Author Topic: [SOLVED] Apache LDAP authentication for external applications in Zentyal 2.3  (Read 14696 times)

martinique

I'm currently migrating some web applications running in an old eBox system to work with the latest Zentyal. PHP authenticates Zentyal users without any problems (just had to connect to port 390 instead of 389), but I'm having trouble with Apache.

This configuration in .htaccess works in the old box, but not in Zentyal 2.3:
Quote
Order deny,allow
Deny from All
AuthName "Protected area"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPUrl ldap://127.0.0.1:390/ou=Users,dc=zentyal?uid
Require valid-user
Satisfy any

Apache error log reveals the following (critical part in bold):
Quote
[Tue May 08 14:09:21 2012] [debug] mod_authnz_ldap.c(1016): [2730] auth_ldap url parse: `ldap://127.0.0.1:390/ou=Users,dc=zentyal?uid', Host: 127.0.0.1:390, Port: 390, DN: ou=Users,dc=zentyal, attrib: uid, scope: base, filter: (null), connection mode: not using SSL
[Tue May 08 14:09:21 2012] [debug] mod_authnz_ldap.c(403): [client 10.0.0.2] [2730] auth_ldap authenticate: using URL ldap://127.0.0.1:390/ou=Users,dc=zentyal?uid
[Tue May 08 14:09:21 2012] [info] [client 10.0.0.2] [2730] auth_ldap authenticate: user username authentication failed; URI /path/ [ldap_search_ext_s() for user failed][No such object]
[Tue May 08 14:09:21 2012] [error] [client 10.0.0.2] user username not found: /path/


Any idea what I might be missing?
« Last Edit: August 08, 2012, 01:51:12 pm by martinique »

robb

I strongly advise NOT to use ubuntu12.04/Zentyal 2.3 on a production server since the Zentyal2.3 packages are still beta and heavily under development. Use Zentyal 2.3 only to TEST.

Currently Zentyal 2.2 is the only supported stable version and consists of packages on top of Ubuntu Server 10.04 LTS.

In September Zentyal 3.0 will come out based on Ubuntu Server 12.04 LTS. The Zentyal2.3 packages will then become Zentyal 3.0 packages.
Quote
user username not found: /path/
You are sure the user mentioned in the logs exists?

Looking at your errorlog: It might be because the directory structure has been changed from .../ebox/... to ../zentyal/...
It might be that the user can't be found because the new packages look at another location?
« Last Edit: May 08, 2012, 06:12:40 pm by robb »

martinique

Testing is exactly what I'm doing. The old server will keep running until the new Zentyal is ready for production, but the ongoing beta phase gives me time to test and prepare our software environment for 3.0 and Ubuntu 12.04, and at the same time I can help Zentyal developers by locating bugs. I find it hard to believe that Zentyal LDAP would change radically during beta, as the essential bits have remained the same since early eBox versions.

I may have found the problem; On the old server it's possible to do LDAP searches anonymously, but this is not the case with the new one, so I guess Apache tries to perform an anonymous LDAP operation, when instead it should try to bind using the remote user's uid and password.

I could set AuthLDAPBindDN and AuthLDAPBindPassword in .htaccess, but I don't like the idea of passwords lying all over my system.

Another alternative would be to allow anonymous searches on the new server too, but I'd like to keep security as tight as possible.

Any help or suggestions would be greatly appreciated.

christian

:o I will have a look too as soon as I can install 3.0 beta
Searching LDAP anonymously is the normal behaviour for state-of-the-art authentication. This doesn't mean that the whole directory must be accessible anonymously but at least attributes used for authentication (i.e. uid) should be available anonymously for search.

martinique

Allowing anonymous would be acceptable, as long as most data is not accessible anonymously, but I'm not familiar with the new type of slapd configuration used in Zentyal, so I'm going to need a little help with that.

martinique

Looks like AuthLDAPInitialBindAsUser and AuthLDAPInitialBindPattern would do exactly what I need, but unfortunately they're only available from Apache 2.4 onwards, while Ubuntu still sticks with 2.2. :(

martinique

Christian, did you manage to try the beta? I'd still like to hear if it's possible to enable anonymous LDAP searches.

I found a ticket ( http://trac.zentyal.org/ticket/4079#comment:9 ) mentioning that anonymous is no longer available in 2.3, unlike previous versions, but it's not said if that's changeable or not.

christian

no sorry.
I'm spending much more time with one of my bikes than Zentyal those days   :-[
anonymous access, if this is the issue you are facing, is most likely due to ACL at LDAP level. Nothing to do with Apache.

martinique

Re: Apache LDAP authentication for external applications in Zentyal 2.3
« Reply #8 on: August 08, 2012, 01:50:49 pm »
Using LAT I found there's a "zentyalro" read-only login (along with a plain-text password) in Zentyal LDAP. Feels a bit safer than giving Apache root DN logins. A simple .htaccess LDAP auth thus looks like this:

Order deny,allow
Deny from All
AuthName "LDAP authorization"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPUrl ldap://127.0.0.1:390/ou=Users,dc=example,dc=com?uid
AuthLDAPBindDN cn=zentyalro,dc=example,dc=com
AuthLDAPBindPassword <zentyalro password>
Require valid-user
Satisfy any

To add some safety, chown and chmod .htaccess to be readable only by Apache.

As there currently seems to be no authorization solution better than the above, I'm marking this solved. Please correct me if I'm wrong.
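A small checker for the configuration above, written as an added example (it is not code from the thread or from Zentyal): it splits the AuthLDAPUrl into the same fields the mod_authnz_ldap debug line reports, applying the module's documented defaults for omitted parts, and flags a bind password kept in a file readable beyond its owner. The sample .htaccess, its placeholder password and the owner-only permission rule are constructed assumptions.

```python
import os, re, stat, tempfile
from urllib.parse import urlsplit, unquote

# Constructed sample: the thread's solved .htaccess, password replaced by a placeholder.
SAMPLE_HTACCESS = """AuthLDAPUrl ldap://127.0.0.1:390/ou=Users,dc=example,dc=com?uid
AuthLDAPBindDN cn=zentyalro,dc=example,dc=com
AuthLDAPBindPassword PLACEHOLDER-zentyalro-password
Require valid-user
"""

def parse_auth_ldap_url(url):
    """Split an AuthLDAPUrl (RFC 2255 form) into the fields mod_authnz_ldap logs."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    attr, scope, filt = (parts.query.split("?") + ["", "", ""])[:3]
    return {"host": parts.hostname,
            "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
            "base_dn": unquote(parts.path.lstrip("/")),
            "attribute": attr or "uid",          # module defaults for omitted parts
            "scope": scope or "sub",             # 'base' is not supported, treated as sub
            "filter": filt or "(objectClass=*)",
            "tls": parts.scheme == "ldaps"}

def audit_htaccess(path):
    """Findings for an .htaccess holding LDAP bind credentials (assumed rule: owner-only)."""
    findings = []
    with open(path) as fh:
        text = fh.read()
    has_pw = re.search(r"^\s*AuthLDAPBindPassword\s+\S", text, re.M) is not None
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if has_pw and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("bind password readable beyond owner (mode %04o)" % mode)
    for m in re.finditer(r"^\s*AuthLDAPUrl\s+(\S+)", text, re.M):
        u = parse_auth_ldap_url(m.group(1))
        if not u["tls"] and u["host"] not in ("127.0.0.1", "::1", "localhost"):
            findings.append("bind credentials sent in clear to remote host %s" % u["host"])
    return findings

def demo():
    """Audit the constructed sample with lax, then owner-only, permissions."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".htaccess")
        with open(path, "w") as fh:
            fh.write(SAMPLE_HTACCESS)
        os.chmod(path, 0o644)
        lax = audit_htaccess(path)
        os.chmod(path, 0o600)
        return lax, audit_htaccess(path)
```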