Reverse proxy with LDAP authentication?
on 24.09.2009 15:21:05 by Alan AZZERA
Hello.
I have a Virtual Host just used to do "reverse-proxyfication", with
many rules in it. I would want to put a basic authentication banner
against an LDAP server for this very VirtualHost. I'm stuck attempting
to achieve this aim. I would appreciate very much any clue. Many
thanks in advance.
Best regards,
Al
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Reverse proxy with LDAP authentication?
on 24.09.2009 15:41:52 by Peter Schober
* Alan AZZERA [2009-09-24 15:21]:
> I have a Virtual Host just used to do "reverse-proxyfication", with
> many rules in it. I would want to put a basic authentication banner
> against an LDAP server for this very VirtualHost. I'm stuck
> attempting to achieve this aim. I would appreciate very much any
> clue. Many thanks in advance.
Describe which part of the documentation you have read and what is
unclear. Describe error messages or other ways you failed.
Other than that: configure a reverse proxy and get it working.
Then protect the where the proxy lives, e.g. by
IP address. Then get authentication working,
-peter
Re: Reverse proxy with LDAP authentication?
on 24.09.2009 16:46:15 by Alan AZZERA
> Describe which part of the documentation you have read and what is
> unclear. Describe error messages or other ways you failed.
I've read various tutorials on the net. I also read the official doc
(http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html). I got no
error, or I don't know where to find errors (nothing in
/var/log/apache2/"vh".access or .error). And it seems that there's no
way to set verbosity level...
Anyway, I'm now just trying to authenticate on a single directory.
Here is the relevant part of my config file:

    AuthType basic
    AuthName "blabla"
    AuthBasicProvider ldap
    AuthLDAPUrl "ldap://ldap.server:port/ou=structure,c=country?uid" NONE
    AuthLDAPBindDN uid=...,etc
    AuthLDAPBindPassword pass
    #Require ldap-filter &(uid=*)
    Require valid-user

When connecting to the URL, nothing happens. I checked with tcpdump,
servers are talking to each other. What are they saying? No idea...
Thanks for answering sooo quickly.
Best regards,
Al
Re: Reverse proxy with LDAP authentication?
on 24.09.2009 17:03:06 by Alan AZZERA
Sorry for multi-posting. Gmail said it couldn't send my message, so I
sent it again before thinking to verify if it was so...
Re: Reverse proxy with LDAP authentication?
on 24.09.2009 17:12:43 by Peter Schober
* azzera.alan [2009-09-24 16:55]:
> Anyway, I'm now just trying to authenticate on a single directory.
> Here is the relevant part of my config file:
[...]
> When connecting to the URL, nothing happens. I checked with tcpdump,
> servers are talking to each other. What are they saying? No idea...
So what happened to the proxy? You're securing a directory...
Other than that I'd make sure an openldap command line client
(e.g. ldapsearch binding with the DN given in AuthLDAPBindDN) is able
to connect from your webserver to your DSA (that assumes you have
shell access to the webserver, of course).
If you capture traffic from the webserver to the DSA you could also
feed the capture file to wireshark (or something similar). Looking in
the DSA's logfile is a bit easier (which assumes you have access to the
logs, of course).
From your config I take it that the DSA does not require
confidentiality (no STARTTLS or -- deprecated -- LDAPS)?
-peter
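Put together, the two pieces of advice in this thread (protect the location where the proxy lives, and do not talk to the DSA in the clear) give a configuration like the following. This is an added example with httpd 2.2 directives, not configuration from the thread or from the Apache project; every hostname, DN, file path and password in it is a placeholder.

```apache
# Added example, not configuration from the thread: an httpd 2.2 vhost that proxies
# a backend and protects the whole proxied tree with Basic auth against LDAP.
# Every hostname, DN, path and password below is a placeholder.
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# mod_ldap: CA that signed the DSA's certificate, needed before TLS/STARTTLS works
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ldap-ca.pem

<VirtualHost *:443>
    ServerName proxy.example.org
    # Basic auth sends the password with every request: only offer it over HTTPS
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/proxy.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/proxy.example.org.key
    ErrorLog /var/log/apache2/proxy.error.log
    # mod_authnz_ldap reports each search and bind (and the LDAP result) at debug level
    LogLevel debug

    ProxyRequests Off
    ProxyPass        / http://backend.internal/
    ProxyPassReverse / http://backend.internal/

    # Protect the proxied URL space; there is no filesystem directory to point at
    <Location />
        AuthType Basic
        AuthName "Intranet proxy"
        AuthBasicProvider ldap
        # STARTTLS on 389 ("TLS") instead of plaintext ("NONE"); search the subtree by uid
        AuthLDAPUrl "ldap://ldap.example.org:389/ou=people,dc=example,dc=org?uid?sub?(objectClass=inetOrgPerson)" TLS
        # Read-only service account used for the search; the user's own bind checks the password
        AuthLDAPBindDN       "cn=httpd-proxy,ou=services,dc=example,dc=org"
        AuthLDAPBindPassword "placeholder-service-password"
        # Restrict to a group rather than valid-user (which admits any account that can bind)
        AuthLDAPGroupAttribute member
        AuthLDAPGroupAttributeIsDN on
        Require ldap-group cn=proxy-users,ou=groups,dc=example,dc=org
    </Location>
</VirtualHost>
```

With LogLevel debug the error log shows the search for the uid, the bind as the found DN and the LDAP result of each step, which answers the "nothing in the logs" problem without a packet capture.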
Re: Reverse proxy with LDAP authentication?
on 24.09.2009 20:55:39 by Alan AZZERA
> So what happened to the proxy? You're securing a directory...
Well, I decided to check things step by step. It was rather a good
idea, since even authenticating a single directory does not work!
> Other than that I'd make sure an openldap command line client
> (e.g. ldapsearch binding with the DN given in AuthLDAPBindDN) is able
> to connect from your webserver to your DSA (that assumes you have
> shell access to the webserver, of course).
I did this at first. I believe it works, since I'm able to retrieve
information that concerns me. I don't need to authenticate myself on
the OpenLDAP server to get most information. But I need to do so if I
want to retrieve, for example, the hash of my password. To be honest,
I essentially know nothing about LDAP. I believed that RTFM would be
sufficient...
> If you capture traffic from the webserver to the DSA you could also
> feed the capture file to wireshark (or something similar). Looking in
> the DSAs logfile is a bit easier (which assumes you have access to the
> logs, of course).
The web server is under my control, the LDAP server is not. Thus I
certainly can do a pcap capture (ngrep/tshark) and view it with
WireShark...
> From your config I take it that the DSA does not require
> confidentiality (no STARTTLS or -- deprecated -- LDAPS)?
Well, the server can undoubtedly support SSL/TLS connections, but my
ldapsearch command is straightforward, on port 389, without any
refinement...
I wrote in a quick and dirty manner a small Python script which is
able to authenticate a user against the LDAP server. I really don't
understand why Apache can't! Is there a possible issue on the LDAP
server side?
Regards,
Al
Re: Reverse proxy with LDAP authentication?
on 25.09.2009 15:21:36 by Peter Schober
* Alan AZZERA [2009-09-24 20:56]:
> I did this at first. I believe it works, since I'm able to retrieve
> information that concerns me. I don't need to authenticate myself on
> the OpenLDAP server to get most information. But I need to do so if I
> want to retrieve, for example, the hash of my password. To be honest,
> I essentially know nothing about LDAP. I believed that RTFM would be
> sufficient...
Note that usually you don't retrieve the password (hashed or not; and a
properly configured DSA also shouldn't let you have it) and compare the
value yourself, but use an LDAP bind operation and let the DSA verify
the password via whatever means (e.g. via Kerberos, i.e. the DSA might
not even have the password).
> The web server is under my control, the LDAP server is not. Thus I
> certainly can do a pcap capture (ngrep/tshark) and view it with
> WireShark...
Asking what the log has for connections from your webserver's IP also
works if the DSA is not under control.
Other than that the dump in conjunction with a protocol analyzer
should at least give you an LDAP status code, which you can look up in
the RFC (currently 4511).
http://tools.ietf.org/html/rfc4511#section-4.1.9
> I wrote in a quick and dirty manner a small Python script which is
> able to authenticate a user against the LDAP server. I really don't
> understand why Apache can't! Is there a possible issue on the LDAP
> server side?
When command line clients (and your python script) work (but this
depends on how you're doing the authentication, see above) I'd say
this is rather unlikely.
-peter
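The two points made above, that authentication is a bind operation the DSA verifies rather than a hash comparison, and that the capture yields an RFC 4511 resultCode, can be seen concretely by encoding and decoding the bind messages by hand. The following Python is an added illustration, not Alan's script or any code from the thread; the DNs, passwords and response bytes in it are constructed.

```python
# Added illustration (not code from the thread): encode an LDAPv3 simple BindRequest
# and decode a BindResponse by hand (BER, RFC 4511 sections 4.2 and 4.1.9), so the
# resultCode can be read out of a tcpdump capture of the webserver <-> DSA exchange.
# DNs, passwords and the sample response bytes below are constructed.

LDAP_RESULT_CODES = {0: "success", 7: "authMethodNotSupported", 32: "noSuchObject",
                     34: "invalidDNSyntax", 48: "inappropriateAuthentication",
                     49: "invalidCredentials", 50: "insufficientAccessRights",
                     53: "unwillingToPerform"}

def _ber(tag, payload):
    """One BER TLV with a definite length (short form below 128, long form above)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def bind_request(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    body = (_ber(0x02, bytes([3]))            # INTEGER version 3
            + _ber(0x04, dn.encode())         # LDAPDN (OCTET STRING)
            + _ber(0x80, password.encode()))  # [0] simple: the password itself
    return _ber(0x30, _ber(0x02, bytes([message_id])) + _ber(0x60, body))  # ids < 128

def _read_tlv(buf, pos):
    """Return (tag, value, position after the TLV) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(data):
    """Return (messageID, resultCode, RFC 4511 name, diagnosticMessage)."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(msg, 0)
    tag, body, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse ([APPLICATION 1])")
    _, code, pos = _read_tlv(body, 0)          # ENUMERATED resultCode
    _, _matched, pos = _read_tlv(body, pos)    # matchedDN, usually empty on bind
    _, diag, _ = _read_tlv(body, pos)          # diagnosticMessage
    rc = int.from_bytes(code, "big")
    return int.from_bytes(mid, "big"), rc, LDAP_RESULT_CODES.get(rc, "other"), diag.decode()

# Constructed sample: what a DSA returns for messageID 1 when the password is wrong.
SAMPLE_BAD_PASSWORD = bytes.fromhex("300c02010161070a013104000400")
```

Feeding the bytes of the DSA's reply from the capture into parse_bind_response gives the same resultCode Wireshark would show, and a 49 (invalidCredentials) on the second, per-user bind is the case to look for when the service-account bind itself succeeds.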