Apache mod_authnz_ldap strange behaviour.

Discussion in 'Apache' started by Lebensgefahr, Jun 4, 2012.

  1. #1
    I've tried to use mod_authnz_ldap to authorize users against AD.

    If I use ldapsearch:
    ldapsearch -v -w somepassword -x -D cn=unix,ou="Special Tasks",dc=ok,dc=somedomain,dc=ru -H ldap://a-server:389 -b "DC=ok,dc=somedomain,dc=ru" sAMAccountName=someuser

    ldapsearch works great and returns the information about someuser as it should.

    But if I use the same search string in the Apache configuration file I receive nothing.

    Apache configuration file:

    <Location "/">
        Dav On
    
        AuthType Basic
        AuthName "Data Exchange"
        AuthBasicProvider ldap
        AuthLDAPBindDN "cn=unix,ou=Special Tasks,dc=ok,dc=somedomain,dc=ru"
        AuthLDAPBindPassword "somepassword"
        AuthLDAPUrl "ldap://a-server/DC=ok,DC=somedomain,DC=ru?sAMAccountName" NONE
        AuthzLDAPAuthoritative off
        AuthLDAPGroupAttribute memberOf
    
        # one group DN per Require line; Apache 2.2 treats multiple Require lines as alternatives
        Require ldap-group CN=dav,OU=External Users,DC=ok,DC=somedomain,DC=ru
        Require ldap-group CN=dav_system,OU=External Users,DC=ok,DC=somedomain,DC=ru
    </Location>
    
    This is the tcpdump output for ldapsearch:

    13:53:57.441451 IP 172.16.6.241.52925 > 172.16.20.28.389: Flags [P.], seq 72:152, ack 23, win 1040, options [nop,nop,TS val 35381941 ecr 42495885], length 80
            0x0000:  4500 0084 5774 4000 4006 6fd2 ac10 06f1  E...Wt@.@.o.....
            0x0010:  ac10 141c cebd 0185 8a62 b924 e665 f09a  .........b.$.e..
            0x0020:  8018 0410 73a4 0000 0101 080a 021b e2b5  ....s...........
            0x0030:  0288 6f8d 304e 0201 0263 4904 1644 433d  ..o.0N...cI..DC=
            0x0040:  6f6b 2c64 633d 756e 6963 6f6e 662c 6463  ok,dc=somedomain,dc
            0x0050:  3d72 750a 0102 0a01 0002 0100 0201 0001  =ru.............
            0x0060:  0100 a31e 040e 7341 4d41 6363 6f75 6e74  ......sAMAccount
            0x0070:  4e61 6d65 040c 6176 6269 616c 6b65 7669  Name..someuser
            
    
    This is the tcpdump output for Apache:

    09:38:37.143819 IP 172.16.6.241.29748 > 172.16.20.28.389: Flags [P.], seq 72:183, ack 23, win 1040, options [nop,nop,TS val 42489791 ecr 43206687], length 111
            0x0000:  4500 00a3 f727 4000 4006 cfff ac10 06f1  E....'@.@.......
            0x0010:  ac10 141c 7434 0185 e6fc bfa2 054f 54b1  ....t4.......OT.
            0x0020:  8018 0410 73c3 0000 0101 080a 0288 57bf  ....s.........W.
            0x0030:  0293 481f 306d 0201 0263 6804 1644 433d  ..H.0m...ch..DC=
            0x0040:  6f6b 2c44 433d 756e 6963 6f6e 662c 4443  ok,DC=somedomain,DC
            0x0050:  3d72 750a 0102 0a01 0302 0100 0201 0001  =ru.............
            0x0060:  0100 a02d 870b 6f62 6a65 6374 436c 6173  ...-..objectClas
            0x0070:  73a3 1e04 0e73 414d 4163 636f 756e 744e  s....sAMAccountN
            0x0080:  616d 6504 0c61 7662 6961 6c6b 6576 6963  ame..someuser
            0x0090:  6830 1004 0e73 414d 4163 636f 756e 744e  0...sAMAccountN
            0x00a0:  616d 65                                  ame
    
    In the second case, after 3-4 requests I receive the following error:
    09:38:37.151427 IP 172.16.20.28.389 > 172.16.6.241.11002: Flags [P.], seq 1:174, ack 128, win 65393, options [nop,nop,TS val 43206687 ecr 42489791], length 173
            0x0000:  4500 00e1 5360 4000 8006 3389 ac10 141c  E...S`@...3.....
            0x0010:  ac10 06f1 0185 2afa 663f 78d0 2d57 5d3d  ......*.f?x.-W]=
            0x0020:  8018 ff71 b17d 0000 0101 080a 0293 481f  ...q.}........H.
            0x0030:  0288 57bf 3084 0000 00a7 0201 0765 8400  ..W.0........e..
            0x0040:  0000 9e0a 0101 0400 0484 0000 0093 3030  ..............00
            0x0050:  3030 3030 3030 3a20 4c64 6170 4572 723a  000000:.LdapErr:
            0x0060:  2044 5349 442d 3043 3039 3036 3237 2c20  .DSID-0C090627,.
            0x0070:  636f 6d6d 656e 743a 2049 6e20 6f72 6465  comment:.In.orde
            0x0080:  7220 746f 2070 6572 666f 726d 2074 6869  r.to.perform.thi
            0x0090:  7320 6f70 6572 6174 696f 6e20 6120 7375  s.operation.a.su
            0x00a0:  6363 6573 7366 756c 2062 696e 6420 6d75  ccessful.bind.mu
            0x00b0:  7374 2062 6520 636f 6d70 6c65 7465 6420  st.be.completed.
            0x00c0:  6f6e 2074 6865 2063 6f6e 6e65 6374 696f  on.the.connectio
            0x00d0:  6e2e 2c20 6461 7461 2030 2c20 7665 6365  n.,.data.0,.vece
            0x00e0:  00                                       .
    
    comment: In order to perform this operation a successful bind must be completed on the connection

    But if I try another string in the mod_authnz_ldap search I receive all I want.

    This is the string that works great:
    AuthLDAPUrl "ldap://a-server/DC=ok,DC=somedomain,DC=ru?sAMAccountName,memberOf" NONE
    
    In this case I received exactly the information that I received with ldapsearch with the same search parameters.

    In httpd-error.log it looks like:
    [Tue Jun 05 10:05:09 2012] [info] [client 172.16.6.242] [4733] auth_ldap authenticate: user someuser authentication failed; URI / [ldap_search_ext_s() for user failed][Operations error]
    
    Is it my error or the Apache module's?
     
    Lebensgefahr, Jun 4, 2012
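    The two captures in the post differ in what the client puts inside its SearchRequest (the Apache one adds an objectClass presence term to the filter and a different attribute list). To read those fields off a capture instead of eyeballing the hex column, here is a small BER decoder for an LDAPMessage carrying a SearchRequest; it is added as an example and is not code from the thread or from mod_authnz_ldap. The sample message is constructed with placeholder names (dc=example,dc=com, user alice) rather than the bytes from the dumps above.

```python
def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf: bytes):
    """Yield every (tag, value) pair in the body of a BER SEQUENCE or SET."""
    p = 0
    while p < len(buf):
        t, v, p = read_tlv(buf, p)
        yield t, v

def decode_filter(tag: int, val: bytes) -> str:
    """Render the filter subset seen in such captures: and, equalityMatch, present."""
    if tag == 0xA0:                        # and: SET OF nested filters
        return "(&" + "".join(decode_filter(t, v) for t, v in iter_tlvs(val)) + ")"
    if tag == 0xA3:                        # equalityMatch: SEQUENCE { attributeDesc, assertionValue }
        attr, value = (v for _, v in iter_tlvs(val))
        return "(%s=%s)" % (attr.decode(), value.decode())
    if tag == 0x87:                        # present: just the attribute name
        return "(%s=*)" % val.decode()
    return "(?tag=0x%02x)" % tag

def decode_search_request(msg: bytes) -> dict:
    """Parse LDAPMessage { messageID, SearchRequest } from the start of an LDAP payload."""
    _, ldap_msg, _ = read_tlv(msg, 0)
    (_, msgid), (tag, req) = list(iter_tlvs(ldap_msg))[:2]   # optional trailing controls ignored
    if tag != 0x63:                        # [APPLICATION 3] SearchRequest
        raise ValueError("protocolOp 0x%02x is not a SearchRequest" % tag)
    # base, scope, derefAliases, sizeLimit, timeLimit, typesOnly, filter, attributes
    (_, base), (_, scope), _, _, _, _, filt, (_, attrs) = iter_tlvs(req)
    return {"messageID": int.from_bytes(msgid, "big"), "base": base.decode(),
            "scope": {0: "base", 1: "one", 2: "sub"}[scope[0]],
            "filter": decode_filter(*filt),
            "attributes": [a.decode() for _, a in iter_tlvs(attrs)]}

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body  # short-form BER encoding, enough for the sample

# Constructed sample (not from the thread): subtree search under dc=example,dc=com for
# sAMAccountName=alice, requesting the sAMAccountName and memberOf attributes.
SAMPLE = tlv(0x30, tlv(0x02, b"\x02") + tlv(0x63,                              # messageID 2, SearchRequest
    tlv(0x04, b"dc=example,dc=com") + tlv(0x0A, b"\x02") + tlv(0x0A, b"\x00")  # base, scope=sub, deref
    + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x01, b"\x00")             # sizeLimit, timeLimit, typesOnly
    + tlv(0xA0, tlv(0x87, b"objectClass") + tlv(0xA3, tlv(0x04, b"sAMAccountName") + tlv(0x04, b"alice")))
    + tlv(0x30, tlv(0x04, b"sAMAccountName") + tlv(0x04, b"memberOf"))))
```

    To use it on a real capture, pass the TCP payload bytes (everything after the TCP header, e.g. from the 0x30 that starts the LDAPMessage) to decode_search_request and compare the resulting dicts for the two clients.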
  2. Lebensgefahr

    #2
    Problem is SOLVED.

    Lebensgefahr, Jun 6, 2012