Re: [users@httpd] httpd session timeout
Forgot to mention... I am using httpd as a reverse proxy. But the downstream server has no notion of a user or sessions.

On Wed, Aug 24, 2016 at 8:53 AM, Roger Paanini wrote:
> Chris, I am testing it by logging into the website using basic authentication, then waiting for the timeout duration and trying to access the page again. I am expecting to be challenged for credentials again when I try to access the page after the timeout. But I am never challenged after the timeout - even after several hours beyond the timeout value.
>
> But I see the following messages in my log file... I suspect my session modules are not configured correctly?
>
> [Wed Aug 24 08:41:46.851228 2016] [session:warn] [pid 61410:tid 140098663421696] [client x.x.x.x:5675] AH01815: session is enabled but no session modules have been configured, session not loaded:
>
> I have the following in my httpd.conf:
>
> LoadModule session_module modules/mod_session.so
> LoadModule session_cookie_module modules/mod_session_cookie.so
> #LoadModule session_dbd_module modules/mod_session_dbd.so
> ***
>
> Session on
> SessionMaxAge 1
> AuthType Basic
> AuthLDAPBindDN "x"
> AuthLDAPBindPassword ""
> AuthBasicProvider ldap
> AuthName "LDAP - login"
> AuthLDAPURL "x"
> Require valid-user
> Require ldap-group ""
> AuthLDAPRemoteUserAttribute uid
>
> Any thoughts on what I am missing?
>
> Thanks!
>
> On Tue, Aug 23, 2016 at 3:29 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>> Roger,
>>
>> On 8/23/16 4:26 PM, Roger Paanini wrote:
>>> Folks, I have tried to configure httpd with session timeout but it does not seem to work. My httpd.conf has the following:
>>>
>>> Session on
>>> SessionMaxAge 1
>>> AuthType Basic
>>> ***
>>>
>>> I was trying to put a timeout value of 1 sec just to test. This is not working. Am I missing something?
>>>
>>> Thanks for any pointers on this.
>>
>> How are you testing it? What did you expect? What happened if it wasn't what you expected?
>>
>> -chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] httpd session timeout
Chris, I am testing it by logging into the website using basic authentication, then waiting for the timeout duration and trying to access the page again. I am expecting to be challenged for credentials again when I try to access the page after the timeout. But I am never challenged after the timeout - even after several hours beyond the timeout value.

But I see the following messages in my log file... I suspect my session modules are not configured correctly?

[Wed Aug 24 08:41:46.851228 2016] [session:warn] [pid 61410:tid 140098663421696] [client x.x.x.x:5675] AH01815: session is enabled but no session modules have been configured, session not loaded:

I have the following in my httpd.conf:

LoadModule session_module modules/mod_session.so
LoadModule session_cookie_module modules/mod_session_cookie.so
#LoadModule session_dbd_module modules/mod_session_dbd.so
***

Session on
SessionMaxAge 1
AuthType Basic
AuthLDAPBindDN "x"
AuthLDAPBindPassword ""
AuthBasicProvider ldap
AuthName "LDAP - login"
AuthLDAPURL "x"
Require valid-user
Require ldap-group ""
AuthLDAPRemoteUserAttribute uid

Any thoughts on what I am missing?

Thanks!

On Tue, Aug 23, 2016 at 3:29 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Roger,
>
> On 8/23/16 4:26 PM, Roger Paanini wrote:
>> Folks, I have tried to configure httpd with session timeout but it does not seem to work. My httpd.conf has the following:
>>
>> Session on
>> SessionMaxAge 1
>> AuthType Basic
>> ***
>>
>> I was trying to put a timeout value of 1 sec just to test. This is not working. Am I missing something?
>>
>> Thanks for any pointers on this.
>
> How are you testing it? What did you expect? What happened if it wasn't what you expected?
>
> -chris
[users@httpd] httpd session timeout
Folks, I have tried to configure httpd with session timeout but it does not seem to work. My httpd.conf has the following:

Session on
SessionMaxAge 1
AuthType Basic
***

I was trying to put a timeout value of 1 sec just to test. This is not working. Am I missing something?

Thanks for any pointers on this.
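The AH01815 warning seen in this thread, and the expectation that SessionMaxAge would force a fresh Basic challenge, both come down to configuration. What follows is an added example, not from the thread and not httpd's own tooling: a POSIX shell lint that reads an httpd.conf fragment (one directive per line) and reports the conditions that produce that warning. It relies on two facts about httpd 2.4: mod_session_cookie declines to load a session until SessionCookieName is set, which is what makes mod_session log AH01815 even when the module is loaded; and a Basic login is re-sent by the browser with every request, so SessionMaxAge never expires it. Only mod_auth_form, which keeps the login inside the session, is subject to that timeout. The sample configuration at the bottom is constructed from the directives quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: lint the mod_session directives behind
# AH01815 ("session is enabled but no session modules have been configured").
# Reads an httpd.conf fragment, one directive per line. Sample data below is
# constructed.

lint_session_conf() {
    conf="$1"
    # Nothing to check unless sessions are switched on.
    grep -Eiq '^[[:space:]]*Session[[:space:]]+on' "$conf" || return 0

    # mod_session is only the framework; a storage module (cookie or dbd)
    # must be loaded, or nothing will ever save or load the session.
    if ! grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+session_(cookie|dbd)_module' "$conf"; then
        echo "no session storage module loaded (mod_session_cookie or mod_session_dbd)"
    fi

    # A loaded storage module stays inactive until it knows the cookie name;
    # without SessionCookieName (or SessionDBDCookieName) it declines to load
    # the session and mod_session logs AH01815.
    if ! grep -Eiq '^[[:space:]]*Session(DBD)?CookieName2?[[:space:]]' "$conf"; then
        echo "no SessionCookieName / SessionDBDCookieName: storage module not configured, expect AH01815"
    fi

    # A cookie session without mod_session_crypto travels in the clear and
    # can be edited by the client.
    if grep -Eiq '^[[:space:]]*SessionCookieName2?[[:space:]]' "$conf" \
       && ! grep -Eiq '^[[:space:]]*SessionCryptoPassphrase[[:space:]]' "$conf"; then
        echo "cookie session without SessionCryptoPassphrase: contents are client-readable and client-writable"
    fi

    # The timeout this thread expects: the browser re-sends a Basic login on
    # every request, so SessionMaxAge never forces a new challenge. Only
    # mod_auth_form keeps the login inside the session.
    if grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Basic' "$conf"; then
        echo "AuthType Basic: SessionMaxAge cannot expire a Basic login; use AuthType form (mod_auth_form) for session-bound logins"
    fi
    return 0
}

# Constructed sample: the directives quoted in the thread.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
LoadModule session_module modules/mod_session.so
LoadModule session_cookie_module modules/mod_session_cookie.so
Session on
SessionMaxAge 1
AuthType Basic
AuthBasicProvider ldap
Require valid-user
EOF

lint_session_conf "$sample_conf"
rm -f "$sample_conf"
```

Run against the thread's configuration it reports the missing SessionCookieName (the direct cause of AH01815) and the Basic-auth mismatch. A configuration that passes it for this setup loads mod_session_crypto, sets SessionCookieName session path=/;httponly;secure and SessionCryptoPassphrase, uses a realistic SessionMaxAge, and switches to AuthType form so that the stored login, not the browser's cached Authorization header, is what expires.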
[users@httpd] AuthLDAPBindPassword encryption
Hello Everyone, I am trying to use an encrypted password for LDAP. After much research I chanced upon the link: https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#authldapbindpassword

But when I try the following entry in httpd.conf, it does not seem to work:

AuthLDAPBindPassword "exec:myprogram"

"myprogram" simply prints the password to stdout. How do I debug this? Has anyone had success with this new feature? Any hints and insights are appreciated. Thanks!
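The exec: form of AuthLDAPBindPassword runs the program while httpd parses its configuration and takes the first line the program writes to standard output as the bind password. Below is an added example, not from the thread or the httpd project, of a helper written for that contract: it reads the secret from a file, refuses a file that other accounts could read, and reports failures on stderr so they show up in the error log at startup. The script name, the secret file path and the directive path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the httpd project: a helper for
#   AuthLDAPBindPassword "exec:/usr/local/apache2/bin/ldap-bind-pw"
# httpd runs it while parsing the configuration and uses the first line of
# its standard output as the bind password. Paths are assumptions.

SECRET_FILE="${LDAP_BIND_PW_FILE:-/usr/local/apache2/conf/ldap-bind.pw}"

emit_bind_password() {
    f="$1"
    # Anything written to stderr lands in the error log at startup, which is
    # the place to look when the directive "does not seem to work".
    if [ ! -f "$f" ] || [ ! -r "$f" ]; then
        echo "ldap-bind-pw: cannot read $f" >&2
        return 1
    fi
    # Refuse a secret other accounts can read. The configuration is parsed by
    # the process that starts httpd (normally root), so the file can be
    # root-owned and 0600: the unprivileged worker processes never read it.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        400|600) ;;
        *)
            echo "ldap-bind-pw: refusing $f with mode $mode, want 0600" >&2
            return 1
            ;;
    esac
    # httpd uses only the first line; keep the file to a single line.
    head -n 1 "$f"
}

# Behave as a program when invoked under the installed name (the way httpd
# calls it); when the file is sourced only the function is defined.
case "$(basename "$0")" in
    ldap-bind-pw) emit_bind_password "$SECRET_FILE" ;;
esac
```

To debug a directive like this, run the program by hand as the account that starts httpd and check its exit status and that it prints exactly one line; give the directive an absolute path and make sure the file is executable with a valid interpreter line; then run apachectl configtest and read the error log, where the stderr lines above appear. Note that the bind password is still held in memory by httpd, so this moves the secret out of httpd.conf rather than encrypting it end to end.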
[users@httpd] Issue with LDAPVerifyServerCert: On
Hi Folks, I am having a problem connecting with LDAP when I turn on LDAPVerifyServerCert. With this parameter turned off everything is working fine. I took a tcpdump for both scenarios. The only difference is in the list of Distinguished Names that my LDAP server sends as part of the "Certificate Request". With LDAPVerifyServerCert turned on, I get a bunch of DNs in the Certificate Request. With it turned off, I get none. In either case, the client (httpd) is getting the server certificate and validating it. Does anyone have any explanation for this behavior? I do not see any downside to LDAPVerifyServerCert being turned off. Any insights and comments? Thanks!
Re: [users@httpd]Login difficulty after integration of httpd with LDAP
Eric, I just found the problem: there is a typo in the LDAP URL: sAMAccountName has an i at the end. After I removed it, it is working fine.

AuthLDAPURL "ldaps://my.com:636/DC=my,DC=com?sAMAccountName*i*?sub?(objectclass=user)"

Your suggestion to do ldapsearch made me look through these values and that is how I found it. Thanks for the help!

On Tue, Jul 5, 2016 at 1:41 PM, Eric Covener wrote:
> On Tue, Jul 5, 2016 at 2:32 PM, Roger Paanini wrote:
>> I have redacted the response to protect confidential info. Do you need the full response?
>
> I don't think so. Could you capture both searches in wireshark and see how they differ at a low level? Something might stand out side-by-side.
>
> --
> Eric Covener
> cove...@gmail.com
Re: [users@httpd]Login difficulty after integration of httpd with LDAP
Eric, this command works perfectly fine:

ldapsearch -x -h my.com -D "CN=ldap,OU=acct,DC=my,DC=com" -w * -b "dc=my,dc=com" -s sub "(&(sAMAccountName=testuser)(objectClass=user))"

I have redacted the response to protect confidential info. Do you need the full response? Thanks!

On Tue, Jul 5, 2016 at 11:03 AM, Eric Covener wrote:
> On Tue, Jul 5, 2016 at 11:56 AM, Mike Rumph wrote:
>>> [Tue Jul 05 09:23:50.587187 2016] [authnz_ldap:info] [pid 35839:tid 139644016523008] [client 10.204.1.1:51637] AH01695: auth_ldap authenticate: user testuser authentication failed; URI /ui [User not found][No such object]
>
> Can you show a command-line ldapsearch that shows sAMAccountNameI=testuser when searching your LDAP with a base of the DC=... in the AuthLDAPURL? If not, show any ldapsearch that finds that user?
>
> --
> Eric Covener
> cove...@gmail.com
[users@httpd]
Hi Folks, I am trying to integrate httpd with LDAP (Active Directory) but I am running into some trouble. Every time I try to login, here is what I see:

[Tue Jul 05 09:23:50.471191 2016] [ssl:info] [pid 35839:tid 139644016523008] [client 10.204.1.1:51637] AH01964: Connection to child 66 established (server apachehost.my.com:443)
[Tue Jul 05 09:23:50.471383 2016] [ssl:debug] [pid 35839:tid 139644016523008] ssl_engine_kernel.c(2101): [client 10.204.1.1:51637] AH02043: SSL virtual host for servername apachehost.my.com found
[Tue Jul 05 09:23:50.487945 2016] [ssl:debug] [pid 35839:tid 139644016523008] ssl_engine_kernel.c(2028): [client 10.204.1.1:51637] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Jul 05 09:23:50.488842 2016] [ssl:debug] [pid 35839:tid 139644016523008] ssl_engine_kernel.c(366): [client 10.204.1.1:51637] AH02034: Initial (No.1) HTTPS request received for child 66 (server apachehost.my.com:443)
[Tue Jul 05 09:23:50.47 2016] [authz_core:debug] [pid 35839:tid 139644016523008] mod_authz_core.c(809): [client 10.204.1.1:51637] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Jul 05 09:23:50.488899 2016] [authz_core:debug] [pid 35839:tid 139644016523008] mod_authz_core.c(809): [client 10.204.1.1:51637] AH01626: authorization result of Require ldap-group "CN=Architecture Team,OU=Groups,OU=Core,DC=my,DC=com": denied (no authenticated user yet)
[Tue Jul 05 09:23:50.488903 2016] [authz_core:debug] [pid 35839:tid 139644016523008] mod_authz_core.c(809): [client 10.204.1.1:51637] AH01626: authorization result of : denied (no authenticated user yet)
[Tue Jul 05 09:23:50.488925 2016] [authnz_ldap:debug] [pid 35839:tid 139644016523008] mod_authnz_ldap.c(516): [client 10.204.1.1:51637] AH01691: auth_ldap authenticate: using URL ldaps://my.com:636/DC=my,DC=com?sAMAccountNamei?sub?(objectclass=user)
[Tue Jul 05 09:23:50.546246 2016] [proxy:debug] [pid 53629:tid 139644279056192] proxy_util.c(1790): AH00925: initializing worker http://appserver.my.com:8500/ shared
[Tue Jul 05 09:23:50.546308 2016] [proxy:debug] [pid 53629:tid 139644279056192] proxy_util.c(1832): AH00927: initializing worker http://appserver.my.com:8500/ local
[Tue Jul 05 09:23:50.546358 2016] [proxy:debug] [pid 53629:tid 139644279056192] proxy_util.c(1867): AH00930: initialized pool in child 53629 for (appserver.my.com) min=0 max=25 smax=25
[Tue Jul 05 09:23:50.546381 2016] [proxy:debug] [pid 53629:tid 139644279056192] proxy_util.c(1790): AH00925: initializing worker proxy:reverse shared
[Tue Jul 05 09:23:50.546384 2016] [proxy:debug] [pid 53629:tid 139644279056192] proxy_util.c(1832): AH00927: initializing worker proxy:reverse local
[Tue Jul 05 09:23:50.546396 2016] [proxy:debug] [pid 53629:tid 139644279056192] proxy_util.c(1867): AH00930: initialized pool in child 53629 for (*) min=0 max=25 smax=25
[Tue Jul 05 09:23:50.546415 2016] [proxy:debug] [pid 53629:tid 139644279056192] proxy_util.c(1785): AH00924: worker http://appserver.my.com:8500/ shared already initialized
[Tue Jul 05 09:23:50.546425 2016] [proxy:debug] [pid 53629:tid 139644279056192] proxy_util.c(1827): AH00926: worker http://appserver.my.com:8500/ local already initialized
[Tue Jul 05 09:23:50.546624 2016] [mpm_event:debug] [pid 53629:tid 139644108920576] event.c(2096): AH02471: start_threads: Using epoll
[Tue Jul 05 09:23:50.587187 2016] [authnz_ldap:info] [pid 35839:tid 139644016523008] [client 10.204.1.1:51637] AH01695: auth_ldap authenticate: user testuser authentication failed; URI /ui [User not found][No such object]
[Tue Jul 05 09:23:50.587224 2016] [auth_basic:error] [pid 35839:tid 139644016523008] [client 10.204.1.1:51637] AH01618: user testuser not found: /ui
[Tue Jul 05 09:23:55.577658 2016] [ssl:debug] [pid 35839:tid 139643823490816] ssl_engine_io.c(1033): [remote 10.204.1.1:51637] AH02001: Connection closed to child 66 with standard shutdown (server apachehost.my.com:443)

And here is the configuration snippet from httpd.conf:

LDAPTrustedGlobalCert CA_BASE64 /usr/local/apache2/conf/certs/ldapCert.pem
LDAPVerifyServerCert Off
AuthType Basic
AuthLDAPBindDN "CN=ldap,OU=acct,DC=my,DC=com"
AuthLDAPBindPassword **
AuthBasicProvider ldap
AuthName "LDAP - login"
AuthLDAPURL "ldaps://my.com:636/DC=my,DC=com?sAMAccountNamei?sub?(objectclass=user)"
Require valid-user
Require ldap-group "CN=Architecture Team,OU=Groups,OU=Core,DC=my,DC=com"
AuthLDAPRemoteUserAttribute uid
#RewriteEngine On
#RewriteCond %{LA-U:REMOTE_USER} (.+)
#RewriteRule .* - [E=RU:%1]
#RequestHeader set REMOTE_USER %{RU}e

Any clues on what I am missing or how to go about debugging this issue? Thanks in advance!
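Eric's suggestion in this thread, repeating the lookup with ldapsearch from the same base and attribute, is the check that exposed the stray "i" in sAMAccountNamei, and it can be mechanised. The following is an added example, not from the thread or the httpd project: a POSIX shell script that splits an AuthLDAPURL into the parts mod_authnz_ldap uses (scheme://host:port/basedn?attribute?scope?filter, with the documented defaults uid, sub and (objectclass=*) when a part is omitted), prints the ldapsearch equivalent of the module's user lookup, which combines the URL filter with the attribute as (&(filter)(attribute=user)), and flags an attribute that is one character off a name Active Directory actually carries. The URL and bind DN are the ones from the thread; the user name and the list of known attributes are constructed. Unlike the thread's command, the printed ldapsearch prompts for the bind password (-W) instead of passing it on the command line where other users can read it from the process list.

```shell
#!/bin/sh
# Added example, not from the thread: take an AuthLDAPURL apart and print the
# ldapsearch that mod_authnz_ldap's user lookup amounts to. The attribute
# list in check_attribute is a constructed heuristic.

# Print the six parts of the URL, one per line:
# scheme, host:port, basedn, attribute, scope, filter.
parse_authldapurl() {
    url="$1"
    scheme=${url%%://*}
    rest=${url#*://}
    hostport=${rest%%/*}
    path=${rest#"$hostport"}
    path=${path#/}
    # Defaults mod_authnz_ldap applies when a part is omitted.
    basedn=; attribute=uid; scope=sub; filter='(objectclass=*)'
    # Split on '?' only, so spaces inside a DN survive; -f stops the '*' in
    # a filter from being expanded as a glob.
    oldifs=$IFS
    IFS='?'
    set -f
    set -- $path
    set +f
    IFS=$oldifs
    [ $# -ge 1 ] && basedn=$1
    [ $# -ge 2 ] && [ -n "$2" ] && attribute=$2
    [ $# -ge 3 ] && [ -n "$3" ] && scope=$3
    [ $# -ge 4 ] && [ -n "$4" ] && filter=$4
    printf '%s\n' "$scheme" "$hostport" "$basedn" "$attribute" "$scope" "$filter"
}

# Print the ldapsearch mirroring the module's lookup of one user. The module
# searches for (&(filter)(attribute=user)) below basedn with the given scope.
ldapsearch_command() {
    url="$1"; binddn="$2"; user="$3"
    parse_authldapurl "$url" | {
        read -r scheme; read -r hostport; read -r basedn
        read -r attribute; read -r scope; read -r filter
        printf 'ldapsearch -x -H "%s://%s" -D "%s" -W -b "%s" -s %s "(&%s(%s=%s))" %s\n' \
            "$scheme" "$hostport" "$binddn" "$basedn" "$scope" "$filter" "$attribute" "$user" "$attribute"
    }
}

# Heuristic: report an attribute that is a known login attribute with one
# extra character, which is exactly the typo found in this thread.
check_attribute() {
    attr="$1"
    for known in sAMAccountName userPrincipalName uid cn mail; do
        [ "$attr" = "$known" ] && { echo "ok: $attr"; return 0; }
    done
    for known in sAMAccountName userPrincipalName uid cn mail; do
        case "$attr" in
            "$known"?|?"$known")
                echo "suspicious: $attr looks like $known with an extra character"
                return 0 ;;
        esac
    done
    echo "unknown: $attr (fine if your directory really has it)"
    return 0
}

# Constructed run using the URL and bind DN quoted in the thread.
URL='ldaps://my.com:636/DC=my,DC=com?sAMAccountNamei?sub?(objectclass=user)'
check_attribute "$(parse_authldapurl "$URL" | sed -n 4p)"
ldapsearch_command "$URL" 'CN=ldap,OU=acct,DC=my,DC=com' testuser
```

Running the printed ldapsearch by hand reproduces the "User not found" result from the log, because no entry carries an attribute named sAMAccountNamei; correcting the URL makes the same command return the user.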