Server :: Apache Authentication: Allow LDAP Group OR User Named Guest But Not All LDAP Users?
May 25, 2011
I am using RackMonkey to map out my lab. Unfortunately, due to RM limitations, every user who accesses the site has write access UNLESS they are logged in as a user named "guest". I currently have Apache allowing only the users (sysadmins) in an LDAP group access to RM, but I would like to allow read-only access for other users as well. I found mod_authn_anon, but I am having trouble combining the two authentication methods. I am using Apache 2.2.18 (compiled myself) on SLES 11.1.
This is the common part:
Code:
AuthType Basic
AuthBasicProvider ldap anon
Order allow,deny
Allow from all
This part by itself works for the LDAP authentication:
Anonymous guest
Anonymous_VerifyEmail Off
Anonymous_MustGiveEmail Off
Anonymous_LogEmail on
Require valid-user
But if I have both of the previous blocks enabled at once, then guest access does not work. If I throw in a "Satisfy any", then I am not prompted for a username at all. How can I allow access to this LDAP group and to a user named "guest", but not allow all valid LDAP users to log in?
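One way to express that policy in Apache 2.2, as an added example that is not from the original post. It assumes mod_authnz_ldap, mod_authn_anon, mod_authz_user and mod_authz_default are loaded; the AuthLDAPURL, the group DN and the /rackmonkey location are placeholders.

```apache
# Added example (not from the original post): members of an LDAP group OR the
# anonymous user "guest" get in, but not every valid LDAP account.
# AuthLDAPURL, the group DN and the Location are placeholders.
<Location /rackmonkey>
    AuthType Basic
    AuthName "RackMonkey"
    # Providers are tried in order: ldap first, then anon. The anon provider
    # only ever accepts the username given by "Anonymous" below.
    AuthBasicProvider ldap anon
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid?sub"

    # mod_authn_anon: accept "guest" with any password, no e-mail required
    Anonymous guest
    Anonymous_VerifyEmail Off
    Anonymous_MustGiveEmail Off
    Anonymous_LogEmail On

    # Authorization: in 2.2 several Require lines are ORed, but each authz
    # module only understands its own kind. Mark both modules non-authoritative
    # so that a module whose Require line does not match declines instead of
    # returning 401, and the other module gets its turn. A user matching
    # neither line falls through to mod_authz_default, which refuses access.
    AuthzLDAPAuthoritative Off
    AuthzUserAuthoritative Off
    Require ldap-group cn=sysadmins,ou=groups,dc=example,dc=com
    Require user guest

    # Keep the default "Satisfy all": with "Allow from all", a "Satisfy any"
    # would let the host rule alone grant access and no login prompt appears.
    Order allow,deny
    Allow from all
</Location>
```

There must be no "Require valid-user" line: it is satisfied by every account the ldap provider accepts, which is exactly the behaviour the post wants to avoid. Also pick an anonymous username that does not exist as a uid in the directory, since a failed LDAP login for that name would still be accepted by the anon provider.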
How to make a new Ubuntu 9.10 box use our LDAP/Samba server for user authentication? Our Red Hat and Windows machines all use it just fine. I've been trying to use the auth-client-config and libnss-ldap packages for this purpose, but I must be missing something. I'm pretty green with LDAP, so this is my first time diving in... Is there a good How-To or step-by-step read on this? All of my searches lead me to setting up Ubuntu as the server, and that isn't what I want. I've also tried the steps listed in [URL] for the LDAP Authentication section.
I want to configure a Linux LDAP server for user authentication when my users want to connect to the internet. Also I don't want the user to get the home directory on the server. I configured the LDAP server and LDAP client without PAM & SASL, and now with Perl I can search in LDAP for my client's username & password.
I have an issue with Apache2 and ldap authentication. Here are the specs: Linux 2.6.32-24-generic i686 GNU/Linux Ubuntu 10.04.1 LTS Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch configured
I have installed our site onto a newer server as we were previously running SLES 9.3. The site has installed correctly; however, it seems to be serving the pages a hell of a lot slower than SLES (even though the specs etc. are much improved). The main problem seems to be with LDAP - sometimes taking 2 or 3 minutes before authenticating/serving the user - and sometimes one minute it works, another minute it doesn't! We know it's a problem specific to this Ubuntu machine, as the older server has no issues with LDAP whatsoever. Also, sometimes the LDAP authentication fails altogether with a timeout, resulting in a 500 status code. I'm not sure whether this is a problem with the Apache config, the network settings or the server setup. We know LDAP itself is fine.
Here's the /etc/apache2/sites-available/default config for LDAP. Are these directives correct? (I know a lot of changes were made between apache2 and apache2.2 that may affect this config):
Code:
ScriptAlias /home/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin/">
AuthType Basic
AuthzLDAPAuthoritative On
AuthBasicProvider ldap
AuthName "Active Directory Authentication Required."
AuthLDAPURL "ldap://x.x.x.x:3268/DC=xxxxxx,DC=com?userPrincipalName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "xxxxx@xxxx.com"
AuthLDAPBindPassword xxxxxxxx
require valid-user
Options +ExecCGI -Includes
AllowOverride None
</Directory>
Here are some examples of the log messages we have been receiving:
1. This one occurs up to ten times in a row when the client is being authenticated:
Code:
[Thu Nov 04 12:47:19 2010] [debug] mod_authnz_ldap.c(377): [client x.x.x.x] [2892] auth_ldap authenticate: using URL ldap://x.x.x.x:3268/DC=xxxxxxx,DC=com?userPrincipalName?sub?(objectClass=*), referer: http://x.x.x.x/home/page
2. This is output when the authentication works:
Code:
[debug] mod_authnz_ldap.c(474): [client x.x.x.x] [2734] auth_ldap authenticate: accepting xxxxx@xxxx.xxxxx.com, referer: http://x.x.x.x/home/page
3. And this one is always output after the message above. This one is more interesting. What does this mean exactly? And why does it say 'declining to authorise' directly after saying 'accepting user@domain.com'? Surely this makes no sense:
Code:
[debug] mod_authnz_ldap.c(546): [client x.x.x.x] [2939] auth_ldap authorise: declining to authorise (no ldap requirements), referer: http://x.x.x.x/home/page
4. This one is output when the authentication attempt times out (after 10 outputs of message number 1):
Code:
[warn] [client x.x.x.x] [3165] auth_ldap authenticate: user xxxx@xxx.xxxxx.com authentication failed; URI /home/page [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server], referer: http://x.x.x.x/home/page
In the past I found some great help on this forum, so here goes. Bear with me because it's a long story. I'll try to be as complete as possible. I've installed and configured OpenLDAP on a virtual machine with IP 192.168.39.134. I've added 2 users via LAM, in the ou WikiUsers, and the domain is wiki.local.
I've then created another host with IP 192.168.39.133 with MediaWiki installed on it. Then I added the extension LDAPAuthentication. In the LdapAuthentication file I added this code (only the last paragraph is mine; I added the others to show its location in the script):
I know I'm close because I can't register any new users or accounts on the MediaWiki site, although I could before I added the LDAP service. This is indeed all just to test and get to know how LDAP works. That's why it's all virtual in VMware. I did not really configure anything on the LDAP server; I just installed it and chose a domain (wiki.local).
I've compiled openssh-5.4p1 on RHEL 4.8 with OpenSSL 0.9.8m + PAM. It works perfectly without PAM (pam-0.77-66), both with password and public key auth. With PAM enabled and LDAP (openldap-2.4.21, from scratch) something strange happens: system users: I can do ssh with both password and public key. LDAP users: public key works for remote users, but still I cannot do ssh with just a password. I'm trying a custom PAM configuration, because the default one (even with authconfig + LDAP) blocks ssh even with system users.
I have Tomcat installed with port forwarding to HTTP port 80. I configured LDAP authentication for apache2 (/var/www). But I could not configure Tomcat for LDAP authentication.
I've enabled LDAP authentication on my 2.2.15 Apache server, but now pages load very slowly. As in, 1.515s with it enabled, and 187.4ms without (just the base page, numbers collected via Firebug). Here's my LDAP config (other directives snipped) -
I installed CentOS 5.2 and then ran yum update. I configured this server as an LDAP/Samba primary domain controller. LDAP seems to be OK and for testing I am able to create users with: smbldap-tools useradd -am username. I can ssh into the server as root and also as a Linux user which was locally created on the server. But ssh into the server as an LDAP user fails (from a Fedora 11 machine) with "Permission denied, please try again", prompting again for the password. Some data:
I have a CentOS 5 system with OpenLDAP configured. I need OpenLDAP for simple user authentication, i.e. to be able to use it for authenticating from remote applications and systems like mail clients, etc.
I was able to successfully install and configure OpenLDAP and ran slaptest to verify the slapd.conf file for errors and found none. So now all I want to do is add usernames and passwords to the LDAP database.
I am just not sure which objectClasses I need to use for the attributes uid and userPassword, and what exactly the LDIF file syntax should be for the above entries. I tried various sources but I either get errors while adding, or after adding I get errors trying to access it.
Above all, I am able to access the LDAP server from my phpLDAPadmin only as an anonymous user and not as the root user that I added as the first entry.
I've set up an Ubuntu 10.10 LDAP client to authenticate off my LDAP server. I've installed the following:
Code:
sudo apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db nscd ldap-utils pam_ccreds
Here's my /etc/nsswitch.conf:
Code:
passwd: files ldap [NOTFOUND=return] db
group: files ldap [NOTFOUND=return] db
I've a webpage that has some links to videos. When a user clicks on that link, I need the user to be redirected to the login page, which checks credentials with the LDAP server and then grants access to the video. I've searched Google for some code but all I found is some samples that authenticate the user. But when the user enters the login credentials, how do I implement that code in the backend and redirect to the video if the user can authenticate himself?
I'm working on a media delivery platform where, when a user clicks on the RTSP link of the video, it should send the request and see if the user is a valid user (using his username and password).
I'm trying to utilize my company's IT organization's LDAP service (running on some sort of Windows) for authenticating users on an Ubuntu box. Another group has done something similar for CentOS; I've used their ldap.conf as a reference as well as ap-server.html (LDAP Authentication section). I can't get it to work. When I try to connect as my corporate user I see this in auth.log:
Code: Jan 14 14:32:24 Algalon sshd[7062]: nss_ldap: could not connect to any LDAP server as cn=ldapquery2,cn=Users,dc=<companyname>,dc=com - Can't contact LDAP server
I have an OpenLDAP server running on one machine (Fedora 10) and pam_ldap.so and nss_ldap.so running on the other machine.
I have added a new user to the LDAP server database; this user is not created on the client machine.
1. Can I log in to the client machine using this new user?
2. Now if I try logging in with this new user I am getting error messages; the error messages are as follows at the client side:
Sep 2 10:34:36 localhost sshd[8484]: Invalid user kim from 10.254.194.148
Sep 2 10:34:36 localhost sshd[8485]: input_userauth_request: invalid user kim
Sep 2 10:35:16 localhost sshd[8484]: pam_ldap: error trying to bind as user "cn=min soo,ou=people,dc=samsung,dc=com" (Invalid credentials)
Here are the specs of my machine: Linux matrix 2.6.18-92.el5 #1 SMP Tue Apr 29 13:16:12 EDT 2008 i686 i686 i386 GNU/Linux Red Hat Enterprise Linux Server release 5.2 (Tikanga)
When I run an ldapsearch in root, it works fine. tcpdump filtered by dest IP shows packets captured.
When I run an ldapsearch in a perl script as root, it works fine. tcpdump filtered by dest IP shows packets captured.
However, when I run it via a perl script in my cgi-bin directory it fails. tcpdump shows no packets captured. When I added a "2>&1" to my ldap search in my cgi script, I got "ldap_bind: Can't contact LDAP server (-1)".
I ran a "whoami" in my cgi script and it showed up as apache.
Another twist to all this is that I ran the same test on my Slackware box, and everything works (especially the CGI script). Here's what the specs are on that machine:
Linux slackvm 2.6.29.6-smp #2 SMP Mon Aug 17 00:52:54 CDT 2009 i686 Intel(R) Core(TM)2 Duo CPU P8400 @ 2.26GHz GenuineIntel GNU/Linux
I checked the permissions on the ldapsearch file and directory, and they're the same (755).
Could there be something blocking the apache user on my Red Hat box from sending packets out?
I have Ubuntu 10.04.2 (Linux 2.6.32-33-server on x86_64) with OpenLDAP 2.4.21 and Webmin 1.550. I converted my LDAP database from another system with the older style schema (OpenLDAP 2.3.3 with the slightly older Webmin version 1.480) and no longer use slapd.conf, but the newer slapd.d format.
It all works fine except for one thing. When I add a new user, it lets me type in the additional LDAP fields:
But when I click the Create button, all the fields get jumbled together in the Title/Position box with a diamond question mark delimiting the fields:
Modifying existing users (which have the Additional fields displaying correctly) also has the same result - it moves the fields all into the one Title/Position box with the diamond shapes with question marks inside between each entry. Is it a problem with my schema files? I tried reverting to the older schema files and slapd.conf and it still did the same thing on the new system. I am really at a loss.
Here is also the output of ldapsearch for that user (host and samba ids are sanitized):
Previously added users that show the fields properly have "description:" and then the field listed for each Additional LDAP field. Also shouldn't the "title" be visible in plain human readable text here? - it looks like it encrypted it somehow - similar to a password hash. The older system works fine and the fields are all readable and in their proper locations. But the new system just doesn't work right.
I have configured an LDAP server on RHEL 4 for creating an address book.
The following is the configuration file on the LDAP server, /etc/openldap/slapd.conf:
Code:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
I am able to import this LDIF file into the database. Also, when I perform an ldapsearch on this server with the command ldapsearch -x -W -D "cn=manager,dc=example,dc=com" -b "dc=example,dc=com", I get correct output.
But when I am trying to search from another client machine, I am getting "error ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)".
Also, when I configured the address book in Mozilla on the server, it is working fine, but it is not working on another machine. Is any configuration missing on the client machine? Both the LDAP server and client are configured on RHEL 4 ES without any firewall or SELinux.
We have a weird problem with our openSUSE 11.2 server installation.
We want to set up an LDAP server using the YaST LDAP Server configuration tool.
This indeed already worked weeks ago until... this week. Maybe some updates??!
I do not know what happened exactly. The server just does not want to start again and throws the following error:
Starting ldap-serverstartproc: exit status of parent of /usr/lib/openldap/slapd: 1 failed
This happened after a little check of the configuration, but without a change, with YaST. Google delivered only "reinstall your box" answers.
So... I did that. And now the "mystical" part: the SAME ERROR occurs with a fresh vanilla system with a brand new and simple configuration (certificates, database, pw... the first YaST config dialog...). I did not change the way I set it up.
I remember, when I did this the first time with 11.2 on that machine, no problems occurred... everything was running out of the box (except the "use common server certificate" option...).
I installed the Nconf software on a Debian server. I am trying to configure Nconf authentication with LDAP. I edited nconf's authentication.php file accordingly and I installed the php5-ldap package. When I enter username and password in Nconf's login screen.
Just installed openldap server on a VM CentOS called 'ldapsrv', it works fine, ldapsearch returns all ldap information.
Installed openldap client on another VM CentOS called 'ldapclient1', configured it with most basic configuration, no ssl/tls etc. but ldapsearch returns error:
I have an OpenLDAP server and I am authenticating with Red Hat Directory Services (RHDS). I have configured the RHDS for the user login, giving /bin/bash as the login shell, and joined the client machine using system-config-authentication. The user is able to log in on the command line but below it gives the error: "cannot find name for group id <id number>"
I've installed Directory Server (LDAP). The setup has been done according to the tutorials online. I am able to access the interface as well. So far so good. The issue I have is with permissions. I can assign file permissions to a user created in the Directory Server (a user not created on the local server). But the same can't be done for a group - at least the way I currently see it. How could I assign file system rights to a group created in the directory server?
I've several servers (windows+linux) that authenticate to an LDAP server. There is one machine that I would like to allow only certain groups from LDAP server to have access and I am not sure where to start.
If that cannot be done, is it possible to disable LDAP root user to access these machines?
I'm trying to set up a Linux server and I am new to this. I have gone through most of the configuration using SAMBA 3.0 and when I populate the ldap directory all I get this error before the password request:
Then when I perform an ldapsearch to see if the directory is populated I get this message:
I'm checking with a sniffer and there's activity going on between the client and the LDAP server... as a matter of fact, the sniffer shows that the search is producing one ldap item, however, php says it can't contact the ldap server (after it has bound and everything):
The script is working beautifully on another host with debian.
How to export normal Unix users to LDAP: I've an Ubuntu LDAP server with some local users. I want to export all my local users to the LDAP database as LDAP users. Or is there any configuration so that whenever a normal user is created, an LDAP user with the same name as the normal user will automatically be created?
I have Centos ( and Postfix+ldap+dovecot ) TLS works with Postfix and LDAP. When I open evolution mail client I can browse ldap tree and search for users, send-receive mails ...all fine