
Ramurd 01-08-2013 04:01 AM

Apache 2.4 multiple LDAP servers
 
Hiyas,

Here's something I'm not really getting... When I configure my Apache server to use one LDAP server like this:

Code:

        AuthLDAPURL ldaps://ldapserver1/ou=intern-users,dc=acc,o=myorg?uid?sub
        AuthLDAPBindDN          "cn=apache,ou=people,dc=acc,o=myorg"
        AuthLDAPBindPassword    "mypassword"
        AuthLDAPGroupAttributeIsDN on
        AuthBasicProvider      ldap

I can connect my pages with require ldap-group like this:
Code:

<Location /my/url>
        AuthType                Basic
        AuthName                "my message"

# ldap-intern.conf contains the configuration in the previous code block
        Include /etc/httpd/ldap-intern.conf
        Require ldap-group cn=mygroup,ou=intern-groups,dc=acc,o=myorg

        ProxyPass              balancer://cluster/my/url
        ProxyPassReverse        balancer://cluster/my/url
</Location>

This works fine.

However, if I create a file ldap-aliases.conf like this:
Code:

#LDAP URL for internal users
<AuthnProviderAlias ldap ldapserver1-intern>
        AuthLDAPBindDN          "cn=apache,ou=people,dc=acc,o=myorg"
        AuthLDAPBindPassword    "mypassword"
        AuthLDAPURL ldaps://ldapserver1/ou=intern-users,dc=acc,o=myorg?uid?sub
</AuthnProviderAlias>
<AuthnProviderAlias ldap ldapserver2-intern>
        AuthLDAPBindDN          "cn=apache,ou=people,dc=acc,o=myorg"
        AuthLDAPBindPassword    "mypassword"
        AuthLDAPURL ldaps://ldapserver2/ou=intern-users,dc=acc,o=myorg?uid?sub
</AuthnProviderAlias>

(This ldap-aliases.conf file is included in the global server config)
I change ldap-intern.conf slightly to:
Code:

        AuthLDAPBindDN          "cn=apache,ou=people,dc=acc,o=myorg"
        AuthLDAPBindPassword    "mypassword"
        AuthLDAPGroupAttributeIsDN on
        AuthBasicProvider      ldapserver1-intern ldapserver2-intern

and my location remains:
Code:

<Location /my/url>
        AuthType                Basic
        AuthName                "This area is secured"

# ldap-intern.conf contains the configuration in the previous code block
        Include /etc/httpd/ldap-intern.conf
        Require ldap-group cn=mygroup,ou=intern-groups,dc=acc,o=myorg

        ProxyPass              balancer://cluster/my/url
        ProxyPassReverse        balancer://cluster/my/url
</Location>

Then I am not getting connected... what am I doing wrong?
I do know I have the AuthLDAPBindDN configured multiple times; it's either in my ldap-aliases.conf or in ldap-intern.conf. If I put it in ldap-intern.conf the error in the log says "Unsufficient Access"; if I put it in ldap-aliases.conf I get "No such object" errors... Mind that we're talking to the same LDAP server, same schema, same user, etc.

acid_kewpie 01-08-2013 04:57 AM

This looks like your chap...

http://httpd.apache.org/docs/2.2/mod...dauthoritative

Ramurd 01-08-2013 05:58 AM

Thanks for the quick reply.

I added AuthLDAPBindAuthoritative off to ldap-intern.conf in the multi-ldap setup; However, this does not seem to be the solution:

Part of the logging in quote blocks:
Quote:

[Tue Jan 08 11:44:07.330191 2013] [ssl:debug] [pid 8725:tid 140313460946688] ssl_engine_kernel.c(222): [client ::1:43952] AH02034: Subsequent (No.2) HTTPS request received for child 13 (server 127.0.0.1:443)
[Tue Jan 08 11:44:07.330274 2013] [authz_core:debug] [pid 8725:tid 140313460946688] mod_authz_core.c(802): [client ::1:43952] AH01626: authorization result of Require ldap-group cn=mygroup,ou=intern-groups,dc=acc,o=myorg: denied (no authenticated user yet)
[Tue Jan 08 11:44:07.330282 2013] [authz_core:debug] [pid 8725:tid 140313460946688] mod_authz_core.c(802): [client ::1:43952] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jan 08 11:44:07.330311 2013] [authnz_ldap:debug] [pid 8725:tid 140313460946688] mod_authnz_ldap.c(501): [client ::1:43952] AH01691: auth_ldap authenticate: using URL ldaps://ldapserver1/ou=intern-users,dc=acc,o=myorg
[Tue Jan 08 11:44:07.330328 2013] [authnz_ldap:debug] [pid 8725:tid 140313460946688] mod_authnz_ldap.c(593): [client ::1:43952] AH01697: auth_ldap authenticate: accepting test
[Tue Jan 08 11:44:07.330334 2013] [authz_core:debug] [pid 8725:tid 140313460946688] mod_authz_core.c(802): [client ::1:43952] AH01626: authorization result of Require ldap-group cn=mygroup,ou=intern-groups,dc=acc,o=myorg: denied
[Tue Jan 08 11:44:07.330339 2013] [authz_core:debug] [pid 8725:tid 140313460946688] mod_authz_core.c(802): [client ::1:43952] AH01626: authorization result of <RequireAny>: denied
[Tue Jan 08 11:44:07.330343 2013] [authz_core:error] [pid 8725:tid 140313460946688] [client ::1:43952] AH01631: user test: authorization failure for "/my/url":
There is way more logging as I turned LDAP Debugging on; so if that is needed to validate why what happens, I can comply :-)
I have the feeling that somehow the ldapsearch or bind differs when I'm running a single ldap server or try to use the aliases...

acid_kewpie 01-08-2013 09:32 AM

Ahh, so this is just redundancy? Not multiple LDAP sources? Just put both servers in the single URI then, space separated.

http://httpd.apache.org/docs/2.2/mod...ml#authldapurl

Ramurd 01-08-2013 09:48 AM

That's what I tried first, but then it appeared that since Apache 2.4 this method changed and I needed to use AuthnProviderAlias.

... but I think I missed this line:
Quote:

Caveat: If you specify multiple servers, you need to enclose the entire URL string in quotes; otherwise you will get an error: "AuthLDAPURL takes one argument, URL to define LDAP connection.." You can of course use search parameters on each of these.
from the 2.4 documentation... http://httpd.apache.org/docs/2.4/mod...ml#authldapurl

I'll give that a shot tomorrow, and if it works I'll mark it as solved... stupid me not to read the caveat line :-/ *grumbles off* Thanks for the heads up!

Ramurd 01-09-2013 07:11 AM

Yup, that was it:

had to specify:

Code:

AuthLDAPUrl "ldaps://ldapserver1 ldapserver2/ou=intern-users,dc=acc,o=myorg"

and it worked like I hoped and expected. Marking thread as solved.
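The quoting caveat that resolved this thread comes down to how httpd splits a directive line into arguments. The following is an added example (not from the thread or from the httpd project) that models that tokenisation and the AuthLDAPURL format (hosts / basedn ? attribute ? scope ? filter, with the module's documented defaults) so you can see why the unquoted two-server URL is rejected and the quoted one parses as one URL with two failover hosts; the sample lines and DNs are constructed from the thread, and the tokeniser is simplified (no backslash escapes or single quotes).

```python
import re
from dataclasses import dataclass
from typing import List

# Added example: simplified model of httpd's directive tokeniser and of how
# mod_authnz_ldap reads AuthLDAPURL. Backslash escapes and single quotes are omitted.

def split_directive_args(line: str) -> List[str]:
    """Whitespace separates arguments unless it sits inside double quotes."""
    return [t[1:-1] if t.startswith('"') else t
            for t in re.findall(r'"[^"]*"|\S+', line.strip())]

@dataclass
class LdapUrl:
    scheme: str
    hosts: List[str]              # more than one host = failover list, tried in order
    basedn: str
    attribute: str = "uid"        # documented default when ?attribute is omitted
    scope: str = "sub"            # documented default; "base" is also treated as sub
    filter: str = "(objectClass=*)"  # documented default when ?filter is omitted

def parse_auth_ldap_url(url: str) -> LdapUrl:
    m = re.fullmatch(r"(ldaps?)://([^/]*)/([^?]*)(?:\?([^?]*))?(?:\?([^?]*))?(?:\?(.*))?", url)
    if not m:
        raise ValueError(f"not an LDAP URL: {url!r}")
    scheme, hostpart, basedn, attr, scope, flt = m.groups()
    u = LdapUrl(scheme, hostpart.split() or ["localhost"], basedn)
    if attr:
        u.attribute = attr.split(",")[0]  # the module only uses the first attribute listed
    if scope == "one":
        u.scope = "one"
    if flt:
        u.filter = flt
    return u

def check_auth_ldap_url_line(line: str) -> LdapUrl:
    """Validate one line of the form: AuthLDAPURL url [NONE|SSL|TLS|STARTTLS]."""
    args = split_directive_args(line)
    if not args or args[0].lower() != "authldapurl":
        raise ValueError("not an AuthLDAPURL directive")
    if len(args) == 3 and args[2].upper() not in {"NONE", "SSL", "TLS", "STARTTLS"}:
        raise ValueError(f"unexpected extra argument {args[2]!r}; is the URL quoted?")
    if len(args) not in (2, 3):
        raise ValueError(f"AuthLDAPURL takes one URL argument, got {len(args) - 1}")
    return parse_auth_ldap_url(args[1])

if __name__ == "__main__":
    base = "ou=intern-users,dc=acc,o=myorg"  # constructed from the thread's example
    for line in (f"AuthLDAPURL ldaps://ldapserver1 ldapserver2/{base}",     # unquoted: rejected
                 f'AuthLDAPURL "ldaps://ldapserver1 ldapserver2/{base}"'):  # quoted: two hosts
        try:
            print(line, "->", check_auth_ldap_url_line(line))
        except ValueError as e:
            print(line, "-> ERROR:", e)
```

Run it and the unquoted line fails with the extra-argument error while the quoted line yields hosts ['ldapserver1', 'ldapserver2'] with attribute uid and scope sub, which is why dropping ?uid?sub in the final config made no difference.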

