在 WAMP 中使用 LDAP 的反向代理身份验证失败
Reverse proxy authentication using LDAP in WAMP is failing
使用反向代理,我已将托管在 WAMP 中的 PHP 应用程序重定向到 Grafana。现在我正在尝试使用 LDAP 对反向代理用户进行身份验证。它给我一个错误 auth_ldap authenticate: user yajana authentication failed; URI /grafana/ [LDAP: ldap_simple_bind() failed][Invalid DN Syntax] 和 denied (no authenticated user yet).
如何解决这个错误?
这是我的 httpd.conf 文件:
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule xml2enc_module modules/mod_xml2enc.so
<Directory />
AllowOverride none
Require all denied
</Directory>
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
<VirtualHost *:80>
ServerName localhost
RewriteEngine on
ErrorLog "logs/authproxy-error_log"
CustomLog "logs/authproxy-access_log" common
<Location "/grafana/">
LDAPReferrals off
AuthType Basic
AuthName GrafanaAuthProxy
AuthBasicProvider ldap
AuthLDAPURL "ldap://localhost:389/dc=maxcrc,dc=com"
AuthLDAPBindDN "cn=Manager,dc=maxcrc,dc=com"
AuthLDAPBindPassword "secret"
AuthLDAPGroupAttributeIsDN off
Require ldap-filter ldapsettingshere
AuthLDAPMaxSubGroupDepth 1
RequestHeader unset Authorization
allow from all
Require valid-user
</Location>
<Proxy *>
# Require valid-user
RewriteEngine On
RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
</Proxy>
RequestHeader unset Authorization
ProxyRequests Off
ProxyPass /grafana/ http://localhost:3000/
ProxyPassReverse /grafana/ http://localhost:3000
</VirtualHost>
Include "${INSTALL_DIR}/alias/*"
错误日志是
authorization result of Require ldap-filter ldapsettingshere: denied (no authenticated user yet)
authorization result of Require valid-user : denied (no authenticated user yet)
authorization result of <RequireAny>: denied (no authenticated user yet)
authorization result of Require ldap-filter ldapsettingshere: denied (no authenticated user yet)
authorization result of Require valid-user : denied (no authenticated user yet)
authorization result of <RequireAny>: denied (no authenticated user yet)
auth_ldap authenticate: using URL ldap://localhost:389/dc=maxcrc,dc=com
auth_ldap authenticate: user yajana rao authentication failed; URI /grafana/ [User not found][No Such Object]
user yajana rao not found: /grafana/
apache 版本:2.4.23
更新:
根据答案更新bind_dn
AuthLDAPBindDN "Manager@maxcrc.com"
简单绑定请求中的绑定 DN 必须是完整 DN。因此 AuthLDAPBindDN must contain a DN string like defined in RFC 4514。 “Manager@maxcrc.com”之类的值仅适用于 MS AD,不适用于任何其他 LDAP 服务器。
AuthLDAPURL "ldap://localhost:389/dc=maxcrc,dc=com"
此外,在检查用户密码之前,必须将用户名映射到完整的绑定 DN。 mod_authnz_ldap 将默认假定 uid 是要在搜索中使用的 LDAP 属性。但是您可以通过在 AuthLDAPUrl 中设置 attribute 来为您的 LDAP 服务器调整它。如果您使用的是 MS AD,则为 sAMAccountName.
我已经能够通过将 AuthLDAPURL 编辑为
来解决问题
AuthLDAPURL "ldap://localhost:389/dc=maxcrc,dc=com?cn,ou?sub"
使用反向代理,我已将托管在 WAMP 中的 PHP 应用程序重定向到 Grafana。现在我正在尝试使用 LDAP 对反向代理用户进行身份验证。它给我一个错误 auth_ldap authenticate: user yajana authentication failed; URI /grafana/ [LDAP: ldap_simple_bind() failed][Invalid DN Syntax] 和 denied (no authenticated user yet).
如何解决这个错误?
这是我的 httpd.conf 文件:
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule xml2enc_module modules/mod_xml2enc.so
<Directory />
AllowOverride none
Require all denied
</Directory>
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
<VirtualHost *:80>
ServerName localhost
RewriteEngine on
ErrorLog "logs/authproxy-error_log"
CustomLog "logs/authproxy-access_log" common
<Location "/grafana/">
LDAPReferrals off
AuthType Basic
AuthName GrafanaAuthProxy
AuthBasicProvider ldap
AuthLDAPURL "ldap://localhost:389/dc=maxcrc,dc=com"
AuthLDAPBindDN "cn=Manager,dc=maxcrc,dc=com"
AuthLDAPBindPassword "secret"
AuthLDAPGroupAttributeIsDN off
Require ldap-filter ldapsettingshere
AuthLDAPMaxSubGroupDepth 1
RequestHeader unset Authorization
allow from all
Require valid-user
</Location>
<Proxy *>
# Require valid-user
RewriteEngine On
RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
</Proxy>
RequestHeader unset Authorization
ProxyRequests Off
ProxyPass /grafana/ http://localhost:3000/
ProxyPassReverse /grafana/ http://localhost:3000
</VirtualHost>
Include "${INSTALL_DIR}/alias/*"
错误日志是
authorization result of Require ldap-filter ldapsettingshere: denied (no authenticated user yet)
authorization result of Require valid-user : denied (no authenticated user yet)
authorization result of <RequireAny>: denied (no authenticated user yet)
authorization result of Require ldap-filter ldapsettingshere: denied (no authenticated user yet)
authorization result of Require valid-user : denied (no authenticated user yet)
authorization result of <RequireAny>: denied (no authenticated user yet)
auth_ldap authenticate: using URL ldap://localhost:389/dc=maxcrc,dc=com
auth_ldap authenticate: user yajana rao authentication failed; URI /grafana/ [User not found][No Such Object]
user yajana rao not found: /grafana/
apache 版本:2.4.23
更新: 根据答案更新bind_dn
AuthLDAPBindDN "Manager@maxcrc.com"
简单绑定请求中的绑定 DN 必须是完整 DN。因此 AuthLDAPBindDN must contain a DN string like defined in RFC 4514。 “Manager@maxcrc.com”之类的值仅适用于 MS AD,不适用于任何其他 LDAP 服务器。
AuthLDAPURL "ldap://localhost:389/dc=maxcrc,dc=com"
此外,在检查用户密码之前,必须将用户名映射到完整的绑定 DN。 mod_authnz_ldap 将默认假定 uid 是要在搜索中使用的 LDAP 属性。但是您可以通过在 AuthLDAPUrl 中设置 attribute 来为您的 LDAP 服务器调整它。如果您使用的是 MS AD,则为 sAMAccountName.
我已经能够通过将 AuthLDAPURL 编辑为
来解决问题AuthLDAPURL "ldap://localhost:389/dc=maxcrc,dc=com?cn,ou?sub"