Hi, I am trying to move a web application from httpd 2.2 to httpd 2.4 , and I need some assistance with a particular configuration The Authorization / Authentication schema in httpd 2.2 is as follows (this goes inside a <Directory> tag ): AuthUserFile /etc/hobbit/hobbitpasswd AuthGroupFile /etc/hobbit/hobbitgroup AuthType Basic AuthName "Hobbit user" AuthBasicProvider file ldap AuthzLDAPAuthoritative off AuthLDAPURL "ldap://REDACTED:3268/DC=arsyslan,DC=es?sAMAccountName?sub?(objectClass=*)" NONE AuthLDAPBindDN "REDACTED@xxxxxxxxxxx" AuthLDAPBindPassword "REDACTED" AuthzLDAPAuthoritative off AuthLDAPGroupAttributeIsDN on Require ldap-filter memberOf:1.2.840.113556.1.4.1941:=cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es Require group XymonUsers The intended logic is: "Search for the user / group in /etc/hobbit/hobbitpasswd / /etc/hobbit/hobbitgroup , then look in active directory. If the user belongs to the htaccess group "XymonUsers" o the Active directory group "XymonAccess", grant access. Reject otherwise." This is working correctly in httpd 2.2 AFAIK. I have tried doing something equivalent for httpd 2.4. This is my best attempt so far: <AuthnProviderAlias ldap arsyslan> AuthLDAPURL "ldap://REDACTED:3268 REDACTED:3268/DC=arsyslan,DC=es?sAMAccountName?sub?(objectClass=*)" NONE AuthLDAPBindDN "REDACTED@xxxxxxxxxxx" AuthLDAPBindPassword "REDACTED" #Require ldap-filter memberOf:1.2.840.113556.1.4.1941:=cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es AuthLDAPGroupAttributeIsDN on AuthLDAPGroupAttribute member AuthLDAPMaxSubGroupDepth 3 </AuthnProviderAlias> <AuthnProviderAlias file localfile> AuthUserFile /etc/xymon/xymonusers.htpasswd AuthGroupFile /etc/xymon/xymongroups.htpasswd AuthBasicAuthoritative off </AuthnProviderAlias> <AuthzProviderAlias ldap-group arsyslan-XymonAccess cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es> AuthLDAPURL "ldap://REDACTED:3268 REDACTED:3268/DC=arsyslan,DC=es" NONE AuthLDAPBindDN "REDACTED@xxxxxxxxxxx" AuthLDAPBindPassword "REDACTED" Require ldap-group cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es </AuthzProviderAlias> <AuthzProviderAlias group localfile-XymonUsers XymonUsers> AuthUserFile /etc/xymon/xymonusers.htpasswd AuthGroupFile /etc/xymon/xymongroups.htpasswd Require group XymonUsers </AuthzProviderAlias> And then inside the <Directory> tag: AuthType Basic AuthName "Xymon user" AuthBasicProvider localfile arsyslan AuthBasicAuthoritative off <RequireAny> Require localfile-XymonUsers Require arsyslan-XymonAccess </RequireAny> If I try to login with a user who exists in the /etc/xymon/xymonusers.htpasswd file, everything is fine. If I try to login with an AD user (not in ), I get: ==> /var/log/httpd/xymon_ssl_error_log <== [Fri Oct 13 15:59:30.926045 2017] [authz_groupfile:error] [pid 11980:tid 139834546947840] [client 10.23.53.39:39176] AH01666: Authorization of user REDACTED to access /xymon/gifs/green.gif failed, reason: user doesn't appear in group file (/etc/xymon/xymongroups.htpasswd). [Fri Oct 13 15:59:30.929906 2017] [authz_core:error] [pid 11980:tid 139834546947840] [client 10.23.53.39:39176] AH01631: user REDACTED: authorization failure for "/xymon/gifs/green.gif": And If I try to login with a user who does not exist neither in the file nor in AD, I get: ==> /var/log/httpd/xymon_ssl_error_log <== [Fri Oct 13 16:01:38.588067 2017] [authn_core:error] [pid 11904:tid 139834538555136] [client 10.23.53.39:39184] AH01796: AuthType Basic configured without corresponding module Can somebody provide assistance? Help will be much appreciated, I have been trying for a while now and I am stuck. -- Eduardo Mayoral Jimeno (emayoral@xxxxxxxx) Administrador de sistemas. Departamento de Plataformas. Arsys internet. +34 941 620 145 ext. 5153 --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|