Hello all,
I'm doing SSO using auth_kerb_module with Active Directory and
authnz_ldap_module as fallback (Apache 2.4, FreeBSD 11.1, Windows Server
2012R2):
PassEnv MACHINE_DNSNAME
PassEnv MACHINE_DOMAINNAME_UPPER
<IfModule auth_kerb_module>
LoadFile /usr/lib/libgssapi_krb5.so.10
LoadFile /usr/lib/libgssapi_spnego.so.10
AuthType Kerberos
AuthBasicAuthoritative off
KrbAuthRealm ${MACHINE_DOMAINNAME_UPPER}
KrbServiceName HTTP/${MACHINE_DNSNAME}@${MACHINE_DOMAINNAME_UPPER}
Krb5Keytab /var/www/passwords/auth_kerb.keytab
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbSaveCredentials On
KrbAuthoritative On
KrbLocalUserMapping On
</IfModule>
<IfModule authnz_ldap_module>
<IfModule !auth_kerb_module>
AuthType Basic
AuthBasicAuthoritative off
<IfVersion < 2.3>
AuthzLDAPAuthoritative on
</IfVersion>
AuthBasicProvider ldap
</IfModule>
<IfModule auth_kerb_module>
KrbAuthoritative Off
KrbMethodK5Passwd On
</IfModule>
AuthLDAPURL ldaps://charlieroot.de/DC=mydomain,DC=local?sAMAccountName?sub?(objectClass=*)
AuthLDAPBindDN "someuser"
AuthLDAPBindPassword "somepass"
<IfVersion < 2.3>
AuthzLDAPAuthoritative on
</IfVersion>
AuthLDAPRemoteUserIsDN off
</IfModule>
On a non-domain member this works fine initially, but after a certain time I
get an error that the LDAP server cannot be contacted anymore (it is
definitely available):
[helmut@BSDHelmut ~]$ sudo tail -100f /var/www/logs/error_log | grep ldap
Jan 23 15:06:06 BSDHelmut httpd[9091]: [authz_core:debug] [pid 9091:tid
34685344768] mod_authz_core.c(806): [client 192.168.124.200:58889] AH01626:
authorization result of Require ldap-group
CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de: denied (no
authenticated user yet), referer: https://nagios.mydomain.local/side.php
Jan 23 15:06:06 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid
34685344768] mod_authnz_ldap.c(518): [client 192.168.124.200:58889] AH01691:
auth_ldap authenticate: using URL
ldaps://mydomain.local/DC=mydomain,DC=de?sAMAccountName?sub?(objectClass=*),
referer: https://nagios.mydomain.local/side.php
Jan 23 15:06:06 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid
34685344768] mod_authnz_ldap.c(615): [client 192.168.124.200:58889] AH01697:
auth_ldap authenticate: accepting helmut, referer:
https://nagios.mydomain.local/side.php
Jan 23 15:06:06 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid
34685344768] mod_authnz_ldap.c(915): [client 192.168.124.200:58889] AH01713:
auth_ldap authorize: require group: testing for group membership in
"CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de", referer:
https://nagios.mydomain.local/side.php
Jan 23 15:06:06 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid
34685344768] mod_authnz_ldap.c(922): [client 192.168.124.200:58889] AH01714:
auth_ldap authorize: require group: testing for member: CN=Helmut
Ritter,OU=User,OU=mydomain,OU=Organisations,DC=mydomain,DC=de
(CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de), referer:
https://nagios.mydomain.local/side.php
Jan 23 15:06:06 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid
34685344768] mod_authnz_ldap.c(931): [client 192.168.124.200:58889] AH01715:
auth_ldap authorize: require group: authorization successful (attribute
member) [Comparison true (adding to cache)][6 - Compare True], referer:
https://nagios.mydomain.local/side.php
Jan 23 15:06:06 BSDHelmut httpd[9091]: [authz_core:debug] [pid 9091:tid
34685344768] mod_authz_core.c(806): [client 192.168.124.200:58889] AH01626:
authorization result of Require ldap-group
CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de: granted, referer:
https://nagios.mydomain.local/side.php
[...]
Jan 23 15:36:49 BSDHelmut httpd[9091]: [authz_core:debug] [pid 9091:tid
34685034752] mod_authz_core.c(806): [client 192.168.124.200:59135] AH01626:
authorization result of Require ldap-group
CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de: denied (no
authenticated user yet)
Jan 23 15:36:49 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid
34685034752] mod_authnz_ldap.c(518): [client 192.168.124.200:59135] AH01691:
auth_ldap authenticate: using URL
ldaps://mydomain.local/DC=mydomain,DC=de?sAMAccountName?sub?(objectClass=*)
Jan 23 15:36:49 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid
34685034752] mod_authnz_ldap.c(615): [client 192.168.124.200:59135] AH01697:
auth_ldap authenticate: accepting helmut
Jan 23 15:36:49 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid
34685034752] mod_authnz_ldap.c(915): [client 192.168.124.200:59135] AH01713:
auth_ldap authorize: require group: testing for group membership in
"CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de"
Jan 23 15:36:49 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid
34685034752] mod_authnz_ldap.c(922): [client 192.168.124.200:59135] AH01714:
auth_ldap authorize: require group: testing for member: CN=Helmut
Ritter,OU=User,OU=mydomain,OU=Organisations,DC=mydomain,DC=de
(CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de)
Jan 23 15:36:49 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid
34685034752] mod_authnz_ldap.c(931): [client 192.168.124.200:59135] AH01715:
auth_ldap authorize: require group: authorization successful (attribute
member) [Comparison true (cached)][6 - Compare True]
Jan 23 15:36:49 BSDHelmut httpd[9091]: [authz_core:debug] [pid 9091:tid
34685034752] mod_authz_core.c(806): [client 192.168.124.200:59135] AH01626:
authorization result of Require ldap-group
CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de: granted
Jan 23 15:38:21 BSDHelmut httpd[9091]: [authz_core:debug] [pid 9091:tid
34685027072] mod_authz_core.c(806): [client 192.168.124.200:59146] AH01626:
authorization result of Require ldap-group
CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de: denied (no
authenticated user yet)
Jan 23 15:38:21 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid
34685027072] mod_authnz_ldap.c(518): [client 192.168.124.200:59146] AH01691:
auth_ldap authenticate: using URL
ldaps://mydomain.local/DC=mydomain,DC=de?sAMAccountName?sub?(objectClass=*)
Jan 23 15:38:21 BSDHelmut httpd[9091]: [authnz_ldap:info] [pid 9091:tid
34685027072] [client 192.168.124.200:59146] AH01695: auth_ldap authenticate:
user helmut authentication failed; URI /nagios/cgi-bin/status.cgi [LDAP:
ldap_simple_bind() failed][Can't contact LDAP server]
^C
[helmut@BSDHelmut ~]$
Restarting Apache or waiting an hour or so fixes this.
Any ideas?
Thank you!
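As an added example (not part of the original post), a small parser for error_log lines in the format shown above that flags each AH01695 "Can't contact LDAP server" bind failure together with the time since that user was last accepted (AH01697), which puts a number on the "after a certain time" part of the report. The sample entries, the user/host/IP values in them, and the year 2018 passed to the parser are constructed assumptions.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample entries modelled on the wrapped error_log excerpt in the post
# (one record per line; host, user, IPs and times are placeholders).
SAMPLE_LOG = """\
Jan 23 15:06:06 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid 34685344768] mod_authnz_ldap.c(615): [client 192.168.124.200:58889] AH01697: auth_ldap authenticate: accepting helmut, referer: https://nagios.mydomain.local/side.php
Jan 23 15:36:49 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid 34685034752] mod_authnz_ldap.c(615): [client 192.168.124.200:59135] AH01697: auth_ldap authenticate: accepting helmut
Jan 23 15:36:49 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid 34685034752] mod_authnz_ldap.c(931): [client 192.168.124.200:59135] AH01715: auth_ldap authorize: require group: authorization successful (attribute member) [Comparison true (cached)][6 - Compare True]
Jan 23 15:38:21 BSDHelmut httpd[9091]: [authnz_ldap:info] [pid 9091:tid 34685027072] [client 192.168.124.200:59146] AH01695: auth_ldap authenticate: user helmut authentication failed; URI /nagios/cgi-bin/status.cgi [LDAP: ldap_simple_bind() failed][Can't contact LDAP server]
"""

# syslog-style prefix, [module:level], [pid:tid], optional source file(line), [client], AH code, message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ httpd\[\d+\]: "
    r"\[(?P<module>\w+):(?P<level>\w+)\] \[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"(?:\S+\(\d+\): )?\[client (?P<client>[^\]]+)\] (?P<code>AH\d{5}): (?P<msg>.*)$"
)

def parse_line(line: str, year: int = 2018) -> Optional[dict]:
    """Split one error_log line into its fields; syslog timestamps carry no year,
    so the caller supplies it (2018 here is an assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec

def find_ldap_outages(log_text: str, year: int = 2018) -> List[dict]:
    """One finding per AH01695 'Can't contact LDAP server' failure, with the
    client and the seconds elapsed since that user was last accepted."""
    last_ok: Dict[str, datetime] = {}
    findings: List[dict] = []
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if rec is None:
            continue
        if rec["code"] == "AH01697":
            m = re.search(r"accepting ([^,\s]+)", rec["msg"])
            if m:
                last_ok[m.group(1)] = rec["time"]
        elif rec["code"] == "AH01695" and "Can't contact LDAP server" in rec["msg"]:
            m = re.search(r"user (\S+) authentication failed", rec["msg"])
            user = m.group(1) if m else "?"
            gap = (rec["time"] - last_ok[user]).total_seconds() if user in last_ok else None
            findings.append({"time": rec["time"], "user": user,
                             "client": rec["client"], "seconds_since_last_ok": gap})
    return findings
```

Feeding the real error_log through this (after unwrapping the lines) shows whether the bind failures cluster at a fixed interval after the last successful bind, which is the first thing to compare against the LDAP connection settings.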