Hi, I'm pulling my hair with FreeIPA and Apache BasicAuth LDAP.
I have an application behind an Apache reverse proxy that I want to "protect" with LDAP authentication. This is the (redacted) Apache configuration:

--------------------------------------------------------------------------------------
<VirtualHost *:443>
    ServerName acme.server.org
    ProxyRequests Off
    ProxyPreserveHost On

    # Auth changes in 2.4 - see http://httpd.apache.org/docs/2.4/upgrading.html#run-time
    <Proxy *>
        #Require all granted
    </Proxy>

    <Location /admin>
        Order Deny,Allow
        Deny from all
        Allow from 10.66.38.0/24
    </Location>

    ProxyPass / http://INTSERVER:1234/
    ProxyPassReverse / http://INTSERVER:1234/

    Loglevel ldap_module:debug
    Loglevel auth_basic:debug
    Loglevel authz_core:debug

    <Location />
        Options Indexes FollowSymlinks
        AuthType Basic
        AuthBasicProvider ldap
        AuthName "ACME AUTHENTICATION"
        AuthLDAPURL ldap://ipa2.internal.lan/cn=users,cn=accounts,dc=internal,dc=lan?uid?sub
        AuthLDAPBindDN uid=s_ldapquery,cn=sysaccounts,cn=etc,dc=internal,dc=lan
        AuthLDAPBindPassword XXXXXXXXXXXXXXXXXXXXX
        Require valid-user
    </Location>

    SSLCertificateFile /etc/letsencrypt/live/XXXX/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/XXXX/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/XXXX/chain.pem
</VirtualHost>
--------------------------------------------------------------------------------------

The bind user "s_ldapquery" is working fine; the password has been triple checked and is used with other LDAP integrations.
When authenticating, the Apache logs show:

[Sat Sep 25 18:40:25.891588 2021] [authz_core:debug] [pid 414] mod_authz_core.c(809): [client 1.2.3.4:52628] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Sat Sep 25 18:40:25.891683 2021] [authz_core:debug] [pid 414] mod_authz_core.c(809): [client 1.2.3.4:52628] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Sat Sep 25 18:40:35.786942 2021] [authz_core:debug] [pid 413] mod_authz_core.c(809): [client 1.2.3.4:52629] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Sat Sep 25 18:40:35.787025 2021] [authz_core:debug] [pid 413] mod_authz_core.c(809): [client 1.2.3.4:52629] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Sat Sep 25 18:40:36.028473 2021] [ldap:debug] [pid 413] util_ldap.c(379): AH01278: LDAP: Setting referrals to On.
[Sat Sep 25 18:40:36.210906 2021] [authz_core:debug] [pid 413] mod_authz_core.c(809): [client 1.2.3.4:52629] AH01626: authorization result of Require valid-user : granted
[Sat Sep 25 18:40:36.210987 2021] [authz_core:debug] [pid 413] mod_authz_core.c(809): [client 1.2.3.4:52629] AH01626: authorization result of <RequireAny>: granted
[Sat Sep 25 18:40:36.300669 2021] [authz_core:debug] [pid 413] mod_authz_core.c(809): [client 1.2.3.4:52629] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://acme.server.org/
[Sat Sep 25 18:40:36.300749 2021] [authz_core:debug] [pid 413] mod_authz_core.c(809): [client 1.2.3.4:52629] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://acme.server.org/

There is a "granted" in between, but it does not work.
The authentication itself seems to work, though, because if I specify the wrong password, the log lines change to:

[Sat Sep 25 18:43:43.542566 2021] [authz_core:debug] [pid 432] mod_authz_core.c(809): [client 1.2.3.4:52678] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Sat Sep 25 18:43:43.542639 2021] [authz_core:debug] [pid 432] mod_authz_core.c(809): [client 1.2.3.4:52678] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Sat Sep 25 18:43:45.956792 2021] [ldap:debug] [pid 432] util_ldap.c(379): AH01278: LDAP: Setting referrals to On.
[Sat Sep 25 18:43:46.139978 2021] [auth_basic:error] [pid 432] [client 1.2.3.4:52678] AH01617: user u_test: authentication failure for "/": Password Mismatch

I tried various examples found online on how to set up Apache BasicAuth LDAP integration with FreeIPA, but none worked. What I don't understand in the first place is the "denied (no authenticated user yet)" repeating and then in the middle a "Require valid-user: granted". What am I doing wrong here, or am I missing the point entirely?

Any help would be appreciated!

Best regards,
Thorsten

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
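Added example (not part of the post above, and not code from Apache or FreeIPA): a small triage script that parses Apache 2.4 error-log lines in the default ErrorLogFormat and groups the mod_authz_core AH01626 and mod_auth_basic AH01617 entries by client connection (ip:port). HTTP Basic authentication is evaluated per request: a request that carries no Authorization header is always logged as "denied (no authenticated user yet)" and answered with a 401 challenge, and only the browser's retry with credentials can produce a "granted" line. Grouping the lines per connection makes that challenge-then-grant sequence, and any follow-up request that arrived without credentials (the entries carrying a referer), visible at a glance. The sample log is copied from the post; it assumes IPv4 clients and skips the aggregate <RequireAny> lines, which only repeat the result of the individual Require directives.

```python
"""Group Apache authz/auth_basic debug lines per client connection.

Under HTTP Basic auth every request is authorised on its own, so a
"denied (no authenticated user yet)" line is the 401 challenge for a
request without credentials, and "granted" is the retried request that
carried them. Lines are assumed to be in Apache 2.4's default
ErrorLogFormat; IPv6 client addresses are not handled.
"""
import re
from collections import defaultdict

# Sample input: the log lines quoted in the mailing-list post (successful
# login followed by a wrong-password attempt), one entry per line.
SAMPLE_LOG = """\
[Sat Sep 25 18:40:25.891588 2021] [authz_core:debug] [pid 414] mod_authz_core.c(809): [client 1.2.3.4:52628] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Sat Sep 25 18:40:25.891683 2021] [authz_core:debug] [pid 414] mod_authz_core.c(809): [client 1.2.3.4:52628] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Sat Sep 25 18:40:35.786942 2021] [authz_core:debug] [pid 413] mod_authz_core.c(809): [client 1.2.3.4:52629] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Sat Sep 25 18:40:35.787025 2021] [authz_core:debug] [pid 413] mod_authz_core.c(809): [client 1.2.3.4:52629] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Sat Sep 25 18:40:36.028473 2021] [ldap:debug] [pid 413] util_ldap.c(379): AH01278: LDAP: Setting referrals to On.
[Sat Sep 25 18:40:36.210906 2021] [authz_core:debug] [pid 413] mod_authz_core.c(809): [client 1.2.3.4:52629] AH01626: authorization result of Require valid-user : granted
[Sat Sep 25 18:40:36.210987 2021] [authz_core:debug] [pid 413] mod_authz_core.c(809): [client 1.2.3.4:52629] AH01626: authorization result of <RequireAny>: granted
[Sat Sep 25 18:40:36.300669 2021] [authz_core:debug] [pid 413] mod_authz_core.c(809): [client 1.2.3.4:52629] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://acme.server.org/
[Sat Sep 25 18:40:36.300749 2021] [authz_core:debug] [pid 413] mod_authz_core.c(809): [client 1.2.3.4:52629] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://acme.server.org/
[Sat Sep 25 18:43:43.542566 2021] [authz_core:debug] [pid 432] mod_authz_core.c(809): [client 1.2.3.4:52678] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Sat Sep 25 18:43:43.542639 2021] [authz_core:debug] [pid 432] mod_authz_core.c(809): [client 1.2.3.4:52678] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Sat Sep 25 18:43:45.956792 2021] [ldap:debug] [pid 432] util_ldap.c(379): AH01278: LDAP: Setting referrals to On.
[Sat Sep 25 18:43:46.139978 2021] [auth_basic:error] [pid 432] [client 1.2.3.4:52678] AH01617: user u_test: authentication failure for "/": Password Mismatch
"""

# [timestamp] [module:level] [pid N] [optional source file(line):] [optional client ip:port] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] \[pid (?P<pid>\d+)\]"
    r"(?: (?P<src>\S+\(\d+\)):)?"
    r"(?: \[client (?P<client>[^\]:]+):(?P<port>\d+)\])? (?P<msg>.*)$"
)
REFERER_RE = re.compile(r", referer: (?P<ref>\S+)$")
AUTH_FAIL_RE = re.compile(
    r'AH01617: user (?P<user>\S+): authentication failure for "(?P<uri>[^"]*)": (?P<reason>.*)$'
)


def parse_line(line):
    """Return the fields of one error-log entry, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    ref = REFERER_RE.search(entry["msg"])
    entry["referer"] = ref.group("ref") if ref else None
    return entry


def classify(entry):
    """Map an entry to an outcome label; None for lines that are not tracked."""
    msg = entry["msg"]
    if "AH01626" in msg:
        if "<RequireAny>" in msg:
            return None            # aggregate of the individual Require lines; skip the duplicate
        if "denied (no authenticated user yet)" in msg:
            return "challenge"     # request carried no accepted credentials -> 401 challenge
        if ": granted" in msg:
            return "granted"       # credentials verified and Require satisfied
        if ": denied" in msg:
            return "denied"        # authenticated but the Require directive did not match
    fail = AUTH_FAIL_RE.search(msg)
    if fail:
        return f"auth_failure:{fail['user']}:{fail['reason']}"
    return None


def timeline(log_text):
    """Tracked events grouped by client connection (ip:port), in log order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry or not entry["client"]:
            continue               # ldap module lines carry no client; not attributed here
        outcome = classify(entry)
        if outcome:
            conn = f"{entry['client']}:{entry['port']}"
            events[conn].append({"ts": entry["ts"], "outcome": outcome, "referer": entry["referer"]})
    return dict(events)


def outcomes(log_text):
    """Only the outcome labels per connection, e.g. ['challenge', 'granted', 'challenge']."""
    return {conn: [e["outcome"] for e in evs] for conn, evs in timeline(log_text).items()}


if __name__ == "__main__":
    for conn, evs in timeline(SAMPLE_LOG).items():
        print(conn)
        for e in evs:
            ref = f"  (referer {e['referer']})" if e["referer"] else ""
            print(f"  {e['ts']}  {e['outcome']}{ref}")
```

Run it against a real error log with `timeline(open("/var/log/apache2/error.log").read())`; a connection whose sequence ends in "challenge" after a "granted" shows a later request on the same connection that arrived without credentials, which is worth correlating with the access log before suspecting the LDAP side.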
