Apache Active Directory mod_authnz_ldap 不工作
Posted
技术标签:
【中文标题】Apache Active Directory mod_authnz_ldap 不工作【英文标题】:Apache Active Directory mod_authnz_ldap not working 【发布时间】:2016-01-20 23:08:04 【问题描述】:过去几天我一直在尝试在虚拟主机页面上进行 AD 身份验证,但无济于事。帮助...
CentOS 7
Apache 2.4.6
mod_ldap 和 mod_authnz_ldap 安装和加载
<VirtualHost *:80>
DocumentRoot /var/www/wwwtest/public
ServerName wwwtest.example.com
ErrorLog logs/wwwtest.example.com-error_log
CustomLog logs/wwwtest.example.com-access_log common
<Directory /var/www/wwwtest/public>
Allow from all
Order Allow,Deny
Options Indexes MultiViews FollowSymLinks
AllowOverride None
AuthType Basic
AuthName "login"
AuthBasicProvider ldap
AuthLDAPBindDN ldapuser@EXAMPLE.COM
AuthLDAPBindPassword ldappassword
AuthLDAPURL "ldap://ldap01.example.com:3268/ou=employees,ou=users,dc=example,dc=com?sAMAccountName?sub?(objectClass=user)"
AuthLDAPBindAuthoritative off
Require valid-user
</Directory>
</VirtualHost>
我在 /etc/httpd/conf/httpd.conf 中启用了 trace8
这就是我在 /var/log/httpd/wwwtest.example.com-error.log 中看到的
[Wed Oct 21 12:12:56.213178 2015] [http:trace4] [pid 20648] http_request.c(301): [client 172.16.250.250:49559] Headers received from client:
[Wed Oct 21 12:12:56.213263 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Host: wwwtest.example.com
[Wed Oct 21 12:12:56.213278 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:41.0) Gecko/20100101 Firefox/41.0
[Wed Oct 21 12:12:56.213284 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[Wed Oct 21 12:12:56.213289 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Accept-Language: en-US,en;q=0.5
[Wed Oct 21 12:12:56.213293 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Accept-Encoding: gzip, deflate
[Wed Oct 21 12:12:56.213297 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] DNT: 1
[Wed Oct 21 12:12:56.213301 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Connection: keep-alive
[Wed Oct 21 12:12:56.213305 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Cache-Control: max-age=0
[Wed Oct 21 12:12:56.213309 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Authorization: Basic RTAxMDEwMTAxOkNvbmNvcmRpYTIwMTU=
[Wed Oct 21 12:12:56.213530 2015] [authz_core:debug] [pid 20648] mod_authz_core.c(809): [client 172.16.250.250:49559] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Oct 21 12:12:56.213556 2015] [authz_core:debug] [pid 20648] mod_authz_core.c(809): [client 172.16.250.250:49559] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Oct 21 12:12:56.213644 2015] [authnz_ldap:debug] [pid 20648] mod_authnz_ldap.c(501): [client 172.16.250.250:49559] AH01691: auth_ldap authenticate: using URL ldap://ldap01.example.com:3268/ou=employees,ou=users,dc=example,dc=edu?sAMAccountName?sub?(objectClass=user)
[Wed Oct 21 12:12:56.213705 2015] [authnz_ldap:trace1] [pid 20648] mod_authnz_ldap.c(522): [client 172.16.250.250:49559] auth_ldap authenticate: final authn filter is (&(objectClass=user)(sAMAccountName=TESTUSER))
[Wed Oct 21 12:12:56.215123 2015] [ldap:debug] [pid 20648] util_ldap.c(372): AH01278: LDAP: Setting referrals to On.
[Wed Oct 21 12:12:56.216479 2015] [ldap:trace2] [pid 20648] util_ldap.c(591): [client 172.16.250.250:49559] ldap_simple_bind() failed with server down (try 1)
[Wed Oct 21 12:12:56.217336 2015] [ldap:trace2] [pid 20648] util_ldap.c(591): [client 172.16.250.250:49559] ldap_simple_bind() failed with server down (try 2)
[Wed Oct 21 12:12:56.217358 2015] [ldap:trace2] [pid 20648] util_ldap.c(606): [client 172.16.250.250:49559] attempt to re-init the connection
[Wed Oct 21 12:12:56.217398 2015] [ldap:debug] [pid 20648] util_ldap.c(372): AH01278: LDAP: Setting referrals to On.
[Wed Oct 21 12:12:56.218332 2015] [ldap:trace2] [pid 20648] util_ldap.c(591): [client 172.16.250.250:49559] ldap_simple_bind() failed with server down (try 3)
[Wed Oct 21 12:12:56.219355 2015] [ldap:trace2] [pid 20648] util_ldap.c(591): [client 172.16.250.250:49559] ldap_simple_bind() failed with server down (try 4)
[Wed Oct 21 12:12:56.219392 2015] [ldap:trace2] [pid 20648] util_ldap.c(606): [client 172.16.250.250:49559] attempt to re-init the connection
[Wed Oct 21 12:12:56.219430 2015] [ldap:debug] [pid 20648] util_ldap.c(372): AH01278: LDAP: Setting referrals to On.
[Wed Oct 21 12:12:56.219444 2015] [authnz_ldap:debug] [pid 20648] mod_authnz_ldap.c(539): [client 172.16.250.250:49559] AH01694: auth_ldap authenticate: user TESTUSER authentication failed; URI / [LDAP: ldap_simple_bind() failed][Can't contact LDAP server] (not authoritative)
[Wed Oct 21 12:12:56.219454 2015] [auth_basic:error] [pid 20648] [client 172.16.250.250:49559] AH01618: user TESTUSER not found: /
[Wed Oct 21 12:12:56.219469 2015] [core:trace3] [pid 20648] request.c(119): [client 172.16.250.250:49559] auth phase 'check user' gave status 401: /
[Wed Oct 21 12:12:56.219530 2015] [http:trace3] [pid 20648] http_filters.c(992): [client 172.16.250.250:49559] Response sent with status 401, headers:
[Wed Oct 21 12:12:56.219532 2015] [http:trace5] [pid 20648] http_filters.c(999): [client 172.16.250.250:49559] Date: Wed, 21 Oct 2015 19:12:56 GMT
[Wed Oct 21 12:12:56.219534 2015] [http:trace5] [pid 20648] http_filters.c(1002): [client 172.16.250.250:49559] Server: Apache/2.4.6 (CentOS)
[Wed Oct 21 12:12:56.219536 2015] [http:trace4] [pid 20648] http_filters.c(835): [client 172.16.250.250:49559] WWW-Authenticate: Basic realm=\\”login\\”
[Wed Oct 21 12:12:56.219538 2015] [http:trace4] [pid 20648] http_filters.c(835): [client 172.16.250.250:49559] Content-Length: 381
[Wed Oct 21 12:12:56.219540 2015] [http:trace4] [pid 20648] http_filters.c(835): [client 172.16.250.250:49559] Keep-Alive: timeout=5, max=100
[Wed Oct 21 12:12:56.219541 2015] [http:trace4] [pid 20648] http_filters.c(835): [client 172.16.250.250:49559] Connection: Keep-Alive
[Wed Oct 21 12:12:56.219542 2015] [http:trace4] [pid 20648] http_filters.c(835): [client 172.16.250.250:49559] Content-Type: text/html; charset=iso-8859-1
我可以使用这些凭据进行 ldapsearch,它会从我们的 DC 返回用户对象,因此凭据是正确的。我在 DC 上运行了 Wireshark。它从未看到来自此 Web 服务器的任何 LDAP 数据包。我在 Web 服务器上运行了 tcpdump,当我尝试进行身份验证时它从未发送任何 LDAP 数据包...
我们在 10 分钟内通过 php 获得了 AD auth,但我之前已经为此工作了好几天......所以当然,它现在可以正常工作,但我想知道为什么 mod_ldap 和 mod_authnz_ldap 不起作用。 ..或...什么不起作用。
另外,我对 Apache 有点陌生......所以问题很可能是我误解了。
提前致谢。
更新:显然它在 Debian 中运行良好。 (Apache 2.2.22,还在)sigh
【问题讨论】:
@Jongware 完成。对此感到抱歉。 【参考方案1】:已解决:显然我还是 Linux 新手。
当然,这是 SELinux 的问题。即使我已将其从 Enforcing 设置为 Permissive(然后最终设置为 Disabled),但我不知道进行该更改的唯一方法显然是重新启动(或 setenforce 0)。重新启动,一切正常,因为 SELinux 现在已被禁用。然后我发现 SELinux 日志位于 /var/log/audit/audit.log。那里,有一堆:
type=AVC msg=audit(1445466425.176:1849): avc: denied name_connect for pid=21184 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
所以为了允许 httpd 访问 ldap,我关注了this post,上面写着:
# getsebool -a | grep ldap
authlogin_nsswitch_use_ldap --> off
httpd_can_connect_ldap --> off
# setsebool httpd_can_connect_ldap 1
# getsebool -a | grep ldap
authlogin_nsswitch_use_ldap --> off
httpd_can_connect_ldap --> on
之后,auth 在启用 Firewalld 和 SELinux Enforcing 的情况下完美运行。这也解释了为什么 tcpdump 没有显示 ldap 绑定尝试。
是的,希望这可以帮助其他可能被卡住的人。
底线:了解有关 SELinux 的更多信息。
【讨论】:
以上是关于Apache Active Directory mod_authnz_ldap 不工作的主要内容,如果未能解决你的问题,请参考以下文章
Apache Shiro/Active Directory 集成以支持 Grails Web 应用程序中的 SSO
如何从 Active Directory 填充 Apache 服务器中的 REMOTE_USER(与 SSO 相关)
是否可以使用Active Directory过滤SolR结果?