ksmith

Reputation: 11

CentOS 8 httpd unable to authenticate via LDAP - no results returned

I am using CentOS 8 in a Server 2019 AD environment with AD integration via realmd, which is working just fine for logging in to the machine.

I set up httpd in the hope that it would also talk to AD so I can restrict access to AD users only.

I can see from the httpd log that the LDAP query is being sent but it never returns any results.

I have confirmed the AD connection details using ldapsearch as follows

ldapsearch -x -LLL -h company.local -D test -w password -b "OU=Users,OU=COMPANY,dc=Company,dc=local" -s sub "(ObjectClass=user)" sAMAccountName

Result:

dn: CN=test,OU=Users,OU=COMPANY,DC=Company,DC=local
sAMAccountName: test

I ran the same query as the apache user to verify there was nothing funny going on there. Same results - all fine.

Now cue httpd. Config is as follows:

<Directory "/home/test">
AuthType Basic
AuthName "login to continue"
AuthBasicProvider ldap
LDAPReferrals Off
AuthLDAPBindAuthoritative off
AuthLDAPURL "ldap://company-dc-02.company.local:389/OU=Users,OU=COMPANY,DC=Company,DC=local?SAMAaccountName?sub?(objectClass=*)"
AuthLDAPBindDN test
AuthLDAPBindPassword password
require valid-user
</Directory>

I have tried various combinations of authoritative, referrals etc. I always get the login prompt, but it never successfully authenticates. The result is always the same. The httpd log shows the following:

584] mod_authz_core.c(820): [client 192.168.1.171:51660] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Dec 30 17:54:05.960367 2019] [authnz_ldap:debug] [pid 14207:tid 140664675235584] mod_authnz_ldap.c(523): [client 192.168.1.171:51660] AH01691: auth_ldap authenticate: using URL ldap://company-dc-02.company.local:389/OU=Users,OU=COMPNAY,DC=Company,DC=local?SAMAaccountName?sub?(objectClass=*)
ldap_create
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP company-dc-02.company.local:389
ldap_new_socket: 27
ldap_prepare_socket: 27
ldap_connect_to_host: Trying 192.168.1.7:389
ldap_pvt_connect: fd: 27 tm: 10 async: 0
ldap_ndelay_on: 27
attempting to connect:
connect errno: 115
ldap_int_poll: fd: 27 tm: 10
ldap_is_sock_ready: 27
ldap_ndelay_off: 27
ldap_pvt_connect: 0
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x7fef04008b80 msgid 1
wait4msg ld 0x7fef04008b80 msgid 1 (timeout 60000000 usec)
wait4msg continue ld 0x7fef04008b80 msgid 1 all 0
** ld 0x7fef04008b80 Connections:
* host: company-dc-02.company.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Dec 30 17:54:05 2019


** ld 0x7fef04008b80 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7fef04008b80 request count 1 (abandoned 0)
** ld 0x7fef04008b80 Response Queue:
   Empty
  ld 0x7fef04008b80 response count 0
ldap_chkResponseList ld 0x7fef04008b80 msgid 1 all 0
ldap_chkResponseList returns ld 0x7fef04008b80 NULL
ldap_int_select
read1msg: ld 0x7fef04008b80 msgid 1 all 0
read1msg: ld 0x7fef04008b80 msgid 1 message type bind
read1msg: ld 0x7fef04008b80 0 new referrals
read1msg:  mark request completed, ld 0x7fef04008b80 msgid 1
request done: ld 0x7fef04008b80 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
ldap_search_ext
put_filter: "(&(objectClass=*)(SAMAaccountName=test))"
put_filter: AND
put_filter_list "(objectClass=*)(SAMAaccountName=test)"
put_filter: "(objectClass=*)"
put_filter: simple
put_simple_filter: "objectClass=*"
put_filter: "(SAMAaccountName=test)"
put_filter: simple
put_simple_filter: "SAMAaccountName=test"
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x7fef04008b80 msgid 2
wait4msg ld 0x7fef04008b80 msgid 2 (timeout 60000000 usec)
wait4msg continue ld 0x7fef04008b80 msgid 2 all 1
** ld 0x7fef04008b80 Connections:
* host: company-dc-02.company.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Dec 30 17:54:05 2019


** ld 0x7fef04008b80 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7fef04008b80 request count 1 (abandoned 0)
** ld 0x7fef04008b80 Response Queue:
   Empty
  ld 0x7fef04008b80 response count 0
ldap_chkResponseList ld 0x7fef04008b80 msgid 2 all 1
ldap_chkResponseList returns ld 0x7fef04008b80 NULL
ldap_int_select
read1msg: ld 0x7fef04008b80 msgid 2 all 1
read1msg: ld 0x7fef04008b80 msgid 2 message type search-result
read1msg: ld 0x7fef04008b80 0 new referrals
read1msg:  mark request completed, ld 0x7fef04008b80 msgid 2
request done: ld 0x7fef04008b80 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ldap_msgfree
ldap_err2string
[Mon Dec 30 17:54:05.968539 2019] [authnz_ldap:debug] [pid 14207:tid 140664675235584] mod_authnz_ldap.c(561): [client 192.168.1.171:51660] AH01694: auth_ldap authenticate: user test authentication failed; URI / [User not found][No such object] (not authoritative)
[Mon Dec 30 17:54:05.968558 2019] [auth_basic:error] [pid 14207:tid 140664675235584] [client 192.168.1.171:51660] AH01618: user test not found: /

What could possibly be wrong? It is probably a simple configuration issue but I'm just not seeing it.

Thanks

Upvotes: 0

Views: 1686

Answers (1)

ksmith

Reputation: 11

It looks like the ldap module in apache couldn't handle two OU entries (despite openldap returning the right results and the user being in the specified OU).

I changed my connection string to

AuthLDAPURL "ldap://company-dc-02.company.local:389/DC=Company,DC=local?SAMAaccountName?sub?(objectClass=user)"

And it now seems to work as expected. Hopefully this can help someone else in future.

Upvotes: 1
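As an added check (example code, not from the question or the answer above, and not part of mod_authnz_ldap): the question's log shows the search httpd sends, `(&(objectClass=*)(SAMAaccountName=test))`, which mod_authnz_ldap builds from the AuthLDAPURL plus the login name, and the answer's fix changes only the URL's base DN and filter. The Python below, standard library only and contacting no directory, reproduces that construction from an AuthLDAPURL, escapes the login name the way a filter value must be escaped (Apache escapes these characters too), and compares the URL against what the ldapsearch in the question returned: whether the attribute named in the URL is the one ldapsearch selected, and whether the user's DN really sits under the URL's base DN. The URLs and the user DN are copied from the question, the answer and the AH01691 log line; the login name `*)(objectClass=*` is a constructed value, included only to show why the escaping matters.

```python
"""Reproduce the search mod_authnz_ldap builds from an AuthLDAPURL and
check it against what ldapsearch showed for the user. Added example;
nothing here talks to a directory server."""
from urllib.parse import urlsplit, unquote

# Defaults used by mod_authnz_ldap when a URL field is left empty.
DEFAULT_ATTRIBUTE = "uid"
DEFAULT_SCOPE = "sub"
DEFAULT_FILTER = "(objectClass=*)"

# RFC 4515 escapes for characters that carry meaning inside a filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Values copied from the question, the answer and the AH01691 log line.
QUESTION_URL = ("ldap://company-dc-02.company.local:389/"
                "OU=Users,OU=COMPANY,DC=Company,DC=local?SAMAaccountName?sub?(objectClass=*)")
LOG_URL = ("ldap://company-dc-02.company.local:389/"
           "OU=Users,OU=COMPNAY,DC=Company,DC=local?SAMAaccountName?sub?(objectClass=*)")
ANSWER_URL = ("ldap://company-dc-02.company.local:389/"
              "DC=Company,DC=local?SAMAaccountName?sub?(objectClass=user)")
USER_DN = "CN=test,OU=Users,OU=COMPANY,DC=Company,DC=local"   # from the ldapsearch output
LDAPSEARCH_ATTRIBUTE = "sAMAccountName"                        # attribute ldapsearch asked for


def parse_auth_ldap_url(url):
    """Split scheme://host[:port]/basedn?attribute?scope?filter into its parts."""
    parts = urlsplit(url)
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))            # pad missing attribute/scope/filter
    attribute, scope, filt = (unquote(f) for f in fields[:3])
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base": unquote(parts.path.lstrip("/")),
        "attribute": attribute or DEFAULT_ATTRIBUTE,
        "scope": scope or DEFAULT_SCOPE,
        "filter": filt or DEFAULT_FILTER,
    }


def escape_filter_value(value):
    """Escape a user-supplied value before it is placed inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(url_parts, login, escape=True):
    """Return (&(<url filter>)(<attribute>=<login>)), the form seen in the log.

    One outer pair of parentheses is stripped from the URL filter and re-added.
    escape=False exists only to show what an unescaped build would send.
    """
    inner = url_parts["filter"]
    if inner.startswith("(") and inner.endswith(")"):
        inner = inner[1:-1]
    value = escape_filter_value(login) if escape else login
    return "(&(%s)(%s=%s))" % (inner, url_parts["attribute"], value)


def normalize_dn(dn):
    """RDN list, case-folded and trimmed. Enough for AD DNs without escaped commas."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_under_base(dn, base):
    """True when dn is the base entry itself or lies below it."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def same_attribute(a, b):
    """LDAP attribute names compare case-insensitively; spelling still has to match."""
    return a.lower() == b.lower()


def diagnose(url, login, user_dn, user_attribute):
    """Compare an AuthLDAPURL with what ldapsearch showed for the user."""
    parts = parse_auth_ldap_url(url)
    return {
        "filter": build_filter(parts, login),
        "scope": parts["scope"],
        "attribute_matches": same_attribute(parts["attribute"], user_attribute),
        "dn_under_base": dn_under_base(user_dn, parts["base"]),
        "cleartext": parts["scheme"] == "ldap",   # ldap:// sends bind passwords unencrypted
    }


if __name__ == "__main__":
    for name, url in (("question", QUESTION_URL), ("log", LOG_URL), ("answer", ANSWER_URL)):
        print(name, diagnose(url, "test", USER_DN, LDAPSEARCH_ATTRIBUTE))
    print("unescaped login:", build_filter(parse_auth_ldap_url(QUESTION_URL), "*)(objectClass=*", escape=False))
```

Run it as-is and compare the `filter` value with the `put_filter` line in your own log; if they differ, the running httpd is not using the config you think it is. `attribute_matches` and `dn_under_base` are the two things that make a search return nothing even though a bind succeeds, and a URL with `ldap://` on port 389 (the `cleartext` flag) carries the AuthLDAPBindPassword and every user's password unencrypted, so in production use `ldaps://` or `LDAPTrustedMode TLS`.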
