
Using a reverse proxy, I have redirected my PHP application hosted in WAMP to Grafana. Now I am trying to authenticate the reverse-proxy user using LDAP. It is giving me an error: auth_ldap authenticate: user yajana authentication failed; URI /grafana/ [LDAP: ldap_simple_bind() failed][Invalid DN Syntax] and denied (no authenticated user yet).

How to resolve this error?

Here is my httpd.conf file:

LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule xml2enc_module modules/mod_xml2enc.so


<Directory />
    AllowOverride none
    Require all denied
</Directory>


<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

<VirtualHost *:80>
  ServerName localhost
  RewriteEngine on
  ErrorLog "logs/authproxy-error_log"
  CustomLog "logs/authproxy-access_log" common
  <Location "/grafana/">
        LDAPReferrals off
        AuthType Basic
        AuthName GrafanaAuthProxy
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://localhost:389/dc=maxcrc,dc=com"
        AuthLDAPBindDN "cn=Manager,dc=maxcrc,dc=com"
        AuthLDAPBindPassword "secret"
        AuthLDAPGroupAttributeIsDN off
        Require ldap-filter ldapsettingshere
        AuthLDAPMaxSubGroupDepth 1
        RequestHeader unset Authorization
        allow from all
        Require valid-user
  </Location>
  <Proxy *>

        # Require valid-user
        RewriteEngine On
        RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
        RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
  </Proxy>
  RequestHeader unset Authorization
  ProxyRequests Off
  ProxyPass /grafana/ http://localhost:3000/
  ProxyPassReverse /grafana/ http://localhost:3000
</VirtualHost>

Include "${INSTALL_DIR}/alias/*"

Error log:

authorization result of Require ldap-filter ldapsettingshere: denied (no authenticated user yet)
authorization result of Require valid-user : denied (no authenticated user yet)
authorization result of <RequireAny>: denied (no authenticated user yet)
authorization result of Require ldap-filter ldapsettingshere: denied (no authenticated user yet)
authorization result of Require valid-user : denied (no authenticated user yet)
authorization result of <RequireAny>: denied (no authenticated user yet)
auth_ldap authenticate: using URL ldap://localhost:389/dc=maxcrc,dc=com
auth_ldap authenticate: user yajana rao authentication failed; URI /grafana/ [User not found][No Such Object]
user yajana rao not found: /grafana/

Apache version: 2.4.23

Update: updated bind_dn according to the answer.

2 Answers


  1. Chosen as BEST ANSWER

    I have been able to resolve the issue by editing the AuthLDAPURL to

    AuthLDAPURL "ldap://localhost:389/dc=maxcrc,dc=com?cn,ou?sub"


  2. AuthLDAPBindDN "[email protected]"

    The bind DN in a simple bind request must be a full DN. Thus AuthLDAPBindDN must contain a DN string as defined in RFC 4514. A value like "[email protected]" will work only with MS AD and not with any other LDAP server.

    AuthLDAPURL "ldap://localhost:389/dc=maxcrc,dc=com"

    Furthermore, a username has to be mapped to a full bind DN before checking the user's password. mod_authnz_ldap will by default assume uid is the LDAP attribute to use in a search. But you can tweak this for your LDAP server by setting the attribute in AuthLDAPUrl. If you're using MS AD this would be sAMAccountName.

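The following is an added example, not code from the original post or from the Apache project. It models the two things this thread turns on: the question's log lines ("Invalid DN Syntax" on the bind DN, then "User not found" with the default URL) and the answer's point that the username is mapped to a full DN by a search whose attribute comes from AuthLDAPURL. The URL parsing follows RFC 4516, the filter shape follows the mod_authnz_ldap documentation, the DN check is a rough RFC 4514 syntax check, and the directory is a constructed stand-in for the dc=maxcrc,dc=com tree; no LDAP server is contacted.

```python
"""Added example (not from the original post or the Apache project): model how
mod_authnz_ldap turns an AuthLDAPURL plus a typed username into a user DN, and
check that an AuthLDAPBindDN is an RFC 4514 DN rather than a user@domain name."""

import re
from urllib.parse import unquote, urlsplit

# Constructed sample directory: DN -> attributes. The asker's user has a cn but
# no uid attribute, which is why a search on the default attribute finds nothing.
SAMPLE_DIRECTORY = {
    "cn=Manager,dc=maxcrc,dc=com": {"cn": ["Manager"]},
    "ou=People,dc=maxcrc,dc=com": {"ou": ["People"]},
    "cn=yajana rao,ou=People,dc=maxcrc,dc=com": {"cn": ["yajana rao"], "ou": ["People"]},
    "uid=jdoe,ou=People,dc=maxcrc,dc=com": {"uid": ["jdoe"], "cn": ["John Doe"]},
}

_RDN_SPLIT = re.compile(r"(?<!\\),")   # commas not preceded by a backslash separate RDNs
_AVA_SPLIT = re.compile(r"(?<!\\)\+")  # '+' separates the values of a multi-valued RDN
_ATTR_TYPE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*)\s*=")


def is_valid_dn(dn):
    """Rough RFC 4514 check: every RDN is one or more 'type=value' pairs.
    A bare user@domain name has no '=' and is rejected, which is the shape of
    the 'Invalid DN Syntax' error in the question (a real server checks more)."""
    if dn == "":
        return True  # the empty DN is valid; mod_authnz_ldap then binds anonymously
    for rdn in _RDN_SPLIT.split(dn):
        for ava in _AVA_SPLIT.split(rdn):
            if not _ATTR_TYPE.match(ava):
                return False
    return True


def parse_auth_ldap_url(url):
    """Split ldap://host:port/basedn?attrs?scope?filter and apply the
    mod_authnz_ldap defaults: attribute uid, scope sub, filter (objectClass=*)."""
    parts = urlsplit(url)
    # urlsplit stops the path at the first '?', so the LDAP-specific fields land in .query
    fields = parts.query.split("?")
    attrs = fields[0] if fields[0] else "uid"
    scope = fields[1] if len(fields) > 1 and fields[1] else "sub"
    filt = fields[2] if len(fields) > 2 and fields[2] else "(objectClass=*)"
    return {"host": parts.hostname, "port": parts.port or 389,
            "base_dn": unquote(parts.path.lstrip("/")),
            "attributes": [a for a in attrs.split(",") if a],
            "scope": scope, "filter": filt}


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a filter, so a typed
    username cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_search_filter(parsed, username):
    """The documented mod_authnz_ldap filter: (&(filter)(attr=user)), or an
    OR over all listed attributes when the URL names more than one."""
    user = escape_filter_value(username)
    clauses = ["(%s=%s)" % (attr, user) for attr in parsed["attributes"]]
    match = clauses[0] if len(clauses) == 1 else "(|%s)" % "".join(clauses)
    return "(&%s%s)" % (parsed["filter"], match)


def _in_scope(entry_dn, base_dn, scope):
    """URL scope: base = the base entry only, one = direct children, sub = whole subtree."""
    e, b = entry_dn.lower(), base_dn.lower()
    if e != b and not e.endswith("," + b):
        return False
    depth = len(_RDN_SPLIT.split(e)) - len(_RDN_SPLIT.split(b))
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def find_user_dn(url, username, directory):
    """Return the DN mod_authnz_ldap would bind as for this username, or None
    (logged by the module as 'User not found'). The attribute comparison stands
    in for the server evaluating the filter; the extra filter part is not evaluated."""
    parsed = parse_auth_ldap_url(url)
    wanted = username.lower()
    for dn, attrs in directory.items():
        if not _in_scope(dn, parsed["base_dn"], parsed["scope"]):
            continue
        for attr in parsed["attributes"]:
            if any(v.lower() == wanted for v in attrs.get(attr, [])):
                return dn
    return None


if __name__ == "__main__":
    question_url = "ldap://localhost:389/dc=maxcrc,dc=com"
    answer_url = "ldap://localhost:389/dc=maxcrc,dc=com?cn,ou?sub"
    # "manager@example.com" is a constructed non-DN standing in for the asker's first bind DN
    for bind_dn in ("cn=Manager,dc=maxcrc,dc=com", "manager@example.com"):
        print("bind DN %-30r RFC 4514 syntax ok: %s" % (bind_dn, is_valid_dn(bind_dn)))
    for url in (question_url, answer_url):
        print(url)
        print("  filter: ", build_search_filter(parse_auth_ldap_url(url), "yajana rao"))
        print("  user DN:", find_user_dn(url, "yajana rao", SAMPLE_DIRECTORY))
```

Running it shows the default URL searching on uid and finding nothing, while the `?cn,ou?sub` URL from the accepted answer resolves the user to a full DN. One thing the model makes visible: listing `ou` as a login attribute means a login name equal to an organizational-unit value (here "People") would match the OU entry itself, so naming only the attribute that actually holds login names (cn here; uid or sAMAccountName elsewhere) keeps the username-to-DN mapping unambiguous. The RFC 4515 escaping is what keeps a typed username from changing the filter's structure, which mod_authnz_ldap does for you but is worth seeing spelled out.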