LDAP query translation from 2.2 to 2.4

LDAP query translation from 2.2 to 2.4

Darryl Philip Baker

I am trying to port a configuration from Apache 2.2 to Apache 2.4 that is used for LDAP authentication, but I have little knowledge of LDAP. I can translate “Order deny,allow” and “Deny from All”. I have found that “AuthzLDAPAuthoritative off” has been removed from Apache 2.4. I am getting a syntax error on the AuthLDAPUrl line. From one of the examples I found, do I need to change from a Directory block to a Location block?

Here is what the stanza is in Apache 2.2:

<Directory "/usr/local/www/docs/it/snaps">
         Options -Indexes +FollowSymLinks +ExecCGI +Includes
         Order deny,allow
         Deny from All
         AuthName "Enter Your Netid and Password"
         AuthType basic
         AuthBasicProvider ldap
         AuthzLDAPAuthoritative off
         AuthLDAPBindDN "cn=sanitycheck, ou=Service, dc=example, dc=com"
         AuthLDAPBindPassword "tmd+pkx"
         AuthLDAPUrl     "ldaps://evregistryprda.cyber.example.com.cyber.example.com:1636 ldaps://chregistryprda.cyber.example.com.cyber.example.com:1636 ldaps://evregistryprdb.cyber.example.com.cyber.example.com:1636 ldaps://chregistryprdb.cyber.example.com.cyber.example.com:1636/dc=example,dc=com?uid?sub?(objectclass=*)"
         Require valid-user
         Satisfy any
</Directory>

Darryl Baker, GSEC  (he/him/his)
Sr. System Administrator
Distributed Application Platform Services
Northwestern University
1800 Sherman Ave.
Suite 6-600 – Box #39
Evanston, IL  60201-3715
[hidden email]
(847) 467-6674

Re: LDAP query translation from 2.2 to 2.4

Eric Covener
On Wed, Aug 26, 2020 at 11:34 AM Darryl Philip Baker
<[hidden email]> wrote:

Should be no difference. Can you share the verbatim error message you
get from `apachectl -t`?

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: LDAP query translation from 2.2 to 2.4

Darryl Philip Baker
All I get is:
AH00526: Syntax error on line 131 of /opt/rh/httpd24/root/etc/httpd/conf.d/ldapdir.conf:
Bad LDAP URL while parsing.

Darryl Baker, GSEC  (he/him/his)
Sr. System Administrator
Distributed Application Platform Services
Northwestern University
1800 Sherman Ave.
Suite 6-600 – Box #39
Evanston, IL  60201-3715
[hidden email]
(847) 467-6674

On 8/26/20, 10:36 AM, "Eric Covener" <[hidden email]> wrote:

    Should be no difference. Can you share the verbatim error message you
    get from `apachectl -t`?

Re: LDAP query translation from 2.2 to 2.4

Darryl Philip Baker
I have been experimenting and I can get the AuthLDAPURL line to work if I have only one host:port listed. Two or more fail. Has anyone gotten multiple host:port entries in the AuthLDAPURL argument list?

The documentation says:
host:port
The name/port of the ldap server (defaults to localhost:389 for ldap, and localhost:636 for ldaps). To specify multiple, redundant LDAP servers, just list all servers, separated by spaces. mod_authnz_ldap will try connecting to each server in turn, until it makes a successful connection. If multiple ldap servers are specified, then the entire LDAP URL must be encapsulated in double quotes.

Darryl Baker, GSEC  (he/him/his)
Sr. System Administrator
Distributed Application Platform Services
Northwestern University
1800 Sherman Ave.
Suite 6-600 – Box #39
Evanston, IL  60201-3715
[hidden email]
(847) 467-6674

On 8/26/20, 10:39 AM, "Darryl Philip Baker" <[hidden email]> wrote:

    All I get is:
    AH00526: Syntax error on line 131 of /opt/rh/httpd24/root/etc/httpd/conf.d/ldapdir.conf:
    Bad LDAP URL while parsing.
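As an added example (not from this thread and not httpd's own code), a small validator that follows the AuthLDAPUrl form the documentation quoted above describes: one scheme, a space-separated list of bare host[:port] tokens, then /basedn?attribute?scope?filter. It reports which part a URL fails on, and a companion builder emits the documented multi-host form from a host list; hostnames used in the checks are shortened constructed versions of the ones in the thread, and httpd's real parser (apr_ldap_url_parse) is not replicated, so its acceptance may differ in corner cases.

```python
import re

# AuthLDAPUrl form from the httpd docs quoted above (constructed validator,
# not httpd's apr_ldap_url_parse; acceptance may differ in corner cases):
#   ldap[s]://host[:port] [host[:port] ...]/basedn?attribute?scope?filter
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}
HOST_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?$")


def parse_auth_ldap_url(url):
    """Return the URL's parts as a dict, or raise ValueError naming the bad part."""
    m = re.match(r"^(ldaps?)://(.*)$", url, re.DOTALL)
    if not m:
        raise ValueError("URL must start with ldap:// or ldaps://")
    scheme, rest = m.group(1), m.group(2)
    if re.search(r"\sldaps?://", rest):  # a scheme repeated in front of each host
        raise ValueError("hosts must be bare host[:port] tokens; give the scheme once")
    hostpart, _, path = rest.partition("/")  # the host list ends at the first '/'
    hosts = []
    for token in hostpart.split():  # docs: redundant servers separated by spaces
        hm = HOST_RE.match(token)
        if not hm:
            raise ValueError(f"bad host:port token {token!r}")
        port = int(hm.group("port") or DEFAULT_PORT[scheme])
        if not 0 < port < 65536:
            raise ValueError(f"port out of range in {token!r}")
        hosts.append((hm.group("host"), port))
    if not hosts:  # docs: defaults to localhost on the scheme's default port
        hosts = [("localhost", DEFAULT_PORT[scheme])]
    fields = path.split("?")
    if len(fields) > 4:
        raise ValueError("more than four '?'-separated fields after the base DN")
    basedn, attr, scope, filt = fields + [""] * (4 - len(fields))
    if scope not in ("", "one", "sub", "base"):
        raise ValueError(f"unknown scope {scope!r}")
    if filt and not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("filter must be a parenthesised LDAP filter")
    return {
        "scheme": scheme, "hosts": hosts, "basedn": basedn,
        "attribute": attr or "uid",  # httpd default
        "scope": "one" if scope == "one" else "sub",  # docs: base/empty -> sub
        "filter": filt or "(objectclass=*)",  # httpd default
    }

def build_auth_ldap_url(scheme, hosts, basedn, attr="uid", scope="sub",
                        filt="(objectclass=*)"):
    """Emit the single-URL, space-separated host form the docs require."""
    hostlist = " ".join(f"{h}:{p}" for h, p in hosts)
    return f"{scheme}://{hostlist}/{basedn}?{attr}?{scope}?{filt}"
```

Fed the thread's URL shape (a fresh ldaps:// in front of every host), the validator stops at the repeated scheme; the builder's output for the same hosts parses cleanly.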