Re: auth_ldap fails after upgrading to 2.4.9

Hey Eric,

Yeah, I _just_ ran across the "mod_ldap: When looking up sub-groups, use an implicit objectClass=* instead of an explicit cn=* filter." for 2.4.7.
I just haven't wrapped my head around it just yet.  Nor have I found the bug fix entry for this in https://issues.apache.org

> Can you summarize how the logging differs in the two releases?

Logging differences, sure thing...

Using the steve (success) and dev.frank (failure) examples before; they both start off with...

[Tue Apr 15 09:11:10.320110 2014] [ssl:info] [pid 4844:tid 1040] [client 100.200.300.401:55884] AH01964: Connection to child 52 established (server xxxdev.xxx.example.edu:443)
[Tue Apr 15 09:11:10.321110 2014] [ssl:debug] [pid 4844:tid 1040] ssl_engine_kernel.c(1920): [client 100.200.300.401:55884] AH02043: SSL virtual host for servername xxxdev.xxx.example.edu found
[Tue Apr 15 09:11:10.541132 2014] [ssl:debug] [pid 4844:tid 1040] ssl_engine_kernel.c(1850): [client 100.200.300.401:55884] AH02041: Protocol: TLSv1.2, Cipher: RC4-SHA (128/128 bits)
[Tue Apr 15 09:11:10.543132 2014] [ssl:debug] [pid 4844:tid 1040] ssl_engine_kernel.c(226): [client 100.200.300.401:55884] AH02034: Initial (No.1) HTTPS request received for child 52 (server xxxdev.xxx.example.edu:443)
[Tue Apr 15 09:11:10.543132 2014] [authz_core:debug] [pid 4844:tid 1040] mod_authz_core.c(799): [client 100.200.300.401:55884] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Apr 15 09:11:10.543132 2014] [authz_core:debug] [pid 4844:tid 1040] mod_authz_core.c(799): [client 100.200.300.401:55884] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Apr 15 09:11:10.545132 2014] [ssl:debug] [pid 4844:tid 1040] ssl_engine_kernel.c(226): [client 100.200.300.401:55884] AH02034: Subsequent (No.2) HTTPS request received for child 52 (server xxxdev.xxx.example.edu:443)
[Tue Apr 15 09:11:10.545132 2014] [authz_core:debug] [pid 4844:tid 1040] mod_authz_core.c(799): [client 100.200.300.401:55884] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Apr 15 09:11:10.545132 2014] [authz_core:debug] [pid 4844:tid 1040] mod_authz_core.c(799): [client 100.200.300.401:55884] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Apr 15 09:11:10.545132 2014] [authnz_ldap:debug] [pid 4844:tid 1040] mod_authnz_ldap.c(500): [client 100.200.300.401:55884] AH01691: auth_ldap authenticate: using URL ldaps://ad.example.edu:636/DC=ad,DC=example,DC=edu?samAccountName?sub?(&(objectCategory=person)(|(CN=xxxtech)(memberOf=CN=dev_Admins,OU=AdminGroups,OU=Groups,OU=dev,OU=EDUCATION,OU=DOMAINS,DC=domain,DC=ad,DC=example,DC=edu)(memberOf=CN=dev_admins,OU=Groups,OU=dev,OU=EDUCATION,OU=DOMAINS,DC=ad,DC=example,DC=edu)(memberOf=CN=dev_Operators,OU=AdminGroups,OU=Groups,OU=dev,OU=EDUCATION,OU=DOMAINS,DC=domain,DC=ad,DC=example,DC=edu)))

But then, for steve the next line is:
[Tue Apr 15 09:11:10.551133 2014] [authnz_ldap:debug] [pid 4844:tid 1040] mod_authnz_ldap.c(592): [client 100.200.300.401:55884] AH01697: auth_ldap authenticate: accepting steve

Whereas for dev.frank, it's:
[Tue Apr 15 09:11:43.585436 2014] [authnz_ldap:info] [pid 4844:tid 1040] [client 100.200.300.401:55888] AH01695: auth_ldap authenticate: user dev.frank authentication failed; URI /svn/databaseProject [User not found][No Such Object]

Did that help?

> Would you be able to rebuild a patch, or ask your vendor to try
> selectively removing some of the recent LDAP changes?

I don't think they are willing to do this.  You can see for yourself from the original forum post; but they have done testing on their side and it works for them.  Thus, they have pointed me in the direction of httpd.

Am I willing?  Er, yes.  Just have to find the time and figure out _exactly_ how/what needs to be compiled for me to do testing.  The ideal situation would be for me to isolate httpd and just authenticate through it somehow using my CollabNet Subversion Edge settings for LDAP.


On Tue, Apr 15, 2014 at 4:38 PM, Eric Covener <covener@xxxxxxxxx> wrote:
Can you summarize how the logging differs in the two releases?


Here are two candidates:

  *) mod_ldap: When looking up sub-groups, use an implicit objectClass=*
     instead of an explicit cn=* filter. [David Hawes <dhawes vt.edu>]

  *) mod_ldap: Change "LDAPReferrals off" to actually set the underlying LDAP
     SDK option to OFF, and introduce "LDAPReferrals default" to take the SDK
     default, sans rebind authentication callback.
     [Jan Kaluza <kaluze AT redhat.com>]

Would you be able to rebuild a patch, or ask your vendor to try
selectively removing some of the recent LDAP changes?

On Tue, Apr 15, 2014 at 3:55 PM, Marshall Httpd
<httpd.questions@xxxxxxxxx> wrote:
> Hi,
>
> Our httpd.exe was recently upgraded from 2.4.6 to 2.4.9.  But, when that
> happened, some of our users can no longer authenticate via LDAP.  By "some",
> I mean that we have 2 domains.  Users from one domain are fine, but users in
> the 2nd domain can no longer authenticate.
>
> E.g. AD\steve can authenticate fine; but DOMAIN\dev.frank now gets
> "authentication failed"
>
> The general error goes something like:
> [authnz_ldap:info] [pid 4844:tid 1040] [client 100.200.300.401:55888]
> AH01695: auth_ldap authenticate: user dev.frank authentication failed; URI
> /svn/databaseProject [User not found][No Such Object]
>
> Has anyone experienced such a thing before?  And/or know of the fix?
>
> Full disclosure:  httpd.exe was upgraded by way of our CollabNet Subversion
> Edge upgrade.  I posed my question there first of course; but this really
> does seem like it's an httpd issue.  And thus, here I am.
> I captured a great deal of logging information along with configuration
> settings in their forums.  It's available here:
> https://subversion.open.collab.net/ds/viewMessage.do?dsForumId=3&dsMessageId=517643
>
>
> Thank you,
> Marshall



--
Eric Covener
covener@xxxxxxxxx

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
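Added diagnostic, not part of the thread or of httpd: the AH01691 line above already contains the full AuthLDAPURL that mod_authnz_ldap used, and that URL is the quickest place to check Eric's second candidate (the "LDAPReferrals off" change). The search base is DC=ad,DC=example,DC=edu, but two of the memberOf group DNs carry an extra DC=domain component, i.e. they live in a child Active Directory domain. A subtree search rooted in the parent domain returns a referral (search result reference) for a child naming context instead of its entries, so with referral chasing genuinely disabled any account that lives there is never seen by the user search. The script below parses the logged URL, groups each DN by its DC components and flags the ones outside the base's naming context. The sample log line is the one quoted in the thread; the assumption that dev.frank's account actually sits in the DC=domain child domain is mine, not something the thread states.

```python
"""Added diagnostic (not from the thread): take the AuthLDAPURL that
mod_authnz_ldap logs in its AH01691 line and flag every DN in the filter
whose DC= components place it in a different Active Directory naming
context (e.g. a child domain) than the search base.  A subtree search
rooted in the parent domain returns a referral for such contexts rather
than the entries themselves, so with referral chasing disabled those
users come back as "User not found"."""
import re
from urllib.parse import unquote

# Constructed sample: the AH01691 line quoted in the thread, names exactly as logged.
SAMPLE_LOG_LINE = (
    "[Tue Apr 15 09:11:10.545132 2014] [authnz_ldap:debug] [pid 4844:tid 1040] "
    "mod_authnz_ldap.c(500): [client 100.200.300.401:55884] AH01691: auth_ldap authenticate: "
    "using URL ldaps://ad.example.edu:636/DC=ad,DC=example,DC=edu?samAccountName?sub?"
    "(&(objectCategory=person)(|(CN=xxxtech)"
    "(memberOf=CN=dev_Admins,OU=AdminGroups,OU=Groups,OU=dev,OU=EDUCATION,OU=DOMAINS,DC=domain,DC=ad,DC=example,DC=edu)"
    "(memberOf=CN=dev_admins,OU=Groups,OU=dev,OU=EDUCATION,OU=DOMAINS,DC=ad,DC=example,DC=edu)"
    "(memberOf=CN=dev_Operators,OU=AdminGroups,OU=Groups,OU=dev,OU=EDUCATION,OU=DOMAINS,DC=domain,DC=ad,DC=example,DC=edu)))"
)


def url_from_log_line(line):
    """Pull the AuthLDAPURL out of an AH01691 'using URL ...' log line."""
    m = re.search(r"AH01691: auth_ldap authenticate: using URL (\S+)", line)
    if not m:
        raise ValueError("no AH01691 'using URL' entry in line")
    return m.group(1)


def parse_ldap_url(url):
    """Split an RFC 4516 style LDAP URL: scheme://host[:port]/base?attrs?scope?filter."""
    m = re.match(r"^(ldaps?)://([^/]*)/(.*)$", url)
    if not m:
        raise ValueError("not an ldap:// or ldaps:// URL")
    scheme, host, rest = m.groups()
    fields = rest.split("?", 3) + [""] * 4          # pad missing trailing fields
    base, attrs, scope, filt = (unquote(f) for f in fields[:4])
    return {"scheme": scheme, "host": host, "base": base,
            "attrs": attrs, "scope": scope or "base", "filter": filt}


def dc_context(dn):
    """DC= values of a DN, lowest first; in AD this identifies the domain naming context."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]   # split on unescaped commas only
    return tuple(r.split("=", 1)[1].strip().lower()
                 for r in rdns if r.lower().startswith("dc="))


def dns_in_filter(filt, attr="memberOf"):
    """All DNs compared against `attr` in a search filter (assumes DNs contain no parentheses)."""
    return re.findall(r"\(" + re.escape(attr) + r"=([^()]*)\)", filt, flags=re.IGNORECASE)


def referral_dependent_dns(url):
    """Return [(dn, reason)] for filter DNs that lie outside the search base's naming context."""
    u = parse_ldap_url(url)
    base_ctx = dc_context(u["base"])
    if not base_ctx:
        return []   # empty base (e.g. a Global Catalog root search) already spans the forest
    findings = []
    for dn in dns_in_filter(u["filter"]):
        ctx = dc_context(dn)
        if ctx == base_ctx:
            continue
        if ctx[-len(base_ctx):] == base_ctx:
            findings.append((dn, "child domain of the search base: a subtree search "
                                 "returns a referral here, not the entries"))
        else:
            findings.append((dn, "unrelated naming context: never reachable from this base"))
    return findings


if __name__ == "__main__":
    url = url_from_log_line(SAMPLE_LOG_LINE)
    parsed = parse_ldap_url(url)
    print("base :", parsed["base"], "| scope:", parsed["scope"])
    for dn, why in referral_dependent_dns(url):
        print("REFERRAL-DEPENDENT:", dn, "->", why)
```

Run against the logged URL it reports the two DC=domain group DNs and nothing for the parent-domain group. If the accounts that stopped working live in that child domain, the usual ways out are a search that does not depend on referrals (one AuthLDAPURL per domain, or the Global Catalog on port 3268/3269 with an empty or forest-root base) or the new "LDAPReferrals default" setting Eric quoted; confirm with ldapsearch against the same base and scope before changing production config.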


