Re: LDAP not working

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On Fri, Apr 6, 2018 at 12:54 PM, Igor Cicimov <icicimov@xxxxxxxxx> wrote:
Hi all,

I have no idea what's going on and why my setup that's been working for years suddenly stopped working so have to ask here after had done extensive debugging.

Maybe something has changed in the ldap and/or authentication/authorization modules but the effect is same on apache 2.2.22 and 2.4.18 -> I'm not getting the basic authentication pop-up any more and the site access is unprotected.

I have the following config enabled:

<IfModule mod_ldap.c>
<AuthnProviderAlias ldap ldap1>
        AuthBasicAuthoritative off
        AuthBasicProvider ldap
        AuthLDAPURL ldap://ldap1.domain.com:389/ou=Users,dc=domain,dc=com?uid STARTTLS
        AuthLDAPBindDN cn=user,ou=Users,dc=domain,dc=com
        AuthLDAPBindPassword password
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN on
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap2>
        AuthBasicAuthoritative off
        AuthBasicProvider ldap
        AuthLDAPURL ldap://ldap2.domain.com:389/ou=Users,dc=domain,dc=com?uid STARTTLS
        AuthLDAPBindDN cn=user,ou=Users,dc=domain,dc=com
        AuthLDAPBindPassword password
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN on
</AuthnProviderAlias>
</IfModule>

and referenced in the default virtual host as:

    <IfModule mod_ldap.c>
        AuthBasicProvider ldap1 ldap2
        AuthType Basic
        AuthName "Secure access"
        Require ldap-group "cn=mygroup,ou=Groups,dc=domain,dc=com"
        Require valid-user
        Satisfy all
    </IfModule>

Even with debugging enabled all I can see in the logs is:

[Fri Apr 06 02:26:21.260285 2018] [authz_core:debug] [pid 10784:tid 140553274521344] mod_authz_core.c(809): [client 210.10.195.106:37535] AH01626: authorization result of Require all granted: granted
[Fri Apr 06 02:26:21.260367 2018] [authz_core:debug] [pid 10784:tid 140553274521344] mod_authz_core.c(809): [client 210.10.195.106:37535] AH01626: authorization result of <RequireAny>: granted

It's like the whole LDAP thing is just being ignored. I can also confirm in the LDAP server side logs the Apache server never even tries making a connection.

What can be the problem? Any ideas?

Thanks
 
Replying to myself, solved for 2.4 by removing the <IfModule> condition which does not work and changing "Require all" from allowed to denied:

        Require all denied
        AuthBasicProvider ldap1 ldap2
        AuthType Basic
        AuthName "Secure access"
        Require ldap-group "cn=mygroup,ou=Groups,dc=domain,dc=com"
        Require valid-user
        Satisfy all

[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux