Re: Cannot authenticate locally when LDAP is unavailable

When the LDAP server is offline, the request never fails. It just sits there.

[Mon Jan 13 08:23:45 2014] [debug] mod_authnz_ldap.c(977): LDAP: auth_ldap not using SSL connections
[Mon Jan 13 08:23:45 2014] [debug] mod_authnz_ldap.c(582): [client 10.1.1.1] ldap authorize: Creating LDAP req structure
[Mon Jan 13 08:24:01 2014] [debug] mod_authnz_ldap.c(377): [client 10.1.1.1] [18488] auth_ldap authenticate: using URL ldap://ldap.server.com:389/OU=Users,DC=server,DC=com?sAMAccountName
[Mon Jan 13 08:25:25 2014] [debug] mod_authnz_ldap.c(594): [client 10.1.1.1] auth_ldap authorise: User DN not found, LDAP: ldap_simple_bind_s() failed

The third line there is when I put in the local-file user credentials.  After about 90 seconds, I made LDAP available again and the browser immediately authenticated as the local user and the failed bind was logged, as that user is not in LDAP.  You can see the LDAP didn't fail until it was available.

Shouldn't this config: 1) try the local file first; and, 2) time out after a period of time?  I thought I saw the default timeout period was 10 seconds?




---
Rob Yamry  |  Network Engineer  |  Kimberly Area School District  |  Phone: 920.788.7900  x 4158  |  Direct: 920.423.4158  |  ryamry@xxxxxxxxxxxxxxxxxx


On Mon, Jan 13, 2014 at 7:35 AM, Eric Covener <covener@xxxxxxxxx> wrote:
your symptom is very odd, because your configuration should try
file-based authn first.  Can you bump the logging to DEBUG?  A failed
LDAP connection should be logged.

Also, upgrading to either a contemporary 2.2 release or 2.4 wouldn't hurt!

On Mon, Jan 13, 2014 at 8:10 AM, Rob Yamry <ryamry@xxxxxxxxxxxxxxxxxx> wrote:
> Are there any options I can try with this to get it working as needed?  Any
> other thoughts or help would be appreciated!
>
>
> ---
> Rob Yamry  |  Network Engineer  |  Kimberly Area School District  |  Phone:
> 920.788.7900 x 4158  |  Direct: 920.423.4158  |  ryamry@xxxxxxxxxxxxxxxxxx
>
>
> On Thu, Jan 9, 2014 at 12:26 PM, Rob Yamry <ryamry@xxxxxxxxxxxxxxxxxx>
> wrote:
>>
>> I retract that log entry.  The time stamp seemed off after I sent it and I
>> retested it.  Nothing gets logged in the access_log or error_log.  Yes its
>> 2.2.10.  Authentication is the problem.
>>
>>
>> ---
>> Rob Yamry  |  Network Engineer  |  Kimberly Area School District  |
>> Phone: 920.788.7900 x 4158  |  Direct: 920.423.4158  |
>> ryamry@xxxxxxxxxxxxxxxxxx
>>
>>
>> On Thu, Jan 9, 2014 at 11:52 AM, Rob Yamry <ryamry@xxxxxxxxxxxxxxxxxx>
>> wrote:
>>>
>>> error.log states:
>>>
>>> [Thu Jan 09 10:22:36 2014] [warn] [client 10.9.2.49] [18090] auth_ldap
>>> authenticate: user user1 authentication failed; URI /index.php [User not
>>> found][No such object]
>>>
>>> At this point the ldap server was offline.  Of course, that user only
>>> resides locally in the AuthUserFile.
>>>
>>>
>>> ---
>>> Rob Yamry  |  Network Engineer  |  Kimberly Area School District  |
>>> Phone: 920.788.7900  x 4158  |  Direct: 920.423.4158  |
>>> ryamry@xxxxxxxxxxxxxxxxxx
>>>
>>>
>>> On Thu, Jan 9, 2014 at 11:33 AM, Eric Covener <covener@xxxxxxxxx> wrote:
>>>>
>>>> On Thu, Jan 9, 2014 at 12:28 PM, Rob Yamry <ryamry@xxxxxxxxxxxxxxxxxx>
>>>> wrote:
>>>> > Hello-
>>>> >   I'm having a problem where local authentication will not work when
>>>> > the configured LDAP server is unavailable.  When the ldap server is
>>>> > online I can authenticate fine against ldap and local file.  However,
>>>> > when the ldap server is offline, I cannot authenticate with the user1
>>>> > account.
>>>> >
>>>> > I'd appreciate any help you could provide.  I've searched a lot on this
>>>> > and found many examples, all very similar to my config below, but I
>>>> > still cannot fail back authentication to local file when ldap is
>>>> > unavailable.  I'm running Apache/2.2.10
>>>> >
>>>> > AuthName "Server Access"
>>>> > AuthType Basic
>>>> > # Providers are tried in the order listed: file auth first, then ldap auth
>>>> > AuthBasicProvider file ldap
>>>> > AuthUserFile /etc/apache2/htpasswd
>>>> > AuthzLDAPAuthoritative off
>>>> > AuthLDAPURL ldap://ldap.domain.com:389/OU=Users,DC=domain,DC=com?sAMAccountName
>>>> > AuthLDAPBindDN "domain\ldap_user"
>>>> > AuthLDAPBindPassword password
>>>> > AuthLDAPGroupAttributeIsDN off
>>>> >
>>>>
>>>> logs?
>>>>
>>>> really 2.2.10 or w/ patches?
>>>>
>>>> > Require user user1
>>>> > Require ldap-attribute memberOf=CN=groupName,DC=domain,DC=com
>>>> >
>>>>
>>>> is it authentication or authorization that fails?
>>>>
>>>> --
>>>> Eric Covener
>>>> covener@xxxxxxxxx
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>>>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>>>
>>>
>>
>



--
Eric Covener
covener@xxxxxxxxx

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
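The configuration under discussion, rewritten for Apache 2.4 (the release Eric suggests moving to), as an added example that is not the poster's configuration or anything posted in the thread. Two separate LDAP round trips are involved: authentication, where `AuthBasicProvider file ldap` tries the htpasswd file before mod_authnz_ldap, and authorization, where `Require ldap-attribute` always performs an LDAP lookup. The "ldap authorize: Creating LDAP req structure" line in the debug log above is that second step, and it runs even for a user the file provider has already accepted unless the authorization rules let the local user be granted first. The `<Location>` path and the timeout values are assumptions chosen for illustration; the hostnames, DNs and file paths are the thread's own placeholders.

```apache
# Added example (Apache 2.4), not the configuration posted in the thread.
# Hostnames, DNs and paths are the thread's placeholders; timeouts and the
# Location path are assumed values for illustration.

# mod_ldap (server config): bound the time an unreachable LDAP server can
# hold a request. Without these, a dead server is only noticed when the
# TCP connect or the LDAP operation gives up on its own.
LDAPConnectionTimeout 5      # seconds to wait for the TCP connect
LDAPTimeout 10               # seconds to wait for a bind/search (2.4; default 60)

<Location "/">
    AuthName "Server Access"
    AuthType Basic

    # Authentication providers are tried in this order. A user present in
    # the htpasswd file is decided there (accepted or denied) and LDAP is not
    # consulted; only a user absent from the file falls through to LDAP and
    # therefore waits up to the timeouts above when the server is down.
    AuthBasicProvider file ldap
    AuthUserFile /etc/apache2/htpasswd

    AuthLDAPURL "ldap://ldap.domain.com:389/OU=Users,DC=domain,DC=com?sAMAccountName"
    AuthLDAPBindDN "domain\ldap_user"
    AuthLDAPBindPassword password

    # Authorization. 2.4 evaluates the members of <RequireAny> in the order
    # written and stops at the first one that grants, so user1 is authorized
    # by mod_authz_user without an LDAP lookup; everyone else is checked
    # against the group attribute and fails closed (with the timeouts above)
    # when LDAP is unreachable. AuthzLDAPAuthoritative does not exist in 2.4.
    <RequireAny>
        Require user user1
        Require ldap-attribute memberOf=CN=groupName,DC=domain,DC=com
    </RequireAny>
</Location>
```

One consequence worth keeping in mind when reading the log: a local user who types a wrong password is rejected by the file provider and never sent to LDAP, while an unknown username is always forwarded to LDAP. So with this layout the only requests that can stall on an unreachable directory are those for users who are not in the htpasswd file, and they now stall for at most the configured timeouts rather than until the server comes back.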
