1 votes

Display Name avatar

Apache 2.4 et LDAP. Problèmes d'authentification de base

Demandé el 21 de Juillet, 2021
Quand la question a-t-elle été
680 affichage
Nombre de visites la question a
1 Réponses
Nombre de réponses aux questions
Ouvert
Situation réelle de la question

J'utilise CentOS 8 Stream + Apache 2.4 + Subversion.

Je veux autoriser l'accès à SVN uniquement aux utilisateurs qui appartiennent à un groupe LDAP spécifique (svn-users).

J'ai les problèmes suivants.

cas 1. Entrez l'ID / PW correct en tant qu'utilisateur LDAP appartenant à svn-users

Cela fonctionne comme prévu.

Cet utilisateur peut accéder au SVN.

cas 2. Entrez l'ID / PW correct comme un utilisateur LDAP qui n'appartient pas à svn-users

Cela ne fonctionne pas comme prévu.

Je pensais que cet utilisateur ne pouvait pas accéder à SVN, mais en réalité il le peut.

cas3. Entrer un mauvais ID LDAP / PW

Une erreur de serveur interne 500 se produit.

Pour les navigateurs, la boîte de dialogue d'authentification de base ne réapparaît pas et l'utilisateur doit redémarrer le navigateur.

Je veux résoudre les cas 2 et 3.

Quelqu'un peut-il m'aider ?

Ma configuration et mon journal sont ci-dessous.

/etc/httpd/conf/httpd.conf

[root@my-redmine conf]# cat httpd.conf | egrep -v "^\s*#|^$"
ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin root@localhost
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
<Files ".ht*">
    Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
<IfModule mime_module>
    TypesConfig /etc/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>
EnableSendfile on
IncludeOptional conf.d/subversion.conf
[root@my-redmine conf]#

/etc/httpd/conf,d/subversion.conf

[root@my-redmine conf.d]# cat subversion.conf | egrep -v "^\s*#|^$"
<Location /svn/svn-test>
    DAV svn
    SVNPath /usr/local/svn/svn-test
    LogLevel debug

    AuthLDAPBindDN <MyAdmin>
    AuthLDAPBindPassword <MyAdminPassword>
    LDAPReferrals off
    AuthLDAPBindAuthoritative off
    AuthType Basic
    AuthName "Subversion repository(LDAP)"
    AuthBasicAuthoritative off
    AuthUserFile /dev/null
    AuthBasicProvider ldap
    AuthzSVNAccessFile /usr/local/svn/svn-test/authzsvn.conf
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPGroupAttribute memberUid
    AuthLDAPUrl ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
    Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local
</Location>
[root@my-redmine conf.d]#

Le module comprend

[root@my-redmine conf.d]]# httpd -t -M | grep auth
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_anon_module (shared)
 authn_core_module (shared)
 authn_dbd_module (shared)
 authn_dbm_module (shared)
 authn_file_module (shared)
 authn_socache_module (shared)
 authz_core_module (shared)
 authz_dbd_module (shared)
 authz_dbm_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_owner_module (shared)
 authz_user_module (shared)
 authnz_ldap_module (shared)
 authz_svn_module (shared)
[root@my-redmine conf.d]]#

cas 1 error_log

[Tue Jul 20 21:56:43.046463 2021] [authz_svn:info] [pid 195900:tid 140586535274240] [client 192.168.100.120:61050] Access granted: - GET (null)
[Tue Jul 20 21:56:43.046514 2021] [authz_core:debug] [pid 195900:tid 140586535274240] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:56:43.046519 2021] [authz_core:debug] [pid 195900:tid 140586535274240] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.339879 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.339918 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.339927 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(523): [client 192.168.100.120:61050] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:56:45.343581 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(620): [client 192.168.100.120:61050] AH01697: auth_ldap authenticate: accepting svnuser
[Tue Jul 20 21:56:45.343608 2021] [authz_svn:info] [pid 195900:tid 140586518488832] [client 192.168.100.120:61050] Access granted: 'svnuser' GET (null)
[Tue Jul 20 21:56:45.343845 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.343852 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.343858 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(523): [client 192.168.100.120:61050] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:56:45.343869 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(620): [client 192.168.100.120:61050] AH01697: auth_ldap authenticate: accepting svnuser
[Tue Jul 20 21:56:45.343876 2021] [authz_svn:debug] [pid 195900:tid 140586518488832] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.168.100.120:61050] Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
[Tue Jul 20 21:56:45.343905 2021] [authz_svn:info] [pid 195900:tid 140586518488832] [client 192.168.100.120:61050] Access granted: 'svnuser' GET svn-test:/branches
[Tue Jul 20 21:56:45.343929 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.343942 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.343946 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(523): [client 192.168.100.120:61050] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:56:45.343953 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(620): [client 192.168.100.120:61050] AH01697: auth_ldap authenticate: accepting svnuser
[Tue Jul 20 21:56:45.343958 2021] [authz_svn:debug] [pid 195900:tid 140586518488832] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.168.100.120:61050] Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
[Tue Jul 20 21:56:45.343961 2021] [authz_svn:info] [pid 195900:tid 140586518488832] [client 192.168.100.120:61050] Access granted: 'svnuser' GET svn-test:/tags
[Tue Jul 20 21:56:45.343974 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.343977 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.343980 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(523): [client 192.168.100.120:61050] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:56:45.343987 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(620): [client 192.168.100.120:61050] AH01697: auth_ldap authenticate: accepting svnuser
[Tue Jul 20 21:56:45.343991 2021] [authz_svn:debug] [pid 195900:tid 140586518488832] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.168.100.120:61050] Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
[Tue Jul 20 21:56:45.343994 2021] [authz_svn:info] [pid 195900:tid 140586518488832] [client 192.168.100.120:61050] Access granted: 'svnuser' GET svn-test:/trunk

cas 2 error_log

[Tue Jul 20 21:57:46.345179 2021] [authz_svn:info] [pid 195900:tid 140586577237760] [client 192.168.100.120:61657] Access granted: - GET (null)
[Tue Jul 20 21:57:46.345227 2021] [authz_core:debug] [pid 195900:tid 140586577237760] mod_authz_core.c(820): [client 192.168.100.120:61657] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:57:46.345231 2021] [authz_core:debug] [pid 195900:tid 140586577237760] mod_authz_core.c(820): [client 192.168.100.120:61657] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.242776 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.242818 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.242828 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(523): [client 192.168.100.120:51105] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:57:52.242843 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(620): [client 192.168.100.120:51105] AH01697: auth_ldap authenticate: accepting not-svnuser
[Tue Jul 20 21:57:52.242854 2021] [authz_svn:info] [pid 195902:tid 140586619234048] [client 192.168.100.120:51105] Access granted: 'not-svnuser' GET (null)
[Tue Jul 20 21:57:52.243059 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.243069 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.243074 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(523): [client 192.168.100.120:51105] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:57:52.243080 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(620): [client 192.168.100.120:51105] AH01697: auth_ldap authenticate: accepting not-svnuser
[Tue Jul 20 21:57:52.243104 2021] [authz_svn:debug] [pid 195902:tid 140586619234048] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.168.100.120:51105] Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
[Tue Jul 20 21:57:52.243190 2021] [authz_svn:info] [pid 195902:tid 140586619234048] [client 192.168.100.120:51105] Access granted: 'not-svnuser' GET svn-test:/branches
[Tue Jul 20 21:57:52.243215 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.243220 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.243224 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(523): [client 192.168.100.120:51105] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:57:52.243231 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(620): [client 192.168.100.120:51105] AH01697: auth_ldap authenticate: accepting not-svnuser
[Tue Jul 20 21:57:52.243235 2021] [authz_svn:debug] [pid 195902:tid 140586619234048] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.168.100.120:51105] Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
[Tue Jul 20 21:57:52.243238 2021] [authz_svn:info] [pid 195902:tid 140586619234048] [client 192.168.100.120:51105] Access granted: 'not-svnuser' GET svn-test:/tags
[Tue Jul 20 21:57:52.243248 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.243251 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.243254 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(523): [client 192.168.100.120:51105] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:57:52.243261 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(620): [client 192.168.100.120:51105] AH01697: auth_ldap authenticate: accepting not-svnuser
[Tue Jul 20 21:57:52.243265 2021] [authz_svn:debug] [pid 195902:tid 140586619234048] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.168.100.120:51105] Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
[Tue Jul 20 21:57:52.243274 2021] [authz_svn:info] [pid 195902:tid 140586619234048] [client 192.168.100.120:51105] Access granted: 'not-svnuser' GET svn-test:/trunk

cas 3 error_log

[Tue Jul 20 21:55:55.187406 2021] [authz_svn:info] [pid 195900:tid 140586669557504] [client 192.168.100.120:56967] Access granted: - GET (null)
[Tue Jul 20 21:55:55.187474 2021] [authz_core:debug] [pid 195900:tid 140586669557504] mod_authz_core.c(820): [client 192.168.100.120:56967] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:55:55.187484 2021] [authz_core:debug] [pid 195900:tid 140586669557504] mod_authz_core.c(820): [client 192.168.100.120:56967] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:55:58.763087 2021] [authz_core:debug] [pid 195900:tid 140586635986688] mod_authz_core.c(820): [client 192.168.100.120:56967] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:55:58.763150 2021] [authz_core:debug] [pid 195900:tid 140586635986688] mod_authz_core.c(820): [client 192.168.100.120:56967] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:55:58.763159 2021] [authnz_ldap:debug] [pid 195900:tid 140586635986688] mod_authnz_ldap.c(523): [client 192.168.100.120:56967] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:55:58.765260 2021] [authnz_ldap:debug] [pid 195900:tid 140586635986688] mod_authnz_ldap.c(561): [client 192.168.100.120:56967] AH01694: auth_ldap authenticate: user svnuser authentication failed; URI /svn/svn-test/ [ldap_simple_bind() to check user credentials failed][Invalid credentials] (not authoritative)
[Tue Jul 20 21:55:58.765297 2021] [authn_core:error] [pid 195900:tid 140586635986688] [client 192.168.100.120:56967] AH01796: AuthType Basic configured without corresponding module
Demandé el 21 de Juillet, 2021 par Display Name

Réponse

Trop de publicités?

0voto

DanJGer avatar
DanJGer Points 111

Essayez de supprimer AuthzBasicAuthoritative et de définir AuthzLDAPBindAuthoritative = on.

De cette façon, l'authentification devrait échouer immédiatement sans essayer de passer par d'autres mécanismes d'authentification.

Répondu el 13 de Août, 2021 par DanJGer (111 Points )

Questions en vedette

Top Tags

Dans notre réseau

SistemesEz.com

SystemesEZ est une communauté de sysadmins où vous pouvez résoudre vos problèmes et vos doutes. Vous pouvez consulter les questions des autres sysadmins, poser vos propres questions ou résoudre celles des autres.

Powered by:

Yandex
X