httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igor Cicimov <icici...@gmail.com>
Subject [users@httpd] Re: LDAP not working
Date Fri, 06 Apr 2018 04:23:02 GMT
On Fri, Apr 6, 2018 at 12:54 PM, Igor Cicimov <icicimov@gmail.com> wrote:

> Hi all,
>
> I have no idea what's going on and why my setup that's been working for
> years suddenly stopped working so have to ask here after had done extensive
> debugging.
>
> Maybe something has changed in the ldap and/or
> authentication/authorization modules but the effect is same on apache
> 2.2.22 and 2.4.18 -> I'm not getting the basic authentication pop-up any
> more and the site access is unprotected.
>
> I have the following config enabled:
>
> <IfModule mod_ldap.c>
> <AuthnProviderAlias ldap ldap1>
>         AuthBasicAuthoritative off
>         AuthBasicProvider ldap
>         AuthLDAPURL ldap://ldap1.domain.com:389/
> ou=Users,dc=domain,dc=com?uid STARTTLS
>         AuthLDAPBindDN cn=user,ou=Users,dc=domain,dc=com
>         AuthLDAPBindPassword password
>         AuthLDAPGroupAttribute memberUid
>         AuthLDAPGroupAttributeIsDN on
> </AuthnProviderAlias>
>
> <AuthnProviderAlias ldap ldap2>
>         AuthBasicAuthoritative off
>         AuthBasicProvider ldap
>         AuthLDAPURL ldap://ldap2.domain.com:389/
> ou=Users,dc=domain,dc=com?uid STARTTLS
>         AuthLDAPBindDN cn=user,ou=Users,dc=domain,dc=com
>         AuthLDAPBindPassword password
>         AuthLDAPGroupAttribute memberUid
>         AuthLDAPGroupAttributeIsDN on
> </AuthnProviderAlias>
> </IfModule>
>
> and referenced in the default virtual host as:
>
>     <IfModule mod_ldap.c>
>         AuthBasicProvider ldap1 ldap2
>         AuthType Basic
>         AuthName "Secure access"
>         Require ldap-group "cn=mygroup,ou=Groups,dc=domain,dc=com"
>         Require valid-user
>         Satisfy all
>     </IfModule>
>
> Even with debugging enabled all I can see in the logs is:
>
> [Fri Apr 06 02:26:21.260285 2018] [authz_core:debug] [pid 10784:tid
> 140553274521344] mod_authz_core.c(809): [client 210.10.195.106:37535]
> AH01626: authorization result of Require all granted: granted
> [Fri Apr 06 02:26:21.260367 2018] [authz_core:debug] [pid 10784:tid
> 140553274521344] mod_authz_core.c(809): [client 210.10.195.106:37535]
> AH01626: authorization result of <RequireAny>: granted
>
> It's like the whole LDAP thing is just being ignored. I can also confirm
> in the LDAP server side logs the Apache server never even tries making a
> connection.
>
> What can be the problem? Any ideas?
>
> Thanks
>

Replying to myself, solved for 2.4 by removing the <IfModule> condition
which does not work and changing "Require all" from allowed to denied:

        Require all denied
        AuthBasicProvider ldap1 ldap2
        AuthType Basic
        AuthName "Secure access"
        Require ldap-group "cn=mygroup,ou=Groups,dc=domain,dc=com"
        Require valid-user
        Satisfy all

Mime
View raw message