Topic: Having trouble getting Apache to work w/ ldap authentication
soared4truth
Joined: 28 Apr 2015 Posts: 2 Location: United States, San Antonio
Posted: Tue 28 Apr '15 22:04 Post subject: Having trouble getting Apache to work w/ ldap authentication
I have a class project that we are working on where we have to configure and implement an Apache server with ssl using ldap for authentication. I have documentation of literally everything I have done in the configuration. Everything seems to be fine with the config that I can tell. The client gets a prompt for username and password when they access the server ip address. However, once the correct username and password are entered, then the client receives a 500 internal server error message instead of the webpage: "Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator at root@localhost to inform them of the time this error occurred, and the actions you performed just before this error.
More information about this error may be available in the server error log."
I checked the error_log, and I don't see anything about it:
[bkost@student ~]$ sudo cat /var/log/httpd/error_log
[Mon Apr 27 03:47:05.810972 2015] [auth_digest:notice] [pid 1366] AH01757: generating secret for digest authentication ...
[Mon Apr 27 03:47:05.857782 2015] [lbmethod_heartbeat:notice] [pid 1366] AH02282: No slotmem from mod_heartmonitor
[Mon Apr 27 03:47:05.947008 2015] [mpm_prefork:notice] [pid 1366] AH00163: Apache/2.4.10 (Fedora) OpenSSL/1.0.1k-fips configured -- resuming normal operations
[Mon Apr 27 03:47:05.947015 2015] [core:notice] [pid 1366] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Apr 27 17:49:56.909072 2015] [mpm_prefork:notice] [pid 1366] AH00170: caught SIGWINCH, shutting down gracefully
[Mon Apr 27 17:49:58.049278 2015] [core:notice] [pid 4270] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Mon Apr 27 17:49:58.049972 2015] [suexec:notice] [pid 4270] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Apr 27 17:49:58.065634 2015] [so:warn] [pid 4270] AH01574: module ldap_module is already loaded, skipping
[Mon Apr 27 17:49:58.065661 2015] [so:warn] [pid 4270] AH01574: module access_compat_module is already loaded, skipping
[Mon Apr 27 17:49:58.068618 2015] [auth_digest:notice] [pid 4270] AH01757: generating secret for digest authentication ...
[Mon Apr 27 17:49:58.069279 2015] [lbmethod_heartbeat:notice] [pid 4270] AH02282: No slotmem from mod_heartmonitor
[Mon Apr 27 17:49:58.071988 2015] [mpm_prefork:notice] [pid 4270] AH00163: Apache/2.4.10 (Fedora) OpenSSL/1.0.1k-fips configured -- resuming normal operations
[Mon Apr 27 17:49:58.072008 2015] [core:notice] [pid 4270] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Apr 27 17:52:02.083219 2015] [mpm_prefork:notice] [pid 4270] AH00170: caught SIGWINCH, shutting down gracefully
[Mon Apr 27 17:52:03.145221 2015] [core:notice] [pid 4473] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Mon Apr 27 17:52:03.145834 2015] [suexec:notice] [pid 4473] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Apr 27 17:52:03.163615 2015] [auth_digest:notice] [pid 4473] AH01757: generating secret for digest authentication ...
[Mon Apr 27 17:52:03.164254 2015] [lbmethod_heartbeat:notice] [pid 4473] AH02282: No slotmem from mod_heartmonitor
[Mon Apr 27 17:52:03.167354 2015] [mpm_prefork:notice] [pid 4473] AH00163: Apache/2.4.10 (Fedora) OpenSSL/1.0.1k-fips configured -- resuming normal operations
[Mon Apr 27 17:52:03.167384 2015] [core:notice] [pid 4473] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Apr 27 18:01:12.471750 2015] [mpm_prefork:notice] [pid 4473] AH00170: caught SIGWINCH, shutting down gracefully
[Mon Apr 27 18:01:13.531071 2015] [core:notice] [pid 4947] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Mon Apr 27 18:01:13.531707 2015] [suexec:notice] [pid 4947] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Apr 27 18:01:13.549023 2015] [auth_digest:notice] [pid 4947] AH01757: generating secret for digest authentication ...
[Mon Apr 27 18:01:13.549689 2015] [lbmethod_heartbeat:notice] [pid 4947] AH02282: No slotmem from mod_heartmonitor
[Mon Apr 27 18:01:13.552593 2015] [mpm_prefork:notice] [pid 4947] AH00163: Apache/2.4.10 (Fedora) OpenSSL/1.0.1k-fips configured -- resuming normal operations
[Mon Apr 27 18:01:13.552617 2015] [core:notice] [pid 4947] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Apr 27 23:55:49.539191 2015] [mpm_prefork:notice] [pid 4947] AH00170: caught SIGWINCH, shutting down gracefully
[Mon Apr 27 23:55:51.133719 2015] [core:notice] [pid 5636] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Mon Apr 27 23:55:51.140111 2015] [suexec:notice] [pid 5636] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Apr 27 23:55:51.185825 2015] [auth_digest:notice] [pid 5636] AH01757: generating secret for digest authentication ...
[Mon Apr 27 23:55:51.186531 2015] [lbmethod_heartbeat:notice] [pid 5636] AH02282: No slotmem from mod_heartmonitor
[Mon Apr 27 23:55:51.217769 2015] [mpm_prefork:notice] [pid 5636] AH00163: Apache/2.4.10 (Fedora) OpenSSL/1.0.1k-fips configured -- resuming normal operations
[Mon Apr 27 23:55:51.217799 2015] [core:notice] [pid 5636] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Tue Apr 28 00:08:39.758574 2015] [mpm_prefork:notice] [pid 5636] AH00170: caught SIGWINCH, shutting down gracefully
[Tue Apr 28 00:09:53.845084 2015] [core:notice] [pid 1415] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Tue Apr 28 00:09:54.105714 2015] [suexec:notice] [pid 1415] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Apr 28 00:09:54.145357 2015] [auth_digest:notice] [pid 1415] AH01757: generating secret for digest authentication ...
[Tue Apr 28 00:09:54.146130 2015] [lbmethod_heartbeat:notice] [pid 1415] AH02282: No slotmem from mod_heartmonitor
[Tue Apr 28 00:09:54.183553 2015] [mpm_prefork:notice] [pid 1415] AH00163: Apache/2.4.10 (Fedora) OpenSSL/1.0.1k-fips configured -- resuming normal operations
[Tue Apr 28 00:09:54.183578 2015] [core:notice] [pid 1415] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Tue Apr 28 00:11:09.225672 2015] [mpm_prefork:notice] [pid 1415] AH00170: caught SIGWINCH, shutting down gracefully
[Tue Apr 28 00:12:12.858701 2015] [core:notice] [pid 1426] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Tue Apr 28 00:12:13.343224 2015] [suexec:notice] [pid 1426] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Apr 28 00:12:13.393081 2015] [auth_digest:notice] [pid 1426] AH01757: generating secret for digest authentication ...
[Tue Apr 28 00:12:13.393765 2015] [lbmethod_heartbeat:notice] [pid 1426] AH02282: No slotmem from mod_heartmonitor
[Tue Apr 28 00:12:13.432176 2015] [mpm_prefork:notice] [pid 1426] AH00163: Apache/2.4.10 (Fedora) OpenSSL/1.0.1k-fips configured -- resuming normal operations
[Tue Apr 28 00:12:13.432194 2015] [core:notice] [pid 1426] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Tue Apr 28 00:13:05.782072 2015] [mpm_prefork:notice] [pid 1426] AH00170: caught SIGWINCH, shutting down gracefully
[Tue Apr 28 00:14:09.636004 2015] [core:notice] [pid 1419] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Tue Apr 28 00:14:09.711218 2015] [suexec:notice] [pid 1419] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Apr 28 00:14:09.749654 2015] [auth_digest:notice] [pid 1419] AH01757: generating secret for digest authentication ...
[Tue Apr 28 00:14:09.750334 2015] [lbmethod_heartbeat:notice] [pid 1419] AH02282: No slotmem from mod_heartmonitor
[Tue Apr 28 00:14:09.800709 2015] [mpm_prefork:notice] [pid 1419] AH00163: Apache/2.4.10 (Fedora) OpenSSL/1.0.1k-fips configured -- resuming normal operations
I actually tried again, right before making this post, so if it were posting to the error_log, then it should have one for Apr 28 14:37 approximately. As you can tell, there is no such error logged at that time.
Here is the configuration for my ldap authentication:
<Directory /var/www/html>
AuthType Basic
AuthName "Group2 Web Site: Login with user id"
AuthBasicProvider ldap
AuthLDAPBindAuthoritative on
AuthLDAPURL ldap://ldap.thisdomain.local:389/o=ldapusers?uid?sub
AuthLDAPBindDN "thisdomain.local"
AuthLDAPBindPassword ********
require ldap-user ldapuser01 ldapuser02
</Directory>
When I remove that configuration, the server works fine with SSL, but obviously it does not require authentication. When I put it back, the authentication works, but then I get the server error instead of the website. Strangely, when I clear the cache in the browser and try again, it goes directly to the server error message without trying the authentication again. Only a restart of the computer fixes that and allows it to attempt authentication again (which then leads to a server error yet again).
Does anyone have any idea what is wrong with this configuration? I have VERY detailed documentation of everything I did (including all the stdin, stdout, and stderr up until this point for apache, SSL, ldap, autofs, etc.), but I don't want to junk up the post with all that. If any of that is needed to help me, then let me know which you need and I will post it.
Also, I am running Fedora 21 on both my server (running Apache 2.4) and also on my client.
Thank you!
soared4truth
Joined: 28 Apr 2015 Posts: 2 Location: United States, San Antonio
Posted: Wed 29 Apr '15 22:41 Post subject: New Configuration that I think is correct:
This is where I am now; I have stripped it down to this:
AuthType Basic
AuthName "Group2 Web Site: Login with user id"
AuthBasicProvider ldap
AuthLDAPBindAuthoritative off
AuthLDAPURL "ldaps://ldap.thisdomain.local:636/ou=People,dc=thisdomain,dc=local?uid?sub?(objectClass=*)"
Require valid-user
Note that I changed ldap: to ldaps: and the TCP port number for ldaps. I am not sure if this was the right thing to do or not. I am using ssl with apache, does that mean that I am using it with ldap also? It still doesn't work with the above configuration. Now, I enter the username and password correctly, and it just does some thinking, then finally asks for the username and password again. If I click X, then it says unauthorized.
Just to prove that my ldap database works:
[bkost@student ~]$ ldapsearch -x cn=ldapuser01 -b dc=thisdomain,dc=local
# extended LDIF
#
# LDAPv3
# base <dc=thisdomain,dc=local> with scope subtree
# filter: cn=ldapuser01
# requesting: ALL
#
# ldapuser01, People, thisdomain.local
dn: uid=ldapuser01,ou=People,dc=thisdomain,dc=local
uid: ldapuser01
cn: ldapuser01
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JHJnT1pWcUFuJE5paTdjNTNjUU5jVklSV2dXRmNBS1RXMWJDb2J
keS9KemdBUDg1c3Ria3NkRGRVM2M3dklWV3RJNWxRYWRoVElzeGpEQ2hZbGFYL3lXN1Z2NGdvaWYv
shadowLastChange: 16548
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 1004
homeDirectory: /home/guests/ldapuser01
Here is the extension that I added to the schema for my database:
[bkost@student ~]$ cat /etc/openldap/base.ldif
dn: dc=thisdomain,dc=local
dc: thisdomain
objectClass: top
objectClass: domain
dn: ou=People,dc=thisdomain,dc=local
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=thisdomain,dc=local
ou: Group
objectClass: top
objectClass: organizationalUnit
dn: dc=thisdomain,dc=local
dc: thisdomain
objectClass: top
objectClass: domain
dn: ou=People,dc=thisdomain,dc=local
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=thisdomain,dc=local
ou: Group
objectClass: top
objectClass: organizationalUnit
Here are the changes I made to the schema using ldapmodify:
[bkost@student ~]$ cat /etc/openldap/changes.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=thisdomain,dc=local
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=thisdomain,dc=local
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: redhat
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/certs/student.thisdomain.local.crt
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/private/student.thisdomain.local.key
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=thisdomain,dc=local" read by * none
Then there are the entries:
[bkost@student ~]$ cat /home/bkost/groups.ldif
dn: uid=ldapuser01,ou=People,dc=thisdomain,dc=local
uid: ldapuser01
cn: ldapuser01
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$rgOZVqAn$Nii7c53cQNcVIRWgWFcAKTW1bCobdy/JzgAP85stbksdDdU3c7vIVWtI5lQadhTIsxjDChYlaX/yW7Vv4goif/
shadowLastChange: 16548
shadowMax: 99999
shadowWarning: 7
uidNumber: 1004
gidNumber: 1004
homeDirectory: /home/guests/ldapuser01
dn: uid=ldapuser02,ou=People,dc=thisdomain,dc=local
uid: ldapuser02
cn: ldapuser02
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$Z8Xc0Dy2$dX9AhciRXg9xDLZkCoVkXTsxQLVIarLNQIvmTOJ5xlsHH3EakgdbmG7HzU1RUj07dswYTmvNYyAyhKuYhrPSo.
shadowLastChange: 16548
shadowMax: 99999
shadowWarning: 7
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/guests/ldapuser02
[bkost@student ~]$ cat /home/bkost/users.ldif
dn: uid=ldapuser01,ou=People,dc=thisdomain,dc=local
uid: ldapuser01
cn: ldapuser01
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$rgOZVqAn$Nii7c53cQNcVIRWgWFcAKTW1bCobdy/JzgAP85stbksdDdU3c7vIVWtI5lQadhTIsxjDChYlaX/yW7Vv4goif/
shadowLastChange: 16548
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 1004
homeDirectory: /home/guests/ldapuser01
dn: uid=ldapuser02,ou=People,dc=thisdomain,dc=local
uid: ldapuser02
cn: ldapuser02
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$Z8Xc0Dy2$dX9AhciRXg9xDLZkCoVkXTsxQLVIarLNQIvmTOJ5xlsHH3EakgdbmG7HzU1RUj07dswYTmvNYyAyhKuYhrPSo.
shadowLastChange: 16548
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1004
gidNumber: 1005
homeDirectory: /home/guests/ldapuser02
[bkost@student ~]$
I added the nis.ldif and cosine.ldif that come standard with ldap. I modified them with changes.ldif, which you can see above. SSL works fine as long as I don't attempt authentication with LDAP.
I think that should be enough information to figure out if my authentication configuration is correct. Could somebody PLEASE help me? This project is really hard, and I am a straight A student. We were just thrown to the LDAP wolves and told we could only use our terminal. I could REALLY USE THE HELP!
Thanks,
Ben
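A check over both configurations posted above, as an added example that is not part of the thread or of Apache: it parses AuthLDAPURL into its RFC 4516 fields and flags values mod_authnz_ldap cannot use, such as a bind DN that is not a DN, and notes when the user's password would travel to the directory in clear. It assumes plain hostnames (no IPv6 or host lists) and DNs without escaped commas; LDAPTrustedMode is a real mod_ldap directive and appears only in a finding's text.

```python
import re

# Added example (not the poster's or Apache's code): a lint for the mod_authnz_ldap
# directives on this page. Simplifications: no IPv6 hosts or host lists, no escaped commas in DNs.
URL_RE = re.compile(r"^(ldaps?)://([^/:\s]+)(?::(\d+))?(?:/(.*))?$", re.I)
RDN = r"[A-Za-z][A-Za-z0-9-]*=[^,=]+"
DN_RE = re.compile(rf"^{RDN}(,{RDN})*$")
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}

# The two configurations from the posts above (bind password as redacted in the post).
FIRST = '''AuthLDAPURL ldap://ldap.thisdomain.local:389/o=ldapusers?uid?sub
AuthLDAPBindDN "thisdomain.local"
AuthLDAPBindPassword ********
require ldap-user ldapuser01 ldapuser02'''
SECOND = '''AuthLDAPURL "ldaps://ldap.thisdomain.local:636/ou=People,dc=thisdomain,dc=local?uid?sub?(objectClass=*)"
Require valid-user'''

def parse_ldap_url(url):
    """Split scheme://host[:port]/basedn?attr?scope?filter (RFC 4516 form)."""
    m = URL_RE.match(url.strip().strip('"'))
    if not m:
        return None
    scheme, host, port, rest = m.groups()
    f = (rest or "").split("?") + [""] * 4  # pad the optional fields
    return {"scheme": scheme.lower(), "host": host, "base": f[0],
            "port": int(port) if port else DEFAULT_PORT[scheme.lower()],
            "attr": f[1] or "uid", "scope": f[2] or "sub", "filter": f[3]}

def lint_ldap_auth(snippet):
    """Return a list of findings for a block of AuthLDAP* directives."""
    cfg = {}
    for line in snippet.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith(("<", "#")):
            cfg[parts[0].lower()] = parts[1].strip()  # directive names are case-insensitive
    url = parse_ldap_url(cfg.get("authldapurl", ""))
    if url is None:
        return ["AuthLDAPURL missing or not of the form scheme://host/basedn?attr?scope?filter"]
    out = []
    if url["port"] != DEFAULT_PORT[url["scheme"]]:
        out.append(f"{url['scheme']}:// on port {url['port']}: scheme and port may not match")
    if not DN_RE.match(url["base"]):
        out.append(f"search base {url['base']!r} is not a DN")
    if url["scheme"] == "ldap":  # mod_authnz_ldap binds with the user's own password
        out.append("ldap:// sends users' passwords to the directory in clear unless "
                   "mod_ldap's LDAPTrustedMode TLS (STARTTLS) is set server-wide")
    bind_dn = cfg.get("authldapbinddn", "").strip('"')
    if bind_dn and not DN_RE.match(bind_dn):
        out.append(f"AuthLDAPBindDN {bind_dn!r} is not a DN (compare cn=Manager,dc=thisdomain,dc=local)")
    return out
```

Run `lint_ldap_auth(FIRST)` and `lint_ldap_auth(SECOND)` to compare the two snippets; the second form produces no findings, the first two.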
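As an added example (not the poster's files or tooling), a minimal LDIF reader run over a constructed, shortened copy of the base.ldif above: it unfolds continuation lines, decodes the `attr:: base64` form seen in the ldapsearch output, and reports DNs that occur twice, which slapd rejects on the second add. Attribute names are lower-cased, and the changetype: forms used in changes.ldif are not interpreted.

```python
import base64
from collections import Counter

# Added example (not the poster's code): a minimal LDIF reader that shows what a
# file like base.ldif above would try to add, and flags DNs listed twice. It
# handles "attr: value", "attr:: base64" and folded continuation lines (leading space).
SAMPLE = """dn: dc=thisdomain,dc=local
dc: thisdomain
objectClass: top
objectClass: domain

dn: dc=thisdomain,dc=local
dc: thisdomain
objectClass: top
objectClass: domain

dn: uid=ldapuser01,ou=People,dc=thisdomain,dc=local
uid: ldapuser01
objectClass: account
description:: R3JvdXAyIF
 dlYiBTaXRl
"""  # constructed: shortened from the base.ldif above plus one folded base64 value

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] in file order; attribute names lower-cased."""
    lines = []
    for raw in text.splitlines():          # unfold: a leading space continues the line
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], None
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue                       # entry separator or comment
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()
        if attr == "dn":
            cur = (value, {})
            entries.append(cur)
        elif cur is not None:
            cur[1].setdefault(attr, []).append(value)
    return entries

def duplicate_dns(entries):
    """DNs that occur more than once: slapd refuses the second add with 'Already exists'."""
    counts = Counter(dn.lower() for dn, _ in entries)
    return sorted(dn for dn, n in counts.items() if n > 1)
```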