First time trying to do this and I'm completely lost.
I have a Oracle Linux 7.9 server that has a directory that needs to be shared to users via HTTP so that they can download files to send out to third parties.
I have been easily able to make it visible and open to all, but I have so far been unable to get LDAP to work - it won't even prompt me for credentials.
I have done a yum install for: httpd, openldap, openldap-clients, nss_ldap and mod_ldap (as per instructions found in assorted articles over the web).
I have edited /etc/httpd/conf/httpd.conf and added
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
(httpd log shows that these are already loaded and it skips it anyway).
In /etc/httpd/conf.d/interfaces.conf I have the following (edited for security):
<VirtualHost *:80>
ServerAdmin user@mycompany.com
ServerName mywebserer
ServerAlias x.x.x.x
DocumentRoot /
LogLevel warn
ErrorLog "logs/interfaces_prd_webdav_error_log"
CustomLog "|/usr/sbin/rotatelogs /var/log/httpd/webdav_access_log.%Y-%m-%d-%H_%M_%S 5M" "%t %h \"%r\" %>s %b"
LimitXMLRequestBody 131072
DavLockDB /var/lib/dav/lockdb
# ************************************************************
<Directory "/directory/to/export">
AuthType Basic
AuthName "Use Your App Login"
AuthBasicProvider ldap
AuthLDAPURL "ldap://mydomain.local:389/ou=OU1,ou=MyBusiness,dc=mycompany,dc=local?sAMAccountName?sub?(objectClass=*)"
AuthLDAPGroupAttributeIsDN on
AuthLDAPBindDN "ldapsearchuser"
AuthLDAPBindPassword "secret_password"
# Require group cn=group,ou=Groups,dc=mycompany,dc=local
Require valid-user
</Directory>
Alias /files /directory/to/export
<Location /files>
Dav on
Order allow,deny
Allow from all
Require all granted
Options +Indexes
</Location>
</VirtualHost>
"Require group" is commented out because at this stage I'm just trying to get the initial credentials challenge made and validated.
If it matters the server I'm connecting to is a Linux OpenLDAP server, not a Microsoft AD.
When I go to http://x.x.x.x/files - It just gives me the contents of the directory, no challenge for credentials.
I checked /var/log/httpd folder after the most recent access (after removing existing logs) and nothing had been added to any log files.
When restarting httpd the error_log shows:
[Tue Jul 13 17:07:00.277230 2021] [mpm_prefork:notice] [pid 11681] AH00170: caught SIGWINCH, shutting down gracefully
[Tue Jul 13 17:07:01.345552 2021] [suexec:notice] [pid 15751] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Jul 13 17:07:01.357475 2021] [so:warn] [pid 15751] AH01574: module ldap_module is already loaded, skipping
[Tue Jul 13 17:07:01.357497 2021] [so:warn] [pid 15751] AH01574: module authnz_ldap_module is already loaded, skipping
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::221:f6ff:fe6e:9c69. Set the 'ServerName' directive globally to suppress this message
[Tue Jul 13 17:07:01.383713 2021] [lbmethod_heartbeat:notice] [pid 15751] AH02282: No slotmem from mod_heartmonitor
[Tue Jul 13 17:07:01.387200 2021] [mpm_prefork:notice] [pid 15751] AH00163: Apache/2.4.6 () configured -- resuming normal operations
[Tue Jul 13 17:07:01.387228 2021] [core:notice] [pid 15751] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
When attempting to access the directory via a browser I get:
In interfaces_prd_webdav_error_log (not overly concerned about this atm I don't think):
[Tue Jul 13 17:07:20.015412 2021] [authz_core:error] [pid 15754] [client 10.1.7.44:55820] AH01630: client denied by server configuration: /favicon.ico, referer: http://172.17.9.21/files/
In webdav_access_log:
[13/Jul/2021:17:07:19 -0400] 10.1.7.44 "GET /files/ HTTP/1.1" 200 1303
[13/Jul/2021:17:07:20 -0400] 10.1.7.44 "GET /favicon.ico HTTP/1.1" 403 213
Anyone able to offer any suggestions ?
Thanks in advance.
