Apache Active Directory mod_authnz_ldap无效

时间:2015-10-21 19:50:24

标签: apache active-directory ldap httpd.conf

我一直试图在过去几天的虚拟主机页面上获取AD身份验证,但无济于事。帮助...

CentOS 7

Apache 2.4.6

mod_ldap和mod_authnz_ldap已安装并加载

<VirtualHost *:80> 
    DocumentRoot /var/www/wwwtest/public
    ServerName wwwtest.example.com
    ErrorLog logs/wwwtest.example.com-error_log
    CustomLog logs/wwwtest.example.com-access_log common
    <Directory /var/www/wwwtest/public>
        Allow from all
        Order Allow,Deny
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        AuthType Basic
        AuthName "login"
        AuthBasicProvider ldap
        AuthLDAPBindDN ldapuser@EXAMPLE.COM
        AuthLDAPBindPassword ldappassword
        AuthLDAPURL "ldap://ldap01.example.com:3268/ou=employees,ou=users,dc=example,dc=com?sAMAccountName?sub?(objectClass=user)"
        AuthLDAPBindAuthoritative off
        Require valid-user
    </Directory>
</VirtualHost>

我在/etc/httpd/conf/httpd.conf中启用了trace8

这就是我在/var/log/httpd/wwwtest.example.com-error.log中看到的内容

[Wed Oct 21 12:12:56.213178 2015] [http:trace4] [pid 20648] http_request.c(301): [client 172.16.250.250:49559] Headers received from client:
[Wed Oct 21 12:12:56.213263 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559]   Host: wwwtest.example.com
[Wed Oct 21 12:12:56.213278 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559]   User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:41.0) Gecko/20100101 Firefox/41.0
[Wed Oct 21 12:12:56.213284 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559]   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[Wed Oct 21 12:12:56.213289 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559]   Accept-Language: en-US,en;q=0.5
[Wed Oct 21 12:12:56.213293 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559]   Accept-Encoding: gzip, deflate
[Wed Oct 21 12:12:56.213297 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559]   DNT: 1
[Wed Oct 21 12:12:56.213301 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559]   Connection: keep-alive
[Wed Oct 21 12:12:56.213305 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559]   Cache-Control: max-age=0
[Wed Oct 21 12:12:56.213309 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559]   Authorization: Basic RTAxMDEwMTAxOkNvbmNvcmRpYTIwMTU=
[Wed Oct 21 12:12:56.213530 2015] [authz_core:debug] [pid 20648] mod_authz_core.c(809): [client 172.16.250.250:49559] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Oct 21 12:12:56.213556 2015] [authz_core:debug] [pid 20648] mod_authz_core.c(809): [client 172.16.250.250:49559] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Oct 21 12:12:56.213644 2015] [authnz_ldap:debug] [pid 20648] mod_authnz_ldap.c(501): [client 172.16.250.250:49559] AH01691: auth_ldap authenticate: using URL ldap://ldap01.example.com:3268/ou=employees,ou=users,dc=example,dc=edu?sAMAccountName?sub?(objectClass=user)
[Wed Oct 21 12:12:56.213705 2015] [authnz_ldap:trace1] [pid 20648] mod_authnz_ldap.c(522): [client 172.16.250.250:49559] auth_ldap authenticate: final authn filter is (&(objectClass=user)(sAMAccountName=TESTUSER))
[Wed Oct 21 12:12:56.215123 2015] [ldap:debug] [pid 20648] util_ldap.c(372): AH01278: LDAP: Setting referrals to On.
[Wed Oct 21 12:12:56.216479 2015] [ldap:trace2] [pid 20648] util_ldap.c(591): [client 172.16.250.250:49559] ldap_simple_bind() failed with server down (try 1)
[Wed Oct 21 12:12:56.217336 2015] [ldap:trace2] [pid 20648] util_ldap.c(591): [client 172.16.250.250:49559] ldap_simple_bind() failed with server down (try 2)
[Wed Oct 21 12:12:56.217358 2015] [ldap:trace2] [pid 20648] util_ldap.c(606): [client 172.16.250.250:49559] attempt to re-init the connection
[Wed Oct 21 12:12:56.217398 2015] [ldap:debug] [pid 20648] util_ldap.c(372): AH01278: LDAP: Setting referrals to On.
[Wed Oct 21 12:12:56.218332 2015] [ldap:trace2] [pid 20648] util_ldap.c(591): [client 172.16.250.250:49559] ldap_simple_bind() failed with server down (try 3)
[Wed Oct 21 12:12:56.219355 2015] [ldap:trace2] [pid 20648] util_ldap.c(591): [client 172.16.250.250:49559] ldap_simple_bind() failed with server down (try 4)
[Wed Oct 21 12:12:56.219392 2015] [ldap:trace2] [pid 20648] util_ldap.c(606): [client 172.16.250.250:49559] attempt to re-init the connection
[Wed Oct 21 12:12:56.219430 2015] [ldap:debug] [pid 20648] util_ldap.c(372): AH01278: LDAP: Setting referrals to On.
[Wed Oct 21 12:12:56.219444 2015] [authnz_ldap:debug] [pid 20648] mod_authnz_ldap.c(539): [client 172.16.250.250:49559] AH01694: auth_ldap authenticate: user TESTUSER authentication failed; URI / [LDAP: ldap_simple_bind() failed][Can't contact LDAP server] (not authoritative)
[Wed Oct 21 12:12:56.219454 2015] [auth_basic:error] [pid 20648] [client 172.16.250.250:49559] AH01618: user TESTUSER not found: /
[Wed Oct 21 12:12:56.219469 2015] [core:trace3] [pid 20648] request.c(119): [client 172.16.250.250:49559] auth phase 'check user' gave status 401: /
[Wed Oct 21 12:12:56.219530 2015] [http:trace3] [pid 20648] http_filters.c(992): [client 172.16.250.250:49559] Response sent with status 401, headers:
[Wed Oct 21 12:12:56.219532 2015] [http:trace5] [pid 20648] http_filters.c(999): [client 172.16.250.250:49559]   Date: Wed, 21 Oct 2015 19:12:56 GMT
[Wed Oct 21 12:12:56.219534 2015] [http:trace5] [pid 20648] http_filters.c(1002): [client 172.16.250.250:49559]   Server: Apache/2.4.6 (CentOS)
[Wed Oct 21 12:12:56.219536 2015] [http:trace4] [pid 20648] http_filters.c(835): [client 172.16.250.250:49559]   WWW-Authenticate: Basic realm=\\”login\\”
[Wed Oct 21 12:12:56.219538 2015] [http:trace4] [pid 20648] http_filters.c(835): [client 172.16.250.250:49559]   Content-Length: 381
[Wed Oct 21 12:12:56.219540 2015] [http:trace4] [pid 20648] http_filters.c(835): [client 172.16.250.250:49559]   Keep-Alive: timeout=5, max=100
[Wed Oct 21 12:12:56.219541 2015] [http:trace4] [pid 20648] http_filters.c(835): [client 172.16.250.250:49559]   Connection: Keep-Alive
[Wed Oct 21 12:12:56.219542 2015] [http:trace4] [pid 20648] http_filters.c(835): [client 172.16.250.250:49559]   Content-Type: text/html; charset=iso-8859-1

我可以使用这些凭据执行ldapsearch,并从DC返回用户对象,因此凭据是正确的。我在DC上运行了Wireshark。它从未看到来自此Web服务器的任何LDAP数据包。我在Web服务器上运行tcpdump,当我尝试验证时它从未发送过任何LDAP数据包...

我们通过PHP在10分钟内完成了AD身份验证,但我以前一直在研究这几天...所以肯定,它现在可以运行了,但我想知道为什么mod_ldap和mod_authnz_ldap不是这样的工作...或......什么不工作。

另外,我对Apache有点新意,所以这个问题很可能是我误解的问题。

提前致谢。

更新:显然它在Debian中运行得很好。 (Apache 2.2.22,静止不动) 叹息

1 个答案:

答案 0 :(得分:5)

已解决:显然我在Linux上也是新手。

当然,SELinux存在问题。即使我将它从Enforcing设置为Permissive(然后最终设置为Disabled),我也不知道进行更改的唯一方法显然是重启(或setenforce 0)。重新启动,一切正常,因为SELinux现已禁用。然后我发现SELinux日志位于/var/log/audit/audit.log。在那里,有一堆:

type=AVC msg=audit(1445466425.176:1849): avc:  denied  { name_connect } for  pid=21184 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket

所以为了让httpd能够访问ldap,我跟着this post说了一遍:

# getsebool -a | grep ldap
authlogin_nsswitch_use_ldap --> off
httpd_can_connect_ldap --> off

# setsebool httpd_can_connect_ldap 1

# getsebool -a | grep ldap
authlogin_nsswitch_use_ldap --> off
httpd_can_connect_ldap --> on

之后,auth与Firewalld启用和SELinux Enforcing完美配合。这也解释了为什么tcpdump没有显示ldap绑定尝试。

所以是的,希望这能帮助其他可能被卡住的人。

结论:了解有关SELinux的更多信息。

相关问题
最新问题