openldap and root password - ldap

I recently changed my root password, but when I restarted LDAP (openldap-2.2.13) I could no longer log in with LDAP users to any application on this server.
In /var/log/httpd/ssl_error_log I find a lot of errors like:
[Tue Jun 01 02:27:24 2010] [warn] [client 89.138.98.214] [26762] auth_ldap authenticate: user foo authentication failed; URI /svn-clients/clients/myclient/ [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
I guess there is a linkage between the root user and the LDAP configuration. I also changed the rootpw entry in slapd.conf, but this doesn't seem to make things better.

The server is not running. I would restart it on the command line and immediately check for error messages in /var/log/daemon.log.

Related

'Could not MERGE resource' 500 Error with 'Can't set position pointer in file' and 'Access is denied'

Users get this error when they try to commit to the repo with a pre-commit hook in place. The pre-commit hook checks if the user should be able to commit and if the commit message is formatted correctly using svnlook.exe and --transaction. The logs show the following:
[Mon Dec 05 08:35:06.073768 2016] [dav:error] [pid 4780:tid 816] [client xx.x.xxx.xxx:xxxxx]
Could not MERGE resource "/svn/SOME_REPO/!svn/txn/499-ei" into "/svn/SOME_REPO/trunk/ RESTRICTED/SomeFolder/AnotherFolder". [500, #0]
[Mon Dec 05 08:35:06.074768 2016] [dav:error] [pid 4780:tid 816] [client xx.x.xxx.xxx:xxxxx]
An error occurred while committing the transaction. [500, #720005]
[Mon Dec 05 08:35:06.074768 2016] [dav:error] [pid 4780:tid 816] [client xx.x.xxx.xxx:xxxxx] Can't set position pointer in file
'\\\\zzzvnxnas01.zzz.com\\zzz\\Projects\\ZZZZ1SVSUBVML1\\CSVN\\Repositories\\SOME_REPO\\db\\txn-protorevs\\499-ei.rev': Access is denied. [500, #720005]
I currently don't have access to the server so I need to diagnose it from the bits and pieces I do have. Subversion is ~1.8 running on Apache ~2.4 on CollabNet SubversionEdge.
My guess is that svnlook is causing problems because the service does not have enough permissions, since users report no errors when the pre-commit hook is removed. Also, is it possible for that service to get overloaded?
The only problem with my theory is that there are no issues on the dev server... :D
Otherwise, I think it may have to do with generally corrupted users' files that require svn cleanup, incompatible program versions interacting amongst themselves, anti-virus sticking its nose in, user load on the production server, or some network permissions issue.
Anyone have any experience in this?
Thanks.
It does not seem that svnlook has anything to do with that.
The error says "Access is denied":
Can't set position pointer in file
'\\\\zzzvnxnas01.zzz.com\\zzz\\Projects\\ZZZZ1SVSUBVML1\\CSVN\\Repositories\\SOME_REPO\\db\\txn-protorevs\\499-ei.rev': Access is denied.
The account that runs your server does not have enough permissions to the repositories. An antivirus could also be the root cause as it could block the write operation.

password protect website with .htaccess and .htpasswd - error - "Could not open password file:"

We have Plesk site builder through our webhosting with Charter. Using it to create a simple development website.
I am trying to password protect the site using .htaccess / .htpasswd.
I keep getting this error no matter what I do:
[Wed Apr 06 09:02:57 2016] [error] [client 66.169.84.65] (2)No such file or directory: Could not open password file: /.htpasswd
[Wed Apr 06 09:02:57 2016] [error] [client 66.169.84.65] access to / failed, reason: verification of user id 'heather' not configured
[Wed Apr 06 09:03:52 2016] [error] [client 66.169.84.65] (2)No such file or directory: Could not open password file: /etc/httpd/.htpasswd
[Wed Apr 06 09:03:52 2016] [error] [client 66.169.84.65] access to / failed, reason: verification of user id 'admin' not configured
[Wed Apr 06 09:03:56 2016] [error] [client 66.169.84.65] (2)No such file or directory: Could not open password file: /etc/httpd/.htpasswd
[Wed Apr 06 09:03:56 2016] [error] [client 66.169.84.65] access to / failed, reason: verification of user id 'heather' not configured
[Wed Apr 06 09:05:11 2016] [error] [client 66.169.84.65] (2)No such file or directory: Could not open password file: /etc/httpd/HTTP/.htpasswd
[Wed Apr 06 09:05:11 2016] [error] [client 66.169.84.65] access to / failed, reason: verification of user id 'admin' not configured
[Wed Apr 06 09:05:15 2016] [error] [client 66.169.84.65] (2)No such file or directory: Could not open password file: /etc/httpd/HTTP/.htpasswd
[Wed Apr 06 09:05:15 2016] [error] [client 66.169.84.65] access to / failed, reason: verification of user id 'heather' not configured
I'm not very familiar with Parallels Plesk - and getting a hold of their support is like pulling teeth.
I've checked and double checked the path to the .htpasswd file; seems right.
I've moved it and the .htaccess file to see if I just don't have it in the right place.
I'm not sure what the problem is. I get the authentication box (I notice it doesn't have my "Please Login" message though...).
here is the code for the .htaccess file:
#
# AUTHENTICATION
#
### BASIC PASSWORD PROTECTION
AuthUserFile /etc/httpd/HTTP/.htpasswd
AuthName "Please Login"
AuthType basic
# Require outside <Limit>: a <Limit GET POST> block leaves every other method
# (HEAD, OPTIONS, PUT, ...) unprotected, so the whole location must require a login
Require valid-user
ANY Help is greatly appreciated or leads in the right direction. THANKS IN ADVANCE!!
Just generate the /etc/httpd/HTTP/.htpasswd file with this command:
# htpasswd -c /etc/httpd/HTTP/.htpasswd UserNameYouWant    # -c creates the file; omit it when adding users later
It asks you for a password and generates the password file with the user UserNameYouWant.
Are you sure the .htpasswd file is in the /etc/httpd/HTTP/ directory? Otherwise create one with the command below:
sudo htpasswd -c /etc/apache2/.htpasswd heather
Here you go for step by step configuration:
If you're using CentOS, then probably SELinux is blocking access to that file if the file is outside the webserver root directory. (that's what happened to me).
Solution
Move the file to your web server root directory then restore the file SELinux context using these commands :
mv /path/to/.htpasswd /var/www/html/
restorecon -v /var/www/html/.htpasswd
It's probably a permissions issue if you think the file is in the right place.
Check the file ownership and permissions with:
ls -la /path/to/file
Make sure the user/group that your Apache process runs as is able to read the file.
You can check the owner of the process by running:
ps -ef | grep apache
You should see the owner of the process in the leftmost column.
If file ownership is the issue, then use chown to change ownership:
sudo chown username: /path/to/file
You need to do this as root/sudo as non-root users don't have the right to change the ownership normally.
The : after the username changes the group over to the same as the username
I ran into the same problem. For me, .htpasswd was stored under the /home/username/.htpasswds directory. I solved the error by recursively making sure the directory is executable:
chmod +x -R /home/username/.htpasswds
I had the same problem on a Rackspeed server. It was because the file passwd was missing in /home/company/.htpasswds/project/
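As an added example (not part of the thread), here is a Python version of the checks the answers above run by hand: does the AuthUserFile exist, can the httpd identity traverse every directory above it (the +x point from the .htpasswds answer), and can it read the file; plus a generator and verifier for the {SHA} entry format that `htpasswd -s` writes. The directory layout, user name and password are constructed; uid/gid 48 for the httpd process is an assumption (the usual `apache` account on RHEL/CentOS), and SELinux labels, which the CentOS answer covers with restorecon, are not modelled.

```python
import base64
import hashlib
import hmac
import os
import shutil
import stat
import tempfile
from typing import List

# htpasswd -s format: "user:{SHA}" + base64(SHA1(password)).  Unsalted, so it is used here only
# to illustrate the file layout; on real servers prefer `htpasswd -B` (bcrypt).
def sha_entry(user: str, password: str) -> str:
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"

def verify_sha(htpasswd_text: str, user: str, password: str) -> bool:
    for line in htpasswd_text.splitlines():
        name, sep, stored = line.partition(":")
        if sep and name == user and stored.startswith("{SHA}"):
            want = base64.b64decode(stored[len("{SHA}"):])
            got = hashlib.sha1(password.encode("utf-8")).digest()
            return hmac.compare_digest(want, got)
    return False

def _can(st: os.stat_result, uid: int, gid: int, ubit: int, gbit: int, obit: int) -> bool:
    """Owner/group/other permission check for a non-root uid (supplementary groups ignored)."""
    if st.st_uid == uid:
        return bool(st.st_mode & ubit)
    if st.st_gid == gid:
        return bool(st.st_mode & gbit)
    return bool(st.st_mode & obit)

def diagnose_authuserfile(path: str, httpd_uid: int, httpd_gid: int, stop_at: str = "/") -> List[str]:
    """Why would httpd log 'Could not open password file'?  Returns findings; an empty list
    means the file exists and is reachable and readable for that uid/gid."""
    path, stop_at = os.path.abspath(path), os.path.abspath(stop_at)
    if not os.path.isfile(path):
        return [f"(2)No such file or directory: {path}"]      # errno 2, exactly as in the log
    findings: List[str] = []
    # Every directory on the way down needs the search (x) bit for the httpd identity,
    # otherwise open() fails with EACCES even when the file itself is world-readable.
    d = os.path.dirname(path)
    while True:
        if not _can(os.stat(d), httpd_uid, httpd_gid, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            findings.append(f"{d}: no search (x) permission for uid {httpd_uid}")
        if d == stop_at or os.path.dirname(d) == d:
            break
        d = os.path.dirname(d)
    st = os.stat(path)
    if not _can(st, httpd_uid, httpd_gid, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        findings.append(f"{path}: not readable for uid {httpd_uid} (mode {stat.filemode(st.st_mode)})")
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable; any local user can add a login")
    return findings

def demo(httpd_uid: int = 48, httpd_gid: int = 48) -> dict:
    """Constructed layout mirroring /home/username/.htpasswds/project/passwd, before and after
    the fix the answers suggest.  uid 48 = 'apache' on RHEL/CentOS (assumption)."""
    root = tempfile.mkdtemp()
    try:
        pdir = os.path.join(root, ".htpasswds", "project")
        os.makedirs(pdir)
        pw = os.path.join(pdir, "passwd")
        with open(pw, "w") as fh:
            fh.write(sha_entry("heather", "correct horse battery") + "\n")   # constructed credential
        for d in (root, os.path.dirname(pdir), pdir):
            os.chmod(d, 0o700)          # what a fresh home directory usually looks like
        os.chmod(pw, 0o600)
        before = diagnose_authuserfile(pw, httpd_uid, httpd_gid, stop_at=root)
        for d in (root, os.path.dirname(pdir), pdir):
            os.chmod(d, 0o711)          # search only: httpd can traverse but not list
        os.chmod(pw, 0o644)
        after = diagnose_authuserfile(pw, httpd_uid, httpd_gid, stop_at=root)
        return {"before": before, "after": after}
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for phase, findings in demo().items():
        print(phase, findings or "OK")
```

Run it against the real path with the uid/gid from `ps -ef | grep httpd` and it reports the same three causes the answers list in turn: missing file (errno 2, the error in the question), a parent directory without the search bit, or a file the httpd user cannot read. Mode 0711 on the directories and 0644 on the file is the minimum that works; 0600 plus `chown apache:` works too and keeps other local users from reading the hashes.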

WAMP LDAP Error

I'm setting up WAMP server for LDAP validation.
I can start the apache server and phpinfo() shows LDAP is active.
But when I submit the user name and password, it shows 500 error.
The error description in apache log is:
[Fri Mar 21 13:33:19.255265 2014] [ldap:error] [pid 8032:tid 1544]
(70023)This function has not been implemented on this platform:
AH01277: LDAP: Unable to add rebind cross reference entry. Out of
memory?
Can anyone help for this? Thanks a lot.
James Blond's reply in this thread https://www.apachelounge.com/viewtopic.php?t=4851&view=next works for me.

How can I prevent mod_authz_ldap from using login credentials to bind to LDAP

I am trying to use mod_authz_ldap for user authentication. We have a strange LDAP setup where we have to bind to the LDAP directory as
uid=user,o=organisation
and then query
cn=xxx,o=organisation
to get the credentials of the user. The following configuration actually works, except that it attempts to use the credentials of the user logging in to bind to the LDAP directory, which needless to say fails.
To validate this, I tried to authenticate to the application as our LDAP bind user and the authentication succeeds.
<Location />
AuthType Basic
AuthName "My LDAP authenticated app"
AuthzLDAPLogLevel debug
AuthBasicProvider ldap
AuthBasicAuthoritative off
AuthzLDAPAuthoritative off
AuthzLDAPBindPassword bindpass
AuthzLDAPBindDN "uid=binduser,o=my.edu.au"
AuthzLDAPMethod ldap
AuthzLDAPServer ldapdevel.my.edu.au
AuthzLDAPUserBase o=my.edu.au
AuthzLDAPUserKey cn
AuthzLDAPUserScope base
AuthLDAPRemoteUserAttribute cn
Require valid-user
</Location>
Apache error log to demonstrate that mod_authz_ldap is attempting to bind as the user who is trying to authenticate against the app:
[Fri Sep 07 14:14:27 2012] [error] [client xxx.xxx.xxx.xxx] [15628] bind as cn=devraj,l=X,ou=Students,o=my.edu.au failed: 49
[Fri Sep 07 14:14:27 2012] [error] [client xxx.xxx.xxx.xxx] [15628] basic LDAP authentication of user 'devraj' failed
[Fri Sep 07 14:14:27 2012] [error] [client xxx.xxx.xxx.xxx] access to / failed, reason: verification of user id 'devraj' not configured
Also if I provide incorrect bind credentials mod_authz_ldap complains about not being able to bind as the bind user. This suggests that it tries to bind as the bind user, but also binds as the authenticating user.
My question: what am I doing wrong that's causing mod_authz_ldap to use the user's credentials to bind to the LDAP directory?
Thanks for your time.
Why is AuthzLDAPBindDN "uid=binduser,o=my.edu.au"?
Then you show AuthzLDAPUserKey cn.
The "uid=binduser,o=my.edu.au" should typically be a valid user from LDAP and usually a service account.
Then the AuthzLDAPUserKey cn would represent the RDN (Relative Distinguished Name) attribute of users in LDAP. It would be non-typical for you to have a user uid=binduser and other users to be like: cn=devraj.
Does uid=binduser,o=my.edu.au exist?
Does the user cn=devraj,l=X,ou=Students,o=my.edu.au exist?
(or is it: uid=devraj,l=X,ou=Students,o=my.edu.au)
-jim
it attempts to use the credentials of the user logging in to bind to the LDAP directory, which needless to say fails
Why 'needless to say'? And why does it fail at all? This is exactly what it is supposed to do. Normally you should be searching the directory for the user, possibly using a system account to do so, then binding as the found user with his credentials. If that succeeds, authentication is complete. If your LDAP isn't set up to support that, it is set up wrongly.
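The search-then-bind flow the answer above describes, as an added example that is not part of the thread and is not the real mod_authz_ldap code: an in-memory stand-in for ldapdevel.my.edu.au holding the two DNs from the question, and an authenticate() that binds as the service account, searches for cn=<username> under the user base, then proves the password by binding as the user's own DN. The log message it produces on a wrong password is the "bind as ... failed: 49" line from the question. Passwords in the stand-in are constructed.

```python
from typing import Dict, List, Tuple

# LDAP result codes (RFC 4511) that show up in this flow.
LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49        # the "failed: 49" in the question's error_log

class FakeDirectory:
    """Constructed stand-in for ldapdevel.my.edu.au.  userPassword is kept in clear only to keep
    the example short; a real server stores a hash and does the comparison inside slapd."""

    def __init__(self, entries: Dict[str, Dict[str, str]]):
        # DNs are compared case-insensitively, as a server would.
        self._entries = {dn.lower(): (dn, attrs) for dn, attrs in entries.items()}

    def simple_bind(self, dn: str, password: str) -> int:
        hit = self._entries.get(dn.lower())
        # Servers deliberately return the same code for "no such DN" and "wrong password".
        if hit is None or hit[1].get("userPassword") != password:
            return LDAP_INVALID_CREDENTIALS
        return LDAP_SUCCESS

    def search(self, base: str, attr: str, value: str) -> List[str]:
        """Subtree search for attr=value under base; returns the matching DNs."""
        base_l = base.lower()
        return [dn for key, (dn, attrs) in self._entries.items()
                if (key == base_l or key.endswith("," + base_l)) and attrs.get(attr) == value]

def authenticate(directory: FakeDirectory, bind_dn: str, bind_pw: str,
                 user_base: str, user_key: str, username: str, password: str) -> Tuple[bool, str]:
    """Search-then-bind: the service account only locates the entry; the user's password is
    proven by binding as the user's own DN.  The web server never reads or compares it."""
    if not password:
        # An empty password is an *unauthenticated* bind (RFC 4513 5.1.2) and would succeed on
        # most servers without proving anything, so refuse it before talking to the directory.
        return False, "empty password refused (would be an unauthenticated bind)"
    rc = directory.simple_bind(bind_dn, bind_pw)
    if rc != LDAP_SUCCESS:
        return False, f"bind as {bind_dn} failed: {rc}"      # wrong AuthzLDAPBindPassword / BindDN
    matches = directory.search(user_base, user_key, username)
    if len(matches) != 1:
        return False, f"user '{username}' not found (or ambiguous) under {user_base}"
    user_dn = matches[0]
    rc = directory.simple_bind(user_dn, password)
    if rc != LDAP_SUCCESS:
        return False, f"bind as {user_dn} failed: {rc}"      # the line seen in the question's log
    return True, f"authenticated as {user_dn}"

# Entries mirror the DNs in the post; passwords are constructed.
DIRECTORY = FakeDirectory({
    "uid=binduser,o=my.edu.au": {"uid": "binduser", "userPassword": "bindpass"},
    "cn=devraj,l=X,ou=Students,o=my.edu.au": {"cn": "devraj", "userPassword": "devraj-example-pw"},
})

def login(username: str, password: str, bind_pw: str = "bindpass") -> Tuple[bool, str]:
    """What Apache does for one Authorization: Basic header, with the question's directives."""
    return authenticate(DIRECTORY, "uid=binduser,o=my.edu.au", bind_pw,
                        "o=my.edu.au", "cn", username, password)

if __name__ == "__main__":
    print(login("devraj", "devraj-example-pw"))
    print(login("devraj", "wrong"))
```

The second bind is the authentication; the service account's only job is the search, which is why a directory that forbids users from binding as themselves cannot be used with this module as intended.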

gss_acquire_cred returning Key table entry not found error

I have been trying to follow the guidelines in this Microsoft article to authenticate against Apache with Kerberos and AD. I have successfully tested the communication between the Apache server and the AD server with kinit. However, when I attempt to access a restricted page on the server with IE I get an Internal Server Error and the following appears in the Apache error log.
[Wed Sep 24 14:18:15 2008] [debug] src/mod_auth_kerb.c(1483): [client 172.31.37.38] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Sep 24 14:18:15 2008] [debug] src/mod_auth_kerb.c(1174): [client 172.31.37.38] Acquiring creds for HTTP/srvnfssol1.dev.local@DEV.LOCAL
[Wed Sep 24 14:18:15 2008] [error] [client 172.31.37.38] gss_acquire_cred() failed: Miscellaneous failure (see text) (Key table entry not found)
I have run a truss on the apache process and confirmed that it is in fact loading up the keytab file ok. I am wondering if there is something wrong with the format of the keytab file...
HTTP/srvnfssol1.dev.local@DEV.LOCAL
I am not sure what I am missing though. Or what other things to check.
Any suggestions?
Thanks
Peter
Ok. Keytabs are supposed to contain the service principal name, in this case "HTTP/srvnfssol1.dev.local@DEV.LOCAL", and the encryption key. I see where the MS docs say just to echo that to a file, but I don't think that's right.
You'll need to use the ktpass utility to create the keytab. The MS docs are here.
In particular, you'll need to specify KRB5_NT_SRV_HST, and most of the rest of the options can be default.
Sample of it on my machine:
C:\>ktpass /out test.keytab /princ HTTP/srvnfssol1.dev.local@DEV.LOCAL /ptype KRB5_NT_SRV_HST /pass *
Type the password for HTTP/srvnfssol1.dev.local:
Key created.
Output keytab to test.keytab:
Keytab version: 0x502
keysize 62 HTTP/srvnfssol1.dev.local@DEV.LOCAL ptype 3 (KRB5_NT_SRV_HST) vno 1 etype 0x1 (DES-CBC-CRC) keylength 8 (0xa7f1fb38041c199e)
If the active directory server is the KDC, you'll need to use the /map <name> argument, where <name> is the computer account in active directory representing the server.
Some details on how all this works. When you browse to the website it should respond with a WWW-Authenticate: Negotiate header, and your browser will send a request to the KDC (active directory server) to get a kerberos ticket for the service. The AD server will look up the encryption key for the ticket using the service principal name, and send an encrypted service ticket back to the browser. Once the browser has the service ticket, it'll reissue the HTTP request with an authenticate header containing the ticket. The apache server will look up its key in the keytab, decrypt the ticket, and grant access.
The "key table entry not found" error happens because apache isn't finding itself in the keytab. Can also happen if the name resolution/realms aren't set up right.
You should be able to see all the kerberos requests AP-REQ/AP-REP/TGS-REQ/TGS-REP using wireshark on the client, tcp or udp port 88.
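As an added example, not from the original answer: a small pure-Python reader and writer for the MIT keytab format that ktpass produces (file version 0x502), enough to list the principals the way `klist -k -e` does and to check whether the exact service principal Apache asks for is present. The key bytes are constructed, not the ones from the ktpass transcript; the match is case-sensitive on purpose, since a hostname that canonicalises to a different case or a `host/` instead of `HTTP/` service is one way to end up with "Key table entry not found".

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Name types and enctypes that appear in the thread (RFC 4120 / IANA Kerberos registry).
KRB5_NT_SRV_HST = 3                 # ktpass /ptype KRB5_NT_SRV_HST
ETYPE_DES_CBC_CRC = 1               # what the 2008 ktpass output shows; deprecated by RFC 6649
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18  # what a current keytab should contain

@dataclass
class KeytabEntry:
    principal: str      # "HTTP/host.example.com@REALM"
    name_type: int
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0

def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b

def build_keytab(entries: List[KeytabEntry], kvno32: bool = True) -> bytes:
    """MIT keytab, file version 0x0502, big-endian.  ktpass writes the same layout; its
    'keysize 62' entry is this encoding without the optional trailing 32-bit kvno."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        if kvno32:
            body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body   # entry size excludes the size field itself
    return bytes(out)

class _Reader:
    def __init__(self, data: bytes, pos: int):
        self.data, self.pos = data, pos
    def take(self, fmt: str):
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals
    def raw(self, n: int) -> bytes:
        b = self.data[self.pos:self.pos + n]
        self.pos += n
        return b
    def counted(self) -> str:
        (n,) = self.take(">H")
        return self.raw(n).decode()

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries: List[KeytabEntry] = []
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                       # a negative size marks a deleted slot
            pos += -size
            continue
        r = _Reader(data, pos)
        (ncomp,) = r.take(">H")
        realm = r.counted()
        comps = [r.counted() for _ in range(ncomp)]
        name_type, ts, vno8 = r.take(">IIB")
        enctype, klen = r.take(">HH")
        key = r.raw(klen)
        kvno = vno8
        if pos + size - r.pos >= 4:         # optional 32-bit kvno present
            (kvno32,) = r.take(">I")
            if kvno32:
                kvno = kvno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, name_type, kvno, enctype, key, ts))
        pos += size
    return entries

def find_key(data: bytes, principal: str, enctype: Optional[int] = None) -> Optional[KeytabEntry]:
    """What gss_acquire_cred() effectively needs: an exact, case-sensitive match on the service
    principal, optionally for one enctype.  None is the equivalent of 'Key table entry not found'."""
    for e in parse_keytab(data):
        if e.principal == principal and (enctype is None or e.enctype == enctype):
            return e
    return None

# Constructed sample: the principal from the thread with a made-up key (not the one in the post).
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("HTTP/srvnfssol1.dev.local@DEV.LOCAL", KRB5_NT_SRV_HST, 1,
                ETYPE_DES_CBC_CRC, bytes.fromhex("0123456789abcdef")),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):       # poor man's `klist -k -e`
        print(f"{e.kvno:>4} {e.principal} (etype {e.enctype})")
```

The encoding also explains the "keysize 62" in the ktpass transcript: two name components, the realm, name type, timestamp, 8-bit kvno and an 8-byte DES key add up to exactly 62 bytes when the optional 32-bit kvno is omitted. DES-CBC-CRC itself is deprecated (RFC 6649) and refused by current KDCs and clients; a keytab generated today should carry AES keys, and the enctype argument to find_key() lets you confirm that the key Apache will look for is actually there.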