System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

HTTP does not as for userID and password

 
SOLVED
Go to solution
KathyK
Regular Advisor

HTTP does not as for userID and password

Hi All,

I'm trying to configure http to authenticate using our LDAP server. I need it to ask for user id and password. Here is my conf for http:



#AuthLDAPEnabled on

AuthName "MIS Subversion Repositories"
AuthType Basic
AuthzLDAPAuthoritative on
#require dn
AuthLDAPURL ldap://sadc1.stec-inc.ad:3268
AuthzLDAPBindDN "CN=ldapuser,OU=-Service accts,DC=STEC-INC,DC=AD"
AuthzLDAPBindPassword "xxxxxx"
require valid-user
AuthzLDAPServer :3268
AuthzLDAPMethod ldap
AuthzLDAPUserKey sAMAccountName
AuthzLDAPUserBase "DC=STEC-INC,DC=AD"
AuthzLDAPUserScope subtree
AuthzLDAPAllowPassword on

Require user clarson dcohen rmalmirian dsunarta dsanchez seyed vlam ddang ajabbari glenn rcarabeo pnoosha sthimmappa jsweval pmanyika svnadmin kkhagani fppan svnadmin




The OS is: Red Hat Enterprise Linux ES release 4 (Nahant Update 8)

Right now when I access the server using the following. it dumps me right to the index file without asking for passwd:


http://172.17.60.120/test/



Any suggestion is much appreciated.

Best Regards,
Kathy
15 REPLIES
Steven E. Protter
Exalted Contributor

Re: HTTP does not as for userID and password

Shalom Kathy,

I will provide you some possible install documents. Since you don't say which one you are using, there may be overlap here.

Anything in the log files access_log and error_log ?

http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html

http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginSiteProtection.html

http://simonjday.wordpress.com/2009/06/15/apache-ldap-authentication-how-to/

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
KathyK
Regular Advisor

Re: HTTP does not as for userID and password

Hi Steven,

Thank you for your fast reply. Here is what I have on my linux box:
httpd-2.0.52-41.ent.4
openldap-2.2.13-12.el4_8.2

I could supply the rest of software versions if you needed.

my error-log files are:

[root@Ldapnew logs]# cat access_log
172.17.49.38 - - [04/Aug/2009:09:08:05 -0700] "GET /test HTTP/1.1" 301 314 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
172.17.49.38 - - [04/Aug/2009:09:08:05 -0700] "GET /test/ HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
172.17.49.38 - - [04/Aug/2009:10:09:11 -0700] "GET /favicon.ico HTTP/1.1" 404 289 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.12) Gecko/2009070611 Firefox/3.0.12 (.NET CLR 3.5.30729)"
172.17.49.38 - - [04/Aug/2009:10:09:14 -0700] "GET /favicon.ico HTTP/1.1" 404 289 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.12) Gecko/2009070611 Firefox/3.0.12 (.NET CLR 3.5.30729)"


[root@Ldapnew httpd]# cat error_log
[Sun Aug 02 04:03:26 2009] [notice] Digest: generating secret for digest authentication ...
[Sun Aug 02 04:03:26 2009] [notice] Digest: done
[Sun Aug 02 04:03:26 2009] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Sun Aug 02 04:03:26 2009] [notice] LDAP: SSL support unavailable
[Sun Aug 02 04:03:26 2009] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Sun Aug 02 04:03:26 2009] [notice] Apache/2.0.52 (Red Hat) configured -- resuming normal operations
[Tue Aug 04 10:09:11 2009] [error] [client 172.17.49.38] File does not exist: /var/www/html/favicon.ico
[Tue Aug 04 10:09:14 2009] [error] [client 172.17.49.38] File does not exist: /var/www/html/favicon.ico


If you like I could also post my ldap.conf

Thank you again

Kathy

Ivan Ferreira
Honored Contributor

Re: HTTP does not as for userID and password

I would suggest the usage of groups instead of users.

This is a sample of a working configuration:

Alias /admin "/intranet/admin"

Options Indexes SymLinksIfOwnerMatch
AllowOverride None
Order allow,deny
Allow from localhost 127.0.0.1 redhat.com.py 192.168.0
AuthType basic
AuthName Administracion
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
AuthLDAPURL ldaps://fds1.redhat.com.py/ou=People,dc=redhat,dc=com,dc=py?uid?sub
require ldap-group cn=admin,ou=Groups,dc=redhat,dc=com,dc=py
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
KathyK
Regular Advisor

Re: HTTP does not as for userID and password

Thanks Ivan, I have apache 2.0.5x installed (comes on RedHat 4) and AuthBasicProvider ldap
comes with apache 2.2x
However, i used the group and still same thing. it's so strange. I'm sure there is a little detail that I'm missing, otherwise all the documentations say it should work the way I have it.

Regards,
Kathy
Ivan Ferreira
Honored Contributor
Solution

Re: HTTP does not as for userID and password

What do you get if you run:

ldapsearch -D "CN=ldapuser,OU=-Service accts,DC=STEC-INC,DC=AD" -W -H ldap://sadc1.stec-inc.ad:3268 -b "DC=STEC-INC,DC=AD" -s sub objectclass=*

And:

ldapsearch -D "CN=ldapuser,OU=-Service accts,DC=STEC-INC,DC=AD" -W -H ldap://sadc1.stec-inc.ad:3268 -b "DC=STEC-INC,DC=AD" -s base objectclass=*

I'm curious about your LDAP port and your DN "-Service"
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Ivan Ferreira
Honored Contributor

Re: HTTP does not as for userID and password

I think that the problem is the Location directive. It should be

"The directive provides for access control by URL."

" sections are processed in the order they appear in the configuration file, after the sections and .htaccess files are read, and after the sections."

So, please change your configuration to match my sample posted.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
KathyK
Regular Advisor

Re: HTTP does not as for userID and password

Hi Ivan,

the result for both is:

Enter LDAP Password:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No credentials cache found)


Enter LDAP Password:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No credentials cache found)


but if i do:
ldapsearch -x -b "dc=stec-inc,dc=ad" -D "cn=ldapuser,ou=-service accts,dc=stec-inc,dc=ad" -h sadc1 -W -p 3268

I get the result, with ending as so:

distinguishedName: CN=uid,CN=Schema,CN=Configuration,DC=STEC-INC,DC=AD
instanceType: 4
whenCreated: 20021023015021.0Z
whenChanged: 20070614205802.0Z
uSNCreated: 5093
attributeSyntax: 2.5.5.12
uSNChanged: 5093
adminDisplayName: uid
oMSyntax: 64
lDAPDisplayName: uid
name: uid
objectGUID:: mSA1XGfygEqiUe7LbdqnUw==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=STEC-INC,DC=
AD
dSCorePropagationData: 20070619145639.0Z
dSCorePropagationData: 16010101000001.0Z

# search result
search: 2
result: 4 Size limit exceeded

# numResponses: 1001
# numEntries: 1000


thanks again
Kathy



Ivan Ferreira
Honored Contributor

Re: HTTP does not as for userID and password

Yes, in my ldapsearch command the "-x" was missing. Now, ¿why you don't have any users on that OU based on the output of your ldapsearch command?
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
KathyK
Regular Advisor

Re: HTTP does not as for userID and password

Hi Ivan,

Here is what my config file looks like (copied yours with some changes):

Alias /test "/var/www/html/test"

Options Indexes SymLinksIfOwnerMatch
AllowOverride None
Order allow,deny
Allow from localhost 172.17.60.120 ldapnew.stec-inc.com
AuthType basic
AuthName Administracion
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
AuthLDAPURL ldap://sadc1.stec-inc.ad/ou=-"Service accts",dc=STEC-INC,dc=AD?uid?sub
require ldap-group cn=ldapuser,ou=-"Service accts",dc=STEC-INC,dc=AD



and here is the error I get:

[root@Ldapnew conf.d]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: Syntax error on line 23 of /etc/httpd/conf.d/subversion.conf:
Invalid command 'AuthBasicProvider', perhaps mis-spelled or defined by a module not included in the server configuration
[FAILED]


so I cnaged the AuthBasicProvider to:
AuthzLDAPMethod ldap

which is supported on my version of apache.
[root@Ldapnew conf.d]# service httpd restart
Stopping httpd: [FAILED]
Starting httpd: Syntax error on line 32 of /etc/httpd/conf.d/subversion.conf:
AuthLDAPURL takes one argument, URL to define LDAP connection. This should be an RFC 2255 complaint\nURL of the form ldap://host[:port]/basedn[?attrib[?scope[?filter]]].\n
    \n
  • Host is the name of the LDAP server. Use a space separated list of hosts \nto specify redundant servers.\n
  • Port is optional, and specifies the port to connect to.\n
  • basedn specifies the base DN to start searches from\n
  • Attrib specifies what attribute to search for in the directory. If not provided, it defaults to uid.\n
  • Scope is the scope of the search, and can be either sub or one. If not provided, the default is sub.\n
  • Filter is a filter to use in the search. If not provided, defaults to (objectClass=*).\n
\nSearches are performed using the attribute and the filter combined. For example, assume that the\nLDAP URL is ldap://ldap.airius.com/ou=People, o=Airius?uid?sub?(posixid=*). Searches will\nbe done using the filter (&((posixid=*))(uid=username)), where username\nis the user name passed by the HTTP client. The search will be a subtree search on the branch ou=People, o=Airius.
[FAILED]


the above error is referring to my "OU" in the ldap URL. any idea how to fix that.

I appreciate all your help.

Kathy
Ivan Ferreira
Honored Contributor

Re: HTTP does not as for userID and password

I tested with:

AuthLDAPURL "ldap://sadc1.stec-inc.ad/ou=-Service Accts,dc=STEC-INC,dc=AD?uid?sub"

And it works. You can edit your file and just run:

httpd -t

To verify the syntax.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
KathyK
Regular Advisor

Re: HTTP does not as for userID and password

Ivan, that did it. the double quotes around ldap. but i still go right to my index page:

http://ip address/test/

does not ask for username or password.

Ivan Ferreira
Honored Contributor

Re: HTTP does not as for userID and password

Another error in your configuration:


Alias /test "/var/www/html/test"


Should be:


Alias /test "/var/www/html/test"
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
KathyK
Regular Advisor

Re: HTTP does not as for userID and password

I think i'm getting closer now. here is my config:

[root@Ldapnew conf.d]# httpd -t
Syntax OK
[root@Ldapnew conf.d]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@Ldapnew conf.d]# cat subversion.conf

Alias /test "/var/www/html/test"

AuthType basic
AuthName "MIS Subversion Repositories"
AuthzLDAPMethod ldap
AuthzLDAPAuthoritative on
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
AuthLDAPURL "ldap://sadc1.stec-inc.ad:3268/ou=-Service accts,dc=STEC-INC,dc=AD?sAMAccountName?sub?(objectClass=*)"
require ldap-group cn=ldapuser,ou=-Service accts,OU=-All Groups,dc=STEC-INC,dc=AD




now I get the login request but do not get authenticated:

Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.


--------------------------------------------------------------------------------

Apache/2.0.52 (Red Hat) Server at port 80

my error_log says:

[Wed Aug 05 15:43:32 2009] [warn] [client xx.xxx.xxx.xx] [3416] auth_ldap authenticate: user kkhagani authentication failed; URI /test [ldap_search_ext_s() for user failed][Operations error]

Thanks again for all your help
Kathy





a
KathyK
Regular Advisor

Re: HTTP does not as for userID and password

Thank you all for helping. solved the problem.

I didn't have authzldapuserbase fully configured.


AuthzLDAPUserBase "OU=-MIS,OU=HQ,OU=-STEC Users,DC=STEC-INC,DC=AD"

compared it with the result of my ldapsearch.
Kathy
KathyK
Regular Advisor

Re: HTTP does not as for userID and password

closed!!!