That "Require all granted" effectively provides access regardless of authentication. Try removing this line, so only Require ldap-group applies.
On 1 May 2023 21:57:43 CEST, Kent Wick <kent.w...@ers.texas.gov> wrote:
>Environment: SLES 15 SP4, fully patched, uses SSSD to successfully logon to
>the host as an Active Directory account
>
>Apache version (as compiled / implemented by SuSE)
>
>Server version: Apache/2.4.51 (Linux/SUSE)
>Server built: 2023-03-10 12:56:22.000000000 +0000
>Server's Module Magic Number: 20120211:118
>Server loaded: APR 1.6.3, APR-UTIL 1.6.1
>Compiled using: APR 1.6.3, APR-UTIL 1.6.1
>Architecture: 64-bit
>Server MPM: prefork
> threaded: no
> forked: yes (variable process count)
>
>My issue: I can successfully logon to the SLES host using an Active Directory
>account.
>
>I can bring up the contents of the "index.html" web page through Apache.
>
>But... For the life of me I cannot get Apache to use Active Directory to
>secure that web page.
>
>
>We are taking this set up from a working Apache server that runs on AIX that
>can authenticate with AD.
>
>What should happen is that when the connection request comes in, before any
>data is displayed, there should be a prompt for the AD account and password.
>It works with AIX and Apache.
>The version of Apache that is on the AIX host:
>
>Server version: Apache/2.4.28 (Unix)
>Server built: Oct 18 2017 12:41:23
>Server's Module Magic Number: 20120211:68
>Server loaded: APR 1.6.2, APR-UTIL 1.6.0
>Compiled using: APR 1.6.2, APR-UTIL 1.6.0
>Architecture: 32-bit
>Server MPM: worker
> threaded: yes (fixed thread count)
> forked: yes (variable process count)
>
>Comparing the original httpd.conf to what I'm running:
>
>diff httpd.conf_original httpd.conf
>147a148,149
>> Include /etc/apache2/ldap_connection.conf
>>
>
>The file ldap_connection.conf has the contents of:
>
>LDAPSharedCacheSize 500000
>LDAPCacheEntries 1024
>LDAPCacheTTL 600
>LDAPOpCacheEntries 1024
>LDAPOpCacheTTL 600
>LDAPConnectionTimeout 5
>#
>LDAPLibraryDebug 7
>
>The vhost.conf that I'm using:
>
><VirtualHost 10.2.16.120:80> This is the SLES host I'm
>working on
> DocumentRoot /etc/apache2/conf.d
></VirtualHost>
><VirtualHost 10.2.16.120:80>
> DocumentRoot "/var/mnt/aixhost_docs/docs"
> ServerName nbendev8
> ServerAlias nbendev8.our_domain
> ServerAdmin Org-IS_SE_ES@our_email_domain
> ErrorLog /var/mnt/aixhost_docs/logs/nbendev8_error.log
> CustomLog /var/mnt/aixhost_docs/logs/nbendev8_access.log common
> LogLevel debug
>
> <Directory "/var/mnt/aixhost_docs/docs">
> AuthName "Enter Windows Userid/Password"
> AuthType Basic
> AuthBasicProvider ldap
> AuthLDAPURL
> "ldap://our_domain:389/dc=XX,dc=XX,dc=state,dc=tx,dc=us?sAMAccountName?sub?(objectClass=user)"
> AuthLDAPBindDN xxx_yyy_zzz@out_domain
> AuthLDAPBindPassword password_for_above BindDN I've tested logon to
> the SLES host from the console with that AD account and it works.
> AuthBasicAuthoritative on
> Require ldap-group
> cn=http-users-bendev1,ou=Apache,ou=AIX-Servers,ou=Applications,dc=XX,dc=XX,dc=state,dc=tx,dc=us
> Options Indexes FollowSymLinks
> AllowOverride AuthConfig << I've tried using "none" and it
> didn't make a difference
> Require all granted
> </Directory>
></VirtualHost>
>
>If anyone has an idea of what I could look for or maybe an example of a
>working Apache/Linux (or SLES)/ActiveDirectory it would be much appreciated.
>
>I would include some logs but there isn't any useful information in them.
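
Added example, not part of either message and not Apache project code: a small Python check for the misconfiguration discussed in this thread. Apache 2.4 treats multiple `Require` lines directly inside one section as an implicit `<RequireAny>`, so `Require all granted` next to `Require ldap-group` means the group rule is never enforced. The function name, the sample config and the shortened DN are constructed for illustration.

```python
import re

# Sections whose direct Require lines Apache 2.4 merges as an implicit <RequireAny>.
SECTIONS = {"directory", "directorymatch", "location", "locationmatch", "files", "filesmatch"}
AUTHZ = {"requireall", "requireany", "requirenone"}
TAG = re.compile(r"<(/?)(\w+)\s*([^>]*)>")

def find_open_access(conf):
    """Return [(section, other_rules)] where 'Require all granted' sits in an
    any-of group beside other rules, so those rules are never enforced."""
    stack, findings = [], []          # stack frames: [kind, label, rules]
    for raw in conf.splitlines():
        line = raw.strip()
        tag = TAG.match(line)
        if tag and tag.group(2).lower() in SECTIONS | AUTHZ:
            closing, kind, arg = tag.group(1), tag.group(2).lower(), tag.group(3)
            if not closing:
                stack.append([kind, arg.strip().strip('"') or kind, []])
            elif stack:
                kind, label, rules = stack.pop()
                others = [r for r in rules if r.lower() != "all granted"]
                if kind not in ("requireall", "requirenone") and others and len(others) < len(rules):
                    findings.append((label, others))
                if kind in AUTHZ and stack:   # a nested block is one rule of its parent
                    stack[-1][2].append("<%s>" % kind)
        elif stack and re.match(r"require\s", line, re.I):
            stack[-1][2].append(" ".join(line.split()[1:]))
    return findings

# Constructed sample modelled on the <Directory> block in the post (DN is a placeholder).
BROKEN = """
<Directory "/var/mnt/aixhost_docs/docs">
    AuthType Basic
    AuthBasicProvider ldap
    Require ldap-group cn=http-users,ou=Apache,dc=example,dc=org
    Options Indexes FollowSymLinks
    Require all granted
</Directory>
"""
FIXED = BROKEN.replace("    Require all granted\n", "")

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, find_open_access(conf) or "ok")
```

The check reads a single config text and does not follow `Include` lines or `.htaccess` files, so run it on each file that can carry `Require` directives.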