Hi,
I'm pulling my hair with FreeIPA and Apache BasicAuth LDAP.
I have an application behind an Apache reverse proxy that I want to "protect" with LDAP authentication.
This is the (redacted) apache configuration:
--------------------------------------------------------------------------------------
<VirtualHost *:443>
    ServerName acme.server.org
    ProxyRequests Off
    ProxyPreserveHost On

    # Auth changes in 2.4 - see http://httpd.apache.org/docs/2.4/upgrading.html#run-time
    <Proxy *>
        #Require all granted
    </Proxy>

    <Location /admin>
        Order Deny,Allow
        Deny from all
        Allow from 10.66.38.0/24
    </Location>

    ProxyPass / http://INTSERVER:1234/
    ProxyPassReverse / http://INTSERVER:1234/

    Loglevel ldap_module:debug
    Loglevel auth_basic:debug
    Loglevel authz_core:debug

    <Location />
        Options Indexes FollowSymlinks
        AuthType Basic
        AuthBasicProvider ldap
        AuthName "ACME AUTHENTICATION"
        AuthLDAPURL ldap://ipa2.internal.lan/cn=users,cn=accounts,dc=internal,dc=lan?uid?sub
        AuthLDAPBindDN uid=s_ldapquery,cn=sysaccounts,cn=etc,dc=internal,dc=lan
        AuthLDAPBindPassword XXXXXXXXXXXXXXXXXXXXX
        Require valid-user
    </Location>

    SSLCertificateFile /etc/letsencrypt/live/XXXX/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/XXXX/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/XXXX/chain.pem
</VirtualHost>
--------------------------------------------------------------------------------------
The bind user "s_ldapquery" is working fine, password triple checked and used with other LDAP integrations.
When authenticating, apache logs show:
[Sat Sep 25 18:40:25.891588 2021] [authz_core:debug] [pid 414] mod_authz_core.c(809): [client 1.2.3.4:52628] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Sat Sep 25 18:40:25.891683 2021] [authz_core:debug] [pid 414] mod_authz_core.c(809): [client 1.2.3.4:52628] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Sat Sep 25 18:40:35.786942 2021] [authz_core:debug] [pid 413] mod_authz_core.c(809): [client 1.2.3.4:52629] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Sat Sep 25 18:40:35.787025 2021] [authz_core:debug] [pid 413] mod_authz_core.c(809): [client 1.2.3.4:52629] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Sat Sep 25 18:40:36.028473 2021] [ldap:debug] [pid 413] util_ldap.c(379): AH01278: LDAP: Setting referrals to On.
[Sat Sep 25 18:40:36.210906 2021] [authz_core:debug] [pid 413] mod_authz_core.c(809): [client 1.2.3.4:52629] AH01626: authorization result of Require valid-user : granted
[Sat Sep 25 18:40:36.210987 2021] [authz_core:debug] [pid 413] mod_authz_core.c(809): [client 1.2.3.4:52629] AH01626: authorization result of <RequireAny>: granted
[Sat Sep 25 18:40:36.300669 2021] [authz_core:debug] [pid 413] mod_authz_core.c(809): [client 1.2.3.4:52629] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://acme.server.org/
[Sat Sep 25 18:40:36.300749 2021] [authz_core:debug] [pid 413] mod_authz_core.c(809): [client 1.2.3.4:52629] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://acme.server.org/
There is a "granted" in between, but it does not work. Then authentication itself seems to work, though, because if I specify the wrong password, the log lines change to:
[Sat Sep 25 18:43:43.542566 2021] [authz_core:debug] [pid 432] mod_authz_core.c(809): [client 1.2.3.4:52678] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Sat Sep 25 18:43:43.542639 2021] [authz_core:debug] [pid 432] mod_authz_core.c(809): [client 1.2.3.4:52678] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Sat Sep 25 18:43:45.956792 2021] [ldap:debug] [pid 432] util_ldap.c(379): AH01278: LDAP: Setting referrals to On.
[Sat Sep 25 18:43:46.139978 2021] [auth_basic:error] [pid 432] [client 1.2.3.4:52678] AH01617: user u_test: authentication failure for "/": Password Mismatch
I tried various examples found online on how to set up Apache BasicAuth LDAP integration with FreeIPA, but none worked.
What I don't understand in the first place is the "denied (no authenticated user yet)" repeating and then in the middle a "Require valid-user: granted". What am I doing wrong here, or am I missing the point entirely?
Any help would be appreciated!
best regards,
Thorsten
Hi again,
My problem was that Apache tried to forward the authentication to the proxied application. So it was not even an LDAP problem.
This line in the VirtualHost section solved it:
RequestHeader unset Authorization
Kudos to https://serverfault.com/questions/875604/how-to-correctly-configure-httpd-ba...
Cheers, Thorsten
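To make the mechanism behind the fix concrete, here is an added example (written for this post, not from the thread or from Apache) that models which request headers a reverse proxy passes to the backend with and without `RequestHeader unset Authorization`. The function names, the hop-by-hop list and the sample request are assumptions for the illustration; the sample user name reuses `u_test` from the log above, and the password is made up. It also decodes the Basic credential to show that, without the unset, the backend receives the user's FreeIPA password in cleartext (base64 is an encoding, not protection).

```python
"""Added example: model what a reverse proxy forwards upstream.

In the thread, Apache authenticates the client against FreeIPA with
mod_authnz_ldap and then proxies to the application.  Without
`RequestHeader unset Authorization` the client's Authorization header
travels on to the backend, which then handles (or rejects) it itself,
and the backend also gets to see the user's LDAP password.
"""
import base64
from typing import Dict, Optional, Tuple

# Hop-by-hop headers an HTTP/1.1 proxy should not forward (RFC 7230, 6.1).
# Assumed list for this model; it is not Apache's own code.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}


def build_upstream_headers(client_headers: Dict[str, str],
                           unset_authorization: bool) -> Dict[str, str]:
    """Return the headers the proxy forwards to the backend.

    unset_authorization=True models `RequestHeader unset Authorization`
    in the VirtualHost: the credential the proxy already validated is
    stripped before the request goes upstream.
    """
    forwarded: Dict[str, str] = {}
    for name, value in client_headers.items():
        lname = name.lower()
        if lname in HOP_BY_HOP:
            continue
        if unset_authorization and lname == "authorization":
            continue
        forwarded[name] = value
    return forwarded


def basic_credentials(header_value: str) -> Optional[Tuple[str, str]]:
    """Decode 'Basic base64(user:password)' into (user, password).

    Returns None for a non-Basic scheme, malformed base64, or a payload
    without the ':' separator.  This is what a backend could read if the
    header is forwarded to it.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


# Constructed sample request, as a browser would send it after the 401
# challenge from Apache.  The password is invented for this example.
SAMPLE_CLIENT_HEADERS = {
    "Host": "acme.server.org",
    "Authorization": "Basic " + base64.b64encode(b"u_test:Hunter2!").decode(),
    "Connection": "keep-alive",
    "Accept": "text/html",
}

if __name__ == "__main__":
    leaked = build_upstream_headers(SAMPLE_CLIENT_HEADERS, unset_authorization=False)
    print("without unset, backend receives:", leaked)
    print("backend can read credentials:", basic_credentials(leaked["Authorization"]))
    fixed = build_upstream_headers(SAMPLE_CLIENT_HEADERS, unset_authorization=True)
    print("with unset, backend receives:   ", fixed)
```

The model shows why the directive belongs at the proxy: once Apache has verified the user against LDAP, nothing downstream needs the credential, and forwarding it both confuses a backend that has its own authentication and widens where the password is exposed.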
On 25.09.21 18:49, Thorsten Johannsen via FreeIPA-users wrote: