Apache Active Directory mod_authnz_ldap not working
For the past few days I have been trying to get AD authentication working on a virtual host page, to no avail. Help...
CentOS 7
Apache 2.4.6
mod_ldap and mod_authnz_ldap are installed and loading.
<VirtualHost *:80>
DocumentRoot /var/www/wwwtest/public
ServerName wwwtest.example.com
ErrorLog logs/wwwtest.example.com-error_log
CustomLog logs/wwwtest.example.com-access_log common
<Directory /var/www/wwwtest/public>
Allow from all
Order Allow,Deny
Options Indexes MultiViews FollowSymLinks
AllowOverride None
AuthType Basic
AuthName "login"
AuthBasicProvider ldap
AuthLDAPBindDN ldapuser@EXAMPLE.COM
AuthLDAPBindPassword ldappassword
AuthLDAPURL "ldap://ldap01.example.com:3268/ou=employees,ou=users,dc=example,dc=com?sAMAccountName?sub?(objectClass=user)"
AuthLDAPBindAuthoritative off
Require valid-user
</Directory>
</VirtualHost>
I enabled trace8 in /etc/httpd/conf/httpd.conf, and this is what I see in /var/log/httpd/wwwtest.example.com-error.log:
[Wed Oct 21 12:12:56.213178 2015] [http:trace4] [pid 20648] http_request.c(301): [client 172.16.250.250:49559] Headers received from client:
[Wed Oct 21 12:12:56.213263 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Host: wwwtest.example.com
[Wed Oct 21 12:12:56.213278 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:41.0) Gecko/20100101 Firefox/41.0
[Wed Oct 21 12:12:56.213284 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[Wed Oct 21 12:12:56.213289 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Accept-Language: en-US,en;q=0.5
[Wed Oct 21 12:12:56.213293 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Accept-Encoding: gzip, deflate
[Wed Oct 21 12:12:56.213297 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] DNT: 1
[Wed Oct 21 12:12:56.213301 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Connection: keep-alive
[Wed Oct 21 12:12:56.213305 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Cache-Control: max-age=0
[Wed Oct 21 12:12:56.213309 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Authorization: Basic RTAxMDEwMTAxOkNvbmNvcmRpYTIwMTU=
[Wed Oct 21 12:12:56.213530 2015] [authz_core:debug] [pid 20648] mod_authz_core.c(809): [client 172.16.250.250:49559] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Oct 21 12:12:56.213556 2015] [authz_core:debug] [pid 20648] mod_authz_core.c(809): [client 172.16.250.250:49559] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Oct 21 12:12:56.213644 2015] [authnz_ldap:debug] [pid 20648] mod_authnz_ldap.c(501): [client 172.16.250.250:49559] AH01691: auth_ldap authenticate: using URL ldap://ldap01.example.com:3268/ou=employees,ou=users,dc=example,dc=edu?sAMAccountName?sub?(objectClass=user)
[Wed Oct 21 12:12:56.213705 2015] [authnz_ldap:trace1] [pid 20648] mod_authnz_ldap.c(522): [client 172.16.250.250:49559] auth_ldap authenticate: final authn filter is (&(objectClass=user)(sAMAccountName=TESTUSER))
[Wed Oct 21 12:12:56.215123 2015] [ldap:debug] [pid 20648] util_ldap.c(372): AH01278: LDAP: Setting referrals to On.
[Wed Oct 21 12:12:56.216479 2015] [ldap:trace2] [pid 20648] util_ldap.c(591): [client 172.16.250.250:49559] ldap_simple_bind() failed with server down (try 1)
[Wed Oct 21 12:12:56.217336 2015] [ldap:trace2] [pid 20648] util_ldap.c(591): [client 172.16.250.250:49559] ldap_simple_bind() failed with server down (try 2)
[Wed Oct 21 12:12:56.217358 2015] [ldap:trace2] [pid 20648] util_ldap.c(606): [client 172.16.250.250:49559] attempt to re-init the connection
[Wed Oct 21 12:12:56.217398 2015] [ldap:debug] [pid 20648] util_ldap.c(372): AH01278: LDAP: Setting referrals to On.
[Wed Oct 21 12:12:56.218332 2015] [ldap:trace2] [pid 20648] util_ldap.c(591): [client 172.16.250.250:49559] ldap_simple_bind() failed with server down (try 3)
[Wed Oct 21 12:12:56.219355 2015] [ldap:trace2] [pid 20648] util_ldap.c(591): [client 172.16.250.250:49559] ldap_simple_bind() failed with server down (try 4)
[Wed Oct 21 12:12:56.219392 2015] [ldap:trace2] [pid 20648] util_ldap.c(606): [client 172.16.250.250:49559] attempt to re-init the connection
[Wed Oct 21 12:12:56.219430 2015] [ldap:debug] [pid 20648] util_ldap.c(372): AH01278: LDAP: Setting referrals to On.
[Wed Oct 21 12:12:56.219444 2015] [authnz_ldap:debug] [pid 20648] mod_authnz_ldap.c(539): [client 172.16.250.250:49559] AH01694: auth_ldap authenticate: user TESTUSER authentication failed; URI / [LDAP: ldap_simple_bind() failed][Can't contact LDAP server] (not authoritative)
[Wed Oct 21 12:12:56.219454 2015] [auth_basic:error] [pid 20648] [client 172.16.250.250:49559] AH01618: user TESTUSER not found: /
[Wed Oct 21 12:12:56.219469 2015] [core:trace3] [pid 20648] request.c(119): [client 172.16.250.250:49559] auth phase 'check user' gave status 401: /
[Wed Oct 21 12:12:56.219530 2015] [http:trace3] [pid 20648] http_filters.c(992): [client 172.16.250.250:49559] Response sent with status 401, headers:
[Wed Oct 21 12:12:56.219532 2015] [http:trace5] [pid 20648] http_filters.c(999): [client 172.16.250.250:49559] Date: Wed, 21 Oct 2015 19:12:56 GMT
[Wed Oct 21 12:12:56.219534 2015] [http:trace5] [pid 20648] http_filters.c(1002): [client 172.16.250.250:49559] Server: Apache/2.4.6 (CentOS)
[Wed Oct 21 12:12:56.219536 2015] [http:trace4] [pid 20648] http_filters.c(835): [client 172.16.250.250:49559] WWW-Authenticate: Basic realm="login"
[Wed Oct 21 12:12:56.219538 2015] [http:trace4] [pid 20648] http_filters.c(835): [client 172.16.250.250:49559] Content-Length: 381
[Wed Oct 21 12:12:56.219540 2015] [http:trace4] [pid 20648] http_filters.c(835): [client 172.16.250.250:49559] Keep-Alive: timeout=5, max=100
[Wed Oct 21 12:12:56.219541 2015] [http:trace4] [pid 20648] http_filters.c(835): [client 172.16.250.250:49559] Connection: Keep-Alive
[Wed Oct 21 12:12:56.219542 2015] [http:trace4] [pid 20648] http_filters.c(835): [client 172.16.250.250:49559] Content-Type: text/html; charset=iso-8859-1
I can run ldapsearch with these credentials and it returns the user object from our DC, so the credentials are correct. I ran Wireshark on the DC; it never saw any LDAP packets from that web server. I ran tcpdump on the web server, and it never sent any LDAP packets when I tried to authorize...
We got AD authentication working via PHP in about 10 minutes, but I had been working on this for days before that... Sure, it can authenticate now, but I would like to know why mod_ldap and mod_authnz_ldap are not working... or... what is not working.
Also, I am somewhat new to Apache... so the problem is most likely a misunderstanding on my part.
Thanks in advance.
UPDATE: Apparently it works just fine on Debian. (Apache 2.2.22, but still.) Sigh.
SOLVED: Apparently I am new to Linux as well.
Of course it was SELinux. Even though I had set it from Enforcing to Permissive (and eventually to Disabled), I did not know that the only way to apply that change is apparently a reboot (or setenforce 0). Rebooted, and everything works because SELinux is now disabled. Then I found that the SELinux log is in /var/log/audit/audit.log. It had a bunch of:
type=AVC msg=audit(1445466425.176:1849): avc: denied { name_connect } for pid=21184 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
So to allow httpd to access ldap, I followed this post and did:
# getsebool -a | grep ldap
authlogin_nsswitch_use_ldap --> off
httpd_can_connect_ldap --> off
# setsebool httpd_can_connect_ldap 1
# getsebool -a | grep ldap
authlogin_nsswitch_use_ldap --> off
httpd_can_connect_ldap --> on
After that, auth works perfectly with Firewalld enabled and SELinux Enforcing. This also explains why tcpdump never showed the ldap bind attempt.
Yeah, hope this helps someone else who might be stuck.
Bottom line: learn more about SELinux.
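As an added example (not code from the original post), the triage the answer did by hand can be scripted: read audit.log-style AVC lines, keep the name_connect denials for comm="httpd", map each labelled port type to the SELinux boolean that permits it, and compare against "getsebool -a" output. Both sample inputs are constructed; the boolean names are the CentOS 7 targeted-policy ones, and httpd_can_connect_ldap is the one the post enabled.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed sample inputs below:
# three httpd name_connect denials (two LDAP ports, one PostgreSQL port) and
# one sshd denial that must be ignored, plus a getsebool -a style listing.
SAMPLE_AUDIT='type=AVC msg=audit(1445466425.176:1849): avc:  denied  { name_connect } for  pid=21184 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1445466430.001:1850): avc:  denied  { name_connect } for  pid=21184 comm="httpd" dest=3268 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1445466431.002:1851): avc:  denied  { name_connect } for  pid=21200 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1445466432.003:1852): avc:  denied  { name_connect } for  pid=999 comm="sshd" dest=389 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket'

SAMPLE_SEBOOL='authlogin_nsswitch_use_ldap --> off
httpd_can_connect_ldap --> off
httpd_can_network_connect --> off
httpd_can_network_connect_db --> on'

# Port type -> the narrowest httpd boolean that opens it. Unknown types fall
# back to the broad httpd_can_network_connect, which is the coarser choice.
boolean_for_port_type() {
  case "$1" in
    ldap_port_t)                     echo httpd_can_connect_ldap ;;
    postgresql_port_t|mysqld_port_t) echo httpd_can_network_connect_db ;;
    *)                               echo httpd_can_network_connect ;;
  esac
}

# $1: audit log text. Prints "port_type boolean" once per distinct port type
# that httpd was denied name_connect on, sorted by port type.
httpd_connect_denials() {
  printf '%s\n' "$1" |
    grep 'type=AVC' | grep -F '{ name_connect }' | grep 'comm="httpd"' |
    sed -n 's/.*tcontext=[^:]*:[^:]*:\([a-z_]*\):.*/\1/p' | sort -u |
    while read -r ptype; do
      printf '%s %s\n' "$ptype" "$(boolean_for_port_type "$ptype")"
    done
}

# $1: "getsebool -a" output, $2: report from httpd_connect_denials.
# Prints the booleans still off, i.e. what to pass to "setsebool -P <name> 1".
booleans_to_enable() {
  printf '%s\n' "$2" | while read -r _ptype bool; do
    printf '%s\n' "$1" | grep -q "^$bool --> on\$" || echo "$bool"
  done | sort -u
}

report="$(httpd_connect_denials "$SAMPLE_AUDIT")"
echo "httpd denials:"; echo "$report"
echo "booleans to enable:"; booleans_to_enable "$SAMPLE_SEBOOL" "$report"
```

On a live host, feed it the output of `ausearch -m avc -c httpd` and `getsebool -a` instead of the samples; note that the post's `setsebool` call without `-P` does not survive a reboot.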