You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by William Paredes <bi...@einstein.yu.edu> on 2013/08/15 19:09:36 UTC

[users@httpd] Apache 2.4 fails to call LDAP auth modules

Greetings!
It's been a few days that I'm struggling with this one:

I don't get the authentication dialog window prompting for a user name & password when I enter an LDAP protected realm:

<Directory /Library/Webserver/Documents/ldapProtected>
  AuthType Basic
  AuthBasicProvider ldap
  AuthName "Testing LDAP"
  AuthLDAPBindDN "CN=cn_name,OU=ou_account,DC=ad,DC=uds,DC=yu,DC=edu"
  AuthLDAPBindPassword "pwrd"
  AuthLDAPURL "ldap://ldap.address:389/DC=ad,DC=uds,DC=yu,DC=edu"
  Require ldap-user jones
</Directory>

However, I do get the authentication dialog with a user file:

 <Directory "/Library/WebServer/Documents/fileProtected">
    AuthType Basic
    AuthName "New Test Auth Required"
    AuthUserFile "/etc/htpasswd/.htpasswd"
    Require valid-user
    Options Indexes FollowSymLinks MultiViews
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
  </Directory>

When I navigate to the LDAP protected directory I get into the directory without the authentication dialog.
When I navigate to the file protected directory I'm challenged with the authentication window.

I built the following with the usual ./configure, make, sudo make install [no errors]:

[apr 1.4.8]  ./configure --prefix=/usr/local/apr

[apr-util 1.5.2]  ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr --with-ldap  --with-mysql=/usr/local/mysql  --with-ldap-lib=/usr/local/openldap/lib --with-ldap-include=/usr/local/openldap/include/

[apache 2.4.6]  ./configure --enable-layout=MacMini --enable-modules=most --with-ssl=/usr --with-mpm-prefork --enable-ssl --enable-so --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util --enable-authnz-ldap --enable-ldap --with-ldap

I've set the apache LogLevel to debug and LDAPLibraryDebug to 7 but they have not revealed anything useful other than the following when I access the LDAP realms without being challenged:

mod_authz_core.c(802): [client 129.98.101.122:51668] AH01626: authorization result of Require all granted: granted

[Tue Aug 13 18:22:55.544690 2013] [authz_core:debug] [pid 60859:tid 4447301632] mod_authz_core.c(802): [client 129.98.101.122:51668] AH01626: authorization result of <RequireAny>: granted


So how would I begin to trouble shoot this puzzle?
[OS X 10.8.4; 2.7GHz Intel Core i7; 16GB; mac mini desktop]

Thanks,
-bill

Re: [users@httpd] Apache 2.4 fails to call LDAP auth modules

Posted by Igor Cicimov <ic...@gmail.com>.

On 16/08/2013 3:10 AM, "William Paredes" <bi...@einstein.yu.edu>
wrote:
>
> Greetings!
> It's been a few days that I'm struggling with this one:
>
> I don't get the authentication dialog window prompting for a user name &
password when I enter an LDAP protected realm:
>
> <Directory /Library/Webserver/Documents/ldapProtected>
>   AuthType Basic
>   AuthBasicProvider ldap
>   AuthName "Testing LDAP"
>   AuthLDAPBindDN "CN=cn_name,OU=ou_account,DC=ad,DC=uds,DC=yu,DC=edu"
>   AuthLDAPBindPassword "pwrd"
>   AuthLDAPURL "ldap://ldap.address:389/DC=ad,DC=uds,DC=yu,DC=edu"
>   Require ldap-user jones
> </Directory>
>
> However, I do get the authentication dialog with a user file:
>
>  <Directory "/Library/WebServer/Documents/fileProtected">
>     AuthType Basic
>     AuthName "New Test Auth Required"
>     AuthUserFile "/etc/htpasswd/.htpasswd"
>     Require valid-user
>     Options Indexes FollowSymLinks MultiViews
>     AllowOverride AuthConfig
>     Order allow,deny
>     Allow from all
>   </Directory>
>
> When I navigate to the LDAP protected directory I get into the directory
without the authentication dialog.
> When I navigate to the file protected directory I'm challenged with the
authentication window.
>
> I built the following with the usual ./configure, make, sudo make install
[no errors]:
>
> [apr 1.4.8]  ./configure --prefix=/usr/local/apr
>
> [apr-util 1.5.2]  ./configure --prefix=/usr/local/apr-util
--with-apr=/usr/local/apr --with-ldap  --with-mysql=/usr/local/mysql
 --with-ldap-lib=/usr/local/openldap/lib
--with-ldap-include=/usr/local/openldap/include/
>
> [apache 2.4.6]  ./configure --enable-layout=MacMini --enable-modules=most
--with-ssl=/usr --with-mpm-prefork --enable-ssl --enable-so
--with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util
--enable-authnz-ldap --enable-ldap --with-ldap
>
> I've set the apache LogLevel to debug and LDAPLibraryDebug to 7 but they
have not revealed anything useful other than the following when I access
the LDAP realms without being challenged:
>
> mod_authz_core.c(802): [client 129.98.101.122:51668] AH01626:
authorization result of Require all granted: granted
>
> [Tue Aug 13 18:22:55.544690 2013] [authz_core:debug] [pid 60859:tid
4447301632] mod_authz_core.c(802): [client 129.98.101.122:51668] AH01626:
authorization result of <RequireAny>: granted
>
>
> So how would I begin to trouble shoot this puzzle?
> [OS X 10.8.4; 2.7GHz Intel Core i7; 16GB; mac mini desktop]
>

Start by confirming your ldap account is working outside apache using
ldapsearch or ldapbind lets say. Have you done that? Have you confirmed the
ldap connection works at all?

> Thanks,
> -bill