LDAP Authentication issues - ldap

I have installed Thruk 3.0 and Naemon. I am following the instructions on
https://www.thruk.org/documentation/install-webserver.html
I am using LDAP, not Active Directory.
From my Thruk log:
login failed for jprouty on /thruk/ from 10.17.74.37
My Apache error log shows:
user jprouty not found: /thruk/cgi-bin/restricted.cgi
<Location /thruk/>
Options ExecCGI FollowSymLinks
AuthName "Thruk Monitoring"
AuthType Basic
# legacy file authentication first, then ldap
AuthBasicProvider file ldap
AuthUserFile /etc/thruk/htpasswd
# ldap
AuthLDAPURL "ldap://ipa.domain.com/cn=users,cn=accounts,dc=domain,dc=com?uid?sub?(memberOf=cn=monitoring,cn=groups,cn=accounts,dc=domain,dc=com)"
AuthLDAPBindDN "uid=httpbind,cn=sysaccounts,cn=etc,dc=domain,dc=com"
AuthLDAPBindPassword "XXXXXXXX"
AuthLDAPRemoteUserAttribute uid
Require valid-user
</Location>
I have tested with ldapsearch and am able to connect with the user/password.
I did a tcpdump and can see the LDAP traffic being sent.

Apache 2.4 with OpenLDAP fails to prompt user login

FreeBSD 11.3, Apache 2.4 with mod_ldap and mod_authz_ldap loaded in httpd.conf.
Here is the configuration for LDAP in httpd.conf:
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
LDAPTrustedGlobalCert CA_BASE64 /usr/local/etc/CA.pem
LDAPTrustedMode SSL
<Directory />
AuthLDAPURL ldaps://ldap.jackyu.org/dc=jackyu,dc=org?uid
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid
AuthLDAPBindDN cn=pamclient,ou=SystemAdmin,dc=jackyu,dc=org
AuthLDAPBindPassword xyz
AuthType basic
AuthName "Secure Access"
AuthBasicProvider ldap
require ldap-group cn=family,ou=group,dc=jackyu,dc=org
AllowOverride None
Order deny,allow
Deny from all
# AuthzLDAPAuthoritative on (this is removed in apache 24)
</Directory>
For Apache 2.2 this configuration works fine, but for Apache 2.4, when a user tries to access the site, it shows forbidden (403 error) without prompting the user with the login popup. The user has no chance to log in.
This Apache 2.4 server can connect to the LDAP server from the shell for user authentication. The problem is that Apache 2.4 doesn't prompt for login when a user tries to access the site.
Here is the configuration that works for Apache 2.4:
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
LDAPTrustedGlobalCert CA_BASE64 /usr/local/etc/CA.pem
LDAPTrustedMode SSL
<Directory />
AuthLDAPURL ldaps://ldap.jackyu.org/dc=jackyu,dc=org?uid
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid
AuthLDAPBindDN cn=pamclient,ou=SystemAdmin,dc=jackyu,dc=org
AuthLDAPBindPassword xyz
AuthType basic
AuthName "Secure Access"
AuthBasicProvider ldap
Require ldap-group cn=family,ou=group,dc=jackyu,dc=org
AllowOverride None
# Order deny,allow (this is removed in apache 24)
# Deny from all (this is removed in apache 24)
# AuthzLDAPAuthoritative on (this is removed in apache 24)
</Directory>

Apache Kerberos Auth file fallback

I've set up Kerberos authentication on my Apache server (Ubuntu 16.04 LTS) with mod_auth_kerb.
The configuration is as follows:
AuthType Kerberos
AuthName "Authentication Required"
KrbAuthRealm MY.DOMAIN
Krb5KeyTab "/path/to/keytab"
KrbMethodK5Passwd On
Require valid-user
It works fine as it is.
But I want to add an authentication fallback to an .htpasswd file in case of a Kerberos failure.
I tried the following:
AuthType Basic
AuthName "Authentication Required"
AuthBasicProvider kerberos file
KrbAuthRealm MY.DOMAIN
Krb5KeyTab "/path/to/keytab"
KrbMethodK5Passwd On
KrbAuthoritative Off
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
But I get an error when restarting:
apache2[7455]: Unknown Authn provider: kerberos
I've set my Apache LogLevel to debug, but there is nothing in the log file...
My mod_auth_kerb version is 5.4-2.2.
Any ideas?
Thanks :)

Integrate Apache Subversion with Active Directory on Windows Server

Initially I installed Apache server 2.4 on Windows Server 2012 R2, installed Apache Subversion 1.8.7, and copied the module files (.so files) from Subversion to the Apache server. I created a repository and set up the "AuthUserFile" and "AuthzSVNAccessFile". I put the following in httpd.conf:
<Location /project1>
DAV svn
SVNPath E:\svn_testing\project1
AuthType Basic
AuthName "Subversion Project1 repository"
AuthUserFile c:/etc/svn-auth-file
Require valid-user
AuthzSVNAccessFile c:/etc/svn-acl
</Location>
I used the TortoiseSVN client to connect to the repository, which connected successfully, and I was able to create and commit files.
Later I wanted to set up authentication with Active Directory, so I added the following to httpd.conf:
<Location /project1>
DAV svn
SVNPath E:\svn_testing\project1
SVNParentPath E:\svn_testing
SVNListparentPath on
Order allow,deny
Allow from all
AuthType Basic
AuthBasicProvider ldap
#AuthzLDAPAuthoritative off
AuthName "Active_directory_integration"
AuthzSVNAccessFile C:\etc\svn-acl
AuthLDAPURL "ldap://***********(ip address):389/DC=*******,DC=com?sAMAccountName?sub?(objectClass=*)"
#this assumes you have created a dedicated bind user "apache_bind" on your active directory
AuthLDAPBindDN "CN=Administrator,CN=users,DC=*******,DC=com"
#warning: this password for AD apache_bind user is in plain text!
AuthLDAPBindPassword *************
#AuthLDAPFollowReferrals off
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
#SSLRequireSSL
require ldap-group OU=********,DC=********,DC=com
#require valid-user
</Location>
But when I try to restart the Apache server it shows "The requested operation has failed". I have checked the log files but there is nothing there.
It seems you are trying to search the whole AD catalog, as you do not specify any OU. This is not supported by Windows AD. However, the whole catalog is available by using port 3268.
Please try this:
AuthLDAPURL "ldap://***********(ip address):3268/DC=*******,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPGroupAttribute member
require ldap-group OU=********,DC=********,DC=com
Organizational Units (ou) don't have the attribute member, according to https://msdn.microsoft.com/en-us/library/ms683886(v=vs.85).aspx.
You should try the DN of the group you want to have access to your repo.
On my server this would look like this:
require ldap-group cn=thegroup,ou=groups,dc=example,dc=com
Notice the cn, which is a groupOfNames with the member attribute in my case.

First login to enter website with username and password

I have been trying Perl, .htaccess and httpd.conf with different usernames and passwords from an LDAP search, but it does not recognize the username and password at all. Maybe I am doing something wrong as a programmer, or what?
Perl:
Package:
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Extension::SetPassword;
Function:
my $ldapserver = "ldap.server.com";
my $dn = "CN=Company IT,OU=Standard Users,OU=Users,OU=Company IT AG,OU=Prod,DC=server,DC=server,DC=com";
# Net::LDAP->new reports its connection error in $@, not $#
my $ldap = Net::LDAP->new( $ldapserver, debug => 0 ) or die "$@";
# the bind password must be a string, not a bareword
my $result = $ldap->bind( $dn, password => 'password' );
#$result->SetPassword('user');
# LDAP filter values are not quoted; "*" matches any entry with the attribute
$result = $ldap->search(
    base   => "OU=Standard Users,OU=Users,OU=Company IT AG,OU=Prod,DC=server,DC=server,DC=com",
    filter => "(mailNickname=*)",
);
httpd:
<Directory "/opt/csw/apache2/share/cgi-bin">
SetEnv LD_LIBRARY_PATH "/opt/csw/apache2/lib:/opt/oracle/product/11.2.0.4/instantclient_11g"
AddHandler cgi-script .cgi .pl .py
AllowOverride Options
Options +ExecCGI
Order allow,deny
Allow from all
AuthName "Enter Your Network Username/Password"
AuthType Basic
AuthBasicProvider ldap
AuthBasicAuthoritative off
AuthLDAPURL ldap://ldap.server.com
AuthLDAPBindDN "CN=Company IT,OU=Standard Users,OU=Users,OU=Company IT AG,OU=Prod,DC=server,DC=server,DC=com"
AuthLDAPBindPassword password
AuthLDAPRemoteUserAttribute mailNickname
require valid-user
</Directory>
htaccess:
AuthName "Enter Your Network Username/Password"
AuthType Basic
Options +ExecCGI
AuthBasicProvider ldap
AuthBasicAuthoritative off
AuthLDAPURL ldap://ldap.server.com
AuthLDAPBindDN "CN=Company IT,OU=Standard Users,OU=Users,OU=Company IT AG,OU=Prod,DC=server,DC=server,DC=com"
AuthLDAPBindPassword password
AuthLDAPRemoteUserAttribute mailNickname
require valid-user
AuthLDAPBindDN must be the user used to query LDAP, and AuthLDAPURL must be not only the LDAP server but the entire LDAP path in Active Directory. Like:
AuthLDAPBindDN "userldap#domain"
AuthLDAPURL "ldap://ldap.server.com/OU=Standard Users,OU=Users,OU=Company IT AG,OU=Prod,DC=server,DC=server,DC=com?sAMAccountName?sub?(objectClass=*)"
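The two answers above (port 3268 for a domain-wide Active Directory search, and an AuthLDAPURL that carries the full base DN rather than just the host) both come down to the shape of the AuthLDAPURL value. The following is an added example, not code from any of the posts: it parses an AuthLDAPURL into its RFC 4516 parts, applies mod_authnz_ldap's defaults for empty fields, and flags the misconfigurations discussed here; the constant name and warning texts are my own.

```python
# Added example: parse an Apache AuthLDAPURL of the form
#   scheme://host[:port]/basedn[?attribute[?scope[?filter]]]
# and warn about the problems the answers above point at.
from urllib.parse import urlsplit, unquote

AD_GLOBAL_CATALOG_PORT = 3268  # port the Active Directory answer above recommends


def parse_auth_ldap_url(url):
    """Return the URL's parts (with mod_authnz_ldap defaults) and a list of warnings."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPURL must start with ldap:// or ldaps://")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    # After the host come the base DN and up to three '?'-separated fields;
    # urlsplit only splits at the first '?', so re-join and split ourselves.
    fields = (unquote(parts.path.lstrip("/")) + "?" + parts.query).split("?")
    fields += [""] * (4 - len(fields))
    base_dn, attribute, scope, filt = fields[:4]
    # Defaults mod_authnz_ldap uses when a field is left empty.
    attribute = attribute or "uid"
    scope = scope or "sub"
    filt = filt or "(objectClass=*)"
    warnings = []
    if not base_dn:
        warnings.append("no base DN: Apache has nowhere to search for the user")
    rdn_types = [r.split("=", 1)[0].strip().lower() for r in base_dn.split(",") if r]
    if rdn_types and all(t == "dc" for t in rdn_types) and port in (389, 636):
        warnings.append("domain-root base on port %d: if this is Active Directory, "
                        "search the whole catalog via port %d instead"
                        % (port, AD_GLOBAL_CATALOG_PORT))
    if scope not in ("base", "one", "sub"):
        warnings.append("invalid scope %r (expected base, one or sub)" % scope)
    if not (filt.startswith("(") and filt.endswith(")")):
        warnings.append("filter %r must be wrapped in parentheses" % filt)
    return {"scheme": parts.scheme, "host": parts.hostname, "port": port,
            "base_dn": base_dn, "attribute": attribute, "scope": scope,
            "filter": filt, "warnings": warnings}


def check_ldap_group_dn(dn):
    """'Require ldap-group' needs a group DN; an OU has no 'member' attribute."""
    first_type = dn.split("=", 1)[0].strip().lower()
    if first_type == "ou":
        return "ldap-group points at an organizational unit, not a group"
    return None


if __name__ == "__main__":
    for url in ("ldap://ldap.server.com",
                "ldap://dc1.domain.com:389/DC=domain,DC=com?sAMAccountName"):
        print(url, "->", parse_auth_ldap_url(url)["warnings"])
```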

LDAP authentication Apache 2.2 error 500

This is my LDAP configuration in Apache 2.2.x:
Order deny,allow
AuthType Basic
AuthName "Test"
AuthBasicProvider ldap
AuthLDAPURL "ldap://dc1.domain.com:389/DC=domain,DC=com?sAMAccountName" NONE
AuthLDAPBindDN "CN=Administrator,CN=Users,DC=domain,DC=com"
AuthLDAPBindPassword "secret"
authzldapauthoritative Off
require valid-user
When I load the page I get the pop-up for username and password.
But when I fill them in I get an internal server error.
If I look in the Apache error log I see no new errors.
If I change my BindPassword to something wrong I do get errors in /var/log/apache2/error.log.
Pulling my hair out!
Try setting "REFERRALS off" in /etc/ldap/ldap.conf.