Apache 2 and Ldap Auth
-
So after many hours today I have gotten Apache installed and configured and asking for passwords. But I am now pulling out my hair with this as it simply won't seem to authenticate with AD. I am 10000% sure that I am using the right username and password for both my test account (ad_test) and my binding account.
Here is what I have in my site-enabled conf file:
```apache
<Directory "/var/www/html/ad_test">
    AllowOverride all
    order allow,deny
    allow from all
    AuthType Basic
    AuthName "Please enter your AD credentials"
    AuthBasicProvider ldap
    # Account used to bind to AD
    AuthLDAPBindDN “[email protected]”
    # Account password (removed for this post)
    AuthLDAPBindPassword " "
    # Server address for the bind
    AuthLDAPURL "ldap://dc.domain.tld:3268/dc=domain,dc=tld?sAMAccountName?sub?(objectClass=*)"
    Require valid-user
</Directory>
```
And here is the error output in the apache error log:
ldap_create
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP dc.domain.tld:3268
ldap_new_socket: 17
ldap_prepare_socket: 17
ldap_connect_to_host: Trying <correctserverIP>:3268
ldap_pvt_connect: fd: 17 tm: 10 async: 0
ldap_ndelay_on: 17
ldap_int_poll: fd: 17 tm: 10
ldap_is_sock_ready: 17
ldap_ndelay_off: 17
ldap_pvt_connect: 0
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x7f833c0016f0 msgid 1
wait4msg ld 0x7f833c0016f0 msgid 1 (timeout 60000000 usec)
wait4msg continue ld 0x7f833c0016f0 msgid 1 all 0
** ld 0x7f833c0016f0 Connections:- host: dc.domain.tld port: 3268 (default)
refcnt: 2 status: Connected
last used: Thu Sep 8 22:07:47 2016
** ld 0x7f833c0016f0 Outstanding Requests:
- msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x7f833c0016f0 request count 1 (abandoned 0)
** ld 0x7f833c0016f0 Response Queue:
Empty
ld 0x7f833c0016f0 response count 0
ldap_chkResponseList ld 0x7f833c0016f0 msgid 1 all 0
ldap_chkResponseList returns ld 0x7f833c0016f0 NULL
ldap_int_select
read1msg: ld 0x7f833c0016f0 msgid 1 all 0
read1msg: ld 0x7f833c0016f0 msgid 1 message type bind
read1msg: ld 0x7f833c0016f0 0 new referrals
read1msg: mark request completed, ld 0x7f833c0016f0 msgid 1
request done: ld 0x7f833c0016f0 msgid 1
res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
[Thu Sep 08 22:07:47.926638 2016] [auth_basic:error] [pid 7370:tid 140202051028736] [client <IP>:58310] AH01617: user ad_test: authentication failure for "/ad_test/": Password Mismatch
So what am I doing wrong here? It looks like the LDAP bind is working, but for some reason it is not correctly checking the password of the user.
-
I'm by no means an expert here, but fought a very similar fight yesterday: NTLM -> nginx -> Sharepoint with SSL termination in between. Still not solved and a few more gray strands of hair.
Just two things coming to mind:
- Two-hop issue
- Are you possibly affected by terminated TCP connections? E.g. Connection pinning/ keepalive
-
said in Apache 2 and Ldap Auth:
AH01617: user ad_test: authentication failure for "/ad_test/": Password Mismatch
Just noticed your last two lines. Are you sure your binding user's credentials are correct?
-
@thwr said in Apache 2 and Ldap Auth:
Just two things coming to mind:
- Two-hop issue
- Are you possibly affected by terminated TCP connections? E.g. Connection pinning/ keepalive
I am pretty sure that it's not a TCP connection issue. But I am not sure what you mean by two-hop issue.
-
@jrc said in Apache 2 and Ldap Auth:
@thwr said in Apache 2 and Ldap Auth:
Just two things coming to mind:
- Two-hop issue
- Are you possibly affected by terminated TCP connections? E.g. Connection pinning/ keepalive
I am pretty sure that it's not a TCP connection issue. But I am not sure what you mean by two-hop issue.
The problem with the connection is not about the connection itself, but how NTLM - for example - works. NTLM authenticates a single connection, which is basically the opposite of how HTTP works. I'm mentioning NTLM here because I don't know which mechanism is in use when you auth against your AD from the Apache module.
About the double-hop-issue (sorry, two-hop was the wrong term): https://blogs.msdn.microsoft.com/besidethepoint/2010/05/08/double-hop-authentication-why-ntlm-fails-and-kerberos-works/
But again, I'm just guessing here.
-
Ahh, I think I follow. That does not sound right though. The log seems to indicate that it makes the connection fine, and the only error in there is one that clearly means credentials are the problem (the res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580>, res_matched: <> line, 52e = invalid credentials). But here's the thing: I have no idea if this is the credentials for the binding account or the end user account. But regardless, I am definitely using the right usernames and passwords there.
-
Try adding this on a line between AuthBasicProvider and AuthLDAPBindDN
AuthzLDAPAuthoritative off
-
@momurda said in Apache 2 and Ldap Auth:
Try adding this on a line between AuthBasicProvider and AuthLDAPBindDN
AuthzLDAPAuthoritative off
As I understand it, that command has been deprecated in the latest version of Apache. When I add it the config test fails with:
Invalid command 'AuthzLDAPAuthoritative', perhaps misspelled or defined by a module not included in the server configuration
I had this in there originally, but removed it because of this and the fact that the documentation says it's been removed since 2.4.
-
Ah yes I see that now in the docs.
I noticed you've not included an OU in your URL. Is this user inside an OU? You might want to specify it.
I see what thwr mentioned too about the user name. If adding the OU doesn't/won't work, then you can try changing the user munki@tld to ad_test and its password to test as long as ad_test exists in your AD.
-
You also could try domain\user rather than user@domain
-
@momurda said in Apache 2 and Ldap Auth:
Ah yes I see that now in the docs.
I noticed you've not included an OU in your URL. Is this user inside an OU? You might want to specify it.
I see what thwr mentioned too about the user name. If adding the OU doesn't/won't work, then you can try changing the user munki@tld to ad_test and its password to test as long as ad_test exists in your AD.
I originally had the user specced in the cn=munki,cn=admin,dc=domain,dc=tld format, and changed to this format after some web research. Neither worked. The munki account exists and works; it is used for AD lookups elsewhere and functions just fine.
-
I took the quotes out and now it works....
```apache
<Directory "/var/www/html/ad_test">
    AllowOverride all
    order allow,deny
    allow from all
    AuthType Basic
    AuthName "Please enter your AD credentials"
    AuthBasicProvider ldap
    #AuthzLDAPAuthoritative off
    # Account used to bind to AD (no quotes)
    AuthLDAPBindDN [email protected]
    # Account password (no quotes)
    AuthLDAPBindPassword xxxxxxxx
    # Server address for the bind (no quotes)
    AuthLDAPURL ldap://dc.domain.tld:3268/dc=domain,dc=tld?sAMAccountName?sub?(objectClass=*)
    Require valid-user
</Directory>
```
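A note on what the trace above actually says, with an added diagnostic script that is not part of the original thread. The first config wrapped the bind DN in typographic quotes (“ ”); httpd's config parser strips only ASCII " and ' around an argument, so the curly quotes were sent to AD as part of the DN and the bind was refused. The OpenLDAP trace shows exactly one bind request (msgid 1) followed directly by an unbind, with no search in between, so it is the service account's bind that failed, not the end user's; mod_authnz_ldap never got as far as looking up ad_test, and auth_basic reports any denial as "Password Mismatch". The script below scans an Apache config for typographic quotes in directive lines, rewrites them to ASCII, and parses the `data NNN` sub-code out of the AcceptSecurityContext message. The config and log line embedded in it are constructed samples shaped like the ones in the thread, with a placeholder UPN (`bind-svc@domain.tld`) and password; the sub-code table lists the documented AD bind sub-codes.

```python
"""Added diagnostic for the mod_authnz_ldap -> AD bind failure discussed above.

Two independent checks:
 1. find_smart_quotes(): scan an Apache config fragment for typographic
    quotes.  httpd strips only ASCII " and ' around an argument, so a pasted
    curly quote becomes part of the bind DN or URL and the directory rejects
    the bind.
 2. parse_ad_bind_error(): pull the 'data NNN' sub-code out of the
    AcceptSecurityContext message that AD returns on a failed simple bind.
"""
import re

# Typographic quotes that commonly arrive via copy/paste from web pages,
# e-mail clients and word processors, mapped to their ASCII replacements.
SMART_TO_ASCII = {
    "\u201c": '"',   # left double quotation mark
    "\u201d": '"',   # right double quotation mark
    "\u2018": "'",   # left single quotation mark
    "\u2019": "'",   # right single quotation mark
}

# AD sub-codes seen in 'AcceptSecurityContext error, data NNN' messages.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or the bind DN/UPN itself is wrong)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

BIND_ERROR_RE = re.compile(
    r"res_errno:\s*(?P<errno>\d+).*?"
    r"comment:\s*(?P<comment>[^,]+),\s*data\s*(?P<data>[0-9a-fA-F]+)"
)


def find_smart_quotes(config_text):
    """Return a list of (line_no, directive, offending_char) for every
    typographic quote found on a non-comment line of an Apache config."""
    hits = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):   # httpd comments are whole lines
            continue
        directive = line.split(None, 1)[0]
        hits.extend((lineno, directive, ch) for ch in line if ch in SMART_TO_ASCII)
    return hits


def strip_smart_quotes(config_text):
    """Replace typographic quotes with their ASCII equivalents."""
    return "".join(SMART_TO_ASCII.get(ch, ch) for ch in config_text)


def parse_ad_bind_error(log_line):
    """Parse an OpenLDAP 'res_errno: ..., res_error: <...>' trace line as it
    appears in Apache's error log.  Returns None for any other line."""
    m = BIND_ERROR_RE.search(log_line)
    if not m:
        return None
    data = m.group("data").lower()
    return {
        "errno": int(m.group("errno")),          # 49 = LDAP invalidCredentials
        "comment": m.group("comment").strip(),
        "data": data,
        "meaning": AD_BIND_SUBCODES.get(data, "unknown sub-code"),
    }


# Constructed sample input (not the original poster's file): the thread's
# first config with placeholder values and the curly quotes around the bind
# DN reproduced on purpose.
SAMPLE_CONFIG = (
    '<Directory "/var/www/html/ad_test">\n'
    '    AuthType Basic\n'
    '    AuthName "Please enter your AD credentials"\n'
    '    AuthBasicProvider ldap\n'
    '    # Account used to bind to AD (placeholder UPN)\n'
    '    AuthLDAPBindDN \u201cbind-svc@domain.tld\u201d\n'
    '    AuthLDAPBindPassword "placeholder"\n'
    '    AuthLDAPURL "ldap://dc.domain.tld:3268/dc=domain,dc=tld?sAMAccountName?sub?(objectClass=*)"\n'
    '    Require valid-user\n'
    '</Directory>\n'
)

# Constructed sample log line, shaped like the res_errno line in the thread.
SAMPLE_LOG = (
    "res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903C8, comment: "
    "AcceptSecurityContext error, data 52e, v2580>, res_matched: <>"
)

if __name__ == "__main__":
    for lineno, directive, ch in find_smart_quotes(SAMPLE_CONFIG):
        print(f"line {lineno}: {directive} contains U+{ord(ch):04X}")
    err = parse_ad_bind_error(SAMPLE_LOG)
    print(f"LDAP result {err['errno']}, AD data {err['data']}: {err['meaning']}")
```

Run it against a real config with `find_smart_quotes(open("/etc/apache2/sites-enabled/default-ssl.conf").read())` after a paste from a web page or e-mail; `grep -nP '[^\x00-\x7F]'` on the file is the quick shell equivalent. For the log side, any `data` value other than 52e points at a different account problem (locked out, disabled, expired) rather than at the credentials themselves.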
-
@jrc said in Apache 2 and Ldap Auth:
I took the quotes out and now it works....
```apache
<Directory "/var/www/html/ad_test">
    AllowOverride all
    order allow,deny
    allow from all
    AuthType Basic
    AuthName "Please enter your AD credentials"
    AuthBasicProvider ldap
    #AuthzLDAPAuthoritative off
    # Account used to bind to AD (no quotes)
    AuthLDAPBindDN [email protected]
    # Account password (no quotes)
    AuthLDAPBindPassword xxxxxxxx
    # Server address for the bind (no quotes)
    AuthLDAPURL ldap://dc.domain.tld:3268/dc=domain,dc=tld?sAMAccountName?sub?(objectClass=*)
    Require valid-user
</Directory>
```
Awesome, glad you found a solution. Please be aware that Basic auth is plaintext, just base64-encoded. Better to use at least SSL to protect it at the transport layer.
https://en.wikipedia.org/wiki/Basic_access_authentication#Client_side
-
@thwr said in Apache 2 and Ldap Auth:
Awesome, glad you found a solution. Please be aware that Basic auth is plaintext, just base64-encoded. Better to use at least SSL to protect it at the transport layer.
https://en.wikipedia.org/wiki/Basic_access_authentication#Client_side
Yes, I know. The first thing I did when I set up this server was to add a cert, set up SSL and create a rewrite rule to force all access over SSL (HTTPS). This auth stuff is also only in the default-ssl.config file.