Apache 2.4 и LDAP. Проблемы с базовой аутентификацией
Я использую CentOS 8 Stream + Apache 2.4 + Subversion.
Я хочу разрешить доступ к SVN только пользователям, которые принадлежат к определенной группе LDAP (svn-users).
У меня следующие проблемы.
case 1. Введите правильный ID / PW в качестве пользователя LDAP, принадлежащего svn-users
Это работает, как ожидалось.
Этот пользователь может получить доступ к SVN.
case 2. Введите правильный ID / PW в качестве пользователя LDAP, который не принадлежит svn-users
Это не работает должным образом.
Я ожидал, что этот пользователь не может получить доступ к SVN, но на самом деле он может.
case3. Введите неверный ID / пароль LDAP
500 Произошла внутренняя ошибка сервера.
Для браузеров диалоговое окно «Обычная аутентификация» больше не появляется, и пользователь должен перезапустить браузер.
Я хочу решить случаи 2 и 3.
Кто-нибудь может мне помочь?
Моя конфигурация и лог ниже.
/etc/httpd/conf/httpd.conf
[root@my-redmine conf]# cat httpd.conf | egrep -v "^\s*#|^$"
ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin root@localhost
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www">
AllowOverride None
Require all granted
</Directory>
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
<Files ".ht*">
Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule mime_module>
TypesConfig /etc/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
MIMEMagicFile conf/magic
</IfModule>
EnableSendfile on
IncludeOptional conf.d/subversion.conf
[root@my-redmine conf]#
/etc/httpd/conf,d/subversion.conf
[root@my-redmine conf.d]# cat subversion.conf | egrep -v "^\s*#|^$"
<Location /svn/svn-test>
DAV svn
SVNPath /usr/local/svn/svn-test
LogLevel debug
AuthLDAPBindDN <MyAdmin>
AuthLDAPBindPassword <MyAdminPassword>
LDAPReferrals off
AuthLDAPBindAuthoritative off
AuthType Basic
AuthName "Subversion repository(LDAP)"
AuthBasicAuthoritative off
AuthUserFile /dev/null
AuthBasicProvider ldap
AuthzSVNAccessFile /usr/local/svn/svn-test/authzsvn.conf
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid
AuthLDAPUrl ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local
</Location>
[root@my-redmine conf.d]#
модуль включает
[root@my-redmine conf.d]]# httpd -t -M | grep auth
auth_basic_module (shared)
auth_digest_module (shared)
authn_anon_module (shared)
authn_core_module (shared)
authn_dbd_module (shared)
authn_dbm_module (shared)
authn_file_module (shared)
authn_socache_module (shared)
authz_core_module (shared)
authz_dbd_module (shared)
authz_dbm_module (shared)
authz_groupfile_module (shared)
authz_host_module (shared)
authz_owner_module (shared)
authz_user_module (shared)
authnz_ldap_module (shared)
authz_svn_module (shared)
[root@my-redmine conf.d]]#
case 1 error_log
[Tue Jul 20 21:56:43.046463 2021] [authz_svn:info] [pid 195900:tid 140586535274240] [client 192.168.100.120:61050] Access granted: - GET (null)
[Tue Jul 20 21:56:43.046514 2021] [authz_core:debug] [pid 195900:tid 140586535274240] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:56:43.046519 2021] [authz_core:debug] [pid 195900:tid 140586535274240] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.339879 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.339918 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.339927 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(523): [client 192.168.100.120:61050] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:56:45.343581 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(620): [client 192.168.100.120:61050] AH01697: auth_ldap authenticate: accepting svnuser
[Tue Jul 20 21:56:45.343608 2021] [authz_svn:info] [pid 195900:tid 140586518488832] [client 192.168.100.120:61050] Access granted: 'svnuser' GET (null)
[Tue Jul 20 21:56:45.343845 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.343852 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.343858 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(523): [client 192.168.100.120:61050] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:56:45.343869 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(620): [client 192.168.100.120:61050] AH01697: auth_ldap authenticate: accepting svnuser
[Tue Jul 20 21:56:45.343876 2021] [authz_svn:debug] [pid 195900:tid 140586518488832] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.168.100.120:61050] Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
[Tue Jul 20 21:56:45.343905 2021] [authz_svn:info] [pid 195900:tid 140586518488832] [client 192.168.100.120:61050] Access granted: 'svnuser' GET svn-test:/branches
[Tue Jul 20 21:56:45.343929 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.343942 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.343946 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(523): [client 192.168.100.120:61050] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:56:45.343953 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(620): [client 192.168.100.120:61050] AH01697: auth_ldap authenticate: accepting svnuser
[Tue Jul 20 21:56:45.343958 2021] [authz_svn:debug] [pid 195900:tid 140586518488832] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.168.100.120:61050] Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
[Tue Jul 20 21:56:45.343961 2021] [authz_svn:info] [pid 195900:tid 140586518488832] [client 192.168.100.120:61050] Access granted: 'svnuser' GET svn-test:/tags
[Tue Jul 20 21:56:45.343974 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.343977 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.343980 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(523): [client 192.168.100.120:61050] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:56:45.343987 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(620): [client 192.168.100.120:61050] AH01697: auth_ldap authenticate: accepting svnuser
[Tue Jul 20 21:56:45.343991 2021] [authz_svn:debug] [pid 195900:tid 140586518488832] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.168.100.120:61050] Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
[Tue Jul 20 21:56:45.343994 2021] [authz_svn:info] [pid 195900:tid 140586518488832] [client 192.168.100.120:61050] Access granted: 'svnuser' GET svn-test:/trunk
case 2 error_log
[Tue Jul 20 21:57:46.345179 2021] [authz_svn:info] [pid 195900:tid 140586577237760] [client 192.168.100.120:61657] Access granted: - GET (null)
[Tue Jul 20 21:57:46.345227 2021] [authz_core:debug] [pid 195900:tid 140586577237760] mod_authz_core.c(820): [client 192.168.100.120:61657] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:57:46.345231 2021] [authz_core:debug] [pid 195900:tid 140586577237760] mod_authz_core.c(820): [client 192.168.100.120:61657] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.242776 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.242818 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.242828 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(523): [client 192.168.100.120:51105] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:57:52.242843 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(620): [client 192.168.100.120:51105] AH01697: auth_ldap authenticate: accepting not-svnuser
[Tue Jul 20 21:57:52.242854 2021] [authz_svn:info] [pid 195902:tid 140586619234048] [client 192.168.100.120:51105] Access granted: 'not-svnuser' GET (null)
[Tue Jul 20 21:57:52.243059 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.243069 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.243074 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(523): [client 192.168.100.120:51105] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:57:52.243080 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(620): [client 192.168.100.120:51105] AH01697: auth_ldap authenticate: accepting not-svnuser
[Tue Jul 20 21:57:52.243104 2021] [authz_svn:debug] [pid 195902:tid 140586619234048] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.168.100.120:51105] Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
[Tue Jul 20 21:57:52.243190 2021] [authz_svn:info] [pid 195902:tid 140586619234048] [client 192.168.100.120:51105] Access granted: 'not-svnuser' GET svn-test:/branches
[Tue Jul 20 21:57:52.243215 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.243220 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.243224 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(523): [client 192.168.100.120:51105] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:57:52.243231 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(620): [client 192.168.100.120:51105] AH01697: auth_ldap authenticate: accepting not-svnuser
[Tue Jul 20 21:57:52.243235 2021] [authz_svn:debug] [pid 195902:tid 140586619234048] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.168.100.120:51105] Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
[Tue Jul 20 21:57:52.243238 2021] [authz_svn:info] [pid 195902:tid 140586619234048] [client 192.168.100.120:51105] Access granted: 'not-svnuser' GET svn-test:/tags
[Tue Jul 20 21:57:52.243248 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.243251 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.243254 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(523): [client 192.168.100.120:51105] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:57:52.243261 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(620): [client 192.168.100.120:51105] AH01697: auth_ldap authenticate: accepting not-svnuser
[Tue Jul 20 21:57:52.243265 2021] [authz_svn:debug] [pid 195902:tid 140586619234048] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.168.100.120:51105] Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
[Tue Jul 20 21:57:52.243274 2021] [authz_svn:info] [pid 195902:tid 140586619234048] [client 192.168.100.120:51105] Access granted: 'not-svnuser' GET svn-test:/trunk
case 3 error_log
[Tue Jul 20 21:55:55.187406 2021] [authz_svn:info] [pid 195900:tid 140586669557504] [client 192.168.100.120:56967] Access granted: - GET (null)
[Tue Jul 20 21:55:55.187474 2021] [authz_core:debug] [pid 195900:tid 140586669557504] mod_authz_core.c(820): [client 192.168.100.120:56967] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:55:55.187484 2021] [authz_core:debug] [pid 195900:tid 140586669557504] mod_authz_core.c(820): [client 192.168.100.120:56967] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:55:58.763087 2021] [authz_core:debug] [pid 195900:tid 140586635986688] mod_authz_core.c(820): [client 192.168.100.120:56967] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:55:58.763150 2021] [authz_core:debug] [pid 195900:tid 140586635986688] mod_authz_core.c(820): [client 192.168.100.120:56967] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:55:58.763159 2021] [authnz_ldap:debug] [pid 195900:tid 140586635986688] mod_authnz_ldap.c(523): [client 192.168.100.120:56967] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:55:58.765260 2021] [authnz_ldap:debug] [pid 195900:tid 140586635986688] mod_authnz_ldap.c(561): [client 192.168.100.120:56967] AH01694: auth_ldap authenticate: user svnuser authentication failed; URI /svn/svn-test/ [ldap_simple_bind() to check user credentials failed][Invalid credentials] (not authoritative)
[Tue Jul 20 21:55:58.765297 2021] [authn_core:error] [pid 195900:tid 140586635986688] [client 192.168.100.120:56967] AH01796: AuthType Basic configured without corresponding module
1
задан reghorn
27 July 2021 в 11:49
Ссылка
1 ответ
Попробуйте удалить AuthzBasicAuthoritative и установить AuthzLDAPBindAuthoritative = on.
Таким образом, авторизация должна завершиться ошибкой немедленно, без попыток провалиться через какие-либо другие механизмы аутентификации.
0
ответ дан Liam Gretton
13 August 2021 в 08:22
Ссылка