LDAP Authentication fails with 500 or 401 depending on bind for Apache2

Solution 1

Turns out I was nearly there. I simply missed the AuthzLDAPAuthoritative off directive which is specific to my instance.

As a further note we also wanted to limit the repo to only identified users so we chained the authentication with a file as well. Example below:

RedirectMatch ^(/repos)$ $1/
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so

<Location /repos/>
    DAV svn
    SVNParentPath /var/svn/repos
    SVNListParentPath On
    SVNAutoversioning On

    AuthType Basic
    AuthName "Subversion Repository"

    AuthBasicProvider file ldap
    AuthzLDAPAuthoritative off
    AuthLDAPBindDN "OU=Service Accounts,OU=User Accounts,DC=example,DC=com"
    AuthLDAPBindPassword xXxXxXx
    AuthLDAPUrl "ldap://ldap.example.com:389/OU=User Accounts,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"

    AuthzSVNAccessFile /etc/svn-authn
    SVNIndexXSLT "/styles/svnindexICore.xsl"
    AuthUserFile /etc/svn-auth-file

    #AuthBasicProvider file ldap
    Require valid-user
</Location>
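
An added example (not code from any of the answers): it splits an AuthLDAPUrl value like the one above into the parts mod_authnz_ldap uses, builds the per-user filter Apache sends in the (&(filter)(attribute=user)) form described in the mod_authnz_ldap documentation, and prints the equivalent ldapsearch call, so a failing bind or search can be reproduced outside Apache. Host, base DN and the bind DN are the page's placeholders; the default attribute and scope are assumed to be uid and sub.

```python
import shlex
from urllib.parse import unquote, urlsplit

# Added example for this page: turn an AuthLDAPUrl directive value into the
# pieces mod_authnz_ldap uses, the per-user filter it sends, and an equivalent
# ldapsearch command line.  All names below are placeholders from the page.

def parse_auth_ldap_url(value):
    """Parse 'ldap://host:port/basedn?attr?scope?filter [NONE|SSL|TLS]'."""
    parts = shlex.split(value)             # strips the surrounding quotes
    url, mode = parts[0], (parts[1].upper() if len(parts) > 1 else "NONE")
    u = urlsplit(url)
    if u.scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %r" % u.scheme)
    fields = u.query.split("?", 2) if u.query else []
    fields += [""] * (3 - len(fields))     # pad attr, scope, filter
    flt = unquote(fields[2]) or "(objectClass=*)"
    if flt.startswith("(") and flt.endswith(")"):
        flt = flt[1:-1]                    # outer parens are re-added later
    return {
        "scheme": u.scheme,
        "host": u.hostname,
        "port": u.port or (636 if u.scheme == "ldaps" else 389),
        "basedn": unquote(u.path.lstrip("/")),
        "attribute": fields[0] or "uid",   # assumed default
        "scope": fields[1].lower() or "sub",
        "filter": flt,
        "mode": mode,
    }

def ldap_filter_escape(value):
    """RFC 4515 escaping so a user name cannot alter the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def user_search_filter(parsed, username):
    """The filter Apache sends: (&(<url filter>)(<attribute>=<user>))."""
    return "(&(%s)(%s=%s))" % (parsed["filter"], parsed["attribute"],
                               ldap_filter_escape(username))

def ldapsearch_argv(parsed, bind_dn, username):
    """Equivalent ldapsearch invocation (-W prompts for the bind password)."""
    uri = "%s://%s:%d" % (parsed["scheme"], parsed["host"], parsed["port"])
    return ["ldapsearch", "-x", "-H", uri, "-D", bind_dn, "-W",
            "-b", parsed["basedn"], "-s", parsed["scope"],
            user_search_filter(parsed, username), parsed["attribute"]]

if __name__ == "__main__":
    cfg = ('"ldap://ldap.example.com:389/OU=User Accounts,DC=example,DC=com'
           '?sAMAccountName?sub?(objectClass=user)" NONE')
    p = parse_auth_ldap_url(cfg)
    print(shlex.join(ldapsearch_argv(p, "cn=userfoo,dc=example,dc=com", "myuser")))
```

If the printed ldapsearch works with the service account but Apache still logs "Operations error", the difference is on the Apache side (bind credentials, port, or the directives around the URL), not in the directory data.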

Solution 2

I had the same problem. The identical configuration I tested on Ubuntu did not work on RHEL5. I ended up changing from port 389 to 3268 after reading this, and that fixed my problem.

Solution 3

Comparing your configuration to a working configuration with Active Directory on Apache 2.2.3 the only differences I'm seeing are:

  • I am using the "DOMAIN\sAMAccountName" style username for my AuthLDAPBindDN
  • I do not have NONE after my AuthLDAPURL

Aside from those suggestions, I'd recommend running tcpdump on the conversation between Apache and Active Directory to see what might be transpiring there, too.

Updated on September 17, 2022

Comments

  • Erik
    Erik almost 2 years

    I'm setting up LDAP authentication for our Subversion repository hosted through Apache on a RHEL 5 system. I run into two different issues when I try to authenticate against Active Directory.

    <Location /svn/>
    Dav svn
    SvnParentPath /srv/subversion
    SVNListParentPath On
    AuthType Basic
    AuthName "Subversion Repository"
    
    AuthBasicProvider ldap
    
    AuthLDAPBindDN "cn=userfoo,ou=Service Accounts,ou=User Accounts,dc=my,dc=example,dc=com"
    AuthLDAPBindPassword "mypass"
    
    AuthLDAPUrl "ldap://my.example.com:389/ou=User Accounts,dc=my,dc=example,dc=com?sAMAccountName?sub?(objectClass=user)" NONE
    
    Require valid-user
    </Location>
    

    If I use the above configuration it continually prompts me with the Basic prompt and I have to eventually select Cancel, which returns a 401 (Authorization Required). If I comment out the bind parts it returns 500 (Internal Server Error), griping that authentication failed:

    [Mon Nov 02 12:00:00 2009] [warn] [client x.x.x.x] [10744] auth_ldap authenticate: user myuser authentication failed; URI /svn [ldap_search_ext_s() for user failed][Operations error]
    

    When I perform the bind using ldapsearch and filter for a simple attribute it returns correctly:

    ldapsearch -h my.example.com -p 389 -D "cn=userfoo,ou=Service Accounts,ou=User Accounts,dc=my,dc=example,dc=com" -b "ou=User Accounts,dc=my,dc=example,dc=com" -w - "(&(objectClass=user)(cn=myuser))" sAMAccountName
    

    Unfortunately I have no control or insight into the AD part of the system, only the RHEL server. Does anyone know what the hang-up is here?

    • Rilindo
      Rilindo over 12 years
      What does apache error_log say?
    • Erik
      Erik over 12 years
      It's the code block just after the "griping that authentication failed:" statement.
  • Erik
    Erik over 14 years
    cn or SAMAccountName are both available, and in the case of our network interchangeable.
  • silk
    silk over 14 years
    Can you access the AD logs? It would be good to confront what apache asks the AD. I have a similar configuration with OpenLDAP and it is working fine. So the problem must lie somewhere else. Maybe some SE extensions or sth? Maybe the apache process is not able to open sockets? No other ideas.
  • Erik
    Erik about 14 years
    I found these docs as well. Unfortunately they didn't provide any insight as to the underlying issue.
  • Erik
    Erik about 14 years
    I spoke with the LDAP admin and they couldn't identify anything in the logs. Also problematic is the LDAP instance deals with logins from nearly 13,000 accounts daily. A proverbial needle.
  • silk
    silk about 14 years
    Couldn't identify anything? This seems strange :) At least he should be able to tell you if the apache at least connects, and later what queries it issues.
  • voretaq7
    voretaq7 over 12 years
    Hi Kieren, can you please include some of the salient details of that discussion (like what specific steps you took to resolve the problem) in your answer? This makes your answer useful if that forum post ever goes away (see here for more info).