Assistance with file + ldap auth config moving from httpd 2.2 to 2.4

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

    I am trying to move a web application from httpd 2.2 to httpd 2.4 ,
and I need some assistance with a particular configuration

    The Authorization / Authentication schema in httpd 2.2 is as follows
(this goes inside a <Directory> tag ):

    AuthUserFile /etc/hobbit/hobbitpasswd
    AuthGroupFile /etc/hobbit/hobbitgroup
    AuthType Basic
    AuthName "Hobbit user"

    AuthBasicProvider file ldap
    AuthzLDAPAuthoritative off
    AuthLDAPURL
"ldap://REDACTED:3268/DC=arsyslan,DC=es?sAMAccountName?sub?(objectClass=*)"
NONE
    AuthLDAPBindDN "REDACTED@xxxxxxxxxxx"
    AuthLDAPBindPassword "REDACTED"
    AuthzLDAPAuthoritative off
    AuthLDAPGroupAttributeIsDN on
    Require ldap-filter
memberOf:1.2.840.113556.1.4.1941:=cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es
    Require group XymonUsers

The intended logic is: "Search for the user / group in
/etc/hobbit/hobbitpasswd  / /etc/hobbit/hobbitgroup , then look in
active directory. If the user belongs to the htaccess group "XymonUsers"
o the Active directory group "XymonAccess", grant access. Reject
otherwise." This is working correctly in httpd 2.2 AFAIK.


I have tried doing something equivalent for httpd 2.4. This is my best
attempt so far:


<AuthnProviderAlias ldap arsyslan>
  AuthLDAPURL "ldap://REDACTED:3268
REDACTED:3268/DC=arsyslan,DC=es?sAMAccountName?sub?(objectClass=*)" NONE
  AuthLDAPBindDN "REDACTED@xxxxxxxxxxx"
  AuthLDAPBindPassword "REDACTED"
  #Require ldap-filter
memberOf:1.2.840.113556.1.4.1941:=cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es
  AuthLDAPGroupAttributeIsDN on
  AuthLDAPGroupAttribute member
  AuthLDAPMaxSubGroupDepth 3
</AuthnProviderAlias>

<AuthnProviderAlias file localfile>
  AuthUserFile /etc/xymon/xymonusers.htpasswd
  AuthGroupFile /etc/xymon/xymongroups.htpasswd
  AuthBasicAuthoritative off
</AuthnProviderAlias>


<AuthzProviderAlias ldap-group arsyslan-XymonAccess
cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es>
  AuthLDAPURL "ldap://REDACTED:3268 REDACTED:3268/DC=arsyslan,DC=es" NONE
  AuthLDAPBindDN "REDACTED@xxxxxxxxxxx"
  AuthLDAPBindPassword "REDACTED"
  Require ldap-group
cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es
</AuthzProviderAlias>

<AuthzProviderAlias group localfile-XymonUsers XymonUsers>
  AuthUserFile /etc/xymon/xymonusers.htpasswd
  AuthGroupFile /etc/xymon/xymongroups.htpasswd
  Require group XymonUsers
</AuthzProviderAlias>


And then inside the <Directory> tag:

      AuthType Basic
      AuthName "Xymon user"

      AuthBasicProvider localfile arsyslan
      AuthBasicAuthoritative off
      <RequireAny>
        Require localfile-XymonUsers
        Require arsyslan-XymonAccess
      </RequireAny>

If I try to login with a user who exists in the
/etc/xymon/xymonusers.htpasswd file, everything is fine.

If I try to login with an AD user (not in ), I get:

==> /var/log/httpd/xymon_ssl_error_log <==
[Fri Oct 13 15:59:30.926045 2017] [authz_groupfile:error] [pid 11980:tid
139834546947840] [client 10.23.53.39:39176] AH01666: Authorization of
user REDACTED to access /xymon/gifs/green.gif failed, reason: user
doesn't appear in group file (/etc/xymon/xymongroups.htpasswd).
[Fri Oct 13 15:59:30.929906 2017] [authz_core:error] [pid 11980:tid
139834546947840] [client 10.23.53.39:39176] AH01631: user REDACTED:
authorization failure for "/xymon/gifs/green.gif":


And If I try to login with a user who does not exist neither in the file
nor in AD, I get:

==> /var/log/httpd/xymon_ssl_error_log <==
[Fri Oct 13 16:01:38.588067 2017] [authn_core:error] [pid 11904:tid
139834538555136] [client 10.23.53.39:39184] AH01796: AuthType Basic
configured without corresponding module

Can somebody provide assistance? Help will be much appreciated, I have
been trying for a while now and I am stuck.

-- 
Eduardo Mayoral Jimeno (emayoral@xxxxxxxx)
Administrador de sistemas. Departamento de Plataformas. Arsys internet.
+34 941 620 145 ext. 5153


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux