0

我在服务器 2019 AD 环境中使用 Centos 8,通过 reamld 进行 AD 集成,这对于登录机器来说工作得很好。

我设置了 httpd,希望它也能与 AD 对话,这样我就可以限制对 AD 用户的访问。

我可以从 httpd 日志中看到正在发送 LDAP 查询,但它从不返回任何结果。

我已使用 ldapsearch 确认了 AD 连接详细信息,如下所示

ldapsearch -x -LLL -h company.local -D test -w password -b "OU=Users,OU=COMPANY,dc=Company,dc=local" -s sub "(ObjectClass=user)" sAMAccountName'

结果:

dn: CN=test,OU=Users,OU=COMPANY,DC=Company,DC=local
sAMAccountName: test

我运行了与 apache 用户相同的查询,以验证那里没有发生任何有趣的事情。相同的结果 - 一切都很好。

现在排队 httpd。配置如下:

<Directory "/home/test">
AuthType Basic
AuthName "login to continue"
AuthBasicProvider ldap
LDAPReferrals Off
AuthLDAPBindAuthoritative off
AuthLDAPURL "ldap://company-dc-02.company.local:389/OU=Users,OU=COMPANY,DC=Company,DC=local?SAMAaccountName?sub?(objectClass=*)"
AuthLDAPBindDN test
AuthLDAPBindPassword password
require valid-user
</Directory>

我尝试了权威、推荐等的各种组合。我总是得到登录提示,但它从未成功验证过。结果总是一样的。httpd 日志显示以下内容:

584] mod_authz_core.c(820): [client 192.168.1.171:51660] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Dec 30 17:54:05.960367 2019] [authnz_ldap:debug] [pid 14207:tid 140664675235584] mod_authnz_ldap.c(523): [client 192.168.1.171:51660] AH01691: auth_ldap authenticate: using URL ldap://company-dc-02.company.local:389/OU=Users,OU=COMPNAY,DC=Company,DC=local?SAMAaccountName?sub?(objectClass=*)
ldap_create
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP company-dc-02.company.local:389
ldap_new_socket: 27
ldap_prepare_socket: 27
ldap_connect_to_host: Trying 192.168.1.7:389
ldap_pvt_connect: fd: 27 tm: 10 async: 0
ldap_ndelay_on: 27
attempting to connect:
connect errno: 115
ldap_int_poll: fd: 27 tm: 10
ldap_is_sock_ready: 27
ldap_ndelay_off: 27
ldap_pvt_connect: 0
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x7fef04008b80 msgid 1
wait4msg ld 0x7fef04008b80 msgid 1 (timeout 60000000 usec)
wait4msg continue ld 0x7fef04008b80 msgid 1 all 0
** ld 0x7fef04008b80 Connections:
* host: company-dc-02.company.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Dec 30 17:54:05 2019


** ld 0x7fef04008b80 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7fef04008b80 request count 1 (abandoned 0)
** ld 0x7fef04008b80 Response Queue:
   Empty
  ld 0x7fef04008b80 response count 0
ldap_chkResponseList ld 0x7fef04008b80 msgid 1 all 0
ldap_chkResponseList returns ld 0x7fef04008b80 NULL
ldap_int_select
read1msg: ld 0x7fef04008b80 msgid 1 all 0
read1msg: ld 0x7fef04008b80 msgid 1 message type bind
read1msg: ld 0x7fef04008b80 0 new referrals
read1msg:  mark request completed, ld 0x7fef04008b80 msgid 1
request done: ld 0x7fef04008b80 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
ldap_search_ext
put_filter: "(&(objectClass=*)(SAMAaccountName=test))"
put_filter: AND
put_filter_list "(objectClass=*)(SAMAaccountName=test)"
put_filter: "(objectClass=*)"
put_filter: simple
put_simple_filter: "objectClass=*"
put_filter: "(SAMAaccountName=test)"
put_filter: simple
put_simple_filter: "SAMAaccountName=test"
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x7fef04008b80 msgid 2
wait4msg ld 0x7fef04008b80 msgid 2 (timeout 60000000 usec)
wait4msg continue ld 0x7fef04008b80 msgid 2 all 1
** ld 0x7fef04008b80 Connections:
* host: company-dc-02.company.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Dec 30 17:54:05 2019


** ld 0x7fef04008b80 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7fef04008b80 request count 1 (abandoned 0)
** ld 0x7fef04008b80 Response Queue:
   Empty
  ld 0x7fef04008b80 response count 0
ldap_chkResponseList ld 0x7fef04008b80 msgid 2 all 1
ldap_chkResponseList returns ld 0x7fef04008b80 NULL
ldap_int_select
read1msg: ld 0x7fef04008b80 msgid 2 all 1
read1msg: ld 0x7fef04008b80 msgid 2 message type search-result
read1msg: ld 0x7fef04008b80 0 new referrals
read1msg:  mark request completed, ld 0x7fef04008b80 msgid 2
request done: ld 0x7fef04008b80 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ldap_msgfree
ldap_err2string
[Mon Dec 30 17:54:05.968539 2019] [authnz_ldap:debug] [pid 14207:tid 140664675235584] mod_authnz_ldap.c(561): [client 192.168.1.171:51660] AH01694: auth_ldap authenticate: user test authentication failed; URI / [User not found][No such object] (not authoritative)
[Mon Dec 30 17:54:05.968558 2019] [auth_basic:error] [pid 14207:tid 140664675235584] [client 192.168.1.171:51660] AH01618: user test not found: /

什么可能是错的?这可能是一个简单的配置问题,但我只是没有看到它。

谢谢

4

1 回答 1

0

看起来 apache 中的 ldap 模块无法处理两个 OU 条目(尽管 openldap 返回正确的结果并且用户位于指定的 OU 中)。

我将连接字符串更改为

AuthLDAPURL "ldap://company-dc-02.company.local:389/DC=Company,DC=local?SAMAaccountName?sub?(objectClass=user)"

它现在似乎按预期工作。希望这可以在将来对其他人有所帮助。

于 2019-12-31T01:37:32.800 回答