multiple ldap authn sources


multiple ldap authn sources

McIntyre, Vincent (CASS, Marsfield)
Hi

this has come up a few times in the past and I've tried to use the
list archives to check my config. I'm still not able to get the
behaviour I think should be supported, perhaps someone can explain.

The server is apache-2.4.38 (debian buster) with prefork MPM.
I have two ldap sources, where many of the usernames are the same
but the DN trees are quite different, as are the passwords.

In the global config I defined these AuthN aliases

<AuthnProviderAlias ldap ldap-blue>
    AuthLDAPURL "ldap://<some url>" TLS
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-red>
    AuthLDAPURL "ldap://<another url>" NONE
    AuthLDAPBindDN "<redacted>"
    AuthLDAPBindPassword "<redacted>"
</AuthnProviderAlias>

Then I try to use these in a virtual host.
I can use either of ldap-red or ldap-blue individually, they work.
Also combining a 'file' source with either of them works fine.

The problem comes when I try to use them together

    AuthType Basic
    AuthBasicProvider ldap-blue ldap-red

    AuthName "Red or Blue credentials"

    Require all denied
    <RequireAny>
         Require valid-user
    </RequireAny>

The only one that works is ldap-blue.
If I swap them so that ldap-red appears first in the list,
then it is the only one that works.

My understanding is that the password is checked by trying to bind
and if it finds the user but fails to bind, it considers that
a wrong password. That's fine. The issue is that it seems not
to try the next ldap source that has been configured.

If this is not supported, can somebody please explain why?
Can we also document that in [1]? The example there with
multiple file sources suggests that multiple ldap sources
should be supported as well. The ldap example doesn't really
contradict that idea.

From my reading it seems that if the user is one that is not found
in the first ldap source, the next source is indeed checked.

Further, my understanding was that if I set

    AuthLDAPBindAuthoritative off

then if the first ldap source fails, the next would be tried.
This doesn't happen in my experience. Rather, it seems that it only
tries another _type_ of authn source, for example a file source.

Kind regards
Vince

[1] http://httpd.apache.org/docs/2.4/mod/mod_authn_core.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: multiple ldap authn sources

sebb-2-2
On Mon, 24 Feb 2020 at 06:30, McIntyre, Vincent (CASS, Marsfield)
<[hidden email]> wrote:

>
> Hi
>
> this has come up a few times in the past and I've tried to use the
> list archives to check my config. I'm still not able to get the
> behaviour I think should be supported, perhaps someone can explain.
>
> The server is apache-2.4.38 (debian buster) with prefork MPM.
> I have two ldap sources, where many of the usernames are the same
> but the DN trees are quite different, as are the passwords.
>
> In the global config I defined these AuthN aliases
>
> <AuthnProviderAlias ldap ldap-blue>
>     AuthLDAPURL "ldap://<some url>" TLS
> </AuthnProviderAlias>

Just a thought - I've no experience with this setup:
Maybe you need to provide the Bind details above?

> [...]


Re: multiple ldap authn sources

McIntyre, Vincent (CASS, Marsfield)
On Sat, Feb 29, 2020 at 11:07:30PM +0000, sebb wrote:

>On Mon, 24 Feb 2020 at 06:30, McIntyre, Vincent (CASS, Marsfield)
><[hidden email]> wrote:
>>
>> Hi
>>
>> this has come up a few times in the past and I've tried to use the
>> list archives to check my config. I'm still not able to get the
>> behaviour I think should be supported, perhaps someone can explain.
>>
>> The server is apache-2.4.38 (debian buster) with prefork MPM.
>> I have two ldap sources, where many of the usernames are the same
>> but the DN trees are quite different, as are the passwords.
>>
>> In the global config I defined these AuthN aliases
>>
>> <AuthnProviderAlias ldap ldap-blue>
>>     AuthLDAPURL "ldap://<some url>" TLS
>> </AuthnProviderAlias>
>
>Just a thought - I've no experience with this setup:
>Maybe you need to provide the Bind details above?

I don't think that should be needed as this provider
works fine when it is used on its own or in combination
with a file type provider.

Regards
Vince

Re: [ExternalEmail] Re: [users@httpd] multiple ldap authn sources

McIntyre, Vincent (CASS, Marsfield)
On Sun, Mar 01, 2020 at 09:20:01PM +0000, McIntyre, Vincent (CASS, Marsfield) wrote:

> [...]
>
>I don't think that should be needed as this provider
>works fine when it is used on its own or in combination
>with a file type provider.


For my use case the magic turns out to be:

  AuthLDAPBindAuthoritative off

Revisiting the example I gave
(where many of the usernames are the same between the ldap sources
 but the DN trees are quite different, as are the passwords.)

<AuthnProviderAlias ldap ldap-blue>
    AuthLDAPURL "ldap://<some url>" TLS
    AuthLDAPBindAuthoritative off
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-red>
    AuthLDAPURL "ldap://<another url>" NONE
    AuthLDAPBindDN "<redacted>"
    AuthLDAPBindPassword "<redacted>"
    AuthLDAPBindAuthoritative off
</AuthnProviderAlias>

<Location /private>
    AuthType Basic
    AuthBasicProvider ldap-blue ldap-red

    AuthName "Red or Blue credentials"

    Require all denied
    <RequireAny>
         Require valid-user
    </RequireAny>
</Location>

This lets an authentication attempt with credentials meant for
the 'red' system try and fail with the first ldap source,
and then try with the second source, returning success in the end.

Unfortunately the wording of [1] does not really lead one to this
understanding because it is focused on using different auth modules
(file vs ldap). Suggested wording tweak:

   This allows users present in both LDAP and AuthUserFile to
   authenticate when the LDAP server is available but the user's
   account is locked or password is otherwise unusable.
 + It also allows a given set of user credentials to be checked
 + against multiple LDAP sources.

[1]
https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#authldapbindauthoritative

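The behaviour Vince describes in the first message (the chain stops at a failed bind, but does move on when the user is simply not found) and the fix in the last one (AuthLDAPBindAuthoritative off) are easiest to see as a small model of the provider walk. The following is an added example, not httpd source and not anything posted in the thread. The two "directories", DNs and passwords are constructed; LdapAlias is a simplified stand-in for the mod_authnz_ldap check-password step, and the model assumes, per the directive's documentation, that a failed bind is reported to mod_auth_basic as AUTH_DENIED when the directive is On and as AUTH_USER_NOT_FOUND when it is Off. It also goes one step past the thread by modelling a locked account in the first source.

```python
"""Model of how mod_auth_basic walks an AuthBasicProvider list and how
AuthLDAPBindAuthoritative changes what an LDAP provider hands back.

Added example, not httpd code. Directories, DNs and passwords are
constructed. Assumption (taken from the directive's documentation): a
failed bind is AUTH_DENIED with BindAuthoritative On and
AUTH_USER_NOT_FOUND with it Off.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class AuthResult(Enum):
    GRANTED = "AUTH_GRANTED"
    DENIED = "AUTH_DENIED"
    USER_NOT_FOUND = "AUTH_USER_NOT_FOUND"


@dataclass
class LdapAlias:
    """One <AuthnProviderAlias ldap NAME> block, reduced to what matters here."""
    name: str
    directory: Dict[str, Tuple[str, str]]          # constructed: uid -> (DN, password)
    bind_authoritative: bool = True                # httpd default for AuthLDAPBindAuthoritative
    locked: Set[str] = field(default_factory=set)  # DNs the server refuses to bind as

    def check_password(self, user: str, password: str) -> AuthResult:
        # 1. Search the AuthLDAPURL base for the user. No entry means this
        #    provider has nothing to say and the chain moves on.
        entry = self.directory.get(user)
        if entry is None:
            return AuthResult.USER_NOT_FOUND
        dn, stored = entry
        # 2. Bind as that DN with the supplied password.
        if dn not in self.locked and password == stored:
            return AuthResult.GRANTED
        # Bind failed. On (default): this answer is final for the request.
        # Off: reported as "not found" so the next provider gets a turn.
        return AuthResult.DENIED if self.bind_authoritative else AuthResult.USER_NOT_FOUND


def auth_basic_provider(providers: List[LdapAlias], user: str,
                        password: str) -> Tuple[AuthResult, Optional[str]]:
    """Walk the list like mod_auth_basic: stop at the first GRANTED or DENIED,
    keep going only while a provider answers USER_NOT_FOUND."""
    for provider in providers:
        result = provider.check_password(user, password)
        if result is not AuthResult.USER_NOT_FOUND:
            return result, provider.name
    # Every provider passed; with AuthBasicAuthoritative On httpd answers 401 here.
    return AuthResult.USER_NOT_FOUND, None


# Constructed data matching the thread: the same uid in both trees with
# different DNs and different passwords; 'redonly' exists in one tree only.
BLUE_DIR = {"vince": ("uid=vince,ou=people,dc=blue,dc=example", "blue-secret")}
RED_DIR = {"vince": ("cn=vince,ou=staff,dc=red,dc=example", "red-secret"),
           "redonly": ("cn=redonly,ou=staff,dc=red,dc=example", "r3d")}


def authenticate(user: str, password: str, bind_authoritative: bool = True,
                 blue_locked: bool = False) -> Tuple[AuthResult, Optional[str]]:
    """AuthBasicProvider ldap-blue ldap-red, both aliases sharing one
    AuthLDAPBindAuthoritative setting; optionally lock vince's blue account."""
    blue = LdapAlias("ldap-blue", BLUE_DIR, bind_authoritative,
                     {BLUE_DIR["vince"][0]} if blue_locked else set())
    red = LdapAlias("ldap-red", RED_DIR, bind_authoritative)
    return auth_basic_provider([blue, red], user, password)


if __name__ == "__main__":
    cases = [
        ("vince", "red-secret", True, False),   # the problem in the thread
        ("vince", "red-secret", False, False),  # the fix
        ("redonly", "r3d", True, False),        # not in blue: chain continues regardless
        ("vince", "wrong", False, False),       # nobody accepts: falls through to 401
        ("vince", "red-secret", False, True),   # blue account locked, red still admits
    ]
    for user, pw, auth, locked in cases:
        result, who = authenticate(user, pw, auth, locked)
        print(f"{user:8} BindAuthoritative={'On ' if auth else 'Off'} "
              f"blue_locked={str(locked):5} -> {result.value} via {who}")
```

The last case is the caveat to weigh before copying the fix: once AuthLDAPBindAuthoritative is off, a bind failure in ldap-blue (wrong password, or a locked or disabled account) is no longer final for the request, so anyone holding valid ldap-red credentials for the same username is admitted. The effective policy for the location becomes "any listed source accepts", and a lockout applied in one directory does not lock that username out of the resource.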