httpd authentication - LDAP group - apache

I have a restricted section of a website that I want to restrict to two LDAP groups. Here are the pertinent lines from httpd.conf:
<AuthnProviderAlias ldap our-ldap>
AuthLDAPBindDN CN=example,OU=example,OU=example,DC=example,DC=com
AuthLDAPBindPassword LamePassword
AuthLDAPURL ldaps://dc4.example.com:636/dc=example,dc=com?sAMAccountName?sub
AuthLDAPGroupAttributeIsDN on
</AuthnProviderAlias>
<Directory /var/www/html/restricted>
Order deny,allow
Allow from all
AuthBasicProvider our-ldap
AuthType Basic
AuthName "Restricted Files"
Require ldap-group CN=group1,OU=example,OU=example,DC=example,DC=com
Require ldap-group CN=group2,OU=example,OU=example,DC=example,DC=com
</Directory>
If I comment out those two "Require ldap-group" lines, it works flawlessly, but with any LDAP user, which I don't want. When I add those lines back in, despite the fact that I'm a member of one of those groups, I can't get in, and ssl_error_log gives me this:
[Sat Jun 28 21:34:53 2014] [error] [client 198.51.100.156] access to /restricted/restricted.html failed, reason: require directives present and no Authoritative handler.
My LDAP server is an Active Directory domain controller, so usernames are sAMAccountName, DNs are distinguishedName, and group member attributes are member, using DNs.
Here's what I'm running:
Server version: Apache/2.2.15 (Unix)
Server built: Mar 20 2014 06:21:02
Any thoughts?

You're requiring the user to be a member of both groups. You need a Satisfy Any.

Related

How to restrict authentication to members of a specific group in Apache with mod_authnz_ldap?

I have implemented LDAP Authentication in Apache 2.4 (RHEL 8.5) with Active Directory Backend. The setup works perfectly with a basic "Require valid-user" directive. Now I need to restrict authentication to a specific group of Active Directory users with "Require ldap-group" directive but authentication is now denied when trying to authenticate with a user member of the authorized group.
Using a basic "Require valid-user" authentication works like a charm, but when using "Require ldap-group" it doesn't. I also tried "Require ldap-filter" without success.
Active Directory group: my_group
(CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld)
Active Directory user: my_user, member of "my_group"
Apache Log (DEBUG)
[Xxx Xxx XX xx:xx:xx.xx 20XX] [authnz_ldap:debug] [pid 90767:tid 13975006511XXXX] mod_authnz_ldap.c(620): [client XX.XX.XX.XX:40388] AH01697: auth_ldap authenticate: accepting my_user
[Xxx Xxx XX xx:xx:xx.xx 20XX] [authz_core:debug] [pid 90767:tid 13975006511XXXX] mod_authz_core.c(820): [client XX.XX.XX.XX:40388] AH01626: authorization result of Require ldap-group CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld: denied
[Xxx Xxx XX xx:xx:xx.xx 20XX] [authz_core:debug] [pid 90767:tid 13975006511XXXX] mod_authz_core.c(820): [client XX.XX.XX.XX:40388] AH01626: authorization result of <RequireAny>: denied
[Xxx Xxx XX xx:xx:xx.xx 20XX] [authz_core:error] [pid 90767:tid 13975006511XXXX] [client XX.XX.XX.XX:40388] AH01631: user my_user: authorization failure for "/app/":
Apache configuration file "ad.conf":
<AuthnProviderAlias ldap mydc01>
AuthLDAPBindDN bind#domain.tld
AuthLDAPBindPassword XXXXXXXXXXXXXX
AuthLDAPURL ldaps://mydc01.domain.tld/DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)
</AuthnProviderAlias>
<AuthnProviderAlias ldap mydc02>
AuthLDAPBindDN bind#domain.tld
AuthLDAPBindPassword XXXXXXXXXXXXXX
AuthLDAPURL ldaps://mydc02.domain.tld/DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)
</AuthnProviderAlias>
<Directory /var/www/app>
AuthName "AD authentication"
AuthBasicProvider mydc01 mydc02
AuthType Basic
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN off
# OK
# Require valid-user
# Not working
Require ldap-group CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld
# Not working
# Require ldap-filter (memberOf=CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld)
# Not working
# Require ldap-atttibute memberOf="CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld"
</Directory>

Apache2 LDAPS configuration fails to bind/accept credentials

This is my first time posting, so sorry in advance if I do things incorrectly. I will substitute IPs and usernames.
I have a Windows Active Directory setup and I am trying to use this for authentication to a webpage I have on a separate Ubuntu 18.04 server. I am attempting to use apache2 (2.4.18) in order to set this up. Documentation online seems fairly straightforward, but I have not been successful. First, I cannot use the <Location "/auth"> tags, as they seem to simply not work at all. I have to use the <Directory /auth> tag.
The AD server uses a self-signed certificate and I have had trouble getting Apache to trust it with LDAPTrustedGlobalCert. I was getting [Can't contact LDAP server], but LDAPVerifyServerCert Off seems to let me get past that hurdle for now.
The biggest issue that I have is I do not think the bind is working. When just loading the webpage I see this show up in the error log:
[authz_core:debug] [pid 2397] mod_authz_core.c(809): [client <myclientIP>:56969] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[authz_core:debug] [pid 2397] mod_authz_core.c(809): [client <myclientIP>:56969] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
From there I enter credentials to try and authenticate and I get:
[Thu Aug 27 08:36:22.831527 2020] [authnz_ldap:debug] [pid 2396] mod_authnz_ldap.c(520): [client <myClientIP>:56887] AH01691: auth_ldap authenticate: using URL ldaps://<myLDAPIP>/dc=my,dc=example,dc=com?uid
[Thu Aug 27 08:36:22.888784 2020] [authnz_ldap:info] [pid 2396] [client <myClientIP>:56887] AH01695: auth_ldap authenticate: user <myUser> authentication failed; URI /auth/ [LDAP: ldap_simple_bind() failed][Invalid credentials]
[Thu Aug 27 08:36:22.888825 2020] [auth_basic:error] [pid 2396] [client <myClientIP>:56887] AH01617: user <myUser>: authentication failure for "/auth/": Password Mismatch
This is my configuration for apache. I left commented lines in so you can see a couple of the many variations that I have tried:
LDAPVerifyServerCert Off
<Directory "/var/www/html/auth">
AuthType Basic
AuthName "Authentication required"
AuthBasicProvider ldap
AuthLDAPURL ldaps://<myLDAPIP>/dc=my,dc=example,dc=com?uid
#AuthLDAPURL ldaps://<myLDAPIP>:636/cn=Users,dc=my,dc=example,dc=com
AuthLDAPBindDN <myUser>
#AuthLDAPBindDN cn=<myUser>,dc=my,dc=example,dc=com
AuthLDAPBindPassword <myPassword>
Require valid-user
#require ldap-group cn=Users,dc=my,dc=example,dc=com
#require ldap-group cn=Users
LogLevel debug
</Directory>
I have searched all over and tried many configurations but I do not see why it does not work with this one. I have at least three other programs that use LDAPS with this Active Directory server. The difference is they all had built in support for it and I did not have to do anything with apache.
Any help would be appreciated!
Thanks in advance
I actually continued trying multiple configurations and finally found one that worked. Below is the functioning code:
<Directory "/var/www/html/auth">
AuthType Basic
AuthName "Authentication required"
AuthBasicProvider ldap
AuthLDAPURL "ldaps://<myLDAPIP>/dc=my,dc=example,dc=com?sAMAccountName"
AuthLDAPBindDN "myUser#my.example.com"
AuthLDAPBindPassword "<Password>"
Require valid-user
LogLevel debug
</Directory>
*If your certificate is not trusted you can add LDAPVerifyServerCert Off which should be outside of the virtualhost block

Integrate apache subversion with the active directory in windows server

Initially I installed Apache server 2.4 on Windows Server 2012 R2, installed Apache Subversion 1.8.7, and copied the module files (.so files) from Subversion to the Apache server. I created a repository. I set up the "AuthUserFile" and "AuthzSVNAccessFile" and put the following code in httpd.conf:
<Location /project1>
DAV svn
SVNPath E:\svn_testing\project1
AuthType Basic
AuthName "Subversion Project1 repository"
AuthUserFile c:/etc/svn-auth-file
Require valid-user
AuthzSVNAccessFile c:/etc/svn-acl
</Location>
I used the TortoiseSVN client to connect to the repository, which connected successfully, and I was able to create and commit files.
Later I wanted to set up authentication with Active Directory, so I added the following code to the httpd.conf file:
<Location /project1>
DAV svn
SVNPath E:\svn_testing\project1
SVNParentPath E:\svn_testing
SVNListparentPath on
Order allow,deny
Allow from all
AuthType Basic
AuthBasicProvider ldap
#AuthzLDAPAuthoritative off
AuthName "Active_directory_integration"
AuthzSVNAccessFile C:\etc\svn-acl
AuthLDAPURL "ldap://***********(ip address):389/DC=*******,DC=com?sAMAccountName?sub?(objectClass=*)"
#this assumes you have created a dedicated bind user "apache_bind" on your active directory
AuthLDAPBindDN "CN=Administrator,CN=users,DC=*******,DC=com"
#warning: this password for AD apache_bind user is in plain text!
AuthLDAPBindPassword *************
#AuthLDAPFollowReferrals off
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
#SSLRequireSSL
require ldap-group OU=********,DC=********,DC=com
#require valid-user
</Location>
But when I try to restart the Apache server it shows "The requested operation has failed". I have checked the log files but there is nothing there.
It seems you are trying to search the whole AD catalog, as you do not specify any OU. This is not supported by Windows AD. However, the whole catalog is available by using port 3268.
Please try this:
AuthLDAPURL "ldap://***********(ip address):3268/DC=*******,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPGroupAttribute member
require ldap-group OU=********,DC=********,DC=com
Organizational Units (ou) don't have the attribute member, according to https://msdn.microsoft.com/en-us/library/ms683886(v=vs.85).aspx.
You should try the DN of the group you want to access your repo.
On my server this would look like this:
require ldap-group cn=thegroup,ou=groups,dc=example,dc=com
Notice the cn, which is a groupOfNames with the member attribute in my case.
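As an added illustration (not code from any of the posters above), the following Python script parses an AuthLDAPURL the way mod_authnz_ldap reads it and lints a <Directory>/<Location> block for the Active Directory pitfalls that recur in these threads: the default uid lookup attribute instead of sAMAccountName, Require ldap-group pointing at an OU rather than a group, and AuthLDAPGroupAttributeIsDN off while AD's member attribute stores DNs. The sample block, its host name and its DNs are constructed.

```python
import re

# AuthLDAPURL shape: scheme://host[:port]/basedn?attribute?scope?filter
_URL_RE = re.compile(r"^(ldaps?)://([^/:]+)(?::(\d+))?/([^?]*)(?:\?([^?]*))?(?:\?([^?]*))?(?:\?(.*))?$")

def parse_auth_ldap_url(url: str) -> dict:
    """Split an AuthLDAPURL into its parts and fill in the mod_authnz_ldap defaults
    (port 389 or 636, attribute uid, scope sub, filter (objectClass=*))."""
    m = _URL_RE.match(url.strip().strip('"'))
    if not m:
        raise ValueError(f"not an AuthLDAPURL: {url}")
    scheme, host, port, base_dn, attr, scope, filt = m.groups()
    return {"scheme": scheme, "host": host, "port": int(port) if port else (636 if scheme == "ldaps" else 389),
            "base_dn": base_dn, "attribute": attr or "uid", "scope": scope or "sub",
            "filter": filt or "(objectClass=*)"}

def lint_ad_auth_block(block: str) -> list:
    """Flag settings in a <Directory>/<Location> block that cannot work against Active Directory."""
    directives, requires = {}, []
    for raw in block.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":  # skip comments and the <Directory> ... </Directory> tags
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip().strip('"') if len(parts) > 1 else "")
        if key == "require":
            requires.append(value)
        else:
            directives[key] = value
    warnings = []
    if "authldapurl" in directives and parse_auth_ldap_url(directives["authldapurl"])["attribute"].lower() == "uid":
        warnings.append("AuthLDAPURL searches by 'uid' (the default); AD accounts are keyed by sAMAccountName, "
                        "so the user lookup finds nothing and authentication fails")
    group_is_dn = directives.get("authldapgroupattributeisdn", "on").lower()  # module default is on
    for req in requires:
        kind, _, target = req.partition(" ")
        target = target.strip().strip('"')
        if kind.lower() != "ldap-group":
            continue
        if target.split(",")[0].split("=")[0].strip().upper() == "OU":
            warnings.append(f"Require ldap-group {target}: an organizationalUnit has no member attribute; "
                            "use the DN of the group itself (CN=...)")
        if group_is_dn == "off":
            warnings.append("Require ldap-group with AuthLDAPGroupAttributeIsDN off: AD's member values are "
                            "DNs, so the bare username never matches; set it to on")
    return warnings

# Constructed sample (not from the page): the three AD mistakes discussed above in one block.
SAMPLE_BLOCK = ('AuthLDAPURL "ldaps://dc1.example.com/dc=example,dc=com?uid"\n'
                "AuthLDAPGroupAttributeIsDN off\nRequire ldap-group OU=Staff,DC=example,DC=com\n")
```

Calling lint_ad_auth_block(SAMPLE_BLOCK) returns all three warnings; pass it the text of your own block to check it before restarting httpd.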

apache authentication not working

I am trying to implement Apache authentication, but I get the following error when giving the correct password:
access to /webalizer/ failed, reason: require directives present and no Authoritative handler.
If I give an incorrect password it shows me:
user testusr: authentication failure for "/webalizer/": Password Mismatc
The following is my Apache config:
<Directory /var/www/html/webalizer>
Order allow,deny
AuthName "Authorized Users Only."
AuthType Basic
AuthUserFile /etc/httpd/conf/.htpasswd
require valid-user
Satisfy Any
</Directory>
Apache is running as the apache user; the following are the file permissions of the htpasswd file:
-rw-r--r-- 1 apache apache 46 Nov 2 14:46 /etc/httpd/conf/.htpasswd
What am I missing?
OS is AWS linux instance.

Apache - Invalid Command 'Auth' error 500

I'm trying to implement password directory authentication using:
Auth Name "Restricted Area"
AuthType Basic
AuthUserFile /home/.htpasswd
AuthGroupFile /dev/null
require valid-user
It's 100% correct.
Seems like issue lies in apache modules?
I'm using Apache2 and Ubuntu 13.04
Gives me error:
[Wed Sep 11 22:40:07 2013] [alert] [client xxx.xx.xxx.xx] /home/somebody/public_html/somewebsite/.htaccess: Invalid command 'Auth', perhaps misspelled or defined by a module not included in the server configuration
How can it be fixed?
It should be AuthName instead of Auth Name.
Apache documentation for AuthName Directive.