httpd-users mailing list archives

From Marshall Httpd <httpd.questi...@gmail.com>
Subject Re: [users@httpd] auth_ldap fails after upgrading to 2.4.9
Date Tue, 15 Apr 2014 21:36:37 GMT
Hey Eric,

Yeah, I _just_ ran across the "mod_ldap: When looking up sub-groups, use an
implicit objectClass=* instead of an explicit cn=* filter." for 2.4.7.
I just haven't wrapped my head around it just yet.  Nor have I found the
bug fix entry for this in https://issues.apache.org

> Can you summarize how the logging differs in the two releases?

Logging differences, sure thing...

Using the steve (success) and dev.frank (failure) examples before; they
both start off with...

[Tue Apr 15 09:11:10.320110 2014] [ssl:info] [pid 4844:tid 1040] [client
100.200.300.401:55884] AH01964: Connection to child 52 established (server
xxxdev.xxx.example.edu:443)
[Tue Apr 15 09:11:10.321110 2014] [ssl:debug] [pid 4844:tid 1040]
ssl_engine_kernel.c(1920): [client 100.200.300.401:55884] AH02043: SSL
virtual host for servername xxxdev.xxx.example.edu found
[Tue Apr 15 09:11:10.541132 2014] [ssl:debug] [pid 4844:tid 1040]
ssl_engine_kernel.c(1850): [client 100.200.300.401:55884] AH02041:
Protocol: TLSv1.2, Cipher: RC4-SHA (128/128 bits)
[Tue Apr 15 09:11:10.543132 2014] [ssl:debug] [pid 4844:tid 1040]
ssl_engine_kernel.c(226): [client 100.200.300.401:55884] AH02034: Initial
(No.1) HTTPS request received for child 52 (server
xxxdev.xxx.example.edu:443)
[Tue Apr 15 09:11:10.543132 2014] [authz_core:debug] [pid 4844:tid 1040]
mod_authz_core.c(799): [client 100.200.300.401:55884] AH01626:
authorization result of Require valid-user : denied (no authenticated user
yet)
[Tue Apr 15 09:11:10.543132 2014] [authz_core:debug] [pid 4844:tid 1040]
mod_authz_core.c(799): [client 100.200.300.401:55884] AH01626:
authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Apr 15 09:11:10.545132 2014] [ssl:debug] [pid 4844:tid 1040]
ssl_engine_kernel.c(226): [client 100.200.300.401:55884] AH02034:
Subsequent (No.2) HTTPS request received for child 52 (server
xxxdev.xxx.example.edu:443)
[Tue Apr 15 09:11:10.545132 2014] [authz_core:debug] [pid 4844:tid 1040]
mod_authz_core.c(799): [client 100.200.300.401:55884] AH01626:
authorization result of Require valid-user : denied (no authenticated user
yet)
[Tue Apr 15 09:11:10.545132 2014] [authz_core:debug] [pid 4844:tid 1040]
mod_authz_core.c(799): [client 100.200.300.401:55884] AH01626:
authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Apr 15 09:11:10.545132 2014] [authnz_ldap:debug] [pid 4844:tid 1040]
mod_authnz_ldap.c(500): [client 100.200.300.401:55884] AH01691: auth_ldap
authenticate: using URL ldaps://
ad.example.edu:636/DC=ad,DC=example,DC=edu?samAccountName?sub?(&(objectCategory=person)(|(CN=xxxtech)(memberOf=CN=dev_Admins,OU=AdminGroups,OU=Groups,OU=dev,OU=EDUCATION,OU=DOMAINS,DC=domain,DC=ad,DC=example,DC=edu)(memberOf=CN=dev_admins,OU=Groups,OU=dev,OU=EDUCATION,OU=DOMAINS,DC=ad,DC=example,DC=edu)(memberOf=CN=dev_Operators,OU=AdminGroups,OU=Groups,OU=dev,OU=EDUCATION,OU=DOMAINS,DC=domain,DC=ad,DC=example,DC=edu)))

But then, for steve the next line is:
[Tue Apr 15 09:11:10.551133 2014] [authnz_ldap:debug] [pid 4844:tid 1040]
mod_authnz_ldap.c(592): [client 100.200.300.401:55884] AH01697: auth_ldap
authenticate: accepting steve

Whereas for dev.frank, it's:
[Tue Apr 15 09:11:43.585436 2014] [authnz_ldap:info] [pid 4844:tid 1040]
[client 100.200.300.401:55888] AH01695: auth_ldap authenticate: user
dev.frank authentication failed; URI /svn/databaseProject [User not
found][No Such Object]

Did that help?

> Would you be able to rebuild a patch, or ask your vendor to try
> selectively removing some of the recent LDAP changes?

I don't think they are willing to do this.  You can see for yourself from
the original forum post; but they have done testing on their side and it
works for them.  Thus, they have pointed me in the direction of httpd.

Am I willing?  Er, yes.  Just have to find the time and figure out
_exactly_ how/what needs to be compiled for me to do testing.  The ideal
situation would be for me to isolate httpd and just authenticate through it
somehow using my CollabNet Subversion Edge settings for LDAP.


On Tue, Apr 15, 2014 at 4:38 PM, Eric Covener <covener@gmail.com> wrote:

> Can you summarize how the logging differs in the two releases?
>
>
> Here are two candidates:
>
>   *) mod_ldap: When looking up sub-groups, use an implicit objectClass=*
>      instead of an explicit cn=* filter. [David Hawes <dhawes vt.edu>]
>
>   *) mod_ldap: Change "LDAPReferrals off" to actually set the underlying
> LDAP
>      SDK option to OFF, and introduce "LDAPReferrals default" to take the
> SDK
>      default, sans rebind authentication callback.
>      [Jan Kaluza <kaluze AT redhat.com>]
>
> Would you be able to rebuild a patch, or ask your vendor to try
> selectively removing some of the recent LDAP changes?
>
> On Tue, Apr 15, 2014 at 3:55 PM, Marshall Httpd
> <httpd.questions@gmail.com> wrote:
> > Hi,
> >
> > Our httpd.exe was recently upgraded from 2.4.6 to 2.4.9.  But, when that
> > happened, some of our users can no longer authenticate via LDAP.  By
> "some",
> > I mean that we have 2 domains.  Users from one domain are fine, but
> users in
> > the 2nd domain can no longer authenticate.
> >
> > E.g. AD\steve can authenticate fine; but DOMAIN\dev.frank now gets
> > "authentication failed"
> >
> > The general error goes something like:
> > [authnz_ldap:info] [pid 4844:tid 1040] [client 100.200.300.401:55888]
> > AH01695: auth_ldap authenticate: user dev.frank authentication failed;
> URI
> > /svn/databaseProject [User not found][No Such Object]
> >
> > Has anyone experienced such a thing before?  And/or know of the fix?
> >
> > Full disclosure:  httpd.exe was upgraded by way of our CollabNet
> Subversion
> > Edge upgrade.  I posed my question there first of course; but this really
> > does seem like it's an httpd issue.  And thus, here I am.
> > I captured a great deal of logging information along with configuration
> > settings in their forums.  It's available here:
> >
> https://subversion.open.collab.net/ds/viewMessage.do?dsForumId=3&dsMessageId=517643
> >
> >
> > Thank you,
> > Marshall
>
>
>
> --
> Eric Covener
> covener@gmail.com
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
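
Added example (not code from the thread or from httpd): a small Python triage script for log lines in the shape quoted above. It pulls the AH01691 search URL apart into base DN, attribute, scope and filter, records each user's outcome from the AH01697 (accept) and AH01695 (failure) lines, and flags memberOf group DNs whose DC= naming context sits below the search base. The log lines and DNs are constructed to match the thread's format, and the "child naming context" check is a hypothesis worth testing rather than a confirmed cause: a subtree search rooted in a parent AD domain reaches entries in a child domain only through referrals, which is what the LDAPReferrals change Eric listed touches.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines (same shape as the thread's quotes, filter shortened).
SAMPLE_LOG = """\
[Tue Apr 15 09:11:10.545132 2014] [authnz_ldap:debug] [pid 4844:tid 1040] mod_authnz_ldap.c(500): [client 100.200.300.401:55884] AH01691: auth_ldap authenticate: using URL ldaps://ad.example.edu:636/DC=ad,DC=example,DC=edu?samAccountName?sub?(&(objectCategory=person)(|(CN=xxxtech)(memberOf=CN=dev_Admins,OU=AdminGroups,OU=Groups,OU=dev,OU=EDUCATION,OU=DOMAINS,DC=domain,DC=ad,DC=example,DC=edu)(memberOf=CN=dev_admins,OU=Groups,OU=dev,OU=EDUCATION,OU=DOMAINS,DC=ad,DC=example,DC=edu)))
[Tue Apr 15 09:11:10.551133 2014] [authnz_ldap:debug] [pid 4844:tid 1040] mod_authnz_ldap.c(592): [client 100.200.300.401:55884] AH01697: auth_ldap authenticate: accepting steve
[Tue Apr 15 09:11:43.585436 2014] [authnz_ldap:info] [pid 4844:tid 1040] [client 100.200.300.401:55888] AH01695: auth_ldap authenticate: user dev.frank authentication failed; URI /svn/databaseProject [User not found][No Such Object]
"""

URL_RE = re.compile(r"AH01691: auth_ldap authenticate: using URL (\S+)")
ACCEPT_RE = re.compile(r"AH01697: auth_ldap authenticate: accepting (\S+)")
FAIL_RE = re.compile(
    r"AH01695: auth_ldap authenticate: user (\S+) authentication failed; URI (\S+) (.*)$"
)


def search_urls(log: str) -> List[str]:
    """Every LDAP search URL that mod_authnz_ldap logged at debug level."""
    return URL_RE.findall(log)


def parse_ldap_url(url: str) -> Dict[str, str]:
    """Split an RFC 4516 style URL (scheme://host:port/base?attrs?scope?filter).

    Assumes the filter contains no '?' and nothing is percent-encoded, which
    holds for the URL form mod_authnz_ldap logs here.
    """
    scheme, rest = url.split("://", 1)
    hostport, _, dn_and_query = rest.partition("/")
    host, _, port = hostport.partition(":")
    parts = dn_and_query.split("?", 3) + [""] * 4
    base, attrs, scope, filt = parts[:4]
    return {"scheme": scheme, "host": host, "port": port, "base": base,
            "attrs": attrs, "scope": scope or "base", "filter": filt}


def naming_context(dn: str) -> Tuple[str, ...]:
    """DC= components of a DN, lower-cased. Naive comma split: escaped commas
    inside RDN values are not handled (none appear in these DNs)."""
    comps = [c.strip().lower() for c in dn.split(",")]
    return tuple(c for c in comps if c.startswith("dc="))


def classify_dn_against_base(dn: str, base: str) -> str:
    """same-context: the entry lives in the searched naming context.
    child-context: a naming context below the base (AD answers a subtree
    search with a referral for it). outside-base: not under the base at all."""
    ctx, base_ctx = naming_context(dn), naming_context(base)
    if ctx == base_ctx:
        return "same-context"
    if len(ctx) > len(base_ctx) and ctx[-len(base_ctx):] == base_ctx:
        return "child-context"
    return "outside-base"


def memberof_groups(filt: str) -> List[str]:
    """Group DNs referenced by memberOf= assertions in the filter."""
    return re.findall(r"memberOf=([^()]+)", filt)


def referral_dependent_groups(url: str) -> List[Tuple[str, str]]:
    """Groups in the filter that a non-referral-chasing search cannot resolve."""
    base = parse_ldap_url(url)["base"]
    out = []
    for group in memberof_groups(parse_ldap_url(url)["filter"]):
        kind = classify_dn_against_base(group, base)
        if kind != "same-context":
            out.append((group, kind))
    return out


def auth_outcomes(log: str) -> Dict[str, Tuple[str, str]]:
    """user -> ('accepted', '') or ('failed', '<reason text from the log>')."""
    outcomes: Dict[str, Tuple[str, str]] = {}
    for line in log.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            outcomes[m.group(1)] = ("accepted", "")
            continue
        m = FAIL_RE.search(line)
        if m:
            outcomes[m.group(1)] = ("failed", m.group(3))
    return outcomes


if __name__ == "__main__":
    for url in search_urls(SAMPLE_LOG):
        print("search:", parse_ldap_url(url))
        for group, kind in referral_dependent_groups(url):
            print("flag:", kind, group)
    for user, (status, why) in auth_outcomes(SAMPLE_LOG).items():
        print(user, status, why)
```

Run it against a real error_log at LogLevel authnz_ldap:debug; if the users who fail are exactly those whose only qualifying memberOf group is in a flagged child context, the referral setting is the first thing to compare between the 2.4.6 and 2.4.9 builds.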
