Topic: Issues with Apache 2.4.x and mod_ldap & mod_authnz_ldap
glenc2004@comcast.net
Joined: 28 May 2013 Posts: 2 Location: California
Posted: Wed 29 May '13 0:05 Post subject: Issues with Apache 2.4.x and mod_ldap & mod_authnz_ldap
I'm having some issues trying to authenticate against my corporate AD server. I am using the most recent version of Apache 2 with the modules mod_ldap.so & mod_authnz_ldap.so. I am running CentOS 6.4 as my OS. I have successfully been able to use ldapsearch on the same system without issue, so I know my creds are correct. But when it involves the Apache modules, it fails with the following in my logs:
Code:
[Mon May 27 14:51:53 2013] [debug] mod_authnz_ldap.c(432): [client xx.xx.xx.251] [14602] auth_ldap authenticate: using URL ldaps://xxxxxx.corp.xxx.com/OU=CA Xxxxxxxxxx,OU=US Users,dc=corp,dc=xxx,dc=com?sAMAccountName
[Mon May 27 14:51:53 2013] [debug] mod_authnz_ldap.c(432): [client xx.xx.xx.251] [14602] auth_ldap authenticate: using URL ldaps://xxxxxx.corp.xxx.com/OU=CA Xxxxxxxxxx,OU=US Users,dc=corp,dc=xxx,dc=com?sAMAccountName
[Mon May 27 14:51:53 2013] [debug] mod_authnz_ldap.c(432): [client xx.xx.xx.251] [14602] auth_ldap authenticate: using URL ldaps://xxxxxx.corp.xxx.com/OU=CA Xxxxxxxxxx,OU=US Users,dc=corp,dc=xxx,dc=com?sAMAccountName
[Mon May 27 14:51:53 2013] [debug] mod_authnz_ldap.c(432): [client xx.xx.xx.251] [14602] auth_ldap authenticate: using URL ldaps://xxxxxx.corp.xxx.com/OU=CA Xxxxxxxxxx,OU=US Users,dc=corp,dc=xxx,dc=com?sAMAccountName
[Mon May 27 14:51:53 2013] [debug] mod_authnz_ldap.c(432): [client xx.xx.xx.251] [14602] auth_ldap authenticate: using URL ldaps://xxxxxx.corp.xxx.com/OU=CA Xxxxxxxxxx,OU=US Users,dc=corp,dc=xxx,dc=com?sAMAccountName
[Mon May 27 14:51:54 2013] [debug] mod_authnz_ldap.c(432): [client xx.xx.xx.251] [14602] auth_ldap authenticate: using URL ldaps://xxxxxx.corp.xxx.com/OU=CA Xxxxxxxxxx,OU=US Users,dc=corp,dc=xxx,dc=com?sAMAccountName
[Mon May 27 14:51:54 2013] [debug] mod_authnz_ldap.c(432): [client xx.xx.xx.251] [14602] auth_ldap authenticate: using URL ldaps://xxxxxx.corp.xxx.com/OU=CA Xxxxxxxxxx,OU=US Users,dc=corp,dc=xxx,dc=com?sAMAccountName
[Mon May 27 14:51:54 2013] [info] [client xx.xx.xx.251] [14602] auth_ldap authenticate: user xxxxxx authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
I don't know why it's showing multiple lines connecting and then the "cannot connect" failure. If someone could explain why this is being seen, that would be great so I understand what's happening. I know I keep reading this is a client cert issue, but as you'll see below I do have client certs configured.
Here is my ldap.conf file:
Code:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
BASE dc=corp,dc=xxx,dc=com
URI ldaps://xxx.corp.xxx.com
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#TLS_REQCERT never
TLS_CACERTDIR /etc/httpd/certs
TLS_CACERT /etc/httpd/certs/cert.pem
Here is a snip of my httpd.conf:
Code:
LDAPTrustedGlobalCert CERT_BASE64 /etc/httpd/certs/xxx.pem
LDAPTrustedGlobalCert CERT_BASE64 /etc/httpd/certs/xxxx.pem
LDAPTrustedGlobalCert CERT_BASE64 /etc/httpd/certs/xxxx.pem
LDAPTrustedGlobalCert CERT_BASE64 /etc/httpd/certs/xxxxx.pem
#LDAPVerifyServerCert off
LDAPTrustedMode ssl
LDAPSharedCacheSize 200000
LDAPCacheEntries 2024
LDAPCacheTTL 3600
LDAPOpCacheEntries 2024
LDAPOpCacheTTL 600
LDAPConnectionTimeout 60
AuthType Basic
AuthName "Login with userid"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldaps://xxxxxx.corp.xxx.com/OU=CA Xxxxxxxxx,OU=XX Xxxxx,dc=corp,dc=xxx,dc=com?sAMAccountName"
AuthLDAPBindDN "CN=binduser,OU=Xxxx Xxxxx,OU=Service Accounts,OU=XX Xxxxxxxxx,DC=corp,DC=xxx,DC=com"
AuthLDAPBindPassword Password
require valid-user
I have multiple global certs because I'm not sure which one is which. I did pull the cert from the AD server and that's the first in the list, but still no go. I have no access whatsoever to the AD server, so making any changes or getting anyone to help would be way too much to do.
Modules loaded in apache:
Code:
[root@xxxxxxxxxx ~]# httpd -M
Loaded Modules:
core_module (static)
mpm_prefork_module (static)
http_module (static)
so_module (static)
auth_basic_module (shared)
auth_digest_module (shared)
authn_file_module (shared)
authn_alias_module (shared)
authn_anon_module (shared)
authn_dbm_module (shared)
authn_default_module (shared)
authz_host_module (shared)
authz_user_module (shared)
authz_owner_module (shared)
authz_groupfile_module (shared)
authz_dbm_module (shared)
authz_default_module (shared)
ldap_module (shared)
authnz_ldap_module (shared)
include_module (shared)
log_config_module (shared)
logio_module (shared)
env_module (shared)
ext_filter_module (shared)
mime_magic_module (shared)
expires_module (shared)
deflate_module (shared)
headers_module (shared)
usertrack_module (shared)
setenvif_module (shared)
mime_module (shared)
dav_module (shared)
status_module (shared)
autoindex_module (shared)
info_module (shared)
dav_fs_module (shared)
vhost_alias_module (shared)
negotiation_module (shared)
dir_module (shared)
actions_module (shared)
speling_module (shared)
userdir_module (shared)
alias_module (shared)
substitute_module (shared)
rewrite_module (shared)
proxy_module (shared)
proxy_balancer_module (shared)
proxy_ftp_module (shared)
proxy_http_module (shared)
proxy_ajp_module (shared)
proxy_connect_module (shared)
cache_module (shared)
suexec_module (shared)
disk_cache_module (shared)
cgi_module (shared)
version_module (shared)
mysql_auth_module (shared)
authz_ldap_module (shared)
dnssd_module (shared)
perl_module (shared)
php5_module (shared)
ssl_module (shared)
Syntax OK
As I said above, ldapsearch works just fine. But within Apache it gets the no-connect error after many tries, which I assume might be the search of the LDAP server for the sAMAccountName?
I'm lost, and things get more confusing the deeper I get into this. Any way to get more log info? I have debug in both httpd.conf and ssl.conf.
What am I missing?
Thanks for any help!
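As an added example that is not part of this post or of any reply in the thread, the script below repeats from the command line each step mod_ldap and mod_authnz_ldap take for the posted ldaps:// URL, so the failure can be pinned to the TLS handshake, the bind or the search rather than guessed at from "Can't contact LDAP server". It also extracts and classifies the error from an error_log line and lints an httpd.conf fragment for the settings that either break ldaps:// verification or weaken it. The host, port, CA file and DNs are the thread's own placeholders and are assumptions to be replaced; the lint rules are my reading of the mod_ldap and mod_authnz_ldap directives, not advice from the poster or from the Apache project.

```shell
#!/bin/sh
# Added example for this thread; not code from the post or from Apache httpd.
# Re-runs, outside httpd, the steps mod_ldap takes for an ldaps:// URL so that
# "Can't contact LDAP server" can be pinned to a layer. Host, port, paths and
# DNs are placeholders taken from the thread (assumptions, replace them); the
# lint rules are my own reading of the directives, not text from the post.

AD_HOST="${AD_HOST:-xxxxxx.corp.xxx.com}"
AD_PORT="${AD_PORT:-636}"
CA_FILE="${CA_FILE:-/etc/httpd/certs/cert.pem}"
BASE_DN="${BASE_DN:-dc=corp,dc=xxx,dc=com}"
BIND_DN="${BIND_DN:-CN=binduser,OU=Service Accounts,DC=corp,DC=xxx,DC=com}"

# Extract the libldap error string (the last [...] group) from an error_log line.
ldap_error() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([^][]*\)\][[:space:]]*$/\1/p'
}

# Map that string to the layer that failed. "Can't contact LDAP server" is
# LDAP_SERVER_DOWN: the TCP connect or the TLS handshake failed, so the bind
# credentials were never checked; the repeated "using URL" debug lines before
# it are one per authentication attempt, not retries of a half-open connection.
classify_error() {
    case "$1" in
        "Can't contact LDAP server") echo transport ;;
        "Invalid credentials")       echo bind ;;
        "No such object")            echo search ;;
        *)                           echo unknown ;;
    esac
}

# Which LDAPTrustedGlobalCert type does a PEM file need? CERT_* means a client
# certificate that httpd presents; a trust anchor used to verify the AD server
# is CA_* and carries CA:TRUE in its basicConstraints extension.
cert_role() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo CA_BASE64
    else
        echo CERT_BASE64
    fi
}

# Does the TLS handshake verify against that trust anchor? A "Verify return
# code" other than 0 (ok) is what httpd reports as "Can't contact LDAP server".
probe_tls() {
    printf 'Q\n' | openssl s_client -connect "$AD_HOST:$AD_PORT" -CAfile "$CA_FILE" \
        -servername "$AD_HOST" 2>/dev/null | grep 'Verify return code'
}

# The same bind and sAMAccountName search mod_authnz_ldap issues, using the
# same CA file (LDAPTLS_CACERT overrides ldap.conf for this process only).
probe_bind() {
    LDAPTLS_CACERT="$CA_FILE" ldapsearch -H "ldaps://$AD_HOST:$AD_PORT" \
        -D "$BIND_DN" -W -b "$BASE_DN" -s sub "(sAMAccountName=$1)" dn
}

# Lint an httpd.conf fragment read from stdin. One finding per line; no output
# means nothing matched. Commented-out directives are ignored.
lint_conf() {
    grep -v '^[[:space:]]*#' | awk '
        $1 == "LDAPTrustedGlobalCert" && $2 ~ /^CERT_/ {
            print "CERT_ type is a client cert; a CA file needs CA_BASE64/CA_DER: " $3 }
        $1 == "LDAPVerifyServerCert" && tolower($2) == "off" {
            print "server cert verification disabled: bind and user passwords exposed to MITM" }
        $1 == "AuthLDAPBindPassword" && $2 !~ /^"?exec:/ {
            print "bind password stored literally in httpd.conf (exec: needs 2.4.5+)" }
        $1 == "AuthzLDAPAuthoritative" {
            print "AuthzLDAPAuthoritative is 2.2-only; 2.4 refuses to start on it" }'
}

case "${1:-}" in
    error)  classify_error "$(ldap_error "$2")" ;;
    cert)   cert_role "$2" ;;
    tls)    probe_tls ;;
    bind)   probe_bind "$2" ;;
    lint)   lint_conf < "$2" ;;
esac
```

Run `sh ldapcheck.sh cert FILE` on each file listed under LDAPTrustedGlobalCert first: a file that reports CA_BASE64 is being loaded as a client certificate in the posted fragment, which is not how a trust anchor is handed to mod_ldap. `tls` then confirms the chain from outside httpd with the same CA file, `bind USER` repeats the bind and search that the module performs, and `lint FILE` reads a copy of the fragment from a file. Note that the `httpd -M` output in the post lists authn_default_module and authz_default_module, which exist in 2.2 only, so the 2.4-specific hints printed by the linter apply only after an upgrade.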
covener
Joined: 23 Nov 2008 Posts: 59
glenc2004@comcast.net
Joined: 28 May 2013 Posts: 2 Location: California
Posted: Wed 29 May '13 18:38 Post subject: Thanks
Hi, thanks for the post. Unfortunately I'm not using the module which has been compiled with the LDAP SDK that enables the debugging routines. I'm using the module directly from the repo.
Any other way to do this? I hate having to dive too deep into this, but I may end up having to at this point.