Como Chris S mencionou que meu AuthLDAPBindDN estava errado
Estou tentando autenticar administradores de domínio por meio do apache e não está funcionando. Erro que recebo é o seguinte
[Mon Sep 24 14:54:45 2012] [debug] src/mod_auth_kerb.c(1432): [client 172.16.0.85] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Sep 24 14:54:45 2012] [debug] src/mod_auth_kerb.c(915): [client 172.16.0.85] Using HTTP/[email protected] as server principal for password verification
[Mon Sep 24 14:54:45 2012] [debug] src/mod_auth_kerb.c(655): [client 172.16.0.85] Trying to get TGT for user [email protected]
[Mon Sep 24 14:54:45 2012] [debug] src/mod_auth_kerb.c(569): [client 172.16.0.85] Trying to verify authenticity of KDC using principal HTTP/[email protected]
[Mon Sep 24 14:54:45 2012] [debug] src/mod_auth_kerb.c(994): [client 172.16.0.85] kerb_authenticate_user_krb5pwd ret=0 [email protected] authtype=Basic
[Mon Sep 24 14:54:45 2012] [debug] mod_authnz_ldap.c(561): [client 172.16.0.85] ldap authorize: Creating LDAP req structure
[Mon Sep 24 14:54:45 2012] [debug] mod_authnz_ldap.c(573): [client 172.16.0.85] auth_ldap authorise: User DN not found, LDAP: ldap_simple_bind_s() failed
Abaixo está o que eu tenho no meu arquivo httpd
Alias /compass "/data/intranet/html/compass"
<Directory "/data/intranet/html/compass">
AuthType Kerberos
AuthName KerberosLogin
KrbServiceName HTTP/intranet.xxx.com
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms xxx.COM
Krb5KeyTab /etc/httpd/conf/intranet.keytab
# require valid-user
# Options Indexes MultiViews FollowSymLinks
# AllowOverride All
# Order allow,deny
# Allow from all
# SetOutputFilter DEFLATE
# taken from http://blogs.freebsdish.org/tmclaugh/2010/07/15/mod_auth_kerb-ad-and-ldap-authorization/
# download extra module and install
# Strip the kerberos realm from the principle.
# MapUsernameRule (.*)@(.*) "$1"
AuthLDAPURL "ldap://echo.uk.xxx.com akhutan.usa.xxx.com/dc=xxx,dc=com?sAMAccountName"
AuthLDAPBindDN cn=Administrator,ou=Users,dc=xxx,dc=com
AuthLDAPBindPassword ***
Require ldap-group cn=Domain Admins,ou=Users,dc=xxx,dc=com
</Directory>
Eu segui este guia . Eu baixei e instalei o tarball. quando tento remover o comentário de MapUsernameRule i erro com falha ao reiniciar o apache
Reloading httpd: not reloading due to configuration syntax error
Estou usando o centos 5 64bit.
Eu adicionei a seguinte linha, mas ainda recebo erro de sintaxe
LoadModule mod_map_user modules/mod_map_user.so
httpd: Syntax error on line 199 of /etc/httpd/conf/httpd.conf: Can't locate API module structure 'mod_map_user' in file /etc/httpd/modules/mod_map_user.so: /etc/httpd/modules/mod_map_user.so: undefined symbol: mod_map_user
[root@hero mod_map_user]# ll /etc/httpd/modules/mod_map_user.so
-rwxr-xr-x 1 root root 39444 Sep 24 16:23 /etc/httpd/modules/mod_map_user.so
Atualizei a parte load module e ela funciona agora, como ainda não funciona para mim. Erro que recebo é o seguinte
[Mon Sep 24 17:19:05 2012] [debug] src/mod_auth_kerb.c(1432): [client 172.16.0.85] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Sep 24 17:19:05 2012] [debug] src/mod_auth_kerb.c(915): [client 172.16.0.85] Using HTTP/[email protected] as server principal for password verification
[Mon Sep 24 17:19:05 2012] [debug] src/mod_auth_kerb.c(655): [client 172.16.0.85] Trying to get TGT for user [email protected]
[Mon Sep 24 17:19:05 2012] [debug] src/mod_auth_kerb.c(569): [client 172.16.0.85] Trying to verify authenticity of KDC using principal HTTP/[email protected]
[Mon Sep 24 17:19:05 2012] [debug] src/mod_auth_kerb.c(994): [client 172.16.0.85] kerb_authenticate_user_krb5pwd ret=0 [email protected] authtype=Basic
[Mon Sep 24 17:19:05 2012] [info] [client 172.16.0.85] Applying pattern '^(.*)@(.*)$' to user '[email protected]', mech:'Any'
[Mon Sep 24 17:19:05 2012] [info] [client 172.16.0.85] Pattern matched
[Mon Sep 24 17:19:05 2012] [notice] [client 172.16.0.85] User name '[email protected]' rewritten to 'sharifu'
[Mon Sep 24 17:19:05 2012] [debug] mod_authnz_ldap.c(561): [client 172.16.0.85] ldap authorize: Creating LDAP req structure
[Mon Sep 24 17:19:05 2012] [debug] mod_authnz_ldap.c(573): [client 172.16.0.85] auth_ldap authorise: User DN not found, LDAP: ldap_simple_bind_s() failed
httdp conf ffile agora tem:
Alias /compass "/data/intranet/html/compass"
<Directory "/data/intranet/html/compass">
AuthType Kerberos
AuthName KerberosLogin
KrbServiceName HTTP/intranet.xxx.com
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms xxx.COM
Krb5KeyTab /etc/httpd/conf/intranet.keytab
# require valid-user
# Options Indexes MultiViews FollowSymLinks
# AllowOverride All
# Order allow,deny
# Allow from all
# SetOutputFilter DEFLATE
# taken from http://blogs.freebsdish.org/tmclaugh/2010/07/15/mod_auth_kerb-ad-and-ldap-authorization/
# download extra module and install
# Strip the kerberos realm from the principle.
MapUsernameRule (.*)@(.*) "$1"
AuthLDAPURL "ldap://echo.uk.xxx.com akhutan.usa.xxx.com/cn=users,dc=xxx,dc=com?sAMAccountName"
AuthLDAPBindDN cn=Administrator,ou=users,dc=xxx,dc=com
AuthLDAPBindPassword xxx
Require ldap-group cn=Domain Admins,ou=users,dc=xxx,dc=com
</Directory>
Tags ldap apache-2.2 centos5