This is my first time posting so sorry in advance if I do things incorrectly. I will substitute ip's and usernames.
I have a windows Active Directory setup and I am trying to use this for authentication to a webpage I have on a separate Ubuntu 18.04 server. I am attempting to use apache2 (2.4.18) in order to set this up. Documentation online seems fairly straight forward but I have not been successful. First, I cannot use the <Location "/auth"> tags as it seems to simply not work at all. I have to use the <Directory /auth> tag.
The AD server uses a self signed certificate and I have had trouble getting it to trust it with LDAPTrustedGlobalCert. I was getting [Can't contact LDAP server] but LDAPVerifyServerCert Off seems to let me get past that hurdle for now.
The biggest issue that I have is I do not think the bind is working. When just loading the webpage I see this show up in the error log:
[authz_core:debug] [pid 2397] mod_authz_core.c(809): [client <myclientIP>:56969] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[authz_core:debug] [pid 2397] mod_authz_core.c(809): [client <myclientIP>:56969] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
From there I enter credentials to try and authenticate and I get:
[Thu Aug 27 08:36:22.831527 2020] [authnz_ldap:debug] [pid 2396] mod_authnz_ldap.c(520): [client <myClientIP>:56887] AH01691: auth_ldap authenticate: using URL ldaps://<myLDAPIP>/dc=my,dc=example,dc=com?uid
[Thu Aug 27 08:36:22.888784 2020] [authnz_ldap:info] [pid 2396] [client <myClientIP>:56887] AH01695: auth_ldap authenticate: user <myUser> authentication failed; URI /auth/ [LDAP: ldap_simple_bind() failed][Invalid credentials]
[Thu Aug 27 08:36:22.888825 2020] [auth_basic:error] [pid 2396] [client <myClientIP>:56887] AH01617: user <myUser>: authentication failure for "/auth/": Password Mismatch
This is my configuration for apache. I left commented lines in so you can see a couple of the many variations that I have tried:
LDAPVerifyServerCert Off
<Directory "/var/www/html/auth">
AuthType Basic
AuthName "Authentication required"
AuthBasicProvider ldap
AuthLDAPURL ldaps://<myLDAPIP>/dc=my,dc=example,dc=com?uid
#AuthLDAPURL ldaps://<myLDAPIP>:636/cn=Users,dc=my,dc=example,dc=com
AuthLDAPBindDN <myUser>
#AuthLDAPBindDN cn=<myUser>,dc=my,dc=example,dc=com
AuthLDAPBindPassword <myPassword>
Require valid-user
#require ldap-group cn=Users,dc=my,dc=example,dc=com
#require ldap-group cn=Users
LogLevel debug
</Directory>
I have searched all over and tried many configurations but I do not see why it does not work with this one. I have at least three other programs that use LDAPS with this Active Directory server. The difference is they all had built in support for it and I did not have to do anything with apache.
Any help would be appreciated!
Thanks in advance
I actually continued trying multiple configurations and finally found one that worked. Below Is the functioning code:
<Directory "/var/www/html/auth">
AuthType Basic
AuthName "Authentication required"
AuthBasicProvider ldap
AuthLDAPURL "ldaps://<myLDAPIP>/dc=my,dc=example,dc=com?sAMAccountName"
AuthLDAPBindDN "myUser#my.example.com"
AuthLDAPBindPassword "<Password>"
Require valid-user
LogLevel debug
</Directory>
*If your certificate is not trusted you can add LDAPVerifyServerCert Off which should be outside of the virtualhost block
Related
I have implemented LDAP Authentication in Apache 2.4 (RHEL 8.5) with Active Directory Backend. The setup works perfectly with a basic "Require valid-user" directive. Now I need to restrict authentication to a specific group of Active Directory users with "Require ldap-group" directive but authentication is now denied when trying to authenticate with a user member of the authorized group.
Using a basic "Require valid-user" authentication works like a charm, but when using "Require ldap-group" id doesn't. Also I tried "Require ldap-filer" without success.
Active Directory group: my_group
(CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld)
Active Directory user: my_user, member of "my_group"
Apache Log (DEBUG)
[Xxx Xxx XX xx:xx:xx.xx 20XX] [authnz_ldap:debug] [pid 90767:tid 13975006511XXXX] mod_authnz_ldap.c(620): [client XX.XX.XX.XX:40388] AH01697: auth_ldap authenticate: accepting my_user
[Xxx Xxx XX xx:xx:xx.xx 20XX] [authz_core:debug] [pid 90767:tid 13975006511XXXX] mod_authz_core.c(820): [client XX.XX.XX.XX:40388] AH01626: authorization result of Require ldap-group CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld: denied
[Xxx Xxx XX xx:xx:xx.xx 20XX] [authz_core:debug] [pid 90767:tid 13975006511XXXX] mod_authz_core.c(820): [client XX.XX.XX.XX:40388] AH01626: authorization result of <RequireAny>: denied
[Xxx Xxx XX xx:xx:xx.xx 20XX] [authz_core:error] [pid 90767:tid 13975006511XXXX] [client XX.XX.XX.XX:40388] AH01631: user my_user: authorization failure for "/app/":
Apache configuration file "ad.conf":
<AuthnProviderAlias ldap mydc01>
AuthLDAPBindDN bind#domain.tld
AuthLDAPBindPassword XXXXXXXXXXXXXX
AuthLDAPURL ldaps://mydc01.domain.tld/DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)
</AuthnProviderAlias>
<AuthnProviderAlias ldap mydc02>
AuthLDAPBindDN bind#domain.tld
AuthLDAPBindPassword XXXXXXXXXXXXXX
AuthLDAPURL ldaps://mydc02.domain.tld/DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)
</AuthnProviderAlias>
<Directory /var/www/app>
AuthName "AD authentication"
AuthBasicProvider mydc01 mydc02
AuthType Basic
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN off
# OK
# Require valid-user
# Not working
Require ldap-group CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld
# Not working
# Require ldap-filter (memberOf=CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld)
# Not working
# Require ldap-atttibute memberOf="CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld"
</Directory>
I have made a setup of Apache2.4 + FastCgi, PHP-FPM, SuExec which works correctly without Suexec. But when i enable Suexec its giving me File does not exist error (404 Not Found Error in browser when i access php script).
Note: PHP Script works through PHP-FPM when i turn OFF "FastCgiWrapper" but when i turn ON its giving me 404 error.
Apache Error Log (Last Line):
[authz_core:debug] [pid 3906:tid 140546979436288] mod_authz_core.c(802): [client 192.168.91.132:58225] AH01626: authorization result of Require all granted: granted
[authz_core:debug] [pid 3906:tid 140546979436288] mod_authz_core.c(802): [client 192.168.91.132:58225] AH01626: authorization result of <RequireAny>: granted
[authz_core:debug] [pid 3906:tid 140546979436288] mod_authz_core.c(802): [client 192.168.91.132:58225] AH01626: authorization result of Require all granted: granted
[authz_core:debug] [pid 3906:tid 140546979436288] mod_authz_core.c(802): [client 192.168.91.132:58225] AH01626: authorization result of <RequireAny>: granted
[core:info] [pid 3906:tid 140546979436288] [client 192.168.91.132:58225] AH00128: File does not exist: /etc/apache2/fcgi-app/info.php
Configuration:
/etc/apache2/mods-available/fastcgi.conf
FastCgiWrapper On
/etc/apache2/suexec/www-data
/var/www/html
/cgi-bin
/etc/apache2/sites-available/example.net.conf
<VirtualHost *:80>
ServerName example.net
ServerAdmin example#example.net
DocumentRoot /var/www/html/example.net/public_html
LogLevel debug
ErrorLog ${APACHE_LOG_DIR}/error.log
SuexecUserGroup example examplegrp
AddHandler php-fcgi-hand .php
Action php-fcgi-hand /php-fcgi-uri
Alias /php-fcgi-uri fcgi-app
FastCgiExternalServer fcgi-app -socket /var/run/php5-fpm-example.sock -pass-header Authorization -idle-timeout 30000 -flush
<Location /php-fcgi-uri>
Require all granted
</Location>
</VirtualHost>
/etc/php5/fpm/pool.d/example.conf
[example]
user = example
group = examplegrp
listen = /var/run/php5-fpm-example.sock
listen.owner = example
listen.group = examplegrp
listen.mode = 0666
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
/var/www/html/example.net/cgi-bin/php.cgi
#!/bin/sh
PHP_FCGI_CHILDREN=5
export PHP_FCGI_CHILDREN
PHP_FCGI_MAX_REQUESTS=500
export PHP_FCGI_MAX_REQUESTS
exec /var/www/html/example.net/cgi-bin
Folder Structure and Permission
/var/www/html/example.net/cgi-bin/php.cgi
/var/www/html/example.net/public_html/info.php
drwxrwxrwx 13 www-data www-data var
|____drwxr-xr-x 5 www-data www-data www
|____drwxr-xr-x 6 www-data www-data html
|____ drwxr-xr-x 4 example examplegrp example.net
|______ drwxr-xr-x 2 example examplegrp cgi-bin
|_____-r-xr-xr-x 1 example examplegrp php.cgi
|______ drwxr-xr-x 2 example examplegrp public_html
|_____-rwxr-xr-x 1 example examplegrp info.php
I wrote this working configuration long ago and it works on Apache 2.4.x so I'm going to recommend you give it a try https://gist.github.com/diemuzi/3849349. It's too large to post in an answer here. You'll find all the configurations you'll need. You may even see something I have done differently compared to what you have posted here too.
However I will also recommend that you stop thinking about using the FastCgiExternalServer like you are trying and as you will find in my example. But instead look into using the mod_proxy_fcgi. This is a much simpler way of connecting to FPM now and it does support sockets as of recently.
Here is an example of the mod_proxy_fcgi way:
# PHP-FPM via Socket
<IfModule proxy_module>
<IfModule proxy_fcgi_module>
ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/usr/local/php/etc/php-fpm/[USERNAME].sock|fcgi://localhost/vhosts/[DOMAIN]/public/
</IfModule>
</IfModule>
Of course you will want to change the unix: path and the path to your root document too. Notice the localhost part, that is not a mistake. It really does not matter what you put for localhost but I figured it looked better. Yes, my domain is accessible via the IP and Domain even though it says localhost so don't let that fool you.
If you want to use the TCP way of using mod_proxy_fcgi you can do it this way too:
# PHP-FPM via TCP
<IfModule proxy_module>
<IfModule proxy_fcgi_module>
<Location ~ ^/(.*\.php(/.*)?)$>
ProxyPass fcgi://127.0.0.1:[PORT]/vhosts/[DOMAIN]/public/
</Location>
</IfModule>
</IfModule>
Of course make sure the 127.0.0.1:[PORT] matches what you have inside of your FPM Pool, so change it accordingly. Again, make sure you change the path to the document root too.
The three answers I've given you are all working examples. I even tested just before I posted this answer.
You ask for Apache to run as user example, but you set the configuration file for user www-data . The documentation says that the config file /etc/apache2/suexec/www-data is read when the Apache user is www-data. I never experimented with that, but it might be that you need to set the config file /etc/apache2/suexec/example. One thing that I find a bit confusing is these two stages: the Apache user and then the target user, which is allowed to run the target cgi. Suexec runs checks in these two stages. The custom version of suexec allows a different Apache user to run with a different config file, but this is different from the selection of a target user with the SuexecUserGroup Apache directive. We don't need to change the Apache user, if we only want to change the target user, the one that will run the CGI. For that purpose, the pristine version is sufficient. Anyway, this is my understanding. I hope it helps someone.
I have a restricted section of a website that I want to restrict to two LDAP groups. Here are the pertinent lines from httpd.conf:
<AuthnProviderAlias ldap our-ldap>
AuthLDAPBindDN CN=example,OU=example,OU=example,DC=example,DC=com
AuthLDAPBindPassword LamePassword
AuthLDAPURL ldaps://dc4.example.com:636/dc=example,dc=com?sAMAccountName?sub
AuthLDAPGroupAttributeIsDN on
</AuthnProviderAlias>
<Directory /var/www/html/restricted>
Order deny,allow
Allow from all
AuthBasicProvider our-ldap
AuthType Basic
AuthName "Restricted Files"
Require ldap-group CN=group1,OU=example,OU=example,DC=example,DC=com
Require ldap-group CN=group2,OU=example,OU=example,DC=example,DC=com
</Directory>
If I comment out those two "Require ldap-group" lines, it works flawlessly, but with any LDAP user, which I don't want. When I add those lines back in, despite the fact that I'm a member of one of those groups, I can't get in, and ssl_error_log gives me this:
[Sat Jun 28 21:34:53 2014] [error] [client 198.51.100.156] access to /restricted/restricted.html failed, reason: require directives present and no Authoritative handler.
My LDAP server is an Active Directory domain controller, so usernames are sAMAccountName, DNs are distinguishedName, and group member attributes are member, using DNs.
Here's what I'm running:
Server version: Apache/2.2.15 (Unix)
Server built: Mar 20 2014 06:21:02
Any thoughts?
You're requiring the user to be a member of both groups. You need a Satisfy Any.
I'm trying to implement pass directory authentication using:
Auth Name "Restricted Area"
AuthType Basic
AuthUserFile /home/.htpasswd
AuthGroupFile /dev/null
require valid-user
It's 100% correct.
Seems like issue lies in apache modules?
I'm using Apache2 and Ubuntu 13.04
Gives me error:
[Wed Sep 11 22:40:07 2013] [alert] [client xxx.xx.xxx.xx] /home/somebody/public_html/somewebsite/.htaccess: Invalid command 'Auth', perhaps misspelled or defined by a module not included in the server configuration
How can it be fixed?
It should be AuthName instead Auth Name.
Apache documentation for AuthName Directive.
I've set up Pow and Apache the way they suggest in this tutorial. My httpd-vhosts.conf contains the following entry.
<VirtualHost *:80>
DocumentRoot /Users/michael/Dropbox/Development/test
ServerName test.dev
<Directory "/Users/michael/Dropbox/Development/test">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
I'm still getting a 403 Forbidden when I got to http://test.dev/.
Error log says:
[Wed Nov 21 19:24:21 2012] [crit] [client 127.0.0.1] (13)Permission denied: /Users/michael/Dropbox/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
[Wed Nov 21 19:24:43 2012] [error] [client 127.0.0.1] (13)Permission denied: access to / denied
Has anyone else had this problem?
This seems to have nothing to do with Pow. Apache doesn't have the necessary permissions to work within /Users/michael/Dropbox/Development/test.
Please check the permissions of this directory, I think they should be 755. Check them with:
cd /Users/michael/Dropbox/Development/
ls -l
And copy paste the line of the test directory.
The issue was the permissions. It finally worked when I chmod'd the full path to the directory I was working in to 755.
~/, ~/Dropbox, ~/Development...etc.
I'll bet there's a nicer way to do this, but it's working. So, there you go.