Reverse proxy authentication using LDAP in WAMP is

2019-07-24 18:06发布

Using reverse proxy I have redirected My PHP application hosted in WAMP to Grafana. Now I am trying to authenticate the reverse proxy user using LDAP. It is giving me an error as auth_ldap authenticate: user yajana authentication failed; URI /grafana/ [LDAP: ldap_simple_bind() failed][Invalid DN Syntax] and denied (no authenticated user yet).

How to resolve this error?

Here is my httpd.conf file:

LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule xml2enc_module modules/mod_xml2enc.so


<Directory />
    AllowOverride none
    Require all denied
</Directory>


<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

<VirtualHost *:80>
  ServerName localhost
  RewriteEngine on
  ErrorLog "logs/authproxy-error_log"
  CustomLog "logs/authproxy-access_log" common
  <Location "/grafana/">
        LDAPReferrals off
        AuthType Basic
        AuthName GrafanaAuthProxy
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://localhost:389/dc=maxcrc,dc=com"
        AuthLDAPBindDN "cn=Manager,dc=maxcrc,dc=com"
        AuthLDAPBindPassword "secret"
        AuthLDAPGroupAttributeIsDN off
        Require ldap-filter ldapsettingshere
        AuthLDAPMaxSubGroupDepth 1
        RequestHeader unset Authorization
        allow from all
        Require valid-user
  </Location>   
  <Proxy *>

        # Require valid-user
        RewriteEngine On
        RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
        RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
  </Proxy>
  RequestHeader unset Authorization
  ProxyRequests Off
  ProxyPass /grafana/ http://localhost:3000/
  ProxyPassReverse /grafana/ http://localhost:3000
</VirtualHost>

Include "${INSTALL_DIR}/alias/*"

Error Log is

authorization result of Require ldap-filter ldapsettingshere: denied (no authenticated user yet)
authorization result of Require valid-user : denied (no authenticated user yet)
authorization result of <RequireAny>: denied (no authenticated user yet)
authorization result of Require ldap-filter ldapsettingshere: denied (no authenticated user yet)
authorization result of Require valid-user : denied (no authenticated user yet)
authorization result of <RequireAny>: denied (no authenticated user yet)
auth_ldap authenticate: using URL ldap://localhost:389/dc=maxcrc,dc=com
auth_ldap authenticate: user yajana rao authentication failed; URI /grafana/ [User not found][No Such Object]
user yajana rao not found: /grafana/

apache version : 2.4.23

Update: Update bind_dn according to the Answer

2条回答
混吃等死
2楼-- · 2019-07-24 18:38

I have been able to resolve the issue by editing the AuthLDAPURL to

AuthLDAPURL "ldap://localhost:389/dc=maxcrc,dc=com?cn,ou?sub"

查看更多
混吃等死
3楼-- · 2019-07-24 18:49

AuthLDAPBindDN "Manager@maxcrc.com"

The bind-DN in a simple bind request must be a full DN. Thus AuthLDAPBindDN must contain a DN string like defined in RFC 4514. A value like "Manager@maxcrc.com" will work only for MS AD and not with any other LDAP server.

AuthLDAPURL "ldap://localhost:389/dc=maxcrc,dc=com"

Furthermore a username has to be mapped to a full bind-DN before checking the user's password. mod_authnz_ldap will by default assume uid being the LDAP attribute to use in a search. But you can tweak this for your LDAP server by setting attribute in AuthLDAPUrl. If you're using MS AD this would be sAMAccountName.

查看更多
登录 后发表回答