We have a tricky problem with Apache and auth_ldap against AD. Only a single user is not allowed to log in, although he is in one of the permitted groups and other users from that group are permitted.
When this user tries to log in, he gets a 401 status code, and in the Apache error log (in debug mode) we get:
[Mon Jun 18 13:34:37.699991 2018] [ssl:debug] [pid 7097] ssl_engine_kernel.c(225): [client 10.0.0.1:45287] AH02034: Initial (No.1) HTTPS request received for child 4 (server xxxxxxxxxxxxx.at:80)
[Mon Jun 18 13:34:37.700189 2018] [authz_core:debug] [pid 7097] mod_authz_core.c(809): [client 10.0.0.1:45287] AH01626: authorization result of Require ldap-group CN=group1,xxxxxxxxxxxxxxxxxxxxxxxxxx,DC=at: denied (no authenticated user yet)
[Mon Jun 18 13:34:37.700201 2018] [authz_core:debug] [pid 7097] mod_authz_core.c(809): [client 10.0.0.1:45287] AH01626: authorization result of Require ldap-group CN=group2,xxxxxxxxxxxxxxxxxxxxxxxxxx,DC=at: denied (no authenticated user yet)
[Mon Jun 18 13:34:37.700206 2018] [authz_core:debug] [pid 7097] mod_authz_core.c(809): [client 10.0.0.1:45287] AH01626: authorization result of Require ldap-group CN=group3,OU=zuChecken,xxxxxxxxxxxxxxxxxxxxxxxxxx,DC=at: denied (no authenticated user yet)
[Mon Jun 18 13:34:37.700210 2018] [authz_core:debug] [pid 7097] mod_authz_core.c(809): [client 10.0.0.1:45287] AH01626: authorization result of Require ldap-group CN=group4,xxxxxxxxxxxxxxxxxxxxxxxxxx,DC=at: denied (no authenticated user yet)
[Mon Jun 18 13:34:37.700214 2018] [authz_core:debug] [pid 7097] mod_authz_core.c(809): [client 10.0.0.1:45287] AH01626: authorization result of Require ldap-group CN=group5,xxxxxxxxxxxxxxxxxxxxxxxxxx,DC=at: denied (no authenticated user yet)
[Mon Jun 18 13:34:37.700218 2018] [authz_core:debug] [pid 7097] mod_authz_core.c(809): [client 10.0.0.1:45287] AH01626: authorization result of Require ldap-group CN=group6,xxxxxxxxxxxxxxxxxxxxxxxxxx,DC=at: denied (no authenticated user yet)
[Mon Jun 18 13:34:37.700244 2018] [authz_core:debug] [pid 7097] mod_authz_core.c(809): [client 10.0.0.1:45287] AH01626: authorization result of Require ldap-group CN=group7,xxxxxxxxxxxxxxxxxxxxxxxxxx,DC=at: denied (no authenticated user yet)
[Mon Jun 18 13:34:37.700248 2018] [authz_core:debug] [pid 7097] mod_authz_core.c(809): [client 10.0.0.1:45287] AH01626: authorization result of Require ldap-group CN=group8,xxxxxxxxxxxxxxxxxxxxxxxxxx,DC=at: denied (no authenticated user yet)
[Mon Jun 18 13:34:37.700252 2018] [authz_core:debug] [pid 7097] mod_authz_core.c(809): [client 10.0.0.1:45287] AH01626: authorization result of Require ldap-group CN=group9,xxxxxxxxxxxxxxxxxxxxxxxxxx,DC=at: denied (no authenticated user yet)
[Mon Jun 18 13:34:37.700256 2018] [authz_core:debug] [pid 7097] mod_authz_core.c(809): [client 10.0.0.1:45287] AH01626: authorization result of Require ldap-group cn=group10,xxxxxxxxxxxxxxxxxxxxxxxxxx,dc=at: denied (no authenticated user yet)
[Mon Jun 18 13:34:37.700260 2018] [authz_core:debug] [pid 7097] mod_authz_core.c(809): [client 10.0.0.1:45287] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jun 18 13:34:37.700381 2018] [authnz_ldap:debug] [pid 7097] mod_authnz_ldap.c(501): [client 10.0.0.1:45287] AH01691: auth_ldap authenticate: using URL ldap://xxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxx,dc=at?sAMAccountName
[Mon Jun 18 13:34:37.700522 2018] [ldap:debug] [pid 7097] util_ldap.c(379): AH01278: LDAP: Setting referrals to On.
[Mon Jun 18 13:34:37.953306 2018] [ldap:debug] [pid 7097] util_ldap.c(379): AH01278: LDAP: Setting referrals to On.
[Mon Jun 18 13:34:38.003997 2018] [authnz_ldap:info] [pid 7097] [client 10.0.0.1:45287] AH01695: auth_ldap authenticate: user domain\username authentication failed; URI / [User not found][No such object]
[Mon Jun 18 13:34:38.004050 2018] [auth_basic:error] [pid 7097] [client 10.0.0.1:45287] AH01618: user domain\username not found: /
The Apache configuration file looks like this:
Header set Access-Control-Allow-Origin "*"
LogLevel debug
<Location />
AuthName "Login with User"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPBindDN "CN=xxxxxxxxxxxxxxxxxx,DC=at"
AuthLDAPBindPassword xxxxxxxxxxxxxx
AuthLDAPURL "ldap://xxxxxxxxxx/xxxxxxxxxxx,dc=at?sAMAccountName"
Require ldap-group CN=group1,xxxxxxxxxxxxxxxxxxxxxxxxxxxx,DC=at
Require ldap-group CN=group2,xxxxxxxxxxxxxxxxxxxxxxxxxxxx,DC=at
Require ldap-group ....
</Location>
As I said, all other users work, but not this one.
So I went further and did an LDAP query for some users, counting the size of the LDAP objects. I got this result:
for eh in username1 username2 username3 username4 username5; do echo "######### $eh"; ldapsearch -x -h xxxxxxxxxxxxxxxxxx:389 -D "CN=xxxxxxxxxxxxxxxxxx,DC=at" -w 'xxxxxxxxxxxxxxxxxx' -b "xxxxxxxxxxxxxxxxxx" "(sAMAccountName=$eh)"|wc ; done
######### username1
473 778 26675
######### username2
711 1294 40586
######### username3
503 963 25752
######### username4
309 591 15015
######### username5
321 581 16972
The one with the problem is username2, and this is the only real difference. I have to add that this user was able to log in in the past, but we really don't know what changed. So the question is: is it possible that mod_auth_ldap is not able to handle results larger than 32 KiB? Or do we have another problem?
Unfortunately there is no documentation on the new Apache error numbers, such as AH01618: /.
Our system description:
# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
# rpm -qa|grep httpd
httpd-2.4.6-67.el7.centos.6.x86_64
httpd-tools-2.4.6-67.el7.centos.6.x86_64
# rpm -qa|grep ldap
sssd-ldap-1.15.2-50.el7_4.8.x86_64
mod_ldap-2.4.6-67.el7.centos.6.x86_64
openldap-2.4.44-5.el7.x86_64
openldap-clients-2.4.44-5.el7.x86_64
python-ldap-2.4.15-2.el7.x86_64
apr-util-ldap-1.5.2-6.el7.x86_64
Edit:
We checked the maximum token size, as described at ms.com, and got the following output for the affected user:
The computer is Windows Server 2012 R2 and is a member server.
Token Details for user affectedUser
**********************************
User's domain is xxxxxxxx.
Total estimated token size is 7408.
For access to DCs and delegatable resources the total estimated token delegation size is 14816.
Effective MaxTokenSize value is: 48000
Problem not detected.
Compared with another (working) user:
Token Details for user workingUser
**********************************
User's domain is xxxxxxxxxx.
Total estimated token size is 4192.
For access to DCs and delegatable resources the total estimated token delegation size is 8384.
Effective MaxTokenSize value is: 48000
Problem not detected.
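The `wc` loop in the question compares the size of each user's LDAP object, but the log line `[User not found][No such object]` is about the number of entries the search returned, not their size: util_ldap.c requires the search built from AuthLDAPURL to return exactly one entry, logs "User not found" for zero entries and "User is not unique" for two or more. The script below, added here as an example and not code from the question, reproduces that lookup outside Apache. It turns an AuthLDAPURL plus the login name into the equivalent `ldapsearch` command, applying the same filter shape and the same RFC 4515 escaping of the login name that mod_authnz_ldap uses (so a name typed as `domain\user` is searched as `sAMAccountName=domain\5cuser`), and it classifies the resulting LDIF the way mod_ldap does, listing AD naming-context referrals separately so they are not mistaken for entries. The host names, DNs and the two LDIF samples are constructed placeholders, not data from the question.

```python
"""Reproduce the user lookup mod_authnz_ldap performs, outside Apache.

Added example; not code from the original post. Host names, DNs and the
LDIF samples are constructed placeholders.
"""
import shlex

# RFC 4515 escaping that mod_authnz_ldap applies to the user-supplied
# login name before splicing it into the search filter.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def ldap_filter_escape(value):
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url):
    """Split ldap[s]://host[:port]/basedn?attribute?scope?filter into parts.

    Defaults follow the mod_authnz_ldap documentation: attribute uid,
    scope sub, filter objectclass=*. The filter is stored without its
    outer parentheses because they are re-added when the filter is built.
    """
    scheme, _, rest = url.partition('://')
    hostport, _, tail = rest.partition('/')
    fields = tail.split('?')

    def field(i, default):
        return fields[i] if len(fields) > i and fields[i] else default

    filt = field(3, 'objectclass=*')
    if filt.startswith('(') and filt.endswith(')'):
        filt = filt[1:-1]
    return {'scheme': scheme, 'hostport': hostport, 'base': field(0, ''),
            'attribute': field(1, 'uid'), 'scope': field(2, 'sub'), 'filter': filt}


def build_search_filter(auth_url, username):
    """Same shape mod_authnz_ldap builds: (&(<url filter>)(<attr>=<escaped user>))."""
    p = parse_auth_ldap_url(auth_url)
    return '(&(%s)(%s=%s))' % (p['filter'], p['attribute'], ldap_filter_escape(username))


def build_ldapsearch_cmd(auth_url, bind_dn, username):
    """ldapsearch invocation equivalent to Apache's lookup (-W prompts for the
    bind password; replace the trailing 1.1 with no attribute list to see the
    whole entry)."""
    p = parse_auth_ldap_url(auth_url)
    args = ['ldapsearch', '-x', '-H', '%s://%s' % (p['scheme'], p['hostport']),
            '-D', bind_dn, '-W', '-b', p['base'], '-s', p['scope'],
            build_search_filter(auth_url, username), '1.1']
    return ' '.join(shlex.quote(a) for a in args)


def classify_search_result(ldif_text):
    """Count entries and referrals in ldapsearch output and map the entry
    count to the reason string util_ldap.c logs (exactly one entry is ok)."""
    entries, referrals = [], []
    for line in ldif_text.splitlines():
        if line.startswith('dn:'):
            entries.append(line.split(':', 1)[1].lstrip(': '))
        elif line.startswith('# refldap'):
            # AD answers subtree searches of the domain root with referrals to
            # its other naming contexts; they are not matching entries.
            referrals.append(line[2:].strip())
    if len(entries) == 1:
        verdict = 'ok'
    elif not entries:
        verdict = 'User not found'
    else:
        verdict = 'User is not unique (search found two or more matches)'
    return {'verdict': verdict, 'entries': entries, 'referrals': referrals}


# Constructed ldapsearch output: referrals only, no entry. This is the shape
# behind "[User not found][No such object]".
SAMPLE_NOT_FOUND = """\
# refldap://ForestDnsZones.example.at/DC=ForestDnsZones,DC=example,DC=at

# refldap://DomainDnsZones.example.at/DC=DomainDnsZones,DC=example,DC=at

# search result
search: 2
result: 0 Success
"""

# Constructed ldapsearch output: one entry plus one referral.
SAMPLE_FOUND = """\
dn: CN=John Doe,OU=Users,DC=example,DC=at

# refldap://ForestDnsZones.example.at/DC=ForestDnsZones,DC=example,DC=at

# search result
search: 2
result: 0 Success
"""

if __name__ == '__main__':
    url = 'ldap://dc.example.at/DC=example,DC=at?sAMAccountName'
    print(build_ldapsearch_cmd(url, 'CN=svc-apache,DC=example,DC=at', 'jdoe'))
    for label, sample in (('found', SAMPLE_FOUND), ('not found', SAMPLE_NOT_FOUND)):
        print(label, classify_search_result(sample))
```

Run the printed command against the real directory with the service account from AuthLDAPBindDN and the exact string the browser sends as the username; a result with only `# refldap://` lines and no `dn:` line is what Apache turns into "User not found", independent of how large the user's object is.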