Questions[mod-auth-ldap](server)

I'm trying to debug a timeout problem I have with Apache, for some months now.

The pattern looks like this:

On every first request of a new session (or after some time after the last request) the browser asks instantly for credentials, then sends the request with basic auth. Then the server waits exactly 1 minute before sending the result.

Subsequent requests are answered instantly, this only happens for requests after some time (couldn't pinpoint it exactly yet, between 5 and 15 minutes).

The fact that the wait time is reproducible exactly 60 seconds smells like a timeout to me. If I cancel the request and hit reload I get the requested URL instantly.

Since the password prompt appears instantly as well I can rule out a problem with the SSL handshake between client and server, or DNS problems on that leg. It doesn't matter if I request a PHP script or a blank text file, which rules a problem with scripts on the server out as well. I guess the result of the auth process is then cached for a while, so it isn't necessary for subsequent requests.

Note that the authentication always succeeds, so I can rule out a "the domain controller didn't answer" problem as well.

Apache 2.4 is running on Windows Server 2012 R2. It is configured for LDAP auth:

<Location />
    AuthType Basic
    AuthName "AD Login"
    AuthBasicProvider ldap
    LDAPReferrals Off
    #AuthLDAPUrl ldap://dc01.domain.de:3268/dc=ad,dc=domain,dc=de?sAMAccountName?sub?(objectClass=*)
    #AuthLDAPUrl ldap://ad.domain.de:389/dc=ad,dc=domain,dc=de?sAMAccountName?sub?(objectClass=*) STARTTLS
    AuthLDAPUrl ldap://ad.domain.de:389/dc=ad,dc=domain,dc=de?sAMAccountName?sub?(objectClass=*) TLS
    AuthLDAPBindDN "[email protected]"
    AuthLDAPBindPassword "secret"
    Require valid-user
    Require all denied
</Location>

As you can see I tried different connection types to the domain controllers, it doesn't really seem to matter which encryption method I use, or if I pass on encryption at all.

ad.domain.de resolves to multiple domain controllers, but the behavior is the same if I connect to a specific DC.

No entries in the error log on LogLevel info, I'm yet hesitant to increase it to debug, as I know from experience that I have trouble sifting through the generated debug information.

Is there anything I missed yet that I can use to debug the problem, or do I have to go through debug level logging?

i would like to auhenticate and authorize all users of one LDAP group (ApacheDS 2.0.0-20 on Windows, using multiple uniqueMember attributes in the group and the "Require ldap-group" statement in httpd config) for access to a web ressource.

The user which tries to authenticate is also part of this LDAP group and is authorized if i use the "Require valid-user" statement instead of "Require ldap-group" in httpd config.

Setup:

• Linux based Apache 2.4.23 (from OpenSuse 42.1 Apache Repository)
• LDAP: MS windows based ApacheDS 2.0.0-20

Group configuration in ApacheDS LDAP:

Excerpt of configuration of httpd:

<AuthnProviderAlias ldap ldapconfig>
        LDAPReferrals Off
        AuthLDAPBindDN "cn=query,ou=users,o=WJWext"
        AuthLDAPBindPassword secretpassword
        AuthLDAPURL "ldap://ldap.hostname:10389/o=WJWext?uid?sub"
</AuthnProviderAlias>

...
LogLevel trace7

<Location /xy>
...
        AuthType Basic
        AuthName "xy"
        AuthBasicProvider ldapconfig
        AuthLDAPGroupAttributeIsDN on
        AuthLDAPGroupAttribute uniqueMember
        AuthLDAPMaxSubGroupDepth 0
        AuthLDAPSubGroupClass groupOfUniqueNames
        Require ldap-group cn=groupname,ou=groups,o=WJWext
...
</Location>

The log file of httpd shows that the user can be authenticated but is not authorized by group:

[Tue Nov 08 21:44:23.601378 2016] [authz_core:debug] [pid 15148] mod_authz_core.c(809): [client a.b.c.d:59427] AH01626: authorization result of Require ldap-group cn=groupname,ou=groups,o=WJWext)
[Tue Nov 08 21:44:23.601415 2016] [authz_core:debug] [pid 15148] mod_authz_core.c(809): [client a.b.c.d:59427] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Nov 08 21:44:23.601547 2016] [authnz_ldap:debug] [pid 15148] mod_authnz_ldap.c(516): [client a.b.c.d:59427] AH01691: auth_ldap authenticate: using URL ldap://ldap.hostname:10389/o=WJWext?uid?sub
[Tue Nov 08 21:44:23.601590 2016] [authnz_ldap:trace1] [pid 15148] mod_authnz_ldap.c(537): [client a.b.c.d:59427] auth_ldap authenticate: final authn filter is (&(objectclass=*)(uid=hudson))
[Tue Nov 08 21:44:23.615090 2016] [ldap:trace5] [pid 15148] util_ldap.c(1843): [client a.b.c.d:59427] LDC 55e4b4a94070 used for authn, must be rebound
[Tue Nov 08 21:44:23.615236 2016] [authnz_ldap:debug] [pid 15148] mod_authnz_ldap.c(613): [client a.b.c.d:59427] AH01697: auth_ldap authenticate: accepting hudson
[Tue Nov 08 21:44:23.615410 2016] [authz_core:debug] [pid 15148] mod_authz_core.c(809): [client a.b.c.d:59427] AH01626: authorization result of Require ldap-group cn=groupname,ou=groups,o=WJWext:denied

What is somewhat surprising: In the log files and looking at a network traffic trace it seems that there's no search request for gathering the group membership of the user.

Is there any idea what we are doing wrong?

For whatever reason, I am not able to include the following line in my httpd.conf:

AuthBasicProvider file ldap    

I keep getting the following error:

Unknown Authn provider: ldap

Apache is compiled from source with :

--enable-authnz-ldap 
--enable-ldap

What other compile-time options should I pass? Building this for svn/ldap servers, compiling support in instead of dso.

Thanks! V

It is possible to use a portion of the request URI as an input into mod_authnz_ldap's Require ldap-group directive?

I'm trying to dynamically check access to a bunch of different project directories, all under http://testserver.com/projects/, such that a user accessing /projects/abc would be checked for membership in cn=abc,ou=groups,dc=test. Ideally I'd like to do this without creating a separate Location directive for each project, since there could well be hundreds of them.

I have come up with this, which illustrates the general concept, but which doesn't work (project_name doesn't retrive the actual variable contents):

<Location /projects>
    SetEnvIf Request_URI "/projects/([-a-z0-9A-Z_]+)/" project_name=$1

    AuthType Basic
    AuthBasicProvider ldap
    AuthName "Restricted Resource - SVN (LDAP)"
    AuthLDAPURL "ldap://127.0.0.1:389/dc=test?uid"
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPGroupAttribute memberUid
    Require ldap-group cn=%{project_name},ou=groups,dc=test
</Location>

Help?

A - Is there a LDAP authentication module (mod_auth_ldap) for the version of Apache that comes built into MacOS Server 10.5?

(I'm pretty sure no, but maybe someone compiled one.)

B - If not, can it be compiled into MacOS' version of Apache?

(Man, that would be nice.)

3 - If I can't use the Apple version of Apache for this, what is the best way to get Apache LDAP authentication working on MacOS Server 10.5?

(Preferably one that works with MacOS Servers management software)