
I have an Apache2 server running in a Docker container (httpd:2.4.54-bullseye), and an LDAP server (OpenLDAP slapd 2.4.57+dfsg-3 on Debian 11.1)

I'm trying to use mod_authnz_ldap Apache module to authenticate certain users from the LDAP.

Here is the Apache config:

<AuthnProviderAlias ldap org>
  AuthLDAPURL ldap://org.com/dc=org,dc=com?uid
</AuthnProviderAlias>

<VirtualHost _default_:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /usr/local/apache2/htdocs

    <Location "/">
        AuthName "Apache2 LDAP Check"
        AuthType Basic
        AuthBasicProvider org
        Require ldap-user me collegue1 collegue2
    </Location>

</VirtualHost>

According to the docs I should only put uids in Require ldap-user .
The logs show that the authentication is done successfully, but it can't authorize any of the users in Require ldap-user !!

web_auth   | [Tue Aug 30 09:09:13.594015 2022] [authz_core:debug] [pid 10:tid 139920102389504] mod_authz_core.c(815): [client 192.168.103.66:2189] AH01626: authorization result of Require ldap-user me collegue1 collegue2: denied (no authenticated user yet)
web_auth   | [Tue Aug 30 09:09:13.594064 2022] [authz_core:debug] [pid 10:tid 139920102389504] mod_authz_core.c(815): [client 192.168.103.66:2189] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
web_auth   | [Tue Aug 30 09:09:13.594137 2022] [authnz_ldap:debug] [pid 10:tid 139920102389504] mod_authnz_ldap.c(548): [client 192.168.103.66:2189] AH01691: auth_ldap authenticate: using URL ldap://org.com/dc=org,dc=com?uid
web_auth   | [Tue Aug 30 09:09:13.599377 2022] [authnz_ldap:debug] [pid 10:tid 139920102389504] mod_authnz_ldap.c(630): [client 192.168.103.66:2189] AH01697: auth_ldap authenticate: accepting me
web_auth   | [Tue Aug 30 09:09:13.599404 2022] [authz_core:debug] [pid 10:tid 139920102389504] mod_authz_core.c(815): [client 192.168.103.66:2189] AH01626: authorization result of Require ldap-user me collegue1 collegue2: denied
web_auth   | [Tue Aug 30 09:09:13.599411 2022] [authz_core:debug] [pid 10:tid 139920102389504] mod_authz_core.c(815): [client 192.168.103.66:2189] AH01626: authorization result of <RequireAny>: denied
web_auth   | [Tue Aug 30 09:09:13.599417 2022] [authz_core:error] [pid 10:tid 139920102389504] [client 192.168.103.66:2189] AH01631: user me: authorization failure for "/":

Am I missing something?

PS: When I use Require valid-user everything works just fine!

bondif

1 Answer


Am I missing something?

Possibly! I was playing with this configuration a bit this morning, and I see exactly the same behavior you've described. First, my test configuration looks like this:

<AuthnProviderAlias ldap example>
  AuthLDAPURL ldap://ldap/ou=users,dc=example,dc=com?cn
  AuthLDAPBindDN uid=authreader,ou=system,dc=example,dc=com
  AuthLDAPBindPassword secret
</AuthnProviderAlias>

<Location "/">
  AuthName "LDAP"
  AuthType Basic
  AuthBasicProvider example
  Require ldap-user user1
</Location>

And I have an LDAP directory for dc=example,dc=com that includes cn=user1,ou=users,dc=example,dc=com and cn=user2,ou=users,dc=example,dc=com.

I enabled debug logging (LogLevel debug) in my server, and watching the logs during an authentication attempt I see:

... AH01697: auth_ldap authenticate: accepting user1
... AH01626: authorization result of Require ldap-user user1: denied

That's interesting, because it shows that mod_authnz_ldap is correctly authenticating the user. On a hunch, I replaced:

Require ldap-user user1

With:

Require user user1

And to my surprise, everything Just Worked. So, that's great, but does that mean all the documentation is wrong? That seems unlikely. As far as I can tell, this has something to do with the use of the AuthnProviderAlias directive.

I tried replacing Require ldap-user user1 with Require example-user user1, thinking that maybe the ldap- part was supposed to be a provider name, but that fails with:

Unknown Authz provider: example-user

So then I tried a configuration that doesn't use a provider alias:

<Location "/">
  AuthLDAPURL ldap://ldap/ou=users,dc=example,dc=com?cn
  AuthLDAPBindDN uid=authreader,ou=system,dc=example,dc=com
  AuthLDAPBindPassword secret

  AuthName "LDAP"
  AuthType Basic
  AuthBasicProvider ldap
  Require ldap-user user1
</Location>

This also works correctly, which I think confirms my theory that the culprit is the provider alias.

Based on the above results, my theory is that there's a bug. It looks like there has been some previous trouble in this area, see e.g. https://stackoverflow.com/questions/18874062/can-authnprovideralias-ldap-work-with-apache2-4-x.

If you need things like Require ldap-group to work (in addition to Require ldap-user), it looks like the only solution is to embed the AuthLDAP directives in the same location/directory/etc block as the Require statement. If all you need is Require user ... or Require valid-user, then using an alias should work fine.

I'm going to try to ping some other folks to confirm that we're not both missing something in the documentation.

You can find a test environment for all of this here.

larsks
Indeed, after moving the AuthLDAP directive inside the Location block, everything worked. Thanks a lot for the explanation! – bondif Aug 30 '22 at 13:33
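A small configuration checker, added here as an example (it is not code from the question, the answer, or the Apache project), that spots the pattern the answer pins down: a Require ldap-* directive inside a block whose AuthBasicProvider is an AuthnProviderAlias name with no inline AuthLDAPURL. The two sample configs are constructed from the snippets above.

```python
import re

# Constructed sample: the question's aliased setup, which authenticates but
# then fails "Require ldap-user" authorization.
ALIASED_CONFIG = """
<AuthnProviderAlias ldap org>
  AuthLDAPURL ldap://org.com/dc=org,dc=com?uid
</AuthnProviderAlias>
<Location "/">
  AuthType Basic
  AuthBasicProvider org
  Require ldap-user me collegue1
</Location>
"""

# Constructed sample: the answer's working variant with AuthLDAP* inline.
INLINE_CONFIG = """
<Location "/">
  AuthLDAPURL ldap://ldap/ou=users,dc=example,dc=com?cn
  AuthType Basic
  AuthBasicProvider ldap
  Require ldap-user user1
</Location>
"""

BLOCK_RE = re.compile(r"<(Location|Directory|Files)\b[^>]*>(.*?)</\1>", re.S | re.I)
ALIAS_RE = re.compile(r"<AuthnProviderAlias\s+ldap\s+(\S+)\s*>", re.I)


def find_alias_ldap_require_conflicts(config):
    """Return (block header, Require line) pairs where an ldap-* Require
    relies on an AuthnProviderAlias instead of inline AuthLDAP* directives."""
    aliases = {m.group(1).lower() for m in ALIAS_RE.finditer(config)}
    conflicts = []
    for m in BLOCK_RE.finditer(config):
        header = m.group(0).splitlines()[0]
        lines = [l.strip() for l in m.group(2).splitlines() if l.strip()]
        providers = set()
        for l in lines:
            if l.lower().startswith("authbasicprovider"):
                providers.update(p.lower() for p in l.split()[1:])
        has_inline_ldap = any(l.lower().startswith("authldapurl") for l in lines)
        uses_alias = bool(providers & aliases)
        for l in lines:
            # Only ldap-* authorization needs the LDAP config in the same block.
            if re.match(r"require\s+ldap-", l, re.I) and uses_alias and not has_inline_ldap:
                conflicts.append((header, l))
    return conflicts
```

Run it against your httpd.conf text; an empty result means every ldap-* Require sits next to its own AuthLDAPURL, as the answer recommends.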