Re: [users@httpd]Login difficulty after integration of httpd with LDAP

[Mike Rumph]

Adding a subject for easier tracking


On 7/5/2016 8:36 AM, Roger Paanini wrote:

Hi Folks,

I am trying to integrate httpd with LDAP (Active Directory) but I am running into some trouble: Every time I try to login, here is what I see:

Tue Jul 05 09:23:50.471191 2016] [ssl:info] [pid 35839:tid 139644016523008] [client 10.204.1.1:51637 <http://10.204.1.1:51637/>] AH01964: Connection to child 66 established (server apachehost.my.com:443 <http://apachehost.my.com:443/>) [Tue Jul 05 09:23:50.471383 2016] [ssl:debug] [pid 35839:tid 139644016523008] ssl_engine_kernel.c(2101): [client 10.204.1.1:51637 <http://10.204.1.1:51637/>] AH02043: SSL virtual host for servername apachehost.my.com <http://apachehost.my.com/> found [Tue Jul 05 09:23:50.487945 2016] [ssl:debug] [pid 35839:tid 139644016523008] ssl_engine_kernel.c(2028): [client 10.204.1.1:51637 <http://10.204.1.1:51637/>] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) [Tue Jul 05 09:23:50.488842 2016] [ssl:debug] [pid 35839:tid 139644016523008] ssl_engine_kernel.c(366): [client 10.204.1.1:51637 <http://10.204.1.1:51637/>] AH02034: Initial (No.1) HTTPS request received for child 66 (server apachehost.my.com:443 <http://apachehost.my.com:443/>) [Tue Jul 05 09:23:50.488887 2016] [authz_core:debug] [pid 35839:tid 139644016523008] mod_authz_core.c(809): [client 10.204.1.1:51637 <http://10.204.1.1:51637/>] AH01626: authorization result of Require valid-user : denied (no authenticated user yet) [Tue Jul 05 09:23:50.488899 2016] [authz_core:debug] [pid 35839:tid 139644016523008] mod_authz_core.c(809): [client 10.204.1.1:51637 <http://10.204.1.1:51637/>] AH01626: authorization result of Require ldap-group "CN=Architecture Team,OU=Groups,OU=Core,DC=my,DC=com": denied (no authenticated user yet) [Tue Jul 05 09:23:50.488903 2016] [authz_core:debug] [pid 35839:tid 139644016523008] mod_authz_core.c(809): [client 10.204.1.1:51637 <http://10.204.1.1:51637/>] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet) [Tue Jul 05 09:23:50.488925 2016] [authnz_ldap:debug] [pid 35839:tid 139644016523008] mod_authnz_ldap.c(516): [client 10.204.1.1:51637 <http://10.204.1.1:51637/>] AH01691: auth_ldap authenticate: using URL ldaps://my.com:636/DC=my,DC=com?sAMAccountNamei?sub?(objectclass=user) <http://my.com:636/DC=my,DC=com?sAMAccountNamei?sub?%28objectclass=user%29> [Tue Jul 05 09:23:50.546246 2016] [proxy:debug] [pid 53629:tid 139644279056192] proxy_util.c(1790): AH00925: initializing worker http://appserver.my.com:8500/ shared [Tue Jul 05 09:23:50.546308 2016] [proxy:debug] [pid 53629:tid 139644279056192] proxy_util.c(1832): AH00927: initializing worker http://appserver.my.com:8500/ local [Tue Jul 05 09:23:50.546358 2016] [proxy:debug] [pid 53629:tid 139644279056192] proxy_util.c(1867): AH00930: initialized pool in child 53629 for (appserver.my.com <http://appserver.my.com/>) min=0 max=25 smax=25 [Tue Jul 05 09:23:50.546381 2016] [proxy:debug] [pid 53629:tid 139644279056192] proxy_util.c(1790): AH00925: initializing worker proxy:reverse shared [Tue Jul 05 09:23:50.546384 2016] [proxy:debug] [pid 53629:tid 139644279056192] proxy_util.c(1832): AH00927: initializing worker proxy:reverse local [Tue Jul 05 09:23:50.546396 2016] [proxy:debug] [pid 53629:tid 139644279056192] proxy_util.c(1867): AH00930: initialized pool in child 53629 for (*) min=0 max=25 smax=25 [Tue Jul 05 09:23:50.546415 2016] [proxy:debug] [pid 53629:tid 139644279056192] proxy_util.c(1785): AH00924: worker http://appserver.my.com:8500/ shared already initialized [Tue Jul 05 09:23:50.546425 2016] [proxy:debug] [pid 53629:tid 139644279056192] proxy_util.c(1827): AH00926: worker http://appserver.my.com:8500/ local already initialized [Tue Jul 05 09:23:50.546624 2016] [mpm_event:debug] [pid 53629:tid 139644108920576] event.c(2096): AH02471: start_threads: Using epoll [Tue Jul 05 09:23:50.587187 2016] [authnz_ldap:info] [pid 35839:tid 139644016523008] [client 10.204.1.1:51637 <http://10.204.1.1:51637/>] AH01695: auth_ldap authenticate: user testuser authentication failed; URI /ui [User not found][No such object] [Tue Jul 05 09:23:50.587224 2016] [auth_basic:error] [pid 35839:tid 139644016523008] [client 10.204.1.1:51637 <http://10.204.1.1:51637/>] AH01618: user testuser not found: /ui [Tue Jul 05 09:23:55.577658 2016] [ssl:debug] [pid 35839:tid 139643823490816] ssl_engine_io.c(1033): [remote 10.204.1.1:51637 <http://10.204.1.1:51637/>] AH02001: Connection closed to child 66 with standard shutdown (server apachehost.my.com:443 <http://apachehost.my.com:443/>)

And here is the configuration snippet from httpd.conf:

LDAPTrustedGlobalCert CA_BASE64 /usr/local/apache2/conf/certs/ldapCert.pem

LDAPVerifyServerCert Off

<Location />
        AuthType Basic
        AuthLDAPBindDN "CN=ldap,OU=acct,DC=my,DC=com"
        AuthLDAPBindPassword ******
        AuthBasicProvider ldap
        AuthName "LDAP - login"

AuthLDAPURL "ldaps://my.com:636/DC=my,DC=com?sAMAccountNamei?sub?(objectclass=user) <http://my.com:636/DC=my,DC=com?sAMAccountNamei?sub?%28objectclass=user%29>"

        Require valid-user

Require ldap-group "CN=Architecture Team,OU=Groups,OU=Core,DC=my,DC=com"

        AuthLDAPRemoteUserAttribute uid
#RewriteEngine On
#RewriteCond %{LA-U:REMOTE_USER} (.+)
#RewriteRule .* - [E=RU:%1]
#RequestHeader set REMOTE_USER %{RU}e
</Location>

Any clues on what I am missing or how to go about debugging this issue?

Thanks in advance!