Apache 2 and Ldap Auth
-
@jrc said in Apache 2 and Ldap Auth:
@thwr said in Apache 2 and Ldap Auth:
Just two things coming to mind:
- Two-hop issue
- Are you possibly affected by terminated TCP connections? E.g. connection pinning / keepalive
I am pretty sure that it's not a TCP connection issue. But I am not sure what you mean by two-hop issue.
The problem with the connection is not about the connection itself, but how NTLM - for example - works. NTLM authenticates a single connection, which is basically the opposite of how HTTP works. I'm mentioning NTLM here because I don't know which mechanism is in use when you auth against your AD from the Apache module.
About the double-hop-issue (sorry, two-hop was the wrong term): https://blogs.msdn.microsoft.com/besidethepoint/2010/05/08/double-hop-authentication-why-ntlm-fails-and-kerberos-works/
But again, I'm just guessing here.
-
Ahh, I think I follow. That does not sound right though. The log seems to indicate that it makes the connection fine, and the only error in there is one that clearly means credentials are the problem (the `res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580>, res_matched: <>` line; 52e = invalid credentials). But here's the thing: I have no idea if this is the credentials for the binding account or the end user account. But regardless, I am definitely using the right username and passwords there.
-
Try adding this on a line between AuthBasicProvider and AuthLDAPBindDN
AuthzLDAPAuthoritative off
-
@momurda said in Apache 2 and Ldap Auth:
Try adding this on a line between AuthBasicProvider and AuthLDAPBindDN
AuthzLDAPAuthoritative off
As I understand it that command has been deprecated in the latest version of Apache. When I add it the config test fails with:
Invalid command 'AuthzLDAPAuthoritative', perhaps misspelled or defined by a module not included in the server configuration
I had this in there originally, but removed it because of this and the fact that the documentation says it's been removed since 2.4.
-
Ah yes I see that now in the docs.
I noticed you've not included an OU in your url, is this user inside an OU, you might want to specify it.
I see what thwr mentioned too about the user name. If adding the OU doesn't/won't work, then you can try changing the user munki@tld to ad_test and its password to test, as long as ad_test exists in your AD.
-
You could also try domain\user rather than user@domain
-
@momurda said in Apache 2 and Ldap Auth:
Ah yes I see that now in the docs.
I noticed you've not included an OU in your url, is this user inside an OU, you might want to specify it.
I see what thwr mentioned too about the user name. If adding the OU doesn't/won't work, then you can try changing the user munki@tld to ad_test and its password to test, as long as ad_test exists in your AD.
I originally had the user specced in the cn=munki,cn=admin,dc=domain,dc=tld format, and changed to this format from some web research. Neither worked. The munki account exists and works; it is used for AD lookups elsewhere and functions just fine.
-
I took the quote out and now it works....
```apacheconf
<Directory "/var/www/html/ad_test">
    AllowOverride all
    order allow,deny
    allow from all
    AuthType Basic
    AuthName "Please enter your AD credentials"
    AuthBasicProvider ldap
    #AuthzLDAPAuthoritative off
    # Account used to bind to AD
    AuthLDAPBindDN [email protected]
    # Account password   <---- no quotes
    AuthLDAPBindPassword xxxxxxxx
    # Server address for the bind   <---- no quotes
    AuthLDAPURL ldap://dc.domain.tld:3268/dc=domain,dc=tld?sAMAccountName?sub?(objectClass=*)
    Require valid-user
</Directory>
```
-
@jrc said in Apache 2 and Ldap Auth:
I took the quote out and now it works....
```apacheconf
<Directory "/var/www/html/ad_test">
    AllowOverride all
    order allow,deny
    allow from all
    AuthType Basic
    AuthName "Please enter your AD credentials"
    AuthBasicProvider ldap
    #AuthzLDAPAuthoritative off
    # Account used to bind to AD
    AuthLDAPBindDN [email protected]
    # Account password   <---- no quotes
    AuthLDAPBindPassword xxxxxxxx
    # Server address for the bind   <---- no quotes
    AuthLDAPURL ldap://dc.domain.tld:3268/dc=domain,dc=tld?sAMAccountName?sub?(objectClass=*)
    Require valid-user
</Directory>
```
Awesome, glad you found a solution. Please be aware that Basic auth is plaintext, just base64-encoded. Better to use at least SSL to protect at the transport layer.
https://en.wikipedia.org/wiki/Basic_access_authentication#Client_side
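As an added example (not code posted in this thread and not taken from the Apache project's docs), here is the working snippet above carried into Apache 2.4 syntax with the transport protections thwr's reply calls for: HTTPS forced on the client side, LDAPS to the Global Catalog (port 3269 instead of plaintext 3268) on the DC side, the bind password read from a root-only file instead of written into the config, and access limited to one AD group rather than every valid account. Every hostname, path, the service-account name, the password script and the group DN are placeholders I have assumed; substitute your own. It assumes mod_ssl, mod_ldap and mod_authnz_ldap are loaded and Apache 2.4.5 or later (needed for the `exec:` password form).

```apacheconf
# Added example, not the thread's own config. All names below are assumed placeholders.

# Client side: never let Basic credentials travel over plain HTTP.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

# mod_ldap (global): trust the CA that issued the domain controller's certificate
# and refuse to talk to a DC whose certificate does not verify.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ad-root-ca.pem
LDAPVerifyServerCert On

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    <Directory "/var/www/html/ad_test">
        AuthType Basic
        AuthName "Please enter your AD credentials"
        AuthBasicProvider ldap

        # DC side: Global Catalog over TLS (3269) instead of plaintext 3268, so the
        # service-account bind and every user's password bind are encrypted.
        # (objectClass=user) keeps computer and group objects out of the user search.
        AuthLDAPURL ldaps://dc.example.com:3269/dc=example,dc=com?sAMAccountName?sub?(objectClass=user)

        # Read-only, least-privilege service account used only for the lookup bind.
        AuthLDAPBindDN svc-apache-ldap@example.com
        # Apache 2.4.5+: the password is whatever this root-only script prints,
        # so it never sits in a config file that other admins or backups can read.
        AuthLDAPBindPassword exec:/usr/local/sbin/ldap-bind-pass
        # If the lookup bind itself fails, fail closed instead of trying other providers.
        AuthLDAPBindAuthoritative on

        # Authorise only members of one AD group; "Require valid-user" would admit
        # every enabled account in the forest. No "Require all granted" alongside it:
        # in 2.4 multiple Require lines are OR'ed by default, so that would open the directory.
        AuthLDAPGroupAttribute member
        AuthLDAPGroupAttributeIsDN on
        Require ldap-group CN=web-ad-test,OU=Groups,DC=example,DC=com
    </Directory>
</VirtualHost>
```

The 2.2-style `order allow,deny` / `allow from all` lines are dropped on purpose: in 2.4 they need mod_access_compat and add nothing once a `Require` line governs the directory. Values are left unquoted, matching what the thread found works; Apache also accepts double-quoted arguments, so if a password or URL contains spaces or `#`, quote only that value.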
-
@thwr said in Apache 2 and Ldap Auth:
Awesome, glad you found a solution. Please be aware that Basic auth is plaintext, just base64-encoded. Better to use at least SSL to protect at the transport layer.
https://en.wikipedia.org/wiki/Basic_access_authentication#Client_side
Yes, I know. The first thing I did when I set up this server was to add a cert, set up SSL and create a rewrite rule to force all access over SSL (HTTPS). This auth stuff is also only in the default-ssl.config file.