Topic: Apache 2.4: Users authentication in Active Directory |
|
Author |
|
iam
Joined: 21 May 2018 Posts: 1
|
Posted: Mon 21 May '18 13:55 Post subject: Apache 2.4: Users authentication in Active Directory |
|
|
Hi!
Thanks in advance!
I need help with Apache configuration to enable login through Active Directory.
I want to allow login if a user is a member of a group contained in another group.
Now I have this:
Code: |
Alias /nagios /opt/nagios/share
<Directory "/opt/nagios/share">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthType Basic
AuthName "Acceso restringido"
AuthBasicProvider ldap
AuthLDAPURL "ldap://server/DC=domain,DC=red?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN user@domain.red
AuthLDAPBindPassword "xxxxxx"
Require ldap-group CN=NAGIOS_EXP,OU=Groups,OU=Administracion Autonomica,OU=<domain>,DC=domain,DC=red
</Directory> |
And I can't log in. If I put: require valid-user it goes well.
Code: | [Mon May 21 13:36:05.060787 2018] [authnz_ldap:debug] [pid 9315] mod_authnz_ldap.c(966): [client 10.10.10.10:51069] AH01716: auth_ldap authorise: require group "CN=NAGIOS_EXP,OU=Groups,OU=Administracion Autonomica,OU=<domain>,DC=domain,DC=red": failed [Comparison complete][34 - Invalid DN syntax], checking sub-groups
[Mon May 21 13:36:05.062229 2018] [authnz_ldap:debug] [pid 9315] mod_authnz_ldap.c(989): [client 10.10.10.10:51069] AH01718: auth_ldap authorise: require group (sub-group) "CN=NAGIOS_EXP,OU=Groups,OU=Administracion Autonomica,OU=<domain>,DC=domain,DC=red": didn't match with attr DN failed group verification. [member][34 - Invalid DN syntax]
[Mon May 21 13:36:05.062250 2018] [authnz_ldap:debug] [pid 9315] mod_authnz_ldap.c(966): [client 10.10.10.10:51069] AH01716: auth_ldap authorise: require group "CN=NAGIOS_EXP,OU=Groups,OU=Administracion Autonomica,OU=<domain>,DC=domain,DC=red": failed [DN failed group verification.][34 - Invalid DN syntax], checking sub-groups
[Mon May 21 13:36:05.063471 2018] [authnz_ldap:debug] [pid 9315] mod_authnz_ldap.c(989): [client 10.10.10.10:51069] AH01718: auth_ldap authorise: require group (sub-group) "CN=NAGIOS_EXP,OU=Groups,OU=Administracion Autonomica,OU=<domain>,DC=domain,DC=red": didn't match with attr DN failed group verification. [uniqueMember][34 - Invalid DN syntax]
[Mon May 21 13:36:05.063481 2018] [authnz_ldap:debug] [pid 9315] mod_authnz_ldap.c(996): [client 10.10.10.10:51069] AH01720: auth_ldap authorize group: authorization denied for user ext-agumarjo to /nagios/
[Mon May 21 13:36:05.063486 2018] [authz_core:debug] [pid 9315] mod_authz_core.c(809): [client 10.10.10.10:51069] AH01626: authorization result of Require ldap-group CN=NAGIOS_EXP,OU=Groups,OU=Administracion Autonomica,OU=<domain>,DC=domain,DC=red: denied
[Mon May 21 13:36:05.063489 2018] [authz_core:debug] [pid 9315] mod_authz_core.c(809): [client 10.10.10.10:51069] AH01626: authorization result of <RequireAny>: denied
[Mon May 21 13:36:05.063492 2018] [authz_core:error] [pid 9315] [client 10.10.10.10:51069] AH01631: user ext-agumarjo: authorization failure for "/nagios/":
|
What am I doing wrong?
THANKS! |
|
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Wed 27 Mar '19 16:53 Post subject: |
|
|
You mix old and new config
Order allow,deny
Allow from all
is 2.2 while Require ldap-group is 2.4
Please do not use both! Use only 2.4 and remove mod_access_compat from your config! |
|
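An added example, not part of the thread or of Apache itself: a Python sketch of the check described in the reply above, flagging any config section that holds both 2.2-style access directives (Order, Allow, Deny, Satisfy) and 2.4-style Require. The function name is hypothetical, and the sample is abridged from the first post with the group DN shortened.

```python
import re

LEGACY = {"order", "allow", "deny", "satisfy"}  # 2.2 style, served by mod_access_compat
AUTHZ_BLOCKS = {"requireany", "requireall", "requirenone"}  # 2.4 authz containers
OPEN = re.compile(r"^<\s*([A-Za-z]+)\b([^>]*)>$")
CLOSE = re.compile(r"^</\s*([A-Za-z]+)\s*>$")

# Abridged from the first post; the group DN is shortened for the example.
SAMPLE = '''\
<Directory "/opt/nagios/share">
AllowOverride None
Order allow,deny
Allow from all
AuthType Basic
Require ldap-group CN=NAGIOS_EXP,OU=Groups,DC=domain,DC=red
</Directory>
'''

def find_mixed_sections(conf_text):
    """Return (section, legacy_line_numbers, require_line_numbers) for each
    container holding both 2.2-style and 2.4-style access directives."""
    stack = [["(server config)", [], []]]
    mixed = []

    def close_section():
        name, legacy, modern = stack.pop()
        if legacy and modern:
            mixed.append((name, legacy, modern))

    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing, opening = CLOSE.match(line), OPEN.match(line)
        if closing:
            if closing.group(1).lower() not in AUTHZ_BLOCKS and len(stack) > 1:
                close_section()
        elif opening and opening.group(1).lower() in AUTHZ_BLOCKS:
            stack[-1][2].append(lineno)  # 2.4 authz block, counted in the enclosing section
        elif opening:
            stack.append([f"<{opening.group(1)}{opening.group(2).rstrip()}>", [], []])
        else:
            word = line.split(None, 1)[0].lower()
            if word in LEGACY:  # "AllowOverride" is a different directive and is not matched
                stack[-1][1].append(lineno)
            elif word == "require":
                stack[-1][2].append(lineno)
    while stack:
        close_section()
    return mixed

print(find_mixed_sections(SAMPLE))
```

Line numbers in the result are relative to the text passed in, so run it per file to get numbers that match the editor.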
|
rajeev_guleria
Joined: 28 May 2020 Posts: 1 Location: USA
|
Posted: Thu 28 May '20 13:08 Post subject: |
|
|
I do not have
Order allow,deny
Allow from all
But I am facing exactly the same issue with the LDAP AD group auth. What was the fix applied at your end for the below listed issue? Appreciate your response |
|
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Fri 05 Jun '20 15:06 Post subject: |
|
|
You might try mod_authn_ntlm
With that you can do
Code: |
<RequireAny>
require sspi-group "DOMAIN\GROUP2" "DOMAIN\GROUP1"
</RequireAny>
|