httpd-users mailing list archives

From Rob Yamry <rya...@kimberly.k12.wi.us>
Subject Re: [users@httpd] Cannot authentication locally when LDAP is unavailable
Date Mon, 13 Jan 2014 14:35:50 GMT
When the LDAP server is offline, the request never fails. It just sits
there.

[Mon Jan 13 08:23:45 2014] [debug] mod_authnz_ldap.c(977): LDAP: auth_ldap not using SSL connections
[Mon Jan 13 08:23:45 2014] [debug] mod_authnz_ldap.c(582): [client 10.1.1.1] ldap authorize: Creating LDAP req structure
[Mon Jan 13 08:24:01 2014] [debug] mod_authnz_ldap.c(377): [client 10.1.1.1] [18488] auth_ldap authenticate: using URL ldap://ldap.server.com:389/OU=Users,DC=server,DC=com?sAMAccountName
[Mon Jan 13 08:25:25 2014] [debug] mod_authnz_ldap.c(594): [client 10.1.1.1] auth_ldap authorise: User DN not found, LDAP: ldap_simple_bind_s() failed

The third line there is when I put in the local-file user credentials.
After about 90 seconds, I made LDAP available again and the browser
immediately authenticated as the local user and the failed bind was logged,
as that user is not in LDAP.  You can see the LDAP didn't fail until it was
available.

Shouldn't this config: 1) try the local file first; and, 2) time out after a
period of time?  I thought I saw the default timeout period was 10 seconds?




---
Rob Yamry  |  Network Engineer  |  Kimberly Area School District  |  Phone:
920.788.7900  x 4158  |  Direct: 920.423.4158  |  ryamry@kimberly.k12.wi.us


On Mon, Jan 13, 2014 at 7:35 AM, Eric Covener <covener@gmail.com> wrote:

> your symptom is very odd, because your configuration should try
> file-based authn first.  Can you bump the logging to DEBUG?  A failed
> LDAP connection should be logged.
>
> Also, upgrading to either a contemporary 2.2 release or 2.4 wouldn't hurt!
>
> On Mon, Jan 13, 2014 at 8:10 AM, Rob Yamry <ryamry@kimberly.k12.wi.us>
> wrote:
> > Are there any options I can try with this to get it working as needed?  Any
> > other thoughts or help would be appreciated!
> >
> >
> > ---
> > Rob Yamry  |  Network Engineer  |  Kimberly Area School District  |  Phone:
> > 920.788.7900 x 4158  |  Direct: 920.423.4158  |  ryamry@kimberly.k12.wi.us
> >
> >
> > On Thu, Jan 9, 2014 at 12:26 PM, Rob Yamry <ryamry@kimberly.k12.wi.us>
> > wrote:
> >>
> >> I retract that log entry.  The time stamp seemed off after I sent it and I
> >> retested it.  Nothing gets logged in the access_log or error_log.  Yes, it's
> >> 2.2.10.  Authentication is the problem.
> >>
> >>
> >> ---
> >> Rob Yamry  |  Network Engineer  |  Kimberly Area School District  |
> >> Phone: 920.788.7900 x 4158  |  Direct: 920.423.4158  |
> >> ryamry@kimberly.k12.wi.us
> >>
> >>
> >> On Thu, Jan 9, 2014 at 11:52 AM, Rob Yamry <ryamry@kimberly.k12.wi.us>
> >> wrote:
> >>>
> >>> error.log states:
> >>>
> >>> [Thu Jan 09 10:22:36 2014] [warn] [client 10.9.2.49] [18090] auth_ldap authenticate: user user1 authentication failed; URI /index.php [User not found][No such object]
> >>>
> >>> At this point the ldap server was offline.  Of course, that user only
> >>> resides locally in the AuthUserFile.
> >>>
> >>>
> >>> ---
> >>> Rob Yamry  |  Network Engineer  |  Kimberly Area School District  |
> >>> Phone: 920.788.7900  x 4158  |  Direct: 920.423.4158  |
> >>> ryamry@kimberly.k12.wi.us
> >>>
> >>>
> >>> On Thu, Jan 9, 2014 at 11:33 AM, Eric Covener <covener@gmail.com>
> wrote:
> >>>>
> >>>> On Thu, Jan 9, 2014 at 12:28 PM, Rob Yamry <ryamry@kimberly.k12.wi.us>
> >>>> wrote:
> >>>> > Hello-
> >>>> >   I'm having a problem where local authentication will not work when
> >>>> > the configured LDAP server is unavailable.  When the ldap server is
> >>>> > online I can authenticate fine against ldap and local file.  However,
> >>>> > when the ldap server is offline, I cannot authenticate with the user1
> >>>> > account.
> >>>> >
> >>>> > I'd appreciate any help you could provide.  I've searched a lot on
> >>>> > this and found many examples, all very similar to my config below,
> >>>> > but I still cannot failback authentication to local file when ldap
> >>>> > is unavailable.  I'm running Apache/2.2.10
> >>>> >
> >>>> > AuthName "Server Access"
> >>>> > AuthType Basic
> >>>> > # Check ldap auth first, then file auth
> >>>> > AuthBasicProvider file ldap
> >>>> > AuthUserFile /etc/apache2/htpasswd
> >>>> > AuthzLDAPAuthoritative off
> >>>> > AuthLDAPURL
> >>>> > ldap://ldap.domain.com:389/OU=Users,DC=domain,DC=com?sAMAccountName
> >>>> > AuthLDAPBindDN "domain\ldap_user"
> >>>> > AuthLDAPBindPassword password
> >>>> > AuthLDAPGroupAttributeIsDN off
> >>>> >
> >>>>
> >>>> logs?
> >>>>
> >>>> really 2.2.10 or w/ patches?
> >>>>
> >>>> > Require user user1
> >>>> > Require ldap-attribute memberOf=CN=groupName,DC=domain,DC=com
> >>>> >
> >>>>
> >>>> is it authentication or authorization that fails?
> >>>>
> >>>> --
> >>>> Eric Covener
> >>>> covener@gmail.com
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >>>> For additional commands, e-mail: users-help@httpd.apache.org
> >>>>
> >>>
> >>
> >
>
>
>
> --
> Eric Covener
> covener@gmail.com
>
>
>
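An added example, not from this thread or from the httpd project, of the same access control written for httpd 2.4 (the upgrade Eric suggests), with the two mod_ldap timeouts that bound how long an unreachable directory can stall a request. The 10 seconds Rob remembers is the documented default of LDAPConnectionTimeout, which only covers establishing the TCP connection and only where the LDAP client library supports LDAP_OPT_NETWORK_TIMEOUT; a bind or search that is accepted by the TCP stack and never answered is bounded by LDAPTimeout, which exists in 2.4 (default 60 s) and not in 2.2. The host, DNs, account names and htpasswd path are copied from the original post; the timeout values and the <Location> container are illustrative choices, not recommendations from the thread.

```apache
# Added example for httpd 2.4. Values copied from the original post:
# the LDAP URL, bind DN, group DN, user1 and /etc/apache2/htpasswd.
# Everything else (timeouts, the "/" location) is an illustrative assumption.

# Server-config scope (mod_ldap). LDAPConnectionTimeout bounds connect();
# it is honoured only by SDKs that support LDAP_OPT_NETWORK_TIMEOUT
# (OpenLDAP does). LDAPTimeout (2.4 only) bounds each bind/search, so a
# server that accepts the TCP connection but never answers cannot hang
# the worker for the 2.4 default of 60 s.
LDAPConnectionTimeout 5
LDAPTimeout 10

<Location "/">
    AuthType Basic
    AuthName "Server Access"

    # Providers are tried in the order listed. A username present in the
    # htpasswd file is decided by that file (success or failure) and is
    # never forwarded to LDAP, so an entry here shadows the directory
    # account of the same name and bypasses AD lockout and expiry policy.
    # Keep the file to the break-glass account(s) and readable only by
    # the httpd user.
    AuthBasicProvider file ldap
    AuthUserFile /etc/apache2/htpasswd

    AuthLDAPURL "ldap://ldap.domain.com:389/OU=Users,DC=domain,DC=com?sAMAccountName"
    AuthLDAPBindDN "domain\ldap_user"
    # This credential sits in cleartext in the config: restrict read access
    # to the file, and prefer an ldaps:// URL so the bind is not sent in
    # the clear either (the debug log above shows "not using SSL connections").
    AuthLDAPBindPassword password

    # 2.4 drops AuthzLDAPAuthoritative; the "either/or" intent is spelled
    # out with RequireAny, evaluated top to bottom and stopping at the
    # first grant. Put the local account first so a user1 login authorised
    # by the file never has to wait on the ldap-attribute lookup; for
    # directory users the user check fails instantly and the group check
    # runs, bounded by the timeouts above when the directory is down.
    <RequireAny>
        Require user user1
        Require ldap-attribute memberOf="CN=groupName,DC=domain,DC=com"
    </RequireAny>
</Location>
```

With LDAP unreachable this does not make the group check succeed; it makes it fail within the configured timeouts instead of hanging, and it lets the file-authenticated break-glass account through without touching the directory at all. Check the effect with a timed request such as `curl -u user1:secret -w '%{http_code} %{time_total}\n' -o /dev/null http://host/` while the directory is blocked.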
