLDAPBindPassword "REDACTED"
> AuthLDAPGroupAttributeIsDN on
> AuthLDAPGroupAttribute member
> AuthLDAPMaxSubGroupDepth 3
>
> AuthUserFile /etc/xymon/xymonusers.htpasswd
> AuthGroupFile /etc/xymon/xymongroups.htpasswd
>
>
> <RequireAny>
> Require group XymonUsers
> Require ldap-group
> cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es
> </RequireAny>
>
>
> Eduardo Mayoral Jimeno (emayoral@arsys.es)
> Administrador de sistemas. Departamento de Plataformas. Arsys internet.
> +34 941 620 145 ext. 5153
>
> On 13/10/17 16:47, Eric Covener wrote:
>> On Fri, Oct 13, 2017 at 10:06 AM, Eduardo Mayoral <em...@arsys.es> wrote:
>>> Hi,
>>>
>>> I am trying to move a web application from httpd 2.2 to httpd 2.4 ,
>> I don't think all of those provider-aliases are necessary. Did you a
>> try a more simpler/direct port of the config?
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
--
Eric Covener
covener@gmail.com
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Assistance with file + ldap auth config moving from
httpd 2.2 to 2.4
Posted by Eduardo Mayoral <em...@arsys.es>.
Hi, Eric,
Thanks for your fast answer. The reason for the provider aliases is
that once I get this config working I would like to re-use it for about
6 different directories.
However, I have tried to flatten the configuration according to your
suggestion. I repeated the tests, exact same result. Flattened config
follows:
AuthType Basic
AuthName "Xymon user"
AuthBasicProvider file ldap
AuthBasicAuthoritative off
AuthLDAPURL "ldap://REDACTED:3268
REDACTED:3268/DC=arsyslan,DC=es?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "REDACTED@arsyslan.es"
AuthLDAPBindPassword "REDACTED"
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
AuthLDAPMaxSubGroupDepth 3
AuthUserFile /etc/xymon/xymonusers.htpasswd
AuthGroupFile /etc/xymon/xymongroups.htpasswd
<RequireAny>
Require group XymonUsers
Require ldap-group
cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es
</RequireAny>
Eduardo Mayoral Jimeno (emayoral@arsys.es)
Administrador de sistemas. Departamento de Plataformas. Arsys internet.
+34 941 620 145 ext. 5153
On 13/10/17 16:47, Eric Covener wrote:
> On Fri, Oct 13, 2017 at 10:06 AM, Eduardo Mayoral <em...@arsys.es> wrote:
>> Hi,
>>
>> I am trying to move a web application from httpd 2.2 to httpd 2.4 ,
> I don't think all of those provider-aliases are necessary. Did you a
> try a more simpler/direct port of the config?
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Assistance with file + ldap auth config moving from
httpd 2.2 to 2.4
Posted by Eric Covener <co...@gmail.com>.
On Fri, Oct 13, 2017 at 10:06 AM, Eduardo Mayoral <em...@arsys.es> wrote:
> Hi,
>
> I am trying to move a web application from httpd 2.2 to httpd 2.4 ,
I don't think all of those provider-aliases are necessary. Did you a
try a more simpler/direct port of the config?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org