Trying to allow domain administrators access in Apache

1

I am trying to authenticate domain administrators through Apache and it is not working. The error I get is the following

[Mon Sep 24 14:54:45 2012] [debug] src/mod_auth_kerb.c(1432): [client 172.16.0.85] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Sep 24 14:54:45 2012] [debug] src/mod_auth_kerb.c(915): [client 172.16.0.85] Using HTTP/[email protected] as server principal for password verification
[Mon Sep 24 14:54:45 2012] [debug] src/mod_auth_kerb.c(655): [client 172.16.0.85] Trying to get TGT for user [email protected]
[Mon Sep 24 14:54:45 2012] [debug] src/mod_auth_kerb.c(569): [client 172.16.0.85] Trying to verify authenticity of KDC using principal HTTP/[email protected]
[Mon Sep 24 14:54:45 2012] [debug] src/mod_auth_kerb.c(994): [client 172.16.0.85] kerb_authenticate_user_krb5pwd ret=0 [email protected] authtype=Basic
[Mon Sep 24 14:54:45 2012] [debug] mod_authnz_ldap.c(561): [client 172.16.0.85] ldap authorize: Creating LDAP req structure
[Mon Sep 24 14:54:45 2012] [debug] mod_authnz_ldap.c(573): [client 172.16.0.85] auth_ldap authorise: User DN not found, LDAP: ldap_simple_bind_s() failed

Below is what I have in my httpd file

Alias /compass "/data/intranet/html/compass"

<Directory "/data/intranet/html/compass">
        AuthType Kerberos
        AuthName KerberosLogin
        KrbServiceName HTTP/intranet.xxx.com
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms xxx.COM
        Krb5KeyTab /etc/httpd/conf/intranet.keytab
       # require valid-user
       # Options Indexes MultiViews FollowSymLinks
       # AllowOverride All
       # Order allow,deny
       # Allow from all
       #        SetOutputFilter DEFLATE


# taken from http://blogs.freebsdish.org/tmclaugh/2010/07/15/mod_auth_kerb-ad-and-ldap-authorization/
# download extra module and install

        # Strip the kerberos realm from the principal.
#   MapUsernameRule (.*)@(.*) "$1"

        AuthLDAPURL "ldap://echo.uk.xxx.com akhutan.usa.xxx.com/dc=xxx,dc=com?sAMAccountName"
        AuthLDAPBindDN cn=Administrator,ou=Users,dc=xxx,dc=com
        AuthLDAPBindPassword ***
        Require ldap-group cn=Domain Admins,ou=Users,dc=xxx,dc=com
</Directory>

I followed this guide. I downloaded and installed the tarball. When I try to uncomment MapUsernameRule, I get an error and Apache fails to restart

Reloading httpd: not reloading due to configuration syntax error

I am using CentOS 5 64-bit.

I added the following line, but I still get a syntax error

LoadModule mod_map_user modules/mod_map_user.so

httpd: Syntax error on line 199 of /etc/httpd/conf/httpd.conf: Can't locate API module structure 'mod_map_user' in file /etc/httpd/modules/mod_map_user.so: /etc/httpd/modules/mod_map_user.so: undefined symbol: mod_map_user
[root@hero mod_map_user]# ll /etc/httpd/modules/mod_map_user.so
-rwxr-xr-x 1 root root 39444 Sep 24 16:23 /etc/httpd/modules/mod_map_user.so

I updated the LoadModule part and it works now, but it still does not work for me. The error I get is the following

[Mon Sep 24 17:19:05 2012] [debug] src/mod_auth_kerb.c(1432): [client 172.16.0.85] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Sep 24 17:19:05 2012] [debug] src/mod_auth_kerb.c(915): [client 172.16.0.85] Using HTTP/[email protected] as server principal for password verification
[Mon Sep 24 17:19:05 2012] [debug] src/mod_auth_kerb.c(655): [client 172.16.0.85] Trying to get TGT for user [email protected]
[Mon Sep 24 17:19:05 2012] [debug] src/mod_auth_kerb.c(569): [client 172.16.0.85] Trying to verify authenticity of KDC using principal HTTP/[email protected]
[Mon Sep 24 17:19:05 2012] [debug] src/mod_auth_kerb.c(994): [client 172.16.0.85] kerb_authenticate_user_krb5pwd ret=0 [email protected] authtype=Basic
[Mon Sep 24 17:19:05 2012] [info] [client 172.16.0.85] Applying pattern '^(.*)@(.*)$' to user '[email protected]', mech:'Any'
[Mon Sep 24 17:19:05 2012] [info] [client 172.16.0.85] Pattern matched
[Mon Sep 24 17:19:05 2012] [notice] [client 172.16.0.85] User name '[email protected]' rewritten to 'sharifu'
[Mon Sep 24 17:19:05 2012] [debug] mod_authnz_ldap.c(561): [client 172.16.0.85] ldap authorize: Creating LDAP req structure
[Mon Sep 24 17:19:05 2012] [debug] mod_authnz_ldap.c(573): [client 172.16.0.85] auth_ldap authorise: User DN not found, LDAP: ldap_simple_bind_s() failed

The httpd conf file now has:

Alias /compass "/data/intranet/html/compass"

<Directory "/data/intranet/html/compass">
        AuthType Kerberos
        AuthName KerberosLogin
        KrbServiceName HTTP/intranet.xxx.com
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms xxx.COM
        Krb5KeyTab /etc/httpd/conf/intranet.keytab
       # require valid-user
       # Options Indexes MultiViews FollowSymLinks
       # AllowOverride All
       # Order allow,deny
       # Allow from all
       #        SetOutputFilter DEFLATE
# taken from http://blogs.freebsdish.org/tmclaugh/2010/07/15/mod_auth_kerb-ad-and-ldap-authorization/
# download extra module and install

        # Strip the kerberos realm from the principal.
        MapUsernameRule (.*)@(.*) "$1"

        AuthLDAPURL "ldap://echo.uk.xxx.com akhutan.usa.xxx.com/cn=users,dc=xxx,dc=com?sAMAccountName"
        AuthLDAPBindDN cn=Administrator,ou=users,dc=xxx,dc=com
        AuthLDAPBindPassword xxx
        Require ldap-group cn=Domain Admins,ou=users,dc=xxx,dc=com
</Directory>
    
by shorif2000 24.09.2012 / 15:59

1 answer

0

As Chris S mentioned, my AuthLDAPBindDN was wrong

    
by 03.12.2012 / 17:49
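
The `ldap_simple_bind_s() failed` line in the logs above comes from the service bind that mod_authnz_ldap performs with AuthLDAPBindDN before it searches for the user, so a wrong bind DN can be confirmed outside Apache. The following is an added example, not code from the question or the answer: it reads the two directives from a constructed copy of the posted configuration and builds the equivalent `ldapsearch` command for each host in AuthLDAPURL. The helper names (`directive`, `parse_ldap_url`, `escape_filter`, `bind_checks`) are hypothetical.

```python
import re
import shlex

# Constructed sample: the two LDAP directives from the question's second block.
SAMPLE_CONF = '''
AuthLDAPURL "ldap://echo.uk.xxx.com akhutan.usa.xxx.com/cn=users,dc=xxx,dc=com?sAMAccountName"
AuthLDAPBindDN cn=Administrator,ou=users,dc=xxx,dc=com
'''

def directive(conf, name):
    """Return the argument of the first `name` directive, without quotes."""
    m = re.search(r'^\s*' + re.escape(name) + r'\s+(.+?)\s*$', conf, re.M | re.I)
    if not m:
        raise ValueError("missing directive: " + name)
    return m.group(1).strip('"')

def parse_ldap_url(url):
    """Split scheme://host1 host2/basedn?attr?scope?filter (AuthLDAPURL syntax)."""
    m = re.match(r'^(ldaps?)://([^/]*)/([^?]*)\??(.*)$', url)
    if not m:
        raise ValueError("not an LDAP URL: " + url)
    scheme, hosts, base, rest = m.groups()
    attr, scope, flt = (rest.split("?") + ["", "", ""])[:3]
    return {"scheme": scheme, "hosts": hosts.split(), "base": base,
            "attr": attr.split(",")[0] or "uid",            # documented defaults
            "scope": scope if scope in ("one", "sub") else "sub",
            "filter": flt or "(objectClass=*)"}

def escape_filter(value):
    """RFC 4515 escaping so the user name cannot alter the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def bind_checks(conf, user):
    """One ldapsearch per host: bind as AuthLDAPBindDN, then look the user up."""
    url = parse_ldap_url(directive(conf, "AuthLDAPURL"))
    bind_dn = directive(conf, "AuthLDAPBindDN")
    flt = "(&%s(%s=%s))" % (url["filter"], url["attr"], escape_filter(user))
    cmds = []
    for host in url["hosts"]:
        argv = ["ldapsearch", "-x", "-H", "%s://%s" % (url["scheme"], host),
                "-D", bind_dn, "-W",            # -W prompts for the bind password
                "-b", url["base"], "-s", url["scope"], flt, "dn", "memberOf"]
        cmds.append(" ".join(shlex.quote(a) for a in argv))
    return cmds

if __name__ == "__main__":
    for cmd in bind_checks(SAMPLE_CONF, "sharifu"):
        print(cmd)   # run each by hand; a bad bind DN fails before any search
```

When the bind succeeds, the returned `dn` and `memberOf` values show the exact DNs the directory uses, which can be compared with the DN given in `Require ldap-group`.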