weixin_39878401
2020-12-09 14:08

mod_ldap and http basic auth

What version of Cloud Foundry are you using? cf version 6.12.3

What version of the buildpack are you using? v4.3.21

If you were attempting to accomplish a task, what was it you were attempting to do?

I'm trying to enable HTTP Basic Auth via LDAP using this buildpack. For this I need mod_ldap.so, mod_auth_basic.so, mod_authnz_ldap.so and mod_authz_user.so.

I noticed that in the modules folder these modules exist, but in the defaults file some of them are not present. In my .bp-config override folder I use the following modules:

    LoadModule authn_core_module modules/mod_authn_core.so
    LoadModule authn_file_module modules/mod_authn_file.so
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule ssl_module modules/mod_ssl.so
    LoadModule auth_basic_module modules/mod_auth_basic.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    LoadModule authz_user_module modules/mod_authz_user.so

In my vhost configuration I use this:

    Options SymLinksIfOwnerMatch
    AllowOverride All
    Options Indexes FollowSymLinks
    AuthName myauth
    AuthType basic
    AuthBasicProvider ldap
    AuthLDAPURL ldaps://xxx.xxx.xxxx:686/ou=xxxo=xxxx?mail NONE
    require valid-user

(LDAP server is hidden due to NDA)

What did you expect to happen? Upon visiting the website and filling in the credentials in the browser popup window, I can get authorized.

What was the actual behavior? The popup was present and I entered valid credentials, but in the logs I can see:

    [authnz_ldap:info] [pid 88:tid 140137641551616] [client 169.53.20.57:14929] AH01695: auth_ldap authenticate: user xxxx.xxx authentication failed; URI / [LDAP: ldap initialization failed][Unknown (private extension) error]

Upon research I stumbled upon this: https://access.redhat.com/solutions/162973 but as far as I can tell, in the http/lib folder there is libaprutil-1.so.0 that should work fine.

Please confirm where necessary:
- [x] I have included a log output
- [x] My log includes an error message
- [x] I have included steps for reproduction

This question comes from the open-source project: cloudfoundry/php-buildpack
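The module list and vhost snippet from the question, pulled together into one working LDAP Basic Auth configuration with the TLS and bind settings a production deployment needs. This is an added example written for this page, not configuration from the original issue or from the php-buildpack: the LDAP host, base DN, bind DN, CA bundle path and bind-password helper are placeholders, and the `.bp-config/httpd` layout and `/home/vcap/app/htdocs` document root are assumptions about where the buildpack reads overrides. The `LogLevel` line is what makes the startup capability check visible in `cf logs`: AH01318/AH01319 ("LDAP: SSL support available") means the httpd build can do LDAPS, AH01320 ("SSL support unavailable") means it cannot, whatever the directives say.

```apache
# Added example (not from the issue): Apache 2.4 HTTP Basic Auth against LDAPS.
# Placeholders: ldap.example.org, the DNs, the CA bundle path, the docroot and
# the bind-password helper script.

# Modules needed for Basic Auth with the ldap provider. mod_authn_file is only
# required if a file-backed provider is also configured.
LoadModule authn_core_module  modules/mod_authn_core.so
LoadModule authz_core_module  modules/mod_authz_core.so
LoadModule auth_basic_module  modules/mod_auth_basic.so
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authz_user_module  modules/mod_authz_user.so

# Server-wide LDAP client settings (mod_ldap). Verify the directory server's
# certificate against a pinned CA rather than whatever trust store the
# container happens to have (assumed path inside the pushed app).
LDAPTrustedGlobalCert CA_BASE64 /home/vcap/app/.bp-config/httpd/ldap-ca.pem
LDAPVerifyServerCert  On

# Surface the apr-util LDAP capability check at startup: expect AH01318 and
# AH01319 ("SSL support available"); AH01320 means this build cannot do LDAPS.
LogLevel warn ldap:info authnz_ldap:info

<Directory "/home/vcap/app/htdocs">
    # No directory listings and no .htaccess overrides on the protected tree.
    Options -Indexes +FollowSymLinks
    AllowOverride None

    AuthType Basic
    AuthName "myauth"
    AuthBasicProvider ldap

    # Scheme and trailing connection mode must agree: ldaps:// with SSL on 636.
    # URL form: host:port/basedn?attribute?scope?filter; users log in with the
    # value of the "mail" attribute, as in the question.
    AuthLDAPURL "ldaps://ldap.example.org:636/ou=people,dc=example,dc=org?mail?sub?(objectClass=person)" SSL

    # Search bind used to locate the user before binding as that user.
    # The password is a secret: keep it out of the app repository, e.g. with
    # the exec: form (Apache >= 2.4.5), which runs a program and uses its
    # output as the password. The helper script path is an assumption.
    AuthLDAPBindDN       "cn=httpd-search,ou=service,dc=example,dc=org"
    AuthLDAPBindPassword "exec:/home/vcap/app/.bp-config/httpd/ldap-bind-password.sh"

    # Keep the default: a failed user bind is final. Setting this Off only lets
    # the request fall through to a later AuthBasicProvider; it does not repair
    # an LDAP initialisation failure.
    AuthLDAPBindAuthoritative On

    Require valid-user
</Directory>
```

With this in place, a bind failure is still logged as AH01695 from mod_authnz_ldap, but a missing or untrusted server certificate now fails the connection rather than silently succeeding, and the startup log tells you whether LDAPS is possible at all before you start changing directives.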


11 replies

  • weixin_39615956, 4 months ago

    I'm seeing the following at application start when I try to load mod_ldap & mod_ssl.

    
    2016-10-21T09:21:44.62-0400 [APP/PROC/WEB/0]OUT 13:21:44 httpd   | [Fri Oct 21 13:21:44.614079 2016] [ldap:info] [pid 46:tid 140418520225664] AH01320: LDAP: SSL support unavailable
    
    Are you seeing that in your logs as well? Try running cf logs while you push the app. This message was logged as HTTPD started up. This might account for what you're seeing, just want to make sure it matches with what you're seeing.
  • weixin_39876002, 4 months ago

    We have created an issue in Pivotal Tracker to manage this:

    https://www.pivotaltracker.com/story/show/132910743

    The labels on this github issue will be updated when the story is started.

  • weixin_39878401, 4 months ago

    -pivotal yes, I have it as well

    
    2016-10-21T15:40:49.68+0200 [App/0]      OUT 13:40:49 httpd   | [Fri Oct 21 13:40:49.672749 2016] [ssl:info] [pid 35:tid 140022518650752] AH01887: Init: Initializing (virtual) servers for SSL
    2016-10-21T15:40:49.68+0200 [App/0]      OUT 13:40:49 httpd   | [Fri Oct 21 13:40:49.672883 2016] [ssl:info] [pid 35:tid 140022518650752] AH01876: mod_ssl/2.4.23 compiled against Server: Apache/2.4.23, Library: OpenSSL/1.0.1f
    2016-10-21T15:40:49.75+0200 [App/0]      OUT 13:40:49 php-fpm | [21-Oct-2016 13:40:49] NOTICE: fpm is running, pid 39
    2016-10-21T15:40:49.75+0200 [App/0]      OUT 13:40:49 php-fpm | [21-Oct-2016 13:40:49] NOTICE: ready to handle connections
    2016-10-21T15:40:49.75+0200 [App/0]      OUT 13:40:49 httpd   | [Fri Oct 21 13:40:49.748631 2016] [ldap:info] [pid 35:tid 140022518650752] AH01320: LDAP: SSL support unavailable
    2016-10-21T15:40:49.75+0200 [App/0]      OUT 13:40:49 httpd   | [Fri Oct 21 13:40:49.748874 2016] [ssl:warn] [pid 35:tid 140022518650752] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
    2016-10-21T15:40:49.75+0200 [App/0]      OUT 13:40:49 httpd   | [Fri Oct 21 13:40:49.748884 2016] [ssl:info] [pid 35:tid 140022518650752] AH01887: Init: Initializing (virtual) servers for SSL
    2016-10-21T15:40:49.75+0200 [App/0]      OUT 13:40:49 httpd   | [Fri Oct 21 13:40:49.748893 2016] [ssl:info] [pid 35:tid 140022518650752] AH01876: mod_ssl/2.4.23 compiled against Server: Apache/2.4.23, Library: OpenSSL/1.0.1f
    2016-10-21T15:40:49.75+0200 [App/0]      OUT 13:40:49 httpd   | [Fri Oct 21 13:40:49.757133 2016] [mpm_event:notice] [pid 35:tid 140022518650752] AH00489: Apache/2.4.23 (Unix) OpenSSL/1.0.1f configured -- resuming normal operations
    2016-10-21T15:40:49.75+0200 [App/0]      OUT 13:40:49 httpd   | [Fri Oct 21 13:40:49.757237 2016] [mpm_event:info] [pid 35:tid 140022518650752] AH00490: Server built: Jul 18 2016 19:31:07
    2016-10-21T15:40:49.76+0200 [App/0]      OUT 13:40:49 httpd   | [Fri Oct 21 13:40:49.757333 2016] [core:notice] [pid 35:tid 140022518650752] AH00094: Command line: '/app/httpd/bin/httpd -f /home/vcap/app/httpd/conf/httpd.conf -D FOREGROUND'
    

    Could there be a connection with that? I'm running the application on Bluemix with a wildcard certificate already configured.

  • weixin_39615956, 4 months ago

    Kind of looks like there might be something wrong with the APR Util build. The code that generates this message is asking APR UTIL if it supports LDAP & TLS and it's getting an error (hence why we see this message). The options indicate to build with LDAP. Need to investigate / test more.

  • weixin_39990029, 4 months ago

    hey -pivotal, what were your findings here? Is something broken/does the buildpacks team need to investigate further?

  • weixin_39615956, 4 months ago

    I haven't had a chance to look into this. No time. If the build packs team has time, I would appreciate it.

  • weixin_39806413, 4 months ago

    Hi,

    We poked at this problem a bit at this end.

    We built a local example based on your snippets and saw the same log error:

    
    OUT 21:02:17 httpd   | [Mon Nov 14 21:02:17.066588 2016] [authnz_ldap:info] [pid 49:tid 140376157443840] [client 192.168.11.1:42542] AH01695: auth_ldap authenticate: user example authentication failed; URI / [LDAP: ldap initialization failed][Unknown (private extension) error]
    

    Some googling suggested setting AuthLDAPBindAuthoritative off. In our local example, this resolves the AH01695 error. Instead we get a "user not found" error (AH01618).

    This suggests that LDAP is wired up (and that we don't know how the heck to configure it).

    Can you try setting AuthLDAPBindAuthoritative off and reporting back?

  • weixin_39615956, 4 months ago

    I think I might have tracked this down. There are some libraries that are a part of apr-util that are not being copied into the binary we build of HTTPD.

    
    httpd/lib/libapr-1.so.0
    httpd/lib/apr-util-1/
    httpd/lib/apr-util-1/apr_dbd_sqlite2.so
    httpd/lib/apr-util-1/apr_ldap.so
    httpd/lib/apr-util-1/apr_dbd_sqlite3.so
    httpd/lib/apr-util-1/apr_dbd_sqlite3-1.so
    httpd/lib/apr-util-1/apr_dbd_sqlite2-1.so
    httpd/lib/apr-util-1/apr_dbd_pgsql-1.so
    httpd/lib/apr-util-1/apr_crypto_openssl.so
    httpd/lib/apr-util-1/apr_ldap-1.so
    httpd/lib/apr-util-1/apr_dbd_mysql.so
    httpd/lib/apr-util-1/apr_dbd_mysql-1.so
    httpd/lib/apr-util-1/apr_crypto_openssl-1.so
    httpd/lib/apr-util-1/apr_dbd_pgsql.so
    

    I made a test build with them and things are looking better.

    
    2016-11-18T09:14:50.27-0500 [APP/PROC/WEB/0]OUT 14:14:50 httpd   | [Fri Nov 18 14:14:50.263169 2016] [ldap:info] [pid 45:tid 139662899435392] AH01318: APR LDAP: Built with OpenLDAP LDAP SDK
    2016-11-18T09:14:50.27-0500 [APP/PROC/WEB/0]OUT 14:14:50 httpd   | [Fri Nov 18 14:14:50.263196 2016] [ldap:info] [pid 45:tid 139662899435392] AH01319: LDAP: SSL support available
    
    I will submit a PR against binary-builder to fix.

    Can you test with this build pack fork and see if your app works?

    https://github.com/dmikusa-pivotal/php-buildpack

    Thanks!

  • weixin_39878401, 4 months ago

    Hi -pivotal,

    With the missing libs included I can confirm that everything seems to work fine.

    Thanks for the time spent investigating that!

  • weixin_39615956, 4 months ago

    Great, thanks for checking!

    & - Here's the PR: https://github.com/cloudfoundry/binary-builder/pull/22

  • weixin_39743369, 4 months ago

    PR has been merged. Closing
