Posted to users@httpd.apache.org by Igor Cicimov <ic...@gmail.com> on 2018/04/06 02:54:01 UTC

[users@httpd] LDAP not working

Hi all,

I have no idea what's going on and why my setup that's been working for
years suddenly stopped working, so I have to ask here after having done
extensive debugging.

Maybe something has changed in the ldap and/or authentication/authorization
modules, but the effect is the same on apache 2.2.22 and 2.4.18 -> I'm not
getting the basic authentication pop-up any more and the site access is
unprotected.

I have the following config enabled:

<IfModule mod_ldap.c>
<AuthnProviderAlias ldap ldap1>
        AuthBasicAuthoritative off
        AuthBasicProvider ldap
        AuthLDAPURL ldap://ldap1.domain.com:389/ou=Users,dc=domain,dc=com?uid STARTTLS
        AuthLDAPBindDN cn=user,ou=Users,dc=domain,dc=com
        AuthLDAPBindPassword password
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN on
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap2>
        AuthBasicAuthoritative off
        AuthBasicProvider ldap
        AuthLDAPURL ldap://ldap2.domain.com:389/ou=Users,dc=domain,dc=com?uid STARTTLS
        AuthLDAPBindDN cn=user,ou=Users,dc=domain,dc=com
        AuthLDAPBindPassword password
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN on
</AuthnProviderAlias>
</IfModule>

and referenced in the default virtual host as:

    <IfModule mod_ldap.c>
        AuthBasicProvider ldap1 ldap2
        AuthType Basic
        AuthName "Secure access"
        Require ldap-group "cn=mygroup,ou=Groups,dc=domain,dc=com"
        Require valid-user
        Satisfy all
    </IfModule>

Even with debugging enabled all I can see in the logs is:

[Fri Apr 06 02:26:21.260285 2018] [authz_core:debug] [pid 10784:tid 140553274521344] mod_authz_core.c(809): [client 210.10.195.106:37535] AH01626: authorization result of Require all granted: granted
[Fri Apr 06 02:26:21.260367 2018] [authz_core:debug] [pid 10784:tid 140553274521344] mod_authz_core.c(809): [client 210.10.195.106:37535] AH01626: authorization result of <RequireAny>: granted

It's like the whole LDAP thing is just being ignored. I can also confirm from
the LDAP server side logs that the Apache server never even tries to make a
connection.

What can be the problem? Any ideas?

Thanks

[users@httpd] Re: LDAP not working

Posted by Igor Cicimov <ic...@gmail.com>.
On Fri, Apr 6, 2018 at 12:54 PM, Igor Cicimov <ic...@gmail.com> wrote:

> Hi all,
>
> I have no idea what's going on and why my setup that's been working for
> years suddenly stopped working, so I have to ask here after having done
> extensive debugging.
>
> Maybe something has changed in the ldap and/or
> authentication/authorization modules, but the effect is the same on apache
> 2.2.22 and 2.4.18 -> I'm not getting the basic authentication pop-up any
> more and the site access is unprotected.
>
> I have the following config enabled:
>
> <IfModule mod_ldap.c>
> <AuthnProviderAlias ldap ldap1>
>         AuthBasicAuthoritative off
>         AuthBasicProvider ldap
>         AuthLDAPURL ldap://ldap1.domain.com:389/ou=Users,dc=domain,dc=com?uid STARTTLS
>         AuthLDAPBindDN cn=user,ou=Users,dc=domain,dc=com
>         AuthLDAPBindPassword password
>         AuthLDAPGroupAttribute memberUid
>         AuthLDAPGroupAttributeIsDN on
> </AuthnProviderAlias>
>
> <AuthnProviderAlias ldap ldap2>
>         AuthBasicAuthoritative off
>         AuthBasicProvider ldap
>         AuthLDAPURL ldap://ldap2.domain.com:389/ou=Users,dc=domain,dc=com?uid STARTTLS
>         AuthLDAPBindDN cn=user,ou=Users,dc=domain,dc=com
>         AuthLDAPBindPassword password
>         AuthLDAPGroupAttribute memberUid
>         AuthLDAPGroupAttributeIsDN on
> </AuthnProviderAlias>
> </IfModule>
>
> and referenced in the default virtual host as:
>
>     <IfModule mod_ldap.c>
>         AuthBasicProvider ldap1 ldap2
>         AuthType Basic
>         AuthName "Secure access"
>         Require ldap-group "cn=mygroup,ou=Groups,dc=domain,dc=com"
>         Require valid-user
>         Satisfy all
>     </IfModule>
>
> Even with debugging enabled all I can see in the logs is:
>
> [Fri Apr 06 02:26:21.260285 2018] [authz_core:debug] [pid 10784:tid 140553274521344] mod_authz_core.c(809): [client 210.10.195.106:37535] AH01626: authorization result of Require all granted: granted
> [Fri Apr 06 02:26:21.260367 2018] [authz_core:debug] [pid 10784:tid 140553274521344] mod_authz_core.c(809): [client 210.10.195.106:37535] AH01626: authorization result of <RequireAny>: granted
>
> It's like the whole LDAP thing is just being ignored. I can also confirm
> from the LDAP server side logs that the Apache server never even tries to
> make a connection.
>
> What can be the problem? Any ideas?
>
> Thanks
>

Replying to myself: solved for 2.4 by removing the <IfModule> condition,
which does not work, and changing "Require all" from allowed to denied:

        Require all denied
        AuthBasicProvider ldap1 ldap2
        AuthType Basic
        AuthName "Secure access"
        Require ldap-group "cn=mygroup,ou=Groups,dc=domain,dc=com"
        Require valid-user
        Satisfy all
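The debug lines in the original post ("authorization result of Require all granted: granted" followed by "<RequireAny>: granted") are what httpd 2.4 prints when a `Require all granted` sits in the same section as the LDAP `Require` lines: bare `Require` directives in one section are evaluated as an implicit `<RequireAny>`, so one grant decides the request before any provider that needs a user (and hence the Basic challenge and the LDAP bind) is consulted. The following is an added model of that container logic for readers of this thread; it is not code from the thread or from the httpd project. The result names follow the mod_authz_core `authz_status` values, the `<RequireAny>`/`<RequireAll>` combination rules are a simplification of the documented semantics (assumption), and group membership is a constructed dictionary standing in for the lookup that mod_authnz_ldap would perform. It also shows a caveat worth checking in the fixed config: with `Require ldap-group` and `Require valid-user` in the same implicit `<RequireAny>`, any authenticated user is granted regardless of group membership; only a `<RequireAll>` makes both conditions mandatory.

```python
"""Model of httpd 2.4 Require / <RequireAny> / <RequireAll> evaluation.

Added illustration, not Apache's code. Constants mirror the authz_status
values mod_authz_core uses; the group lookup is a constructed stand-in for
the LDAP query mod_authnz_ldap would run.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Union

GRANTED = "granted"
DENIED = "denied"
DENIED_NO_USER = "denied (no authenticated user)"  # triggers the authentication phase
NEUTRAL = "neutral"


@dataclass
class Request:
    user: Optional[str] = None                     # None = no credentials sent yet
    groups: Set[str] = field(default_factory=set)  # constructed: groups the LDAP lookup would report


@dataclass
class Container:
    kind: str                                   # "any" -> <RequireAny>, "all" -> <RequireAll>
    members: List[Union[str, "Container"]]


def check_directive(directive: str, req: Request) -> str:
    """Evaluate one `Require <provider> <arg>` line as its provider would."""
    provider, _, arg = directive.partition(" ")
    if provider == "all":                       # Require all granted|denied: no user needed
        return GRANTED if arg == "granted" else DENIED
    # valid-user and ldap-group need an authenticated user; asking for one is
    # what makes httpd send the 401 Basic challenge and, later, contact LDAP.
    if req.user is None:
        return DENIED_NO_USER
    if provider == "valid-user":
        return GRANTED
    if provider == "ldap-group":
        return GRANTED if arg.strip('"') in req.groups else DENIED
    raise ValueError(f"provider not covered by this model: {provider}")


def evaluate(node: Union[str, Container], req: Request) -> str:
    """Combine member results (simplified from the documented container rules)."""
    if isinstance(node, str):
        return check_directive(node, req)
    results = [evaluate(m, req) for m in node.members]
    if node.kind == "any":
        # <RequireAny>: one grant is enough, so `all granted` short-circuits everything else
        if GRANTED in results:
            return GRANTED
        if DENIED_NO_USER in results:
            return DENIED_NO_USER
        return DENIED if DENIED in results else NEUTRAL
    # <RequireAll>: one denial is enough; everything must succeed to grant
    if DENIED in results:
        return DENIED
    if DENIED_NO_USER in results:
        return DENIED_NO_USER
    return GRANTED if GRANTED in results else NEUTRAL


def decide(requires: List[Union[str, Container]], req: Request) -> str:
    """Top-level outcome: bare Require lines in a section form an implicit <RequireAny>."""
    rv = evaluate(Container("any", requires), req)
    if rv == GRANTED:
        return "200 (access granted)"
    if rv == DENIED_NO_USER:
        return "401 (authentication challenge sent)"
    return "403 (forbidden)"   # DENIED and NEUTRAL both end as forbidden at the top level


GROUP_DN = "cn=mygroup,ou=Groups,dc=domain,dc=com"
ORIGINAL = ["all granted", f'ldap-group "{GROUP_DN}"', "valid-user"]  # as in the first post
FIXED = ["all denied", f'ldap-group "{GROUP_DN}"', "valid-user"]      # as in the reply
STRICT = ["all denied", Container("all", [f'ldap-group "{GROUP_DN}"', "valid-user"])]

if __name__ == "__main__":
    anonymous = Request()
    member = Request(user="alice", groups={GROUP_DN})
    non_member = Request(user="bob")
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED), ("strict", STRICT)):
        print(f"{label:8} anonymous  -> {decide(cfg, anonymous)}")
        print(f"{label:8} member     -> {decide(cfg, member)}")
        print(f"{label:8} non-member -> {decide(cfg, non_member)}")
```

Running it reproduces the thread: the original section grants an anonymous request outright, which is why no challenge appears and the LDAP server never sees a connection, while the fixed section sends the 401 challenge. The `STRICT` variant wraps the group and valid-user checks in `<RequireAll>` so that a user outside `mygroup` is refused instead of admitted through `valid-user`.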