httpd-users mailing list archives

From Eric Covener <cove...@gmail.com>
Subject Re: [users@httpd] Cannot authentication locally when LDAP is unavailable
Date Mon, 13 Jan 2014 16:07:57 GMT
Later apache has all kinds of bind and network timeouts.  Maybe your
network drops the TCP RST flag so the webserver can never know the
connection is actively refused?

On Mon, Jan 13, 2014 at 9:35 AM, Rob Yamry <ryamry@kimberly.k12.wi.us> wrote:
> When the LDAP server is offline, the request never fails. It just sits
> there.
>
> [Mon Jan 13 08:23:45 2014] [debug] mod_authnz_ldap.c(977): LDAP: auth_ldap not using SSL connections
> [Mon Jan 13 08:23:45 2014] [debug] mod_authnz_ldap.c(582): [client 10.1.1.1] ldap authorize: Creating LDAP req structure
> [Mon Jan 13 08:24:01 2014] [debug] mod_authnz_ldap.c(377): [client 10.1.1.1] [18488] auth_ldap authenticate: using URL ldap://ldap.server.com:389/OU=Users,DC=server,DC=com?sAMAccountName
> [Mon Jan 13 08:25:25 2014] [debug] mod_authnz_ldap.c(594): [client 10.1.1.1] auth_ldap authorise: User DN not found, LDAP: ldap_simple_bind_s() failed
>
> The third line there is when I put in the local-file user credentials.
> After about 90 seconds, I made LDAP available again and the browser
> immediately authenticated as the local user and the failed bind was logged,
> as that user is not in LDAP.  You can see the LDAP didn't fail until it was
> available.
>
> Shouldn't this config: 1) try the local file first; and, 2) time-out after a
> period of time?  I thought I saw the default timeout period was 10 seconds?
>
>
>
>
> ---
> Rob Yamry  |  Network Engineer  |  Kimberly Area School District  |  Phone: 920.788.7900 x 4158  |  Direct: 920.423.4158  |  ryamry@kimberly.k12.wi.us
>
>
> On Mon, Jan 13, 2014 at 7:35 AM, Eric Covener <covener@gmail.com> wrote:
>>
>> Your symptom is very odd, because your configuration should try
>> file-based authn first.  Can you bump the logging to DEBUG?  A failed
>> LDAP connection should be logged.
>>
>> Also, upgrading to either a contemporary 2.2 release or 2.4 wouldn't hurt!
>>
>> On Mon, Jan 13, 2014 at 8:10 AM, Rob Yamry <ryamry@kimberly.k12.wi.us> wrote:
>> > Are there any options I can try with this to get it working as needed?
>> > Any other thoughts or help would be appreciated!
>> >
>> >
>> > ---
>> > Rob Yamry  |  Network Engineer  |  Kimberly Area School District  |  Phone: 920.788.7900 x 4158  |  Direct: 920.423.4158  |  ryamry@kimberly.k12.wi.us
>> >
>> >
>> > On Thu, Jan 9, 2014 at 12:26 PM, Rob Yamry <ryamry@kimberly.k12.wi.us> wrote:
>> >>
>> >> I retract that log entry.  The time stamp seemed off after I sent it
>> >> and I retested it.  Nothing gets logged in the access_log or error_log.
>> >> Yes, it's 2.2.10.  Authentication is the problem.
>> >>
>> >>
>> >> ---
>> >> Rob Yamry  |  Network Engineer  |  Kimberly Area School District  |  Phone: 920.788.7900 x 4158  |  Direct: 920.423.4158  |  ryamry@kimberly.k12.wi.us
>> >>
>> >>
>> >> On Thu, Jan 9, 2014 at 11:52 AM, Rob Yamry <ryamry@kimberly.k12.wi.us> wrote:
>> >>>
>> >>> error.log states:
>> >>>
>> >>> [Thu Jan 09 10:22:36 2014] [warn] [client 10.9.2.49] [18090] auth_ldap authenticate: user user1 authentication failed; URI /index.php [User not found][No such object]
>> >>>
>> >>> At this point the ldap server was offline.  Of course, that user only
>> >>> resides locally in the AuthUserFile.
>> >>>
>> >>>
>> >>> ---
>> >>> Rob Yamry  |  Network Engineer  |  Kimberly Area School District  |  Phone: 920.788.7900 x 4158  |  Direct: 920.423.4158  |  ryamry@kimberly.k12.wi.us
>> >>>
>> >>>
>> >>> On Thu, Jan 9, 2014 at 11:33 AM, Eric Covener <covener@gmail.com> wrote:
>> >>>>
>> >>>> On Thu, Jan 9, 2014 at 12:28 PM, Rob Yamry <ryamry@kimberly.k12.wi.us> wrote:
>> >>>> > Hello-
>> >>>> >   I'm having a problem where local authentication will not work when
>> >>>> > the configured LDAP server is unavailable.  When the ldap server is
>> >>>> > online I can authenticate fine against ldap and local file.  However,
>> >>>> > when the ldap server is offline, I cannot authenticate with the user1
>> >>>> > account.
>> >>>> >
>> >>>> > I'd appreciate any help you could provide.  I've searched a lot on
>> >>>> > this and found many examples, all very similar to my config below,
>> >>>> > but I still cannot failback authentication to local file when ldap is
>> >>>> > unavailable.  I'm running Apache/2.2.10
>> >>>> >
>> >>>> > AuthName "Server Access"
>> >>>> > AuthType Basic
>> >>>> > # Check ldap auth first, then file auth
>> >>>> > AuthBasicProvider file ldap
>> >>>> > AuthUserFile /etc/apache2/htpasswd
>> >>>> > AuthzLDAPAuthoritative off
>> >>>> > AuthLDAPURL
>> >>>> > ldap://ldap.domain.com:389/OU=Users,DC=domain,DC=com?sAMAccountName
>> >>>> > AuthLDAPBindDN "domain\ldap_user"
>> >>>> > AuthLDAPBindPassword password
>> >>>> > AuthLDAPGroupAttributeIsDN off
>> >>>> >
>> >>>>
>> >>>> logs?
>> >>>>
>> >>>> really 2.2.10 or w/ patches?
>> >>>>
>> >>>> > Require user user1
>> >>>> > Require ldap-attribute memberOf=CN=groupName,DC=domain,DC=com
>> >>>> >
>> >>>>
>> >>>> is it authentication or authorization that fails?
>> >>>>
>> >>>> --
>> >>>> Eric Covener
>> >>>> covener@gmail.com
>> >>>>
>> >>>> ---------------------------------------------------------------------
>> >>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> >>>> For additional commands, e-mail: users-help@httpd.apache.org
>> >>>>
>> >>>
>> >>
>> >
>>
>>
>>
>> --
>> Eric Covener
>> covener@gmail.com
>>
>>
>



-- 
Eric Covener
covener@gmail.com

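Added example, not from Eric's or Rob's mail and not from the httpd project: an httpd 2.4 rendering of Rob's configuration with the connect and bind timeouts Eric refers to made explicit, so an unreachable LDAP server fails fast instead of holding a worker until the OS gives up. The hostname, base DN, bind credentials and group are placeholders copied from the thread; `LDAPTimeout`, `LDAPRetries`, `AuthLDAPBindAuthoritative` and the `<RequireAny>` container are 2.4 directives that 2.2.10 does not have.

```apache
# mod_ldap settings are server-wide: put them outside any <Location>/<Directory>.

# Bound the TCP connect to the LDAP server. Without it a dropped SYN or a
# filtered RST (Eric's guess) stalls the bind for the OS connect timeout.
# Only effective when the LDAP SDK supports LDAP_OPT_NETWORK_TIMEOUT.
LDAPConnectionTimeout 5
# Bound each bind/search once connected (2.4 default is 60 seconds).
LDAPTimeout 10
# Do not retry a failed connection (2.4 default is 3 retries).
LDAPRetries 0

<Location "/">
    AuthName "Server Access"
    AuthType Basic
    # Providers run left to right: the htpasswd file is consulted first,
    # so user1 never needs LDAP for authentication.
    AuthBasicProvider file ldap
    AuthUserFile "/etc/apache2/htpasswd"

    # Placeholders from the thread; use your own directory and a
    # least-privilege bind account in a real deployment.
    AuthLDAPURL "ldap://ldap.domain.com:389/OU=Users,DC=domain,DC=com?sAMAccountName"
    AuthLDAPBindDN "domain\ldap_user"
    AuthLDAPBindPassword "password"
    AuthLDAPGroupAttributeIsDN off
    # If a user maps to a DN but the bind fails, let later providers try
    # instead of rejecting outright.
    AuthLDAPBindAuthoritative off

    # 2.4 drops AuthzLDAPAuthoritative; ordering inside RequireAny decides
    # what is consulted. "Require user user1" is evaluated first, so the
    # local user is granted without an LDAP lookup; everyone else must
    # satisfy the LDAP group check, which now fails within the timeouts above.
    <RequireAny>
        Require user user1
        Require ldap-attribute memberOf=CN=groupName,DC=domain,DC=com
    </RequireAny>
</Location>
```

Verify the behaviour with `LogLevel authnz_ldap:debug ldap:debug` and a blocked LDAP port: the connect failure should be logged and a request for user1 should complete within roughly `LDAPConnectionTimeout` rather than hanging.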