logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Apache 2.4: Users autenthication in Active Directory
Author
iam



Joined: 21 May 2018
Posts: 1

PostPosted: Mon 21 May '18 13:55    Post subject: Apache 2.4: Users autenthication in Active Directory Reply with quote

Hi!
Thanks in advance!

I need help with Apache configuration to enable login through Active directory.

I want allow login if a user is member of a group contained in other group.

Now I have this:
Code:

Alias /nagios /opt/nagios/share
<Directory "/opt/nagios/share">
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all

   AuthType Basic
   AuthName "Acceso restringido"
   AuthBasicProvider ldap
   AuthLDAPURL "ldap://server/DC=domain,DC=red?sAMAccountName?sub?(objectClass=*)"
   AuthLDAPBindDN user@domain.red
   AuthLDAPBindPassword "xxxxxx"
   Require ldap-group CN=NAGIOS_EXP,OU=Groups,OU=Administracion Autonomica,OU=<domain>,DC=domain,DC=red
</Directory>


And Canīt login. If I put: require valid-user itīs go well.

Code:
[Mon May 21 13:36:05.060787 2018] [authnz_ldap:debug] [pid 9315] mod_authnz_ldap.c(966): [client 10.10.10.10:51069] AH01716: auth_ldap authorise: require group "CN=NAGIOS_EXP,OU=Groups,OU=Administracion Autonomica,OU=<domain>,DC=domain,DC=red": failed [Comparison complete][34 - Invalid DN syntax], checking sub-groups
[Mon May 21 13:36:05.062229 2018] [authnz_ldap:debug] [pid 9315] mod_authnz_ldap.c(989): [client 10.10.10.10:51069] AH01718: auth_ldap authorise: require group (sub-group) "CN=NAGIOS_EXP,OU=Groups,OU=Administracion Autonomica,OU=<domain>,DC=domain,DC=red": didn't match with attr DN failed group verification. [member][34 - Invalid DN syntax]
[Mon May 21 13:36:05.062250 2018] [authnz_ldap:debug] [pid 9315] mod_authnz_ldap.c(966): [client 10.10.10.10:51069] AH01716: auth_ldap authorise: require group "CN=NAGIOS_EXP,OU=Groups,OU=Administracion Autonomica,OU=<domain>,DC=domain,DC=red": failed [DN failed group verification.][34 - Invalid DN syntax], checking sub-groups
[Mon May 21 13:36:05.063471 2018] [authnz_ldap:debug] [pid 9315] mod_authnz_ldap.c(989): [client 10.10.10.10:51069] AH01718: auth_ldap authorise: require group (sub-group) "CN=NAGIOS_EXP,OU=Groups,OU=Administracion Autonomica,OU=<domain>,DC=domain,DC=red": didn't match with attr DN failed group verification. [uniqueMember][34 - Invalid DN syntax]
[Mon May 21 13:36:05.063481 2018] [authnz_ldap:debug] [pid 9315] mod_authnz_ldap.c(996): [client 10.10.10.10:51069] AH01720: auth_ldap authorize group: authorization denied for user ext-agumarjo to /nagios/
[Mon May 21 13:36:05.063486 2018] [authz_core:debug] [pid 9315] mod_authz_core.c(809): [client 10.10.10.10:51069] AH01626: authorization result of Require ldap-group CN=NAGIOS_EXP,OU=Groups,OU=Administracion Autonomica,OU=<domain>,DC=domain,DC=red: denied
[Mon May 21 13:36:05.063489 2018] [authz_core:debug] [pid 9315] mod_authz_core.c(809): [client 10.10.10.10:51069] AH01626: authorization result of <RequireAny>: denied
[Mon May 21 13:36:05.063492 2018] [authz_core:error] [pid 9315] [client 10.10.10.10:51069] AH01631: user ext-agumarjo: authorization failure for "/nagios/":


What is I doing bad?


THANKS!
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

PostPosted: Wed 27 Mar '19 16:53    Post subject: Reply with quote

You mix old and new config

Order allow,deny
Allow from all

is 2.2 while Require ldap-group is 2.4

Please do not use both! use only 2.4 and remove mod_access_compat from your config!
Back to top
rajeev_guleria



Joined: 28 May 2020
Posts: 1
Location: USA

PostPosted: Thu 28 May '20 13:08    Post subject: Reply with quote

I do not have
Order allow,deny
Allow from all

But iam facing exactly same issue with the LDAP AD group auth, what was the fix applied at your end for below listed issue, precipitate your response
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

PostPosted: Fri 05 Jun '20 15:06    Post subject: Reply with quote

You might try mod_authn_ntlm

With that you can do

Code:

<RequireAny>
    require sspi-group "DOMAIN\GROUP2" "DOMAIN\GROUP1"
</RequireAny>
Back to top


Reply to topic   Topic: Apache 2.4: Users autenthication in Active Directory View previous topic :: View next topic
Post new topic   Forum Index -> Apache