multiple authentication providers

Alles, was den Apache betrifft, kann hier besprochen werden.

multiple authentication providers

Postby Mordecaine » 06. October 2015 09:03

Hey friends,

I need your help. Maybe I cannot see the failure.
Since Apache 2.2 multiple authentication providers are now supported. I have a monitoring system. This system should have a LDAP authentication and as a fall back (when the service is not available) the normal file authentication.

Now I configured a ldap user and a passwd user.
(ldap user: ldap_user)
(file user: file_user)

Apache version:
Code: Select all
Server version: Apache/2.2.15 (Unix)
Server built:   Aug 24 2015 09:46:04


Now I did a configuration:
Code: Select all
<VirtualHost 1.1.1.1:80>
        ServerName test.example.com
        DocumentRoot "/var/www/"

        <Location /cluster>
                Require valid-user

                AuthType Basic
                AuthName "Blubb"
                AuthBasicProvider ldap file
                #AuthBasicProvider file ldap

                AuthzLDAPAuthoritative Off
                AuthLDAPURL "ldap://localhost/OU=User,OU=1001,OU=Hosting,DC=mydomain,DC=dom?sAMAccountName?sub"
                #AuthLDAPURL "ldap://dc.example.com/OU=User,OU=1001,OU=Hosting,DC=mydomain,DC=dom?sAMAccountName?sub"
                AuthLDAPBindDN "CN=Mr Smith,OU=User,OU=1001,OU=Hosting,DC=mydomain,DC=dom"
                AuthLDAPBindPassword "Pass"
               
                AuthUserFile /home/xymon/server/etc/xymonpasswd
        </Location>
        LogLevel debug
        CustomLog /var/log/httpd/example.com-access.log common
        ErrorLog /var/log/httpd/example.com-error.log
</VirtualHost>


The LDAP authentication and the file authentication works fine, but both together are a problem.
When I try "AuthBasicProvider ldap file" then the ldap authentication works with the ldap user. When I try the passwd user, I get an password missmatch in the log file.
When I try "AuthBasicProvider file ldap" then the passwd user works but not the ldap user.
When I give him a server which not have a ldap service (thats to simulate when the ldap server is down), I get a internal server error and the following messages:
Code: Select all
[Mon Oct 05 16:22:51 2015] [debug] mod_authnz_ldap.c(432): [client 1.1.1.2] [9308] auth_ldap authenticate: using URL ldap://server-without-ldap.example.com/OU=User,OU=1001,OU=Hosting,DC=mydomain,DC=dom?sAMAccountName?sub
[Mon Oct 05 16:22:51 2015] [debug] mod_authnz_ldap.c(432): [client 1.1.1.2] [9308] auth_ldap authenticate: using URL ldap://server-without-ldap.example.com/OU=User,OU=1001,OU=Hosting,DC=mydomain,DC=dom?sAMAccountName?sub
[Mon Oct 05 16:22:51 2015] [debug] mod_authnz_ldap.c(432): [client 1.1.1.2] [9308] auth_ldap authenticate: using URL ldap://server-without-ldap.example.com/OU=User,OU=1001,OU=Hosting,DC=mydomain,DC=dom?sAMAccountName?sub
[Mon Oct 05 16:22:51 2015] [debug] mod_authnz_ldap.c(432): [client 1.1.1.2] [9308] auth_ldap authenticate: using URL ldap://server-without-ldap.example.com/OU=User,OU=1001,OU=Hosting,DC=mydomain,DC=dom?sAMAccountName?sub
[Mon Oct 05 16:22:51 2015] [debug] mod_authnz_ldap.c(432): [client 1.1.1.2] [9308] auth_ldap authenticate: using URL ldap://server-without-ldap.example.com/OU=User,OU=1001,OU=Hosting,DC=mydomain,DC=dom?sAMAccountName?sub
[Mon Oct 05 16:22:51 2015] [info] [client 1.1.1.2] [9308] auth_ldap authenticate: user file_user authentication failed; URI /cluster/82P6_q_netboot.tgz [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]



I hope you can help me.

Thanks,
Mordecaine
Mordecaine
 
Posts: 2
Joined: 05. October 2015 15:56
Operating System: CentOS 6

Re: multiple authentication providers

Postby Mordecaine » 07. October 2015 15:38

I found the failures.
1. This is no fallback construct. When you use multiple authentication providers to ask the LDAP first and the LDAP isnt avaiable, the webserver wont check the passwd file. You will get an internal server error.
2. The second fail was to belive that this construct will check the first provider and after that the second one when you get a password missmatch at the fist provider.
For example:
We have a user bob. bob has a LDAP Account with a password and he is written in the passwd file with another password.
When the first provider send a password missmatch, apache will not check the second provider.
Mordecaine
 
Posts: 2
Joined: 05. October 2015 15:56
Operating System: CentOS 6

Re: multiple authentication providers

Postby Nobbie » 07. October 2015 17:16

Maybe you can solve it by using the new configuration optons "RequireAny" and "RequireAll".

See http://httpd.apache.org/docs/2.4/mod/mo ... _core.html
Nobbie
 
Posts: 8779
Joined: 09. March 2008 13:04

Re: multiple authentication providers

Postby Altrea » 07. October 2015 19:00

Mordecaine wrote:
Code: Select all
Server version: Apache/2.2.15 (Unix)
Server built:   Aug 24 2015 09:46:04


Nobbie wrote:Maybe you can solve it by using the new configuration optons "RequireAny" and "RequireAll".

See http://httpd.apache.org/docs/2.4/mod/mo ... _core.html

Not supported with this Apache version.
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
User avatar
Altrea
AF Moderator
 
Posts: 8297
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 10 Pro x64

Re: multiple authentication providers

Postby Nobbie » 07. October 2015 19:17

Needs an upgrade of course.
Nobbie
 
Posts: 8779
Joined: 09. March 2008 13:04


Return to Apache

Who is online

Users browsing this forum: No registered users and 4 guests