Discussion:
[Samba] Authenticating Apache Against Active Directory
James
2015-05-11 15:24:52 UTC
Hello,

Using Nagios on Ubuntu 14.04.1 LTS. I'm attempting to authenticate
users against Samba 4.2.1. When I edit 'apache2.conf' with


<Directory />
Options FollowSymLinks
AllowOverride None
Require all granted
Allow from all
AuthName "AD authentication"
AuthBasicProvider ldap
AuthType Basic
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN On
AuthLDAPURL ldap://dc1.domain.local/172.16.232.29:389/cn=Users,dc=domain?sAMAccountName?sub?(objectClass=*)
AuthLDAPBindDN cn=apache-connect,cn=Users,domain
AuthLDAPBindPassword password
require ldap-group cn=Nagios-Admins,cn=Users,domain


and attempt to restart Apache. I get the following.

***@nagios:~# service apache2 restart
* Restarting web server
apache2
[fail]
* The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 159 of /etc/apache2/apache2.conf:
Unknown Authn provider: ldap
Action 'configtest' failed.
The Apache error log may have more information.

I'm not seeing anything of help in the Apache logs.
--
-James
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
John Yocum
2015-05-11 15:42:16 UTC
Post by James
Hello,
Using Nagios on Ubuntu 14.04.1 LTS. I'm attempting to authenticate
users against Samba 4.2.1. When I edit 'apache2.conf' with
<Directory />
Options FollowSymLinks
AllowOverride None
Require all granted
Allow from all
AuthName "AD authentication"
AuthBasicProvider ldap
AuthType Basic
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN On
AuthLDAPURL ldap://dc1.domain.local/172.16.232.29:389/cn=Users,dc=domain?sAMAccountName?sub?(objectClass=*)
AuthLDAPBindDN cn=apache-connect,cn=Users,domain
AuthLDAPBindPassword password
require ldap-group cn=Nagios-Admins,cn=Users,domain
and attempt to restart Apache. I get the following.
* Restarting web server
apache2
[fail]
* The apache2 configtest failed.
Unknown Authn provider: ldap
Action 'configtest' failed.
The Apache error log may have more information.
I'm not seeing anything of help in the Apache logs.
Have you enabled the Apache LDAP module with "a2enmod authnz_ldap"?
--
John Yocum, Systems Administrator, DEOHS
James
2015-05-11 15:58:24 UTC
Post by John Yocum
a2enmod authnz_ldap
John,

I enabled 'a2enmod ldap' and 'a2enmod authnz_ldap'. I no longer get
the error. However I'm not able to log into nagios. Credentials are
invalid. I'll look in the log files now and see if I can uncover the
issue. Thanks.
--
-James
James
2015-05-11 16:43:13 UTC
Post by John Yocum
Post by James
Hello,
Using Nagios on Ubuntu 14.04.1 LTS. I'm attempting to authenticate
users against Samba 4.2.1. When I edit 'apache2.conf' with
<Directory />
Options FollowSymLinks
AllowOverride None
Require all granted
Allow from all
AuthName "AD authentication"
AuthBasicProvider ldap
AuthType Basic
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN On
AuthLDAPURL ldap://dc1.domain.local/172.16.232.29:389/cn=Users,dc=domain?sAMAccountName?sub?(objectClass=*)
AuthLDAPBindDN cn=apache-connect,cn=Users,domain
AuthLDAPBindPassword password
require ldap-group cn=Nagios-Admins,cn=Users,domain
and attempt to restart Apache. I get the following.
* Restarting web server
apache2
[fail]
* The apache2 configtest failed.
Unknown Authn provider: ldap
Action 'configtest' failed.
The Apache error log may have more information.
I'm not seeing anything of help in the Apache logs.
Have you enabled the Apache LDAP module with "a2enmod authnz_ldap"?
I'm receiving this in my apache logs

[Mon May 11 12:38:26.033264 2015] [auth_basic:error] [pid 1195] [client
172.16.232.30:41027] AH01617: user username: authentication failure for
"/nagios/": Password Mismatch

In my Samba logs with a log level of 3 I get

[2015/05/11 12:38:26.776323, 3, pid=1157, effective(0, 0), real(0, 0)]
../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2015/05/11 12:38:26.794712, 3, pid=1157, effective(0, 0), real(0, 0)]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2015/05/11 12:38:26.794764, 3, pid=1157, effective(0, 0), real(0, 0)]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

I know the password is correct. Any ideas? Thanks.
--
-James
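
An added example, not part of any post in this thread: a small linter that checks the AuthLDAPURL and AuthLDAPBindDN values posted above against the `ldap://host:port/basedn?attribute?scope?filter` layout that mod_authnz_ldap documents. The function names are hypothetical, and the DN check is a simplified assumption (no multi-valued RDNs or escaped commas).

```python
import re
from urllib.parse import urlsplit, unquote

# One RDN as attributeType=value (simplified: no multi-valued RDNs, no escaped commas).
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^=,]+$")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def dn_problems(dn, label):
    """Return one finding per component of `dn` that is not attr=value."""
    if not dn:
        return [f"{label}: empty"]
    return [f"{label}: '{p.strip()}' is not attr=value"
            for p in dn.split(",") if not RDN.match(p.strip())]

def lint_authldapurl(url):
    """Check a URL of the form ldap://host:port/basedn?attribute?scope?filter."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        return [f"scheme: '{parts.scheme}' is not ldap or ldaps"]
    findings = []
    if not parts.hostname:
        findings.append("host: missing")
    elif parts.scheme == "ldap" and parts.hostname not in LOOPBACK:
        findings.append("scheme: ldap:// to a remote host is cleartext unless STARTTLS is configured")
    base = unquote(parts.path.lstrip("/"))
    if "/" in base:
        # Everything after the first '/' is the search base, so a second
        # host:port there becomes part of the DN instead of the server address.
        findings.append(f"basedn: '{base}' contains '/'; host:port belongs before the path")
    else:
        findings += dn_problems(base, "basedn")
    fields = parts.query.split("?") if parts.query else []
    if len(fields) > 1 and fields[1] not in ("one", "sub"):
        findings.append(f"scope: '{fields[1]}' is not one or sub")
    return findings

# Values as posted in the thread (embedded here as sample input for this example).
POSTED_URL = ("ldap://dc1.domain.local/172.16.232.29:389/"
              "cn=Users,dc=domain?sAMAccountName?sub?(objectClass=*)")
POSTED_BIND_DN = "cn=apache-connect,cn=Users,domain"
LOCAL_URL = "ldap://127.0.0.1/ou=Users,dc=example,dc=com?uid"

if __name__ == "__main__":
    for finding in lint_authldapurl(POSTED_URL) + dn_problems(POSTED_BIND_DN, "binddn"):
        print(finding)
```
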
Nico Kadel-Garcia
2015-05-12 12:31:34 UTC
Post by James
Hello,
Using Nagios on Ubuntu 14.04.1 LTS. I'm attempting to authenticate
users against Samba 4.2.1. When I edit 'apache2.conf' with
<Directory />
Options FollowSymLinks
AllowOverride None
Require all granted
Allow from all
AuthName "AD authentication"
AuthBasicProvider ldap
AuthType Basic
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN On
AuthLDAPURL ldap://dc1.domain.local/172.16.232.29:389/cn=Users,dc=domain?sAMAccountName?sub?(objectClass=*)
AuthLDAPBindDN cn=apache-connect,cn=Users,domain
AuthLDAPBindPassword password
require ldap-group cn=Nagios-Admins,cn=Users,domain
Why are you bothering to use anything outside of Kerberos? Very few
web projects actually need any group, uid, or other information and
are much simplified by simply relying on the inherent Kerberos of a
modern Samba server or AD based service. It also helps eliminate any
need for LDAP credentials with which to issue LDAP queries, and lends
itself much more easily to genuine "single-sign-on" solutions.

Nico Kadel-Garcia
James
2015-05-12 14:13:09 UTC
Post by Nico Kadel-Garcia
Post by James
Hello,
Using Nagios on Ubuntu 14.04.1 LTS. I'm attempting to authenticate
users against Samba 4.2.1. When I edit 'apache2.conf' with
<Directory />
Options FollowSymLinks
AllowOverride None
Require all granted
Allow from all
AuthName "AD authentication"
AuthBasicProvider ldap
AuthType Basic
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN On
AuthLDAPURL ldap://dc1.domain.local/172.16.232.29:389/cn=Users,dc=domain?sAMAccountName?sub?(objectClass=*)
AuthLDAPBindDN cn=apache-connect,cn=Users,domain
AuthLDAPBindPassword password
require ldap-group cn=Nagios-Admins,cn=Users,domain
Why are you bothering to use anything outside of Kerberos? Very few
web projects actually need any group, uid, or other information and
are much simplified by simply relying on the inherent Kerberos of a
modern Samba server or AD based service. It also helps eliminate any
need for LDAP credentials with which to issue LDAP queries, and lends
itself much more easily to genuine "single-sign-on" solutions.
Nico Kadel-Garcia
Nico,

Went with Kerberos and everything went smoothly. How do I limit what
users are allowed access?

Here is my Apache config for nagios in case it helps anyone.

<Location /"nagios.html">
AuthType Kerberos
AuthName "Network Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms DOMAIN.LOCAL
require valid-user
Krb5KeyTab /etc/apache2/conf-enabled/httpd.keytab
KrbLocalUserMapping On
</Location>

I had to install Kerberos first for Apache (Debian based) on Ubuntu
14.04.1 LTS

apt-get install libapache2-mod-auth-kerb
--
-James
Andrey Repin
2015-05-12 14:17:40 UTC
Greetings, Nico Kadel-Garcia!
Post by Nico Kadel-Garcia
Post by James
Using Nagios on Ubuntu 14.04.1 LTS. I'm attempting to authenticate
users against Samba 4.2.1. When I edit 'apache2.conf' with
<Directory />
Options FollowSymLinks
AllowOverride None
Require all granted
Allow from all
AuthName "AD authentication"
AuthBasicProvider ldap
AuthType Basic
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN On
AuthLDAPURL ldap://dc1.domain.local/172.16.232.29:389/cn=Users,dc=domain?sAMAccountName?sub?(objectClass=*)
AuthLDAPBindDN cn=apache-connect,cn=Users,domain
AuthLDAPBindPassword password
require ldap-group cn=Nagios-Admins,cn=Users,domain
Why are you bothering to use anything outside of Kerberos? Very few
web projects actually need any group, uid, or other information and
are much simplified by simply relying on the inherent Kerberos of a
modern Samba server or AD based service. It also helps eliminate any
need for LDAP credentials with which to issue LDAP queries, and lends
itself much more easily to genuine "single-sign-on" solutions.
You don't need any LDAP credentials other than credentials supplied by
authenticating user.

<IfModule authnz_ldap_module>
Allow from all

AuthName "Subversion repository"
AuthType Basic
AuthBasicProvider ldap

AuthzLDAPAuthoritative on
AuthLDAPURL ldap://127.0.0.1/ou=Users,dc=example,dc=com?uid
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off

# only developers may access the repository
Require ldap-group cn=CVS,ou=Groups,dc=example,dc=com
Require ldap-attribute gidNumber=600
Satisfy all

# And they should obey to SVN user permissions file
<IfModule authz_svn_module>
AuthzSVNAccessFile "/wwwroot/.svn/.registry"
</IfModule>
</IfModule>
--
With best regards,
Andrey Repin
Tuesday, May 12, 2015 17:13:42

Sorry for my terrible english...