I have a CentOS server running a Drupal, and its using the ldap module to provide SSO in to a domain, so users do not have to login.
I did not setup this and I had never used Kerberos, so I am really struggling here, even after reading how to set it up from scratch. I have no idea why it just stopped working. I did no changes to the setup, and the people managing the authentication controller/server claim they did no changes on their side.
Funny thing, we have other almost identical server which is still working properly. (They each have their own keytabs).
The vhosts.conf file for apache is like this:
AuthType Kerberos
AuthName "Intranet Login"
KrbServiceName HTTP/intranet#INTRANET.DDL.COM
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbAuthRealms INTRANET.DDL.COM
KrbLocalUserMapping on
Krb5Keytab /etc/httpd/conf/intranet.keytab
require valid-user
ErrorDocument 401 /path/login-simple.php
When people try to access this site, they get prompted for user name and password, (Not drupal's, but apparently kerberos?) If they cancel, then they get sent to the ErrorDocument, where they are redirected to drupal and can login manually.
They didnt used to get this prompt.
The server where the keytab was originally produced, was shut down about 3 months ago, and just yesterday I started getting this issue. I am not even sure how it was still working. As far as I understand, it was just a domain controller, and they moved it to other server which provides the same service.
Yet...the other Drupal site, which has almost the exact same setup as this one, and also used to work with the old domain controller...IS working.
In the /etc/krb5.conf I changed the kdc, master_kdc, and admin_server to point to the new server that replaced the old domain controller. (But again, this was not needed in the other drupal site/server, and it is working, somehow)
Running klist on the keytab I get something like:
KVNO Timestamp Principal
____ ___________________ ___________________________
3 01/01/70 10:00:00 HTTP/intranet#INTRANET.DDL.COM
3 01/01/70 10:00:00 HTTP/intranet#INTRANET.DDL.COM
3 01/01/70 10:00:00 HTTP/intranet#INTRANET.DDL.COM
3 01/01/70 10:00:00 HTTP/intranet#INTRANET.DDL.COM
3 01/01/70 10:00:00 HTTP/intranet#INTRANET.DDL.COM
And running kvno HTTP/intranet#INTRANET.DDL.COM gets me
HTTP/intranet#INTRANET.DDL.COM: kvno = 3
Any help would be most appreciated. I just have no idea how to even debug this after working on it for a while.
The issue was that the client's clock had drifted off for more than the 5 minutes tolerance for server-server authentication.
This was because the NTP server used by the client was decommissioned a few months ago, so the clock was no longer syncing.
Related
After hours of searching the web and trying dozens of unsuccessful solutions - here is my question.
I'm currently configuring a webserver on RHEL 6.4 and httpd 2.2.15 behind another RHEL 6.4 server using squid 3.1.10 and HTTPS only. I'm also using mod_rpaf to simplify logging and identification of visitors behind the proxy.
My problem is to configure a simple password protected folder. When I try to access the folder, the password dialog pops up with the configured AuthName. So I know that the .htaccess is being parsed. But the dialog does not accept the correct credentials and gives me an error 401.
I messed around with:
different permissions for .htaccess, .htpasswd and parent folders
different absolute locations for the .htpasswd
all activated Apache modules that are available on my system
different encryption algorithms for .htpasswd (crypt, md5, sha, salted sha...)
AllowOverride All on the protected and parent folder
But what I really do not understand that even if I put a wrong location for AuthUserFile there is no error message in Apaches error_log like the well known Permission denied: Could not open password file. Even on LogLevel debug Therefore I think that something is wrong with that Directive AuthUserFile.
I hope there is someone out there knowing better methods to identify the problem.
This is my simple .htaccess I'm using for testing:
AuthType Basic
AuthName "Test123"
#AuthUserFile /var/www/test/.htpasswd
AuthUserFile /notexisting
Require valid-user
Finally I got it to work!
I tracked the error down to the squid reverse proxy by using lynx on my webserver and successfully accessing the protected folder from there.
With my new focus on squid I started googling again. Already the first link took me to the correct answer: squid did not allow the apache to handle user authentication.
Resulution:
Add login=PASS to the cache_peer command in your squid.conf
OS: Linux OpenSUSE
Version control - Mercurial
Apache2
I run http ://my.os.name/ it gives me a page - thus apache is running.
I run http ://my.os.name:/hg - It shows me Mercurial page, thus mercurial is
showing up on http Internet Explorer page.
I'm able to create repositories/or do normal work in Mercurial.
What I need.
1. When I open the above Hg link
then, instead of showing me the Mercurial(Hg) repository page home page, it should first check whether I belong to my company or not i.e. it should authenticate using Windows Active Directory or LDAP server.
If I'm making any changes to a file or create a directory / repository in Hg, then it should make sure / authenticate/verify whether I have valid access to do that operation or not.
HOW can I do this, I need step by step help as I'm new in Apache/Mercurial authentication setup.
I have almost read all the Online help in setting this up and so far I'm able to get to a point whether when I open Hg link, I get a popup for username/password prompt, but its not taking it / not working.
I also dont want to create .htpasswd/ .htaccess or digest files. What I'm wondering is that if in Windows Active Directory, if I have a Security group created for ex: Company/Project1_readers, Company/Project1_Contributors, Company/Project1_Repository1_Readers, Company/Project1_Repository2_Contributors... and in those AD security group ids, if I have all the developers added, then using these groups in AD, I want to grant access to developers instead of adding those users in .hg/hgrc file.
(This is what usually we do in TFS (Team foundation Server) to grant/revoke access) instead of messing with files (adding/removing users) in every repository etc.
How can I do the above?
Kindly advise if the best way is only creating .htpasswd/.htaccess/.htdigest etc files...if I'm wrong in achieving the above scenario.
My httpd.conf file Includes another .conf file (which contains)
=========================================
<Directory /srv/www/hg>
Order deny,allow
Deny from All
AuthType Basic
# #AuthName "Apache Web Site: Login with your AD(Active Directory) credentials"
AuthName "Mercurial Repositories"
#
#
# AuthBasicProvider ldap
# AuthzLDAPAuthoritative off
# #AuthLDAPURL ldap://10.211.16.1:389/OU=TSH,DC=tsh,DC=Mason,DC=com?sAMAccountName
# AuthLDAPURL "ldap://10.211.16.1:389/?samAccountName?sub?(objectClass=user)"
## #ldap://ldap.your-domain.com:389/o=stooges?uid?sub
# AuthLDAPBindDN "cn=xyzserver,OU=Services,OU=Users,OU=Infrastructure,OU=DEN,OU=KSH,DC=Psh,DC=Mason,DC=com"
# #"cn=StoogeAdmin,o=stooges"
# AuthLDAPBindPassword secret1
require valid-user
# require ldap-user
Satisfy any
</Directory>
When I'm using the abvoe LDAP URL in Jenkins, Jenkins is successfully authenticating a user while logging in, then why the same is not working when it's in this server's .conf file. Note, in apache2, the above doesn't have to be in httpd.conf file. Include concept is letting me include the file.conf and file.conf contains the above code. This is as per Apache2 directions as mentioned in httpd.conf file.
Rest of the mercurial files hgwebdir.cgi, hgweb.cgi, hgweb.config are all good (as per online blogs I have read).
I have all the required modules loaded (as they are visible in /etc/apache2/sysconfig.d/loadmodule.conf file (modules which are required for LDAP auth i.e. mod_ldap, mod_authz_ldap etc etc related to ldap and apache).
OK, Prompt part which was not taking my Windows Ldap credentials is now working.
What did I put wrong.
- See line: for AuthLDAPURL and AuthLDAPBindPassword, those were the culprits in my post shown above.
- Cause was, I was new to Windows AD/LDAP concept, so couldn't get a hold of anyone from Systems team in my company. So tried my own hands. The first line for AuthLDAPURL, I got from the GLOBAL configuration file (config.xml) of one of our Jenkins instance.
Jenkins GUI for showing config doesn't show passwords (as they are masked) so there you'll see Manager's DN password as "* * * * * *".
So, I thought I should open the config.xml file of Jenkins instance and got the password "secret1" from there. Actually "secret1" is just an example, in reality it was some crazy value over there like "VVX12##!5GH".
So basically I used that earlier which didn't work as for LDAP authentication to work correctly, you have to talk to someone in SYSTEMS team or the person WHO actually did the setup in Jenkins instance for LDAP authentication there.
Finally I got the password, and it worked.
Resolution: See below what I changed.
One important thing to notice is that, in Jenkins, AUTHURL for LDAP was:
AuthLDAPURL ldap://10.211.16.1:389/OU=TSH,DC=tsh,DC=Mason,DC=com?sAMAccountName
but,
from a Unix/Linux/in my case, SUSE machine, we have to change this line a little bit to
AuthLDAPURL ldap://10.211.16.1:389/OU=TSH,DC=tsh,DC=Mason,DC=com?sAMAccountName?sub
For more on this (Apache2.2 on connecting to Windows AD(Active Directory) authentication):
PS: http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginSiteProtection.html
and then
- I put the correct password for cn=xyzserver (Manager DN user id) in the file and all was good then.
Snapshot of apache config file or the file which you have created separately and included in your httpd.file or through /etc/sysconfig/apache2 filer (variable APACHE_INCLUDE...) now looks like:
<Directory /srv/www/htdocs/hg>
Order deny,allow
Deny from All
AuthType Basic
AuthName "LDAP Access - Mercurial"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL ldap://10.211.16.1:389/OU=TSH,DC=tsh,DC=Mason,DC=com?sAMAccountName?sub
#AuthLDAPURL "ldap://10.211.16.1:389/OU=TSH,DC=Mason,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "cn=xyzserver,OU=Services,OU=Users,OU=Infrastructure,OU=DEN,OU=KSH,DC=Psh,DC=Mason,DC=com"
AuthLDAPBindPassword CorrectPassword!
# require ldap-user c149807
# AuthUserFile "/dev/null"
require valid-user
Satisfy any
</Directory>
I'll work on getting the user access part now on the actual repository as Auth part is done from IE(Internet Explorer) to Hg(Mercurial) from Linux/Unix/OpenSUSE machine.
if prompted multiple times for user credentials in mercurial. Setup Mercurial_Keyring and then
this question comes which nobody explained in an easy way.
??? how to make the [auth] xx.prefix = servername/hg_or_something work for all repositories under servername/hg location either if I use servername, servername's IP or servername's FQDN ?
ANSWER: Arun • 2 minutes ago
−
OK, I put this in ~/.hgrc (Linux/Unix -home directory's .hgrc hidden file) or Windows users %UserProfile%/mercurial.ini or %HOME%/mercurial.ini file.
[auth]
default1.schemes = http https
default1.prefix = hg_merc_server/hg
default1.username = c123456
default2.schemes = http https
default2.prefix = hg_merc_server.company.com/hg
default2.username = c123456
default3.schemes = http https
default3.prefix = 10.211.222.321/hg
default3.username = c123456
Now, I can checkout using either Server/IP/Server's FQDN.
Apache asks the password for each subdomain with htpasswd.
I want that he would ask the password at the first input and remembered me for all subdomains
I use the following code:
AuthType Basic
AuthName "Projects"
AuthUserFile /blablabla/baz.htpasswd
Require valid-user
Actually Apache httpd asks for your user credentials on every request on every subdomain. It's your web browser, which caches your credentials (per hostname) and sends them on every subsequent request on the same hostname.
You can't really circumvent that behaviour without full control over your clients' software if you want to keep the different subdomains.
I'm trying to use LDAP authentication for a Subversion repository, accessed via Apache HTTP Server.
Whatever I try, Apache generates the following error message:
authentication failed; URI /repos/branches/my-branch [ldap_search_ext_s() for user failed][Operations Error]
I've used the AD explorer from Sysinternals to connect to my AD server, and can see data in there, so I presume it's a problem with my LDAP URL search string. I've tried several variations, but always get the above error. Here's what I have in my httpd.conf. Any suggestions or ideas to diagnose this would be appreciated.
<Location /repos>
DAV svn
SVNPath C:\repos
AuthType Basic
AuthzLDAPAuthoritative off
AuthBasicProvider ldap
AuthName "IT Subversion repository"
AuthLDAPURL "ldap://x.y.z.com:389/DC=y,DC=z,DC=com?sAMAccountName?sub?(objectClass=user)" NONE
Require valid-user
</Location>
My problem was sold by changing port from 389 to 3268. Port 389 looks only for Local Direcotry but 3268 looks for Global Directory. Confusing is that in LDAP browser (JXplorer for example) works both ports properly.
It appears that you're using Active Directory, which does not allow anonymous binding. Try adding the following:
# Active Directory requires an authenticating DN to access records
# This is the DN used to bind to the directory service
# This is an Active Directory user account.
AuthLDAPBindDN "CN=someuser,CN=Users,DC=y,DC=z,DC=com"
# This is the password for the AuthLDAPBindDN user in Active Directory
AuthLDAPBindPassword some_secret_password
I had something simular, although stranger. At first it when testing, but after some Apache restarts and configuration fine-tuning it stopped working.
After a long search on the internet, it appears I had to change the port from 389 to 3268. This solved my "[ldap_search_ext_s() for user failed][Operations Error]" errors for some reason. I still don't understand why, or why it worked at first, but it did for me.
Had the same problem, you need to specify in /etc/ldap/ldap.conf:
REFERRALS off
Solved my problem.
I had this problem recently you need to add 3 additional parameters
AuthLDAPBindDN "CN=someuser,CN=Users,DC=y,DC=z,DC=com"
AuthLDAPBindPassword some_secret_password
Like jgnagy suggested, also it also helped me when i added
Satisfy Any
LDAPReferrals just plain didn't exist in earlier versions, so there's nothing to turn off, really...
I guess if you managed to match a newer LDAP/Apache which has LDAP Referral as an option, and were trying to use and older AD, you'd have to turn it off.
For anybody else finding this, you should try these in order:
telnet YOUR_AD_SERVER 389
Either you get a Connect and something like Escape character is ~, or you've got the wrong name/IP for your AD, or your firewalls are blocking access from your computer to AD on port 389.
Next, install the openldap command line tools, openldap-clients, and see if you can use ldapsearch (read the man page) to perform a search directly to your AD server, without Apache in the middle.
I have a domain that will be accessed by a small, private group of people. So I want to control access via authentication.
The domain has a collection of applications installed that each have their own sub-domain. Eg: domain.com, app1.domain.com, app2.domain.com, app3.domain.com
I'd love to have a single sign-on solution so they don't have to authenticate themselves for each application. Also, the applications are written in different languages (PHP, Python and Perl) so authenticating users through an Apache module is ideal.
I am new to digest authentication, but it seems like a good solution. I have used htdigest to create my users. I have configured my domain and sub-domains (See below).
If I go to the domain or any of the sub-domains it will prompt for a username and password. If I enter a correct username and password, it will authenticate me and the page will load. However, if I go to another sub-domain, it will ask for me to enter a username and password again. If I enter the same username and password, it will work.
So the password file is OK, and authentication is OK, but the problem seems to lie in the configuration of the AuthDigestDomain.
I have searched all over the net to find an example of using Digest authentication on multiple domains, but I cannot find a specific example that solves my problem.
I am hoping someone here can assist. Do I put the same authentication information in every Directory? Should I be using Directory or Location or Files? Have I missed something all-together?
Thanks in advance!
Below is an example of my Apache config for domain.com:
<Directory /var/www>
AuthType Digest
AuthName "realm"
AuthDigestAlgorithm MD5
AuthDigestDomain / http://domain.com/ http://app1.domain.com/ http://app2.domain.com/ http://app3.domain.com/
AuthDigestNcCheck Off
AuthDigestNonceLifetime 0
AuthDigestQop auth
AuthDigestProvider file
AuthUserFile /etc/apache2/.htpasswd-digest
AuthGroupFile /dev/null
Require valid-user
</Directory>
And here is an example of app1.domain.com:
<Directory /var/lib/app1>
AuthType Digest
AuthName "realm"
AuthDigestAlgorithm MD5
AuthDigestDomain / http://domain.com/ http://app1.domain.com/ http://app2.domain.com/ http://app3.domain.com/
AuthDigestNcCheck Off
AuthDigestNonceLifetime 0
AuthDigestQop auth
AuthDigestProvider file
AuthUserFile /etc/apache2/.htpasswd-digest
AuthGroupFile /dev/null
Require valid-user
</Directory>
To baffle things even further, this works when using IE6, but not Firefox or Chrome. Is it the clients not sending the authentication properly, or is is the server not sending the correct credentials?
I have also been reading up on RFC 2617 and written the authentication headers using PHP to ensure that the request/response challenge is correct. This hasn't helped at all!
Most browsers do not respect the Digest "domain" directive and will not resend credentials for other URIs. As far as I know, Opera is the only browser that honors it.
For Opera, the server(s) must respond with the same "realm" string for each URI in the domain list. In other words, if domain="/test /example", the server needs to send "Test Realm - example.com" in the WWW-Authenticate header for both of those URIs. I assume Opera does this because it stores H(A1) instead of the actual password for security. Read into RFC2617 for more on this.
Here's my cross-browser solution to this problem: http://travisce.com/arest/
I have no experience with something like this myself. But I just took a look at the Apache documentation and found this:
The AuthDigestNonceLifetime directive
controls how long the server nonce is
valid. [...] If seconds is less than 0
then the nonce never expires.
So it seems to me that 0 seconds (the value you are using) is either illegal or really tells Apache to expire the nonce after 0 seconds which would exactly explain the behavior you are geting.
Could a wildcard on the AuthDigestDomain help?
*.domain.com