Topic: Issues with Apache 2.4.x and mod_ldap & mod_authnz_ldap
glenc2004@comcast.net



Joined: 28 May 2013
Posts: 2
Location: California

Posted: Wed 29 May '13 0:05    Post subject: Issues with Apache 2.4.x and mod_ldap & mod_authnz_ldap

I'm having some issues trying to authenticate against my corporate AD server. I am using the most recent version of Apache 2 with the modules mod_ldap.so & mod_authnz_ldap.so. I am running CentOS 6.4 as my OS. I have successfully been able to use LDAPSEARCH on the same system without issue, so I know my creds are correct. But when it involves the Apache modules it fails with the following in my logs:

Code:
[Mon May 27 14:51:53 2013] [debug] mod_authnz_ldap.c(432): [client xx.xx.xx.251] [14602] auth_ldap authenticate: using URL ldaps://xxxxxx.corp.xxx.com/OU=CA Xxxxxxxxxx,OU=US Users,dc=corp,dc=xxx,dc=com?sAMAccountName
[Mon May 27 14:51:53 2013] [debug] mod_authnz_ldap.c(432): [client xx.xx.xx.251] [14602] auth_ldap authenticate: using URL ldaps://xxxxxx.corp.xxx.com/OU=CA Xxxxxxxxxx,OU=US Users,dc=corp,dc=xxx,dc=com?sAMAccountName
[Mon May 27 14:51:53 2013] [debug] mod_authnz_ldap.c(432): [client xx.xx.xx.251] [14602] auth_ldap authenticate: using URL ldaps://xxxxxx.corp.xxx.com/OU=CA Xxxxxxxxxx,OU=US Users,dc=corp,dc=xxx,dc=com?sAMAccountName
[Mon May 27 14:51:53 2013] [debug] mod_authnz_ldap.c(432): [client xx.xx.xx.251] [14602] auth_ldap authenticate: using URL ldaps://xxxxxx.corp.xxx.com/OU=CA Xxxxxxxxxx,OU=US Users,dc=corp,dc=xxx,dc=com?sAMAccountName
[Mon May 27 14:51:53 2013] [debug] mod_authnz_ldap.c(432): [client xx.xx.xx.251] [14602] auth_ldap authenticate: using URL ldaps://xxxxxx.corp.xxx.com/OU=CA Xxxxxxxxxx,OU=US Users,dc=corp,dc=xxx,dc=com?sAMAccountName
[Mon May 27 14:51:54 2013] [debug] mod_authnz_ldap.c(432): [client xx.xx.xx.251] [14602] auth_ldap authenticate: using URL ldaps://xxxxxx.corp.xxx.com/OU=CA Xxxxxxxxxx,OU=US Users,dc=corp,dc=xxx,dc=com?sAMAccountName
[Mon May 27 14:51:54 2013] [debug] mod_authnz_ldap.c(432): [client xx.xx.xx.251] [14602] auth_ldap authenticate: using URL ldaps://xxxxxx.corp.xxx.com/OU=CA Xxxxxxxxxx,OU=US Users,dc=corp,dc=xxx,dc=com?sAMAccountName
[Mon May 27 14:51:54 2013] [info] [client xx.xx.xx.251] [14602] auth_ldap authenticate: user xxxxxx authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]


I don't know what or why it's showing multiple lines connecting and then the failure of cannot connect. If someone could explain why this is being seen that would be great so I understand what's happening. I know I keep reading this is a client cert issue but as you'll see below I do have client certs configured below.

Here is my ldap.conf file:

Code:
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

BASE    dc=corp,dc=xxx,dc=com
URI     ldaps://xxx.corp.xxx.com

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

#TLS_REQCERT never
TLS_CACERTDIR   /etc/httpd/certs
TLS_CACERT      /etc/httpd/certs/cert.pem


Here is a snip of my httpd.conf:

Code:
LDAPTrustedGlobalCert CERT_BASE64 /etc/httpd/certs/xxx.pem
LDAPTrustedGlobalCert CERT_BASE64 /etc/httpd/certs/xxxx.pem
LDAPTrustedGlobalCert CERT_BASE64 /etc/httpd/certs/xxxx.pem
LDAPTrustedGlobalCert CERT_BASE64 /etc/httpd/certs/xxxxx.pem
#LDAPVerifyServerCert off
LDAPTrustedMode ssl
LDAPSharedCacheSize 200000
LDAPCacheEntries 2024
LDAPCacheTTL 3600
LDAPOpCacheEntries 2024
LDAPOpCacheTTL 600
LDAPConnectionTimeout 60

AuthType Basic
AuthName "Login with userid"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldaps://xxxxxx.corp.xxx.com/OU=CA Xxxxxxxxx,OU=XX Xxxxx,dc=corp,dc=xxx,dc=com?sAMAccountName"
AuthLDAPBindDN "CN=binduser,OU=Xxxx Xxxxx,OU=Service Accounts,OU=XX Xxxxxxxxx,DC=corp,DC=xxx,DC=com"
AuthLDAPBindPassword Password
require valid-user


I have multiple global certs because I'm not sure which one is which. I did pull the cert from the AD server and that's the first in the list but still no go. I have no access whatsoever to the AD server, so making any changes or getting anyone to help would be way too much to do.

Modules loaded in apache:

Code:
[root@xxxxxxxxxx ~]# httpd -M
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_file_module (shared)
 authn_alias_module (shared)
 authn_anon_module (shared)
 authn_dbm_module (shared)
 authn_default_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 authz_owner_module (shared)
 authz_groupfile_module (shared)
 authz_dbm_module (shared)
 authz_default_module (shared)
 ldap_module (shared)
 authnz_ldap_module (shared)
 include_module (shared)
 log_config_module (shared)
 logio_module (shared)
 env_module (shared)
 ext_filter_module (shared)
 mime_magic_module (shared)
 expires_module (shared)
 deflate_module (shared)
 headers_module (shared)
 usertrack_module (shared)
 setenvif_module (shared)
 mime_module (shared)
 dav_module (shared)
 status_module (shared)
 autoindex_module (shared)
 info_module (shared)
 dav_fs_module (shared)
 vhost_alias_module (shared)
 negotiation_module (shared)
 dir_module (shared)
 actions_module (shared)
 speling_module (shared)
 userdir_module (shared)
 alias_module (shared)
 substitute_module (shared)
 rewrite_module (shared)
 proxy_module (shared)
 proxy_balancer_module (shared)
 proxy_ftp_module (shared)
 proxy_http_module (shared)
 proxy_ajp_module (shared)
 proxy_connect_module (shared)
 cache_module (shared)
 suexec_module (shared)
 disk_cache_module (shared)
 cgi_module (shared)
 version_module (shared)
 mysql_auth_module (shared)
 authz_ldap_module (shared)
 dnssd_module (shared)
 perl_module (shared)
 php5_module (shared)
 ssl_module (shared)
Syntax OK


As I said above, ldapsearch works just fine. But within apache it gets the no connect error after many tries. Which I assume might be the search of the LDAP server for the SAMACCOUNTNAME?

I'm lost and making things more confusing the deeper I get into this. Any way to get more log info? I have debug in both httpd.conf and ssl.conf.

What am I missing????

Thanks for any help!
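
In mod_ldap, `LDAPTrustedGlobalCert` takes a type argument: `CA_*` entries are the CAs used to verify the LDAP server, while `CERT_*` and `KEY_*` entries are a client certificate and its key. The following is an added example, not part of the original post: a shell lint over a constructed config fragment modelled on the httpd.conf above (paths and host names are placeholders) that reports which of these are present and whether server verification has been switched off.

```shell
#!/bin/sh
# Added example (not from the thread): lint mod_ldap trust directives.

# Constructed sample modelled on the posted httpd.conf; paths/hosts are placeholders.
sample_conf() {
cat <<'EOF'
LDAPTrustedGlobalCert CERT_BASE64 /etc/httpd/certs/a.pem
LDAPTrustedGlobalCert CERT_BASE64 /etc/httpd/certs/b.pem
#LDAPVerifyServerCert off
LDAPTrustedMode ssl
AuthLDAPURL "ldaps://ldap.example.test/OU=Users,dc=example,dc=test?sAMAccountName"
EOF
}

# lint_ldap_trust FILE: print one finding per line; no output means no finding.
lint_ldap_trust() {
    awk '
    /^[ \t]*#/ { next }                     # commented-out directives do not count
    { d = tolower($1); v = tolower($2) }    # directive names are case-insensitive
    d == "ldaptrustedglobalcert" {
        if (v ~ /^ca_/)                            ca++    # CA used to verify the server
        if (v == "cert_base64" || v == "cert_der") cert++  # client certificate
        if (v ~ /^key_/)                           key++   # client private key
    }
    d == "ldapverifyservercert" && v == "off"  { verify_off = 1 }
    d == "ldaptrustedmode" && v != "none"      { tls = 1 }
    d == "authldapurl" && v ~ /^"?ldaps:/      { tls = 1 }
    END {
        if (verify_off)
            print "VERIFY_OFF: LDAPVerifyServerCert off, server certificate is not checked"
        if (tls && !ca)
            print "NO_CA: TLS requested but no CA_* LDAPTrustedGlobalCert entry in this file"
        if (cert && !key)
            print "CERT_NO_KEY: " cert " CERT_BASE64/CERT_DER entries but no KEY_* entry"
    }' "$1"
}

# Stand-alone run over the constructed sample.
tmp=$(mktemp) && sample_conf > "$tmp" && lint_ldap_trust "$tmp"; rm -f "$tmp"
```

`NO_CA` only describes this file; the LDAP client library may take its CA list from elsewhere, such as the ldap.conf shown above.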
covener



Joined: 23 Nov 2008
Posts: 59

Posted: Wed 29 May '13 17:37

2.4 has

http://httpd.apache.org/docs/2.4/mod/mod_ldap.html#ldaplibrarydebug

which can sometimes get some log messages directly from the LDAP client into the main error log.
glenc2004@comcast.net



Joined: 28 May 2013
Posts: 2
Location: California

Posted: Wed 29 May '13 18:38    Post subject: Thanks

Hi, Thanks for the post. Unfortunately I'm not using the module which has been compiled with the LDAP SDK which enables the debugging routines. I'm using the module directly from the repo.

Any other way to do this? I hate having to dive too deep into this. But I may end up having to at this point.