Hello,

Using Nagios on Ubuntu 14.04.1 LTS. I'm attempting to authenticate users against Samba 4.2.1. When I edit 'apache2.conf' with

<Directory />
Options FollowSymLinks
AllowOverride None
Require all granted
Allow from all
AuthName "AD authentication"
AuthBasicProvider ldap
AuthType Basic
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN On
AuthLDAPURL ldap://dc1.domain.local/172.16.232.29:389/cn=Users,dc=domain?sAMAccountName?sub?(objectClass=*)
AuthLDAPBindDN cn=apache-connect,cn=Users,domain
AuthLDAPBindPassword password
require ldap-group cn=Nagios-Admins,cn=Users,domain

and attempt to restart Apache. I get the following.

root at nagios:~# service apache2 restart
 * Restarting web server apache2 [fail]
 * The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 159 of /etc/apache2/apache2.conf:
Unknown Authn provider: ldap
Action 'configtest' failed.
The Apache error log may have more information.

I'm not seeing anything of help in the Apache logs.

-- 
-James
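Apache's mod_authnz_ldap documents AuthLDAPURL as ldap://host:port/basedn?attribute?scope?filter, and everything between the host and the first "?" is taken as the search base DN. The following validator is an added example (not code from the thread, Apache or Samba) that splits a URL along those documented boundaries and reports components that cannot be what the directive expects; the regular expressions for hostnames and RDNs, and the treatment of the first host's port as the only one, are simplifications of my own:

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# AuthLDAPURL layout per the mod_authnz_ldap documentation:
#   ldap://host:port/basedn?attribute?scope?filter   (ldaps:// also accepted)
# A relative-DN must look like attr=value; the host list may be several
# space-separated entries used for failover.
RDN_RE = re.compile(r'^[A-Za-z][A-Za-z0-9-]*=.+$')
HOST_RE = re.compile(r'^[A-Za-z0-9.-]+$')   # assumption: no IPv6 literals


@dataclass
class LdapUrl:
    scheme: str = ''
    hosts: List[str] = field(default_factory=list)
    port: Optional[int] = None
    basedn: str = ''
    attribute: str = 'uid'     # Apache's documented default when omitted
    scope: str = 'sub'         # Apache's documented default when omitted
    filter: str = ''
    problems: List[str] = field(default_factory=list)


def _split_host_port(entry: str):
    host, sep, port = entry.rpartition(':')
    if sep and port.isdigit():
        return host, int(port)
    return entry, None


def parse_authldapurl(url: str) -> LdapUrl:
    res = LdapUrl()
    m = re.match(r'^(ldaps?)://([^/]*)(?:/(.*))?$', url.strip())
    if not m:
        res.problems.append('not an ldap:// or ldaps:// URL')
        return res
    res.scheme, hostpart, rest = m.group(1), m.group(2), m.group(3) or ''

    for entry in hostpart.split():
        host, port = _split_host_port(entry)
        if not HOST_RE.match(host):
            res.problems.append(f'invalid host {host!r}')
        res.hosts.append(host)
        if port is not None and res.port is None:
            res.port = port
    if not res.hosts:
        res.problems.append('no host given')

    # basedn?attribute?scope?filter: at most four fields, filter may hold '?'
    parts = rest.split('?', 3)
    res.basedn = parts[0]
    if len(parts) > 1 and parts[1]:
        res.attribute = parts[1]
    if len(parts) > 2 and parts[2]:
        res.scope = parts[2].lower()
    if len(parts) > 3:
        res.filter = parts[3]

    # Anything that is not attr=value in the base DN (e.g. a second
    # host:port that slipped in after the first '/') is flagged here.
    if not res.basedn:
        res.problems.append('empty base DN')
    for rdn in res.basedn.split(','):
        if not RDN_RE.match(rdn.strip()):
            res.problems.append(f'base DN component {rdn.strip()!r} is not attr=value')
    if res.scope not in ('one', 'sub'):
        res.problems.append(f'scope {res.scope!r} not supported by mod_authnz_ldap (use one or sub)')
    if res.filter and not (res.filter.startswith('(') and res.filter.endswith(')')):
        res.problems.append('filter must be parenthesised, e.g. (objectClass=user)')
    return res


if __name__ == '__main__':
    # The URL from the message above, followed by a well-formed variant.
    for u in ('ldap://dc1.domain.local/172.16.232.29:389/cn=Users,dc=domain?sAMAccountName?sub?(objectClass=*)',
              'ldap://dc1.domain.local:389/cn=Users,dc=domain,dc=local?sAMAccountName?sub?(objectClass=user)'):
        r = parse_authldapurl(u)
        print(u, '->', r.problems or 'OK', '| base DN:', r.basedn)
```

Run it against an AuthLDAPURL before reloading Apache: a DN component that is not attr=value, or a scope other than one/sub, means the search will not do what the directive reads as if it does, and such a URL gives no syntax error at configtest time.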
On 05/11/2015 08:24 AM, James wrote:
> Hello,
>
> Using Nagios on Ubuntu 14.04.1 LTS. I'm attempting to authenticate
> users against Samba 4.2.1. When I edit 'apache2.conf' with
>
> <Directory />
> Options FollowSymLinks
> AllowOverride None
> Require all granted
> Allow from all
> AuthName "AD authentication"
> AuthBasicProvider ldap
> AuthType Basic
> AuthLDAPGroupAttribute member
> AuthLDAPGroupAttributeIsDN On
> AuthLDAPURL ldap://dc1.domain.local/172.16.232.29:389/cn=Users,dc=domain?sAMAccountName?sub?(objectClass=*)
> AuthLDAPBindDN cn=apache-connect,cn=Users,domain
> AuthLDAPBindPassword password
> require ldap-group cn=Nagios-Admins,cn=Users,domain
>
> and attempt to restart Apache. I get the following.
>
> root at nagios:~# service apache2 restart
>  * Restarting web server apache2 [fail]
>  * The apache2 configtest failed.
> Output of config test was:
> AH00526: Syntax error on line 159 of /etc/apache2/apache2.conf:
> Unknown Authn provider: ldap
> Action 'configtest' failed.
> The Apache error log may have more information.
>
> I'm not seeing anything of help in the Apache logs.

Have you enabled the Apache LDAP module with "a2enmod authnz_ldap"?

-- 
John Yocum, Systems Administrator, DEOHS
On 5/11/2015 11:42 AM, John Yocum wrote:
> a2enmod authnz_ldap

John,

I enabled 'a2enmod ldap' and 'a2enmod authnz_ldap'. I no longer get the error. However I'm not able to log into nagios. Credentials are invalid. I'll look in the log files now and see if I can uncover the issue. Thanks.

-- 
-James
On 5/11/2015 11:42 AM, John Yocum wrote:
> On 05/11/2015 08:24 AM, James wrote:
>> Hello,
>>
>> Using Nagios on Ubuntu 14.04.1 LTS. I'm attempting to authenticate
>> users against Samba 4.2.1. When I edit 'apache2.conf' with
>>
>> <Directory />
>> Options FollowSymLinks
>> AllowOverride None
>> Require all granted
>> Allow from all
>> AuthName "AD authentication"
>> AuthBasicProvider ldap
>> AuthType Basic
>> AuthLDAPGroupAttribute member
>> AuthLDAPGroupAttributeIsDN On
>> AuthLDAPURL ldap://dc1.domain.local/172.16.232.29:389/cn=Users,dc=domain?sAMAccountName?sub?(objectClass=*)
>> AuthLDAPBindDN cn=apache-connect,cn=Users,domain
>> AuthLDAPBindPassword password
>> require ldap-group cn=Nagios-Admins,cn=Users,domain
>>
>> and attempt to restart Apache. I get the following.
>>
>> root at nagios:~# service apache2 restart
>>  * Restarting web server apache2 [fail]
>>  * The apache2 configtest failed.
>> Output of config test was:
>> AH00526: Syntax error on line 159 of /etc/apache2/apache2.conf:
>> Unknown Authn provider: ldap
>> Action 'configtest' failed.
>> The Apache error log may have more information.
>>
>> I'm not seeing anything of help in the Apache logs.
>>
> Have you enabled the Apache LDAP module with "a2enmod authnz_ldap"?
>

I'm receiving this in my Apache logs:

[Mon May 11 12:38:26.033264 2015] [auth_basic:error] [pid 1195] [client 172.16.232.30:41027] AH01617: user username: authentication failure for "/nagios/": Password Mismatch

In my Samba logs with a log level of 3 I get:

[2015/05/11 12:38:26.776323, 3, pid=1157, effective(0, 0), real(0, 0)] ../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2015/05/11 12:38:26.794712, 3, pid=1157, effective(0, 0), real(0, 0)] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2015/05/11 12:38:26.794764, 3, pid=1157, effective(0, 0), real(0, 0)] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

I know the password is correct. Any ideas? Thanks.

-- 
-James
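When a basic-auth failure shows up on the web server and the directory is on another host, the first triage step is to line the two logs up by timestamp. This is an added example, not code from the thread or from Apache or Samba: it parses Apache 2.4 error-log lines of the AH01617 form and Samba level-3 log entries (header line followed by an indented message line, which is how Samba writes them), counts failures per client and user, and reports whether the DC's LDAP server logged any activity within a two-second window of each failure. The sample lines are constructed from the excerpts above, with one extra failure added so the "no DC activity" case is exercised; the window size and the keyword "ldapsrv" used to recognise LDAP-server entries are my own choices.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample input modelled on the two excerpts in the message above.
APACHE_LOG = """\
[Mon May 11 12:38:26.033264 2015] [auth_basic:error] [pid 1195] [client 172.16.232.30:41027] AH01617: user username: authentication failure for "/nagios/": Password Mismatch
[Mon May 11 12:40:01.500000 2015] [auth_basic:error] [pid 1195] [client 172.16.232.30:41031] AH01617: user username: authentication failure for "/nagios/": Password Mismatch
[Mon May 11 12:40:02.000000 2015] [core:notice] [pid 1100] AH00094: Command line: '/usr/sbin/apache2'
""".splitlines()

SAMBA_LOG = """\
[2015/05/11 12:38:26.776323,  3, pid=1157, effective(0, 0), real(0, 0)] ../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2015/05/11 12:38:26.794712,  3, pid=1157, effective(0, 0), real(0, 0)] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2015/05/11 12:38:26.794764,  3, pid=1157, effective(0, 0), real(0, 0)] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
""".splitlines()

# [timestamp] [module:level] [pid N] [client ip:port] AHxxxxx: message
APACHE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] '
    r'\[pid (?P<pid>\d+)\] \[client (?P<client>[^\]]+)\] (?P<code>AH\d+): (?P<msg>.*)$')
AUTH_FAIL_RE = re.compile(
    r'user (?P<user>\S+): authentication failure for "(?P<uri>[^"]*)": (?P<reason>.*)$')
# [YYYY/MM/DD HH:MM:SS.usec, level, pid=N, ...] source.c:line(function)
SAMBA_HDR_RE = re.compile(
    r'^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+), pid=(?P<pid>\d+)[^\]]*\] (?P<loc>\S+)')


def parse_apache_auth_failures(lines):
    """Return one dict per AH01617 authentication failure from mod_auth_basic."""
    events = []
    for line in lines:
        m = APACHE_RE.match(line)
        if not m or m['module'] != 'auth_basic':
            continue
        f = AUTH_FAIL_RE.search(m['msg'])
        if not f:
            continue
        events.append({
            'ts': datetime.strptime(m['ts'], '%a %b %d %H:%M:%S.%f %Y'),
            'client': m['client'].rsplit(':', 1)[0],   # drop the ephemeral port
            'user': f['user'], 'uri': f['uri'], 'reason': f['reason'],
        })
    return events


def parse_samba_events(lines):
    """Fold Samba's header line plus indented message line(s) into one event each."""
    events, current = [], None
    for line in lines:
        m = SAMBA_HDR_RE.match(line)
        if m:
            current = {'ts': datetime.strptime(m['ts'], '%Y/%m/%d %H:%M:%S.%f'),
                       'level': int(m['level']), 'pid': int(m['pid']),
                       'loc': m['loc'], 'msg': ''}
            events.append(current)
        elif current is not None and line.strip():
            current['msg'] = (current['msg'] + ' ' + line.strip()).strip()
    return events


def correlate(apache_events, samba_events, window=timedelta(seconds=2)):
    """Attach the DC events that fall within +/- window of each Apache failure."""
    out = []
    for a in apache_events:
        nearby = [s for s in samba_events if abs(s['ts'] - a['ts']) <= window]
        out.append({**a, 'dc_events': nearby,
                    'ldap_server_activity': any('ldapsrv' in s['loc'] + s['msg'] for s in nearby)})
    return out


def failures_per_client(apache_events):
    """(client ip, user) -> number of failures; a high count is a lockout or brute-force signal."""
    return Counter((e['client'], e['user']) for e in apache_events)


if __name__ == '__main__':
    failures = parse_apache_auth_failures(APACHE_LOG)
    for row in correlate(failures, parse_samba_events(SAMBA_LOG)):
        print(row['ts'], row['client'], row['user'], row['reason'],
              '| DC events in window:', len(row['dc_events']),
              '| ldap server activity:', row['ldap_server_activity'])
    print(failures_per_client(failures))
```

A failure with LDAP-server entries in the window says the request reached the DC and was rejected there, so the problem is on the directory side (bind DN, search base, attribute); a failure with nothing in the window says Apache never got a usable answer from the DC, which points at the URL, the network, or a module that is not loaded.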
Nico Kadel-Garcia
2015-May-12 12:31 UTC
[Samba] Authenticating Apache Against Active Directory
On Mon, May 11, 2015 at 11:24 AM, James <lingpanda101 at gmail.com> wrote:
> Hello,
>
> Using Nagios on Ubuntu 14.04.1 LTS. I'm attempting to authenticate
> users against Samba 4.2.1. When I edit 'apache2.conf' with
>
> <Directory />
> Options FollowSymLinks
> AllowOverride None
> Require all granted
> Allow from all
> AuthName "AD authentication"
> AuthBasicProvider ldap
> AuthType Basic
> AuthLDAPGroupAttribute member
> AuthLDAPGroupAttributeIsDN On
> AuthLDAPURL ldap://dc1.domain.local/172.16.232.29:389/cn=Users,dc=domain?sAMAccountName?sub?(objectClass=*)
> AuthLDAPBindDN cn=apache-connect,cn=Users,domain
> AuthLDAPBindPassword password
> require ldap-group cn=Nagios-Admins,cn=Users,domain

Why are you bothering to use anything outside of Kerberos? Very few web projects actually need any group, uid, or other information and are much simplified by simply relying on the inherent Kerberos of a modern Samba server or AD-based service. It also helps eliminate any need for LDAP credentials with which to issue LDAP queries, and lends itself much more easily to genuine "single-sign-on" solutions.

Nico Kadel-Garcia
On 5/12/2015 8:31 AM, Nico Kadel-Garcia wrote:
> On Mon, May 11, 2015 at 11:24 AM, James <lingpanda101 at gmail.com> wrote:
>> Hello,
>>
>> Using Nagios on Ubuntu 14.04.1 LTS. I'm attempting to authenticate
>> users against Samba 4.2.1. When I edit 'apache2.conf' with
>>
>> <Directory />
>> Options FollowSymLinks
>> AllowOverride None
>> Require all granted
>> Allow from all
>> AuthName "AD authentication"
>> AuthBasicProvider ldap
>> AuthType Basic
>> AuthLDAPGroupAttribute member
>> AuthLDAPGroupAttributeIsDN On
>> AuthLDAPURL ldap://dc1.domain.local/172.16.232.29:389/cn=Users,dc=domain?sAMAccountName?sub?(objectClass=*)
>> AuthLDAPBindDN cn=apache-connect,cn=Users,domain
>> AuthLDAPBindPassword password
>> require ldap-group cn=Nagios-Admins,cn=Users,domain
> Why are you bothering to use anything outside of Kerberos? Very few
> web projects actually need any group, uid, or other information and
> are much simplified by simply relying in the inherent Kerberos of a
> modern Samba server or AD based service. It also helps eliminate any
> need for LDAP credentials with which to issue LDAP queries, and lends
> itself much more easily to genuine "single-sign-on" solutions.
>
> Nico Kadel-Garcia

Nico,

Went with Kerberos and everything went smoothly. How do I limit what users are allowed access? Here is my Apache config for nagios in case it helps anyone.

<location /"nagios.html">
AuthType Kerberos
AuthName "Network Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms DOMAIN.LOCAL
require valid-user
Krb5KeyTab /etc/apache2/conf-enabled/httpd.keytab
KrbLocalUserMapping On
</Location>

I had to install Kerberos for Apache first (Debian-based) on Ubuntu 14.04.1 LTS:

apt-get install libapache2-mod-auth-kerb

-- 
-James
Greetings, Nico Kadel-Garcia!

>> Using Nagios on Ubuntu 14.04.1 LTS. I'm attempting to authenticate
>> users against Samba 4.2.1. When I edit 'apache2.conf' with
>>
>> <Directory />
>> Options FollowSymLinks
>> AllowOverride None
>> Require all granted
>> Allow from all
>> AuthName "AD authentication"
>> AuthBasicProvider ldap
>> AuthType Basic
>> AuthLDAPGroupAttribute member
>> AuthLDAPGroupAttributeIsDN On
>> AuthLDAPURL ldap://dc1.domain.local/172.16.232.29:389/cn=Users,dc=domain?sAMAccountName?sub?(objectClass=*)
>> AuthLDAPBindDN cn=apache-connect,cn=Users,domain
>> AuthLDAPBindPassword password
>> require ldap-group cn=Nagios-Admins,cn=Users,domain

> Why are you bothering to use anything outside of Kerberos? Very few
> web projects actually need any group, uid, or other information and
> are much simplified by simply relying in the inherent Kerberos of a
> modern Samba server or AD based service. It also helps eliminate any
> need for LDAP credentials with which to issue LDAP queries, and lends
> itself much more easily to genuine "single-sign-on" solutions.

You don't need any LDAP credentials other than the credentials supplied by the authenticating user.

<IfModule authnz_ldap_module>
Allow from all
AuthName "Subversion repository"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://127.0.0.1/ou=Users,dc=example,dc=com?uid
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
# only developers may access the repository
Require ldap-group cn=CVS,ou=Groups,dc=example,dc=com
Require ldap-attribute gidNumber=600
Satisfy all
# And they should obey the SVN user permissions file
<IfModule authz_svn_module>
AuthzSVNAccessFile "/wwwroot/.svn/.registry"
</IfModule>
</IfModule>

-- 
With best regards,
Andrey Repin
Tuesday, May 12, 2015 17:13:42

Sorry for my terrible english...
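Two details in the LDAP configurations in this thread decide whether "Require ldap-group" lets anyone in at all, and both are easy to get wrong silently. First, AuthLDAPGroupAttributeIsDN must match how the group attribute stores its members: an AD "member" attribute holds full DNs (so the setting must be On, as in James's config), while a POSIX "memberUid" holds bare user names (so it must be off, as in Andrey's). Second, several Require lines in one section are alternatives, not a conjunction: Apache 2.4 treats them as an implicit <RequireAll> only if you write that container, otherwise as RequireAny, and "Satisfy all" governs only how Require interacts with the Allow/Deny host rules. The following model is an added example of my own, not Apache's or Samba's code: it evaluates those directives against a small constructed directory snapshot so the two effects can be seen side by side. It assumes case-insensitive DN and name comparison and does not model nested groups (AuthLDAPMaxSubGroupDepth).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed directory snapshot: DN -> attributes (every value is a list).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    'cn=alice,cn=Users,dc=example,dc=com': {'sAMAccountName': ['alice'], 'uid': ['alice'], 'gidNumber': ['600']},
    'cn=bob,cn=Users,dc=example,dc=com':   {'sAMAccountName': ['bob'],   'uid': ['bob'],   'gidNumber': ['601']},
    # AD-style group: "member" holds DNs, so AuthLDAPGroupAttributeIsDN must be On
    'cn=Nagios-Admins,cn=Users,dc=example,dc=com': {'member': ['cn=alice,cn=Users,dc=example,dc=com']},
    # POSIX-style group: "memberUid" holds user names, so IsDN must be off
    'cn=CVS,ou=Groups,dc=example,dc=com': {'memberUid': ['bob']},
}


@dataclass
class LdapAuthzConfig:
    basedn: str                 # from AuthLDAPURL
    search_attr: str            # AuthLDAPURL ?attribute (uid, sAMAccountName, ...)
    group_attr: str             # AuthLDAPGroupAttribute
    group_attr_is_dn: bool      # AuthLDAPGroupAttributeIsDN
    requires: List[Tuple]       # ('valid-user',) | ('ldap-group', dn) | ('ldap-attribute', 'attr=value')
    require_all: bool = False   # True models <RequireAll>; False is the default RequireAny


def find_user(cfg: LdapAuthzConfig, username: str) -> Optional[Tuple[str, Dict[str, List[str]]]]:
    """Subtree search under basedn for search_attr=username (first hit wins, like Apache)."""
    base = cfg.basedn.lower()
    for dn, attrs in DIRECTORY.items():
        in_scope = dn.lower() == base or dn.lower().endswith(',' + base)
        if in_scope and username in attrs.get(cfg.search_attr, []):
            return dn, attrs
    return None


def check_require(cfg: LdapAuthzConfig, req: Tuple, username: str, user_dn: str, user_attrs) -> bool:
    kind = req[0]
    if kind == 'valid-user':
        return True
    if kind == 'ldap-group':
        members = DIRECTORY.get(req[1], {}).get(cfg.group_attr, [])
        # With IsDN On the user's DN is compared; with it off, the login name is.
        needle = user_dn if cfg.group_attr_is_dn else username
        return any(needle.lower() == m.lower() for m in members)
    if kind == 'ldap-attribute':
        attr, _, value = req[1].partition('=')
        return value in user_attrs.get(attr, [])
    return False


def evaluate(cfg: LdapAuthzConfig, username: str) -> dict:
    """Authenticated user -> {'user_dn', 'checks', 'granted'}; checks lists each Require's verdict."""
    found = find_user(cfg, username)
    if found is None:
        return {'user_dn': None, 'checks': [], 'granted': False}
    dn, attrs = found
    checks = [(req, check_require(cfg, req, username, dn, attrs)) for req in cfg.requires]
    verdicts = [ok for _, ok in checks]
    granted = all(verdicts) if cfg.require_all else any(verdicts)
    return {'user_dn': dn, 'checks': checks, 'granted': granted}


def authorize(cfg: LdapAuthzConfig, username: str) -> bool:
    return evaluate(cfg, username)['granted']


if __name__ == '__main__':
    ad = LdapAuthzConfig('cn=Users,dc=example,dc=com', 'sAMAccountName', 'member', True,
                         [('ldap-group', 'cn=Nagios-Admins,cn=Users,dc=example,dc=com')])
    mismatch = LdapAuthzConfig('cn=Users,dc=example,dc=com', 'sAMAccountName', 'member', False,
                               [('ldap-group', 'cn=Nagios-Admins,cn=Users,dc=example,dc=com')])
    posix = LdapAuthzConfig('dc=example,dc=com', 'uid', 'memberUid', False,
                            [('ldap-group', 'cn=CVS,ou=Groups,dc=example,dc=com'),
                             ('ldap-attribute', 'gidNumber=600')])
    for label, cfg in (('AD, IsDN On', ad), ('AD, IsDN off', mismatch), ('POSIX, two Requires', posix)):
        for user in ('alice', 'bob'):
            print(f'{label:20} {user}: {evaluate(cfg, user)}')
```

The second configuration is the same as the first except for AuthLDAPGroupAttributeIsDN, and it denies every member of the group, because the login name never equals a DN. The third grants both users although neither satisfies both Require lines; to require group membership and the gidNumber together, the two lines have to sit inside <RequireAll>.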