Apache 2 and Ldap Auth



  • So after many hours today I have gotten Apache installed and configured and asking for passwords. But I am now pulling out my hair with this as it simply won't seem to authenticate with AD. I am 10000% sure that I am using the right username and password for both my test account (ad_test) and my binding account.

    Here is what I have in my site-enabled conf file:

        <Directory "/var/www/html/ad_test">
                AllowOverride all
                order allow,deny
                allow from all
    
                AuthType Basic
                AuthName "Please enter your AD credentials"
                AuthBasicProvider ldap
                AuthLDAPBindDN “[email protected]”
                        #Account used to bind to AD
                AuthLDAPBindPassword " "  <--- removed for this post.
                        #Account Password
                AuthLDAPURL "ldap://dc.domain.tld:3268/dc=domain,dc=tld?sAMAccountName?sub?(objectClass=*)"
                        #Server Address for the bind
                Require valid-user
    
        </Directory>
    

    And here is the error output in the apache error log:


    ldap_create
    ldap_simple_bind
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP dc.domain.tld:3268
    ldap_new_socket: 17
    ldap_prepare_socket: 17
    ldap_connect_to_host: Trying <correctserverIP>:3268
    ldap_pvt_connect: fd: 17 tm: 10 async: 0
    ldap_ndelay_on: 17
    ldap_int_poll: fd: 17 tm: 10
    ldap_is_sock_ready: 17
    ldap_ndelay_off: 17
    ldap_pvt_connect: 0
    ldap_open_defconn: successful
    ldap_send_server_request
    ldap_result ld 0x7f833c0016f0 msgid 1
    wait4msg ld 0x7f833c0016f0 msgid 1 (timeout 60000000 usec)
    wait4msg continue ld 0x7f833c0016f0 msgid 1 all 0
    ** ld 0x7f833c0016f0 Connections:

    • host: dc.domain.tld port: 3268 (default)
      refcnt: 2 status: Connected
      last used: Thu Sep 8 22:07:47 2016

    ** ld 0x7f833c0016f0 Outstanding Requests:

    • msgid 1, origid 1, status InProgress
      outstanding referrals 0, parent count 0
      ld 0x7f833c0016f0 request count 1 (abandoned 0)
      ** ld 0x7f833c0016f0 Response Queue:
      Empty
      ld 0x7f833c0016f0 response count 0
      ldap_chkResponseList ld 0x7f833c0016f0 msgid 1 all 0
      ldap_chkResponseList returns ld 0x7f833c0016f0 NULL
      ldap_int_select
      read1msg: ld 0x7f833c0016f0 msgid 1 all 0
      read1msg: ld 0x7f833c0016f0 msgid 1 message type bind
      read1msg: ld 0x7f833c0016f0 0 new referrals
      read1msg: mark request completed, ld 0x7f833c0016f0 msgid 1
      request done: ld 0x7f833c0016f0 msgid 1
      res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580>, res_matched: <>
      ldap_free_request (origid 1, msgid 1)
      ldap_parse_result
      ldap_msgfree
      ldap_free_connection 1 1
      ldap_send_unbind
      ldap_free_connection: actually freed
      [Thu Sep 08 22:07:47.926638 2016] [auth_basic:error] [pid 7370:tid 140202051028736] [client <IP>:58310] AH01617: user ad_test: authentication failure for "/ad_test/": Password Mismatch

    So what am I doing wrong here? It looks like the LDAP bind is working, but for some reason it is not correctly checking the password of the user.



  • I'm by no means an expert here, but fought a very similar fight yesterday: NTLM -> nginx -> Sharepoint with SSL termination in between. Still not solved and a few more gray strands of hair.

    Just two things coming to mind:

    • Two-hop issue
    • Are you possibly affected by terminated TCP connections? E.g. Connection pinning/ keepalive


  • said in Apache 2 and Ldap Auth:

    AH01617: user ad_test: authentication failure for "/ad_test/": Password Mismatch

    Just noticed your last two lines. Are you sure your binding user's credentials are correct?



  • @thwr said in Apache 2 and Ldap Auth:

    Just two things coming to mind:

    • Two-hop issue
    • Are you possibly affected by terminated TCP connections? E.g. Connection pinning/ keepalive

    I am pretty sure that it's not a TCP connection issue. But I am not sure what you mean by two-hop issue.



  • @jrc said in Apache 2 and Ldap Auth:

    @thwr said in Apache 2 and Ldap Auth:

    Just two things coming to mind:

    • Two-hop issue
    • Are you possibly affected by terminated TCP connections? E.g. Connection pinning/ keepalive

    I am pretty sure that it's not a TCP connection issue. But I am not sure what you mean by two-hop issue.

    The problem with the connection is not about the connection itself, but how NTLM - for example - works. NTLM authenticates a single connection, which is basically the opposite of how HTTP works. I'm mentioning NTLM here because I don't know which mechanism is in use when you auth against your AD from the Apache module.

    About the double-hop-issue (sorry, two-hop was the wrong term): https://blogs.msdn.microsoft.com/besidethepoint/2010/05/08/double-hop-authentication-why-ntlm-fails-and-kerberos-works/

    But again, I'm just guessing here.



  • @thwr

    Ahh, I think I follow. That does not sound right though. The log seems to indicate that it makes the connection fine, and the only error in there is one that clearly means credentials are the problem (the res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580>, res_matched: <> line, 52e = invalid credentials). But here's the thing, I have no idea if this is the credentials for the binding account or the end user account. But regardless I am definitely using the right username and passwords there.
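    As an added example (not code from the thread), a small Python helper that decodes the AD sub-code in the OpenLDAP debug line quoted above and tallies the AH01617 Basic-auth failures per user and client, which is what you would want when reviewing an Apache error log for this kind of problem. The sample log lines are constructed from the thread's output; the client IP 192.0.2.10 is a placeholder, and only 52e appears in the thread, the other sub-codes are AD's documented companions.

```python
import re
from collections import Counter

# Sub-codes Active Directory attaches to LDAP result 49 (invalidCredentials).
# Only 52e appears in the thread; the rest are AD's documented companions.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (password wrong for an existing account)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Constructed sample, modeled on the thread's debug output (client IP is a placeholder).
SAMPLE_LOG = """\
res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580>, res_matched: <>
[Thu Sep 08 22:07:47.926638 2016] [auth_basic:error] [pid 7370:tid 140202051028736] [client 192.0.2.10:58310] AH01617: user ad_test: authentication failure for "/ad_test/": Password Mismatch
[Thu Sep 08 22:07:49.100000 2016] [auth_basic:error] [pid 7370:tid 140202051028736] [client 192.0.2.10:58311] AH01617: user ad_test: authentication failure for "/ad_test/": Password Mismatch
res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 533, v2580>, res_matched: <>
"""

_AD_ERR = re.compile(r"res_errno:\s*(\d+).*?AcceptSecurityContext error, data ([0-9a-f]+)")
_AH01617 = re.compile(r'\[client ([^\]:]+):\d+\] AH01617: user (\S+): authentication failure for "([^"]*)": (.+)$')

def decode_ad_bind_error(line):
    """Map an OpenLDAP res_error line to (ldap_result, ad_data, meaning); None if it is not one."""
    m = _AD_ERR.search(line)
    if not m:
        return None
    data = m.group(2).lower()
    return int(m.group(1)), data, AD_BIND_DATA_CODES.get(data, "unknown AD sub-code")

def summarize(log_text):
    """Count AD sub-codes and per-(user, client) Basic-auth failures in a log excerpt."""
    subcodes, failures = Counter(), Counter()
    for line in log_text.splitlines():
        decoded = decode_ad_bind_error(line)
        if decoded:
            subcodes[decoded[1]] += 1
            continue
        m = _AH01617.search(line)
        if m:
            failures[(m.group(2), m.group(1))] += 1
    return {"subcodes": dict(subcodes), "failures": dict(failures)}
```

Note that the res_error line itself does not say which bind produced it; the tally only tells you that AD rejected a password, not whose.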



  • Try adding this on a line between AuthBasicProvider and AuthLDAPBindDN
    AuthzLDAPAuthoritative off



  • @momurda said in Apache 2 and Ldap Auth:

    Try adding this on a line between AuthBasicProvider and AuthLDAPBindDN
    AuthzLDAPAuthoritative off

    As I understand it that command has been deprecated in the latest version of Apache. When I add it the config test fails with:

    Invalid command 'AuthzLDAPAuthoritative', perhaps misspelled or defined by a module not included in the server configuration

    I had this in there originally, but removed it because of this and the fact that the documentation says it's been removed since 2.4.



  • Ah yes I see that now in the docs.
    I noticed you've not included an OU in your URL. Is this user inside an OU? You might want to specify it.
    I see what thwr mentioned too about the user name. If adding the OU doesn't/won't work, then you can try changing the user [email protected] to ad_test and its password to test as long as ad_test exists in your AD.



  • You also could try domain\user rather than [email protected]



  • @momurda said in Apache 2 and Ldap Auth:

    Ah yes I see that now in the docs.
    I noticed you've not included an OU in your URL. Is this user inside an OU? You might want to specify it.
    I see what thwr mentioned too about the user name. If adding the OU doesn't/won't work, then you can try changing the user [email protected] to ad_test and its password to test as long as ad_test exists in your AD.

    I originally had the user specified in the cn=munki,cn=admin,dc=domain,dc=tld format, and changed to this format from some web research. Neither worked. The munki account exists and works; it is used for AD lookups elsewhere and functions just fine.



  • I took the quote out and now it works....

        <Directory "/var/www/html/ad_test">
                AllowOverride all
                order allow,deny
                allow from all
    
                AuthType Basic
                AuthName "Please enter your AD credentials"
                AuthBasicProvider ldap
                #AuthzLDAPAuthoritative off
                AuthLDAPBindDN [email protected]
                        #Account used to bind to AD
                AuthLDAPBindPassword xxxxxxxx  <---- no quotes
                        #Account Password
                AuthLDAPURL ldap://dc.domain.tld:3268/dc=domain,dc=tld?sAMAccountName?sub?(objectClass=*) <---- no quotes
                        #Server Address for the bind
                Require valid-user
    
        </Directory>
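    The quotes in the first config are typographic (curly) quotes, which Apache's config parser does not treat as quoting, so they travel into the bind DN byte for byte and AD rejects the bind with 52e. As an added example (not code from the thread), a Python lint that mimics how Apache reads a directive's first argument, flags directives carrying curly quotes, and rewrites them to ASCII quotes. The sample config is constructed from the thread's broken version; the bind account name and password are placeholders.

```python
import re

# Typographic quotes that Apache's config parser does not treat as quoting:
# they become part of the directive's argument byte for byte.
SMART_QUOTES = {
    "\u201c": '"', "\u201d": '"',  # curly double quotes
    "\u2018": "'", "\u2019": "'",  # curly single quotes
}

# Constructed sample, modeled on the thread's first (broken) config; account and password are placeholders.
BROKEN_CONFIG = """\
AuthType Basic
AuthBasicProvider ldap
AuthLDAPBindDN \u201cbind-account@domain.tld\u201d
AuthLDAPBindPassword "REDACTED"
AuthLDAPURL "ldap://dc.domain.tld:3268/dc=domain,dc=tld?sAMAccountName?sub?(objectClass=*)"
Require valid-user
"""

_DIRECTIVE = re.compile(r"^\s*(?P<name>[A-Za-z]+)\s+(?P<args>.*)$")

def first_argument(args):
    """Simplified model of Apache's argument reader: only ASCII quotes delimit a value."""
    args = args.lstrip()
    if args[:1] in ('"', "'"):
        end = args.find(args[0], 1)
        return args[1:end] if end > 0 else args[1:]
    return args.split(None, 1)[0] if args else ""

def find_smart_quotes(config_text):
    """Return [(line_no, directive, offending_chars)] for lines whose arguments carry curly quotes."""
    hits = []
    for no, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        bad = sorted({ch for ch in m.group("args") if ch in SMART_QUOTES})
        if bad:
            hits.append((no, m.group("name"), bad))
    return hits

def fix_smart_quotes(config_text):
    """Replace typographic quotes with the ASCII quotes Apache actually parses."""
    return "".join(SMART_QUOTES.get(ch, ch) for ch in config_text)
```

first_argument on the broken AuthLDAPBindDN line returns the DN with the curly quotes still attached, which is exactly what was sent to the domain controller.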


  • @jrc said in Apache 2 and Ldap Auth:

    I took the quote out and now it works....

        <Directory "/var/www/html/ad_test">
                AllowOverride all
                order allow,deny
                allow from all
    
                AuthType Basic
                AuthName "Please enter your AD credentials"
                AuthBasicProvider ldap
                #AuthzLDAPAuthoritative off
                AuthLDAPBindDN [email protected]
                        #Account used to bind to AD
                AuthLDAPBindPassword xxxxxxxx  <---- no quotes
                        #Account Password
                AuthLDAPURL ldap://dc.domain.tld:3268/dc=domain,dc=tld?sAMAccountName?sub?(objectClass=*) <---- no quotes
                        #Server Address for the bind
                Require valid-user
    
        </Directory>
    

    Awesome, glad you found a solution. Please be aware that auth basic is plaintext, just base64-encoded. Better use at least SSL to protect at the transport layer.

    https://en.wikipedia.org/wiki/Basic_access_authentication#Client_side



  • @thwr said in Apache 2 and Ldap Auth:

    Awesome, glad you found a solution. Please be aware that auth basic is plaintext, just base64-encoded. Better use at least SSL to protect at the transport layer.

    https://en.wikipedia.org/wiki/Basic_access_authentication#Client_side

    Yes, I know. First thing I did when I set up this server was to add a cert, set up the SSL and create a rewrite rule to force all access over SSL (HTTPS). This auth stuff is also only in the default-ssl.config file.

