Apache Kerberos Auth file fallback - apache

I've set up Kerberos authentication on my Apache server (Ubuntu 16.04 LTS) with mod_auth_kerb.
The configuration is as follows:
AuthType Kerberos
AuthName "Authentication Required"
KrbAuthRealm MY.DOMAIN
Krb5KeyTab "/path/to/keytab"
KrbMethodK5Passwd On
Require valid-user
It works fine as it is.
But I want to add an authentication fallback to an .htpasswd file, in case of a Kerberos failure.
I tried the following:
AuthType Basic
AuthName "Authentication Required"
AuthBasicProvider kerberos file
KrbAuthRealm MY.DOMAIN
Krb5KeyTab "/path/to/keytab"
KrbMethodK5Passwd On
KrbAuthoritative Off
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
But I get an error when restarting:
apache2[7455]: Unknown Authn provider: kerberos
I've set my Apache LogLevel to debug, but there is nothing in the log file...
My mod_auth_kerb version is 5.4-2.2.
Any ideas?
Thanks :)

Related

Ldap Authentication issues

I have installed Thruk 3.0 and Naemon. I am following the instructions on
https://www.thruk.org/documentation/install-webserver.html
I am using LDAP, not Active Directory.
From my Thruk log:
login failed for jprouty on /thruk/ from 10.17.74.37
My Apache error log shows:
user jprouty not found: /thruk/cgi-bin/restricted.cgi
<Location /thruk/>
Options ExecCGI FollowSymLinks
AuthName "Thruk Monitoring"
AuthType Basic
#legacy file authentication first, then ldap
AuthBasicProvider file ldap
AuthUserFile /etc/thruk/htpasswd
#ldap
AuthLDAPURL "ldap://ipa.domain.com/cn=users,cn=accounts,dc=domain,dc=com?uid?sub?(memberOf=cn=monitoring,cn=groups,cn=accounts,dc=domain,dc=com)"
AuthLDAPBindDN "uid=httpbind,cn=sysaccounts,cn=etc,dc=domain,dc=com"
AuthLDAPBindPassword "XXXXXXXX"
AuthLDAPRemoteUserAttribute uid
Require valid-user
I have tested with ldapsearch and am able to connect with the user/password.
I did a tcpdump and see the LDAP sending

Integrate apache subversion with the active directory in windows server

Initially I installed Apache server 2.4 on Windows Server 2012 R2, installed Apache Subversion 1.8.7 and copied the module files (.so files) from Subversion to the Apache server. I created a repository. I set up the "AuthUserFile" and "AuthzSVNAccessFile" and put the following code in httpd.conf:
<Location /project1>
DAV svn
SVNPath E:\svn_testing\project1
AuthType Basic
AuthName "Subversion Project1 repository"
AuthUserFile c:/etc/svn-auth-file
Require valid-user
AuthzSVNAccessFile c:/etc/svn-acl
</Location>
I used the TortoiseSVN client to connect to the repository, which connected successfully, and I successfully created and committed files.
Later I wanted to set up authentication with Active Directory, so I added the following code to the httpd.conf file:
<Location /project1>
DAV svn
SVNPath E:\svn_testing\project1
SVNParentPath E:\svn_testing
SVNListparentPath on
Order allow,deny
Allow from all
AuthType Basic
AuthBasicProvider ldap
#AuthzLDAPAuthoritative off
AuthName "Active_directory_integration"
AuthzSVNAccessFile C:\etc\svn-acl
AuthLDAPURL "ldap://***********(ip address):389/DC=*******,DC=com?sAMAccountName?sub?(objectClass=*)"
#this assumes you have created a dedicated bind user "apache_bind" on your active directory
AuthLDAPBindDN "CN=Administrator,CN=users,DC=*******,DC=com"
#warning: this password for AD apache_bind user is in plain text!
AuthLDAPBindPassword *************
#AuthLDAPFollowReferrals off
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
#SSLRequireSSL
require ldap-group OU=********,DC=********,DC=com
#require valid-user
</Location>
But when I try to restart the Apache server it shows "The requested operation has failed". I have checked the log files but there is nothing there.
It seems you are trying to search the whole AD catalog, as you do not specify any OU. This is not supported by Windows AD. However, the whole catalog is available by using port 3268.
Please try this:
AuthLDAPURL "ldap://***********(ip address):3268/DC=*******,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPGroupAttribute member
require ldap-group OU=********,DC=********,DC=com
Organizational Units (ou) don't have the attribute member, according to https://msdn.microsoft.com/en-us/library/ms683886(v=vs.85).aspx.
You should try the DN of the group you want to give access to your repo.
On my server this would look like this:
require ldap-group cn=thegroup,ou=groups,dc=example,dc=com
Notice the cn, which is a groupOfNames with the member attribute in my case.

Is it possible to use LDAP authentication via `.htaccess` with MAMP?

Is it possible to use LDAP authentication via .htaccess with MAMP?
I think I need to include/enable the Apache module, but I'm not sure how to do it?
Thanks for your help!
Enable it:
a2enmod authnz_ldap
a2enmod ldap
/etc/init.d/apache2 restart
In .htaccess you use:
AuthType Basic
AuthName "secured site"
AuthBasicProvider ldap
AuthLDAPUrl "ldap://server/ou=People,dc=example,dc=local"
AuthLDAPBindDN "cn=reader,dc=example,dc=local"
AuthLDAPBindPassword the_secret_one
AuthzLDAPAuthoritative Off
Require valid-user

.htaccess bind Apache server to ldap causes Internal server error 500

Using WAMP server with Apache 2.4.4.
I have a directory that I want to protect with an .htaccess file:
AuthBasicProvider ldap
AuthType Basic
AuthName "Authentication required "
AuthLDAPUrl "ldap://myldap:389/ou=p1,dc=dt,dc=mycompany,dc=local?uid?sub?(objectClass=*)"
AuthLDAPBindDN "cn=admin,dc=dt,dc=mycompany,dc=local"
AuthLDAPBindPassword "password"
Require valid-user
I have AllowOverride All set in httpd.conf.
I have all LoadModule directives uncommented in httpd.conf.
I can successfully create a connection to the LDAP server using Apache Directory Studio with this BindDN and password.
I can also successfully query ldap://myldap:389/ou=p1,dc=dt,dc=mycompany,dc=local?uid?sub?(objectClass=*) using Windows Explorer.
EDIT:
I get the authentication window as expected, but whatever credentials I enter I get Internal Server Error 500.
Any suggestions?

LDAP authentication apache 2.2 error 500

This is my LDAP configuration in Apache 2.2.x:
Order deny,allow
AuthType Basic
AuthName "Test"
AuthBasicProvider ldap
AuthLDAPURL "ldap://dc1.domain.com:389/DC=domain,DC=com?sAMAccountName" NONE
AuthLDAPBindDN "CN=Administrator,CN=Users,DC=domain,DC=com"
AuthLDAPBindPassword "secret"
authzldapauthoritative Off
require valid-user
When I load the page I get the pop-up for password and username.
But when I fill them in I get an internal server error.
If I look in the Apache error log I see no new errors.
If I change my BindPassword to something wrong I get errors in my /var/log/apache2/error.log.
Pulling my hair out!
Try to set "REFERRALS off" in /etc/ldap/ldap.conf.
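The threads above keep running into the same AuthLDAPURL mistakes: a domain-root base DN searched over port 389 instead of the global catalog port 3268 (the Subversion/AD answer), referrals that the client then tries to chase (the REFERRALS off answer), and a plain ldap:// URL that carries the bind and user passwords in clear text. The following is an added example, written by the editor and not taken from any of the posts, that parses the value of an AuthLDAPURL directive and flags those settings before the configuration is deployed. The URL grammar follows the mod_authnz_ldap documentation (ldap://host:port/basedn?attribute?scope?filter, optionally followed by a connection-type keyword such as NONE or TLS); the lint rules and the sample host names are the editor's own constructions.

```python
"""Parse Apache mod_authnz_ldap AuthLDAPURL values and flag common pitfalls.

Added example, not code from the posts above. Grammar per the mod_authnz_ldap
documentation: ldap://host[:port] [host2 ...]/basedn?attribute?scope?filter,
optionally followed by a connection-type keyword (NONE, SSL, TLS, STARTTLS).
The warning rules are the editor's own.
"""
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
GLOBAL_CATALOG_PORTS = {3268, 3269}   # AD global catalog, plain and SSL


@dataclass
class LdapAuthUrl:
    scheme: str
    hosts: List[str]            # "host" or "host:port", as written
    base_dn: str
    attribute: str              # attribute compared with the login name
    scope: str                  # as written; mod_authnz_ldap accepts one/sub
    filter: str                 # extra filter ANDed with the attribute match
    connection: Optional[str]   # trailing NONE/SSL/TLS/STARTTLS token, if any

    def port(self) -> int:
        """Port of the first host (IPv6 literals not handled), else the scheme default."""
        host, _, port = self.hosts[0].rpartition(":")
        return int(port) if host and port.isdigit() else DEFAULT_PORTS[self.scheme]


def directive_value(line: str) -> str:
    """Strip the AuthLDAPURL keyword (any case) from a config line."""
    keyword, _, value = line.strip().partition(" ")
    if keyword.lower() != "authldapurl":
        raise ValueError(f"not an AuthLDAPURL line: {line!r}")
    return value


def parse_auth_ldap_url(directive: str) -> LdapAuthUrl:
    """Parse the value part of AuthLDAPURL (quotes are required for several hosts)."""
    value = directive.strip()
    if value.startswith('"'):
        end = value.index('"', 1)
        url, rest = value[1:end], value[end + 1:].split()
    else:
        parts = value.split()
        url, rest = parts[0], parts[1:]
    connection = rest[0].upper() if rest else None

    scheme, sep, remainder = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme in {url!r}")
    host_part, _, path = remainder.partition("/")
    hosts = host_part.split()
    if not hosts:
        raise ValueError("no LDAP host given")
    # After the first "/" come up to four "?"-separated fields; missing ones
    # take the documented defaults (uid, sub, (objectClass=*)).
    fields = path.split("?", 3) + [""] * 4
    base_dn, attribute, scope, ldap_filter = fields[:4]
    return LdapAuthUrl(scheme, hosts, base_dn, attribute or "uid",
                       scope.lower() or "sub", ldap_filter or "(objectClass=*)",
                       connection)


def is_domain_root(base_dn: str) -> bool:
    """True when every RDN is a DC= component, i.e. an AD domain root."""
    rdns = [r.strip() for r in base_dn.split(",") if r.strip()]
    return bool(rdns) and all(r.lower().startswith("dc=") for r in rdns)


def lint_auth_ldap_url(url: LdapAuthUrl) -> List[str]:
    """Return warnings for settings that commonly break or weaken the auth."""
    warnings = []
    if not url.base_dn:
        warnings.append("empty base DN: the search starts at the server root")
    elif is_domain_root(url.base_dn) and url.port() not in GLOBAL_CATALOG_PORTS:
        warnings.append(
            f"domain-root base DN on port {url.port()}: a subtree search of an AD "
            "domain returns referrals to child naming contexts, which the client "
            "library chases by default and usually fails on; use the global catalog "
            "port 3268/3269, a narrower base DN, or REFERRALS off in ldap.conf")
    if url.scope not in ("one", "sub"):
        warnings.append(f"scope {url.scope!r} is not supported by mod_authnz_ldap")
    if url.scheme == "ldap" and url.connection not in ("TLS", "STARTTLS"):
        warnings.append("plain ldap:// without TLS/STARTTLS: bind and user passwords "
                        "cross the network in clear text")
    return warnings


# Constructed sample directive lines modelled on the threads above (not real hosts).
SAMPLES = {
    "ad_root_389": 'AuthLDAPURL "ldap://dc1.example.com:389/DC=example,DC=com?sAMAccountName" NONE',
    "ad_root_gc": 'AuthLDAPURL "ldap://dc1.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"',
    "ou_people": 'AuthLDAPUrl "ldap://ldap.example.local/ou=People,dc=example,dc=local"',
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        parsed = parse_auth_ldap_url(directive_value(line))
        print(name, parsed.base_dn, parsed.attribute, parsed.scope, parsed.port())
        for warning in lint_auth_ldap_url(parsed):
            print("  warning:", warning)
```

Run it as a script to see each sample parsed and the warnings it triggers; the first sample, which mirrors the Apache 2.2 configuration in the last thread, gets both the domain-root-on-389 warning and the clear-text warning, while the port 3268 variant from the Subversion answer only gets the clear-text one.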