On Fri, Apr 6, 2018 at 12:54 PM, Igor Cicimov <icici...@gmail.com> wrote:
> Hi all,
>
> I have no idea what's going on and why my setup that's been working for
> years suddenly stopped working, so I have to ask here after having done extensive
> debugging.
>
> Maybe something has changed in the ldap and/or
> authentication/authorization modules, but the effect is the same on apache
> 2.2.22 and 2.4.18 -> I'm not getting the basic authentication pop-up any
> more and the site access is unprotected.
>
> I have the following config enabled:
>
>   <IfModule mod_ldap.c>
>     <AuthnProviderAlias ldap ldap1>
>       AuthBasicAuthoritative off
>       AuthBasicProvider ldap
>       AuthLDAPURL ldap://ldap1.domain.com:389/ou=Users,dc=domain,dc=com?uid STARTTLS
>       AuthLDAPBindDN cn=user,ou=Users,dc=domain,dc=com
>       AuthLDAPBindPassword password
>       AuthLDAPGroupAttribute memberUid
>       AuthLDAPGroupAttributeIsDN on
>     </AuthnProviderAlias>
>
>     <AuthnProviderAlias ldap ldap2>
>       AuthBasicAuthoritative off
>       AuthBasicProvider ldap
>       AuthLDAPURL ldap://ldap2.domain.com:389/ou=Users,dc=domain,dc=com?uid STARTTLS
>       AuthLDAPBindDN cn=user,ou=Users,dc=domain,dc=com
>       AuthLDAPBindPassword password
>       AuthLDAPGroupAttribute memberUid
>       AuthLDAPGroupAttributeIsDN on
>     </AuthnProviderAlias>
>   </IfModule>
>
> and referenced in the default virtual host as:
>
>   <IfModule mod_ldap.c>
>     AuthBasicProvider ldap1 ldap2
>     AuthType Basic
>     AuthName "Secure access"
>     Require ldap-group "cn=mygroup,ou=Groups,dc=domain,dc=com"
>     Require valid-user
>     Satisfy all
>   </IfModule>
>
> Even with debugging enabled, all I can see in the logs is:
>
>   [Fri Apr 06 02:26:21.260285 2018] [authz_core:debug] [pid 10784:tid 140553274521344] mod_authz_core.c(809): [client 210.10.195.106:37535] AH01626: authorization result of Require all granted: granted
>   [Fri Apr 06 02:26:21.260367 2018] [authz_core:debug] [pid 10784:tid 140553274521344] mod_authz_core.c(809): [client 210.10.195.106:37535] AH01626: authorization result of <RequireAny>: granted
>
> It's like the whole LDAP thing is just being ignored. I can also confirm
> in the LDAP server side logs the Apache server never even tries making a
> connection.
>
> What can be the problem? Any ideas?
>
> Thanks

Replying to myself, solved for 2.4 by removing the <IfModule> condition, which
does not work, and changing "Require all" from allowed to denied:

  Require all denied
  AuthBasicProvider ldap1 ldap2
  AuthType Basic
  AuthName "Secure access"
  Require ldap-group "cn=mygroup,ou=Groups,dc=domain,dc=com"
  Require valid-user
  Satisfy all
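An added config audit, not part of this thread or of httpd itself, that catches the two things that made this setup fail open: bare Require lines in one scope are merged as an implicit <RequireAny>, so a leftover "Require all granted" (the stock Ubuntu <Directory /var/www/> default) satisfies authorization before mod_auth_basic ever runs, and "<IfModule mod_ldap.c>" never matches because mod_ldap's source file is util_ldap.c and its identifier is ldap_module, so everything inside it is skipped. The sample vhost text and its paths are constructed to mirror the thread's layout.

```python
import re

# Constructed sample reproducing the thread's vhost layout (hypothetical paths).
SAMPLE_VHOST = """
<IfModule mod_ldap.c>
    AuthBasicProvider ldap1 ldap2
</IfModule>
<Directory /var/www/html>
    Require all granted
    AuthType Basic
    AuthName "Secure access"
    Require ldap-group "cn=mygroup,ou=Groups,dc=domain,dc=com"
    Require valid-user
</Directory>
"""
OPEN_RE, CLOSE_RE = re.compile(r"<(\w+)\b\s*([^>]*)>$"), re.compile(r"</(\w+)>$")
CONTAINERS = {"requireall", "requireany", "requirenone"}

def audit(config_text):
    """Return warning strings ([] = no fail-open mix). Bare Require lines in one
    scope merge as an implicit <RequireAny>, so 'all granted' there skips authn."""
    warnings, scopes, depth = [], [("<server>", [])], 0
    for raw in config_text.splitlines() + ["</server>"]:  # sentinel closes top scope
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m_open, m_close = OPEN_RE.match(line), CLOSE_RE.match(line)
        if m_open:
            name, arg = m_open.group(1).lower(), m_open.group(2).strip()
            if name == "ifmodule" and arg == "mod_ldap.c":
                warnings.append("<IfModule mod_ldap.c> never matches (mod_ldap is "
                                "ldap_module / util_ldap.c), so the block is skipped")
            if name in CONTAINERS:
                depth += 1  # explicit container: httpd combines it exactly as written
            else:
                scopes.append((line, []))
        elif m_close and m_close.group(1).lower() in CONTAINERS:
            depth -= 1
        elif m_close:
            scope, reqs = scopes.pop()
            others = [r for r in reqs if r not in ("all granted", "all denied")]
            if "all granted" in reqs and others:
                warnings.append(f"{scope}: 'Require all granted' beside {others} "
                                "is an implicit <RequireAny>; anonymous access granted")
        elif depth == 0 and line.lower().startswith("require "):
            scopes[-1][1].append(" ".join(line.split()[1:]))
    return warnings

def is_fail_open(config_text):
    return any("implicit <RequireAny>" in w for w in audit(config_text))
```

Swapping the sample's "Require all granted" for "Require all denied", as the reply above did, clears the fail-open warning while the <IfModule> warning remains until that guard is removed.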