    Apache 2 and Ldap Auth

    IT Discussion
    14 Posts 3 Posters 1.7k Views
    • jrc @thwr

      @thwr said in Apache 2 and Ldap Auth:

      Just two things coming to mind:

      • Two-hop issue
      • Are you possibly affected by terminated TCP connections? E.g. Connection pinning/ keepalive

      I am pretty sure that it's not a TCP connection issue. But I am not sure what you mean by two-hop issue.

      • thwr @jrc

        @jrc said in Apache 2 and Ldap Auth:

        @thwr said in Apache 2 and Ldap Auth:

        Just two things coming to mind:

        • Two-hop issue
        • Are you possibly affected by terminated TCP connections? E.g. Connection pinning/ keepalive

        I am pretty sure that it's not a TCP connection issue. But I am not sure what you mean by two-hop issue.

        The problem with the connection is not about the connection itself, but how NTLM - for example - works. NTLM authenticates a single connection, which is basically the opposite of how HTTP works. I'm mentioning NTLM here because I don't know which mechanism is in use when you auth against your AD from the Apache module.

        About the double-hop-issue (sorry, two-hop was the wrong term): https://blogs.msdn.microsoft.com/besidethepoint/2010/05/08/double-hop-authentication-why-ntlm-fails-and-kerberos-works/

        But again, I'm just guessing here.

        • jrc @thwr

          @thwr

          Ahh, I think I follow. That does not sound right though. The log seems to indicate that it makes the connection fine, and the only error in there is one that clearly means credentials are the problem (the res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580>, res_matched: <> line, 52e = invalid credentials). But here's the thing: I have no idea if this is the credentials for the binding account or the end user account. But regardless, I am definitely using the right username and passwords there.

          • momurda

            Try adding this on a line between AuthBasicProvider and AuthLDAPBindDN
            AuthzLDAPAuthoritative off

            • jrc @momurda

              @momurda said in Apache 2 and Ldap Auth:

              Try adding this on a line between AuthBasicProvider and AuthLDAPBindDN
              AuthzLDAPAuthoritative off

              As I understand it, that command has been deprecated in the latest version of Apache. When I add it, the config test fails with:

              Invalid command 'AuthzLDAPAuthoritative', perhaps misspelled or defined by a module not included in the server configuration

              I had this in there originally, but removed it because of this and the fact that the documentation says it's been removed since 2.4.

              • momurda

                Ah yes I see that now in the docs.
                I noticed you've not included an OU in your URL. Is this user inside an OU? You might want to specify it.
                I see what thwr mentioned too about the user name. If adding the OU doesn't/won't work, then you can try changing the user munki@tld to ad_test and its password to test, as long as ad_test exists in your AD.

                • momurda

                  You also could try domain\user rather than user@domain

                  • jrc @momurda

                    @momurda said in Apache 2 and Ldap Auth:

                    Ah yes I see that now in the docs.
                    I noticed you've not included an OU in your URL. Is this user inside an OU? You might want to specify it.
                    I see what thwr mentioned too about the user name. If adding the OU doesn't/won't work, then you can try changing the user munki@tld to ad_test and its password to test, as long as ad_test exists in your AD.

                    I originally had the user specced in the cn=munki,cn=admin,dc=domain,dc=tld format, and changed to this format from some web research. Neither worked. The munki account exists and works; it is used for AD lookups elsewhere and functions just fine.

                    • jrc @jrc

                      I took the quote out and now it works....

                          <Directory "/var/www/html/ad_test">
                                  AllowOverride all
                                  order allow,deny
                                  allow from all
                      
                                  AuthType Basic
                                  AuthName "Please enter your AD credentials"
                                  AuthBasicProvider ldap
                                  #AuthzLDAPAuthoritative off
                                  AuthLDAPBindDN [email protected]
                                          #Account used to bind to AD
                                  AuthLDAPBindPassword xxxxxxxx  <---- no quotes
                                          #Account Password
                                  AuthLDAPURL ldap://dc.domain.tld:3268/dc=domain,dc=tld?sAMAccountName?sub?(objectClass=*) <---- no quotes
                                          #Server Address for the bind
                                  Require valid-user
                      
                          </Directory>
                      
                      • thwr @jrc

                        @jrc said in Apache 2 and Ldap Auth:

                        I took the quote out and now it works....

                            <Directory "/var/www/html/ad_test">
                                    AllowOverride all
                                    order allow,deny
                                    allow from all
                        
                                    AuthType Basic
                                    AuthName "Please enter your AD credentials"
                                    AuthBasicProvider ldap
                                    #AuthzLDAPAuthoritative off
                                    AuthLDAPBindDN [email protected]
                                            #Account used to bind to AD
                                    AuthLDAPBindPassword xxxxxxxx  <---- no quotes
                                            #Account Password
                                    AuthLDAPURL ldap://dc.domain.tld:3268/dc=domain,dc=tld?sAMAccountName?sub?(objectClass=*) <---- no quotes
                                            #Server Address for the bind
                                    Require valid-user
                        
                            </Directory>
                        

                        Awesome, glad you found a solution. Please be aware that auth basic is plaintext, just base64-encoded. Better to use at least SSL to protect at the transport layer.

                        https://en.wikipedia.org/wiki/Basic_access_authentication#Client_side

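As an added example (not code from the thread or from any poster), here is a small Python checker that reads a vhost fragment like the working <Directory> block above and flags the two problems the thread discusses (AuthzLDAPAuthoritative, removed in 2.4, and Basic auth without TLS) plus one related caveat: a plain ldap:// AuthLDAPURL sends the bind password and every user's password to the DC unencrypted unless ldaps:// or LDAPTrustedMode TLS is used. The sample config, the enclosing <VirtualHost *:80> and the bind account name are constructed assumptions.

```python
import re

# Constructed sample modelled on the working <Directory> block in the thread;
# the enclosing <VirtualHost *:80> and the bind account name are assumptions.
SAMPLE_CONF = """\
<VirtualHost *:80>
<Directory "/var/www/html/ad_test">
    AuthType Basic
    AuthName "Please enter your AD credentials"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPBindDN bind-account@domain.tld
    AuthLDAPBindPassword xxxxxxxx
    AuthLDAPURL ldap://dc.domain.tld:3268/dc=domain,dc=tld?sAMAccountName?sub?(objectClass=*)
    Require valid-user
</Directory>
</VirtualHost>
"""

DIRECTIVE = re.compile(r"^([A-Za-z]+)\s*(.*)$")


def parse(conf):
    """Return [(directive_lowercase, value)], skipping blank lines, comments and <tags>."""
    out = []
    for line in conf.splitlines():
        s = line.strip()
        if not s or s[0] in "#<":
            continue
        m = DIRECTIVE.match(s)
        if m:
            out.append((m.group(1).lower(), m.group(2).strip()))
    return out


def check(conf):
    """Return a list of findings for one vhost fragment (last value wins for repeats)."""
    vals = dict(parse(conf))
    findings = []
    if "authzldapauthoritative" in vals:
        findings.append("AuthzLDAPAuthoritative: removed in Apache 2.4, httpd -t rejects it")
    if vals.get("authtype", "").lower() == "basic" and vals.get("sslengine", "").lower() != "on":
        findings.append("AuthType Basic without SSLEngine on: credentials cross the wire base64-only")
    if vals.get("authldapurl", "").startswith("ldap://") and vals.get("ldaptrustedmode", "").upper() != "TLS":
        findings.append("ldap:// without LDAPTrustedMode TLS: bind and user passwords reach the DC "
                        "in clear; use ldaps:// (global catalog port 3269) or LDAPTrustedMode TLS")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONF):
        print("-", finding)
```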
                        • jrc @thwr

                          @thwr said in Apache 2 and Ldap Auth:

                          Awesome, glad you found a solution. Please be aware that auth basic is plaintext, just base64-encoded. Better to use at least SSL to protect at the transport layer.

                          https://en.wikipedia.org/wiki/Basic_access_authentication#Client_side

                          Yes, I know. The first thing I did when I set up this server was to add a cert, set up the SSL and create a rewrite rule to force all access over SSL (HTTPS). This auth stuff is also only in the default-ssl.config file.
