Score:1

Apache 2.4 and LDAP. Basic authentication issues


I'm using CentOS 8 Stream + Apache 2.4 + Subversion.

I want to allow access to SVN only for users who belong to a specific LDAP group (svn-users).

I have the following problems.


case 1. Enter the correct ID / PW as an LDAP user belonging to svn-users

This works as expected.

This user can access SVN.


case 2. Enter the correct ID / PW as an LDAP user that does not belong to svn-users

This does not work as expected.

I expected that this user could not access SVN, but in reality they can.


case 3. Enter the wrong LDAP ID / PW

500 Internal Server Error occurs.

For browsers, the Basic authentication dialog does not reappear and the user must restart the browser.


I want to solve cases 2 and 3.

Can anyone help me?

My config and log are below.

/etc/httpd/conf/httpd.conf

[root@my-redmine conf]# cat httpd.conf | egrep -v "^\s*#|^$"
ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin root@localhost
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
<Files ".ht*">
    Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
<IfModule mime_module>
    TypesConfig /etc/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>
EnableSendfile on
IncludeOptional conf.d/subversion.conf
[root@my-redmine conf]#

/etc/httpd/conf.d/subversion.conf

[root@my-redmine conf.d]# cat subversion.conf | egrep -v "^\s*#|^$"
<Location /svn/svn-test>
    DAV svn
    SVNPath /usr/local/svn/svn-test
    LogLevel debug

    AuthLDAPBindDN <MyAdmin>
    AuthLDAPBindPassword <MyAdminPassword>
    LDAPReferrals off
    AuthLDAPBindAuthoritative off
    AuthType Basic
    AuthName "Subversion repository(LDAP)"
    AuthBasicAuthoritative off
    AuthUserFile /dev/null
    AuthBasicProvider ldap
    AuthzSVNAccessFile /usr/local/svn/svn-test/authzsvn.conf
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPGroupAttribute memberUid
    AuthLDAPUrl ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
    Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local
</Location>
[root@my-redmine conf.d]#

module include

[root@my-redmine conf.d]# httpd -t -M | grep auth
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_anon_module (shared)
 authn_core_module (shared)
 authn_dbd_module (shared)
 authn_dbm_module (shared)
 authn_file_module (shared)
 authn_socache_module (shared)
 authz_core_module (shared)
 authz_dbd_module (shared)
 authz_dbm_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_owner_module (shared)
 authz_user_module (shared)
 authnz_ldap_module (shared)
 authz_svn_module (shared)
[root@my-redmine conf.d]#

case 1 error_log

[Tue Jul 20 21:56:43.046463 2021] [authz_svn:info] [pid 195900:tid 140586535274240] [client 192.168.100.120:61050] Access granted: - GET (null)
[Tue Jul 20 21:56:43.046514 2021] [authz_core:debug] [pid 195900:tid 140586535274240] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:56:43.046519 2021] [authz_core:debug] [pid 195900:tid 140586535274240] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.339879 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.339918 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.339927 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(523): [client 192.168.100.120:61050] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:56:45.343581 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(620): [client 192.168.100.120:61050] AH01697: auth_ldap authenticate: accepting svnuser
[Tue Jul 20 21:56:45.343608 2021] [authz_svn:info] [pid 195900:tid 140586518488832] [client 192.168.100.120:61050] Access granted: 'svnuser' GET (null)
[Tue Jul 20 21:56:45.343845 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.343852 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.343858 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(523): [client 192.168.100.120:61050] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:56:45.343869 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(620): [client 192.168.100.120:61050] AH01697: auth_ldap authenticate: accepting svnuser
[Tue Jul 20 21:56:45.343876 2021] [authz_svn:debug] [pid 195900:tid 140586518488832] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.168.100.120:61050] Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
[Tue Jul 20 21:56:45.343905 2021] [authz_svn:info] [pid 195900:tid 140586518488832] [client 192.168.100.120:61050] Access granted: 'svnuser' GET svn-test:/branches
[Tue Jul 20 21:56:45.343929 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.343942 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.343946 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(523): [client 192.168.100.120:61050] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:56:45.343953 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(620): [client 192.168.100.120:61050] AH01697: auth_ldap authenticate: accepting svnuser
[Tue Jul 20 21:56:45.343958 2021] [authz_svn:debug] [pid 195900:tid 140586518488832] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.168.100.120:61050] Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
[Tue Jul 20 21:56:45.343961 2021] [authz_svn:info] [pid 195900:tid 140586518488832] [client 192.168.100.120:61050] Access granted: 'svnuser' GET svn-test:/tags
[Tue Jul 20 21:56:45.343974 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.343977 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.343980 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(523): [client 192.168.100.120:61050] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:56:45.343987 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(620): [client 192.168.100.120:61050] AH01697: auth_ldap authenticate: accepting svnuser
[Tue Jul 20 21:56:45.343991 2021] [authz_svn:debug] [pid 195900:tid 140586518488832] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.168.100.120:61050] Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
[Tue Jul 20 21:56:45.343994 2021] [authz_svn:info] [pid 195900:tid 140586518488832] [client 192.168.100.120:61050] Access granted: 'svnuser' GET svn-test:/trunk

case 2 error_log

[Tue Jul 20 21:57:46.345179 2021] [authz_svn:info] [pid 195900:tid 140586577237760] [client 192.168.100.120:61657] Access granted: - GET (null)
[Tue Jul 20 21:57:46.345227 2021] [authz_core:debug] [pid 195900:tid 140586577237760] mod_authz_core.c(820): [client 192.168.100.120:61657] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:57:46.345231 2021] [authz_core:debug] [pid 195900:tid 140586577237760] mod_authz_core.c(820): [client 192.168.100.120:61657] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.242776 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.242818 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.242828 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(523): [client 192.168.100.120:51105] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:57:52.242843 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(620): [client 192.168.100.120:51105] AH01697: auth_ldap authenticate: accepting not-svnuser
[Tue Jul 20 21:57:52.242854 2021] [authz_svn:info] [pid 195902:tid 140586619234048] [client 192.168.100.120:51105] Access granted: 'not-svnuser' GET (null)
[Tue Jul 20 21:57:52.243059 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.243069 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.243074 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(523): [client 192.168.100.120:51105] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:57:52.243080 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(620): [client 192.168.100.120:51105] AH01697: auth_ldap authenticate: accepting not-svnuser
[Tue Jul 20 21:57:52.243104 2021] [authz_svn:debug] [pid 195902:tid 140586619234048] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.168.100.120:51105] Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
[Tue Jul 20 21:57:52.243190 2021] [authz_svn:info] [pid 195902:tid 140586619234048] [client 192.168.100.120:51105] Access granted: 'not-svnuser' GET svn-test:/branches
[Tue Jul 20 21:57:52.243215 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.243220 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.243224 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(523): [client 192.168.100.120:51105] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:57:52.243231 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(620): [client 192.168.100.120:51105] AH01697: auth_ldap authenticate: accepting not-svnuser
[Tue Jul 20 21:57:52.243235 2021] [authz_svn:debug] [pid 195902:tid 140586619234048] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.168.100.120:51105] Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
[Tue Jul 20 21:57:52.243238 2021] [authz_svn:info] [pid 195902:tid 140586619234048] [client 192.168.100.120:51105] Access granted: 'not-svnuser' GET svn-test:/tags
[Tue Jul 20 21:57:52.243248 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.243251 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.243254 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(523): [client 192.168.100.120:51105] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:57:52.243261 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(620): [client 192.168.100.120:51105] AH01697: auth_ldap authenticate: accepting not-svnuser
[Tue Jul 20 21:57:52.243265 2021] [authz_svn:debug] [pid 195902:tid 140586619234048] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.168.100.120:51105] Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
[Tue Jul 20 21:57:52.243274 2021] [authz_svn:info] [pid 195902:tid 140586619234048] [client 192.168.100.120:51105] Access granted: 'not-svnuser' GET svn-test:/trunk

case 3 error_log

[Tue Jul 20 21:55:55.187406 2021] [authz_svn:info] [pid 195900:tid 140586669557504] [client 192.168.100.120:56967] Access granted: - GET (null)
[Tue Jul 20 21:55:55.187474 2021] [authz_core:debug] [pid 195900:tid 140586669557504] mod_authz_core.c(820): [client 192.168.100.120:56967] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:55:55.187484 2021] [authz_core:debug] [pid 195900:tid 140586669557504] mod_authz_core.c(820): [client 192.168.100.120:56967] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:55:58.763087 2021] [authz_core:debug] [pid 195900:tid 140586635986688] mod_authz_core.c(820): [client 192.168.100.120:56967] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:55:58.763150 2021] [authz_core:debug] [pid 195900:tid 140586635986688] mod_authz_core.c(820): [client 192.168.100.120:56967] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:55:58.763159 2021] [authnz_ldap:debug] [pid 195900:tid 140586635986688] mod_authnz_ldap.c(523): [client 192.168.100.120:56967] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:55:58.765260 2021] [authnz_ldap:debug] [pid 195900:tid 140586635986688] mod_authnz_ldap.c(561): [client 192.168.100.120:56967] AH01694: auth_ldap authenticate: user svnuser authentication failed; URI /svn/svn-test/ [ldap_simple_bind() to check user credentials failed][Invalid credentials] (not authoritative)
[Tue Jul 20 21:55:58.765297 2021] [authn_core:error] [pid 195900:tid 140586635986688] [client 192.168.100.120:56967] AH01796: AuthType Basic configured without corresponding module

Score:0

Try removing AuthzBasicAuthoritative and setting AuthzLDAPBindAuthoritative = on.

That way auth should fail immediately without trying to fall through to any other auth mechanisms.
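
The answer's change applied to the question's subversion.conf, as an added example (not the poster's final configuration). It keeps the question's paths, DNs and the `<MyAdmin>` placeholders; the explanation of case 2 in the comments is an assumption drawn from the log order, not something stated on the page.

```apache
# /etc/httpd/conf.d/subversion.conf (added example; bind DN/password are placeholders)
<Location /svn/svn-test>
    DAV svn
    SVNPath /usr/local/svn/svn-test
    LogLevel debug

    AuthType Basic
    AuthName "Subversion repository (LDAP)"
    AuthBasicProvider ldap
    # Removed: "AuthBasicAuthoritative off" and "AuthUserFile /dev/null".
    # With the provider non-authoritative, a failed LDAP bind (case 3) fell
    # through to a provider that was not configured, giving AH01796 and a 500.

    AuthLDAPUrl ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
    AuthLDAPBindDN <MyAdmin>
    AuthLDAPBindPassword <MyAdminPassword>
    LDAPReferrals off
    # Changed from "off": an LDAP bind failure is now final, so the client
    # receives 401 and the browser re-prompts instead of getting a 500.
    AuthLDAPBindAuthoritative on

    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local

    # Case 2 (assumption, not stated on the page): mod_authz_svn checks the
    # access file first, and the log shows "Access granted: 'not-svnuser'"
    # with no later authz_core verdict. If the access file grants everyone
    # (e.g. "* = rw"), Apache 2.4 treats the request as authorized and the
    # Require ldap-group above is never evaluated, so the file itself must
    # not grant "*" if the LDAP group is meant to be the gate.
    AuthzSVNAccessFile /usr/local/svn/svn-test/authzsvn.conf
</Location>
```

Check with `httpd -t` before reloading; a wrong password in case 3 should now appear in error_log as AH01694 followed by a 401, not AH01796.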

Thanks for your help. I removed AuthBasicAuthoritative and added AuthLDAPBindAuthoritative, so case 3 was solved! And I found a case 2 solution; I'm trying it. https://stackoverflow.com/questions/38996719/apache-svn-authorize-to-active-directory-group