
I'm using mod_authn_alias and mod_authnz_ldap against an Apache/2.2.14 (Ubuntu) and I'm trying to configure ldap authentication against multiple domains.

My config is:

<AuthnProviderAlias ldap alpha>
  AuthLDAPBindDN "CN=admin-alpha,CN=Users,DC=alpha,DC=local"
  AuthLDAPBindPassword "xxx"
  AuthLDAPURL "ldap://dc01.alpha.local/CN=Users,DC=alpha,DC=local?sAMAccountName?sub?(objectClass=*)"
</AuthnProviderAlias>

<AuthnProviderAlias ldap beta>
  AuthLDAPBindDN "CN=admin-beta,CN=Users,DC=beta,DC=local"
  AuthLDAPBindPassword "xxx"
  AuthLDAPURL "ldap://dc01.beta.local/CN=Users,DC=test,DC=local?sAMAccountName?sub?(objectClass=*)"
</AuthnProviderAlias>

<Directory "/usr/local/nagios/addons/pnp/share">
        AllowOverride None
        Order allow,deny
        Allow from all
        AuthName "Pnp Access"
        AuthType Basic
        AuthBasicProvider alpha beta
        AuthzLDAPAuthoritative off
        #Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
        AuthUserFile /dev/null
        #only members of this group can log in
        Require ldap-group CN=grp_nagiosadmins,DC=beta,DC=local
        Require ldap-group CN=grp_nagiosadmins,DC=alpha,DC=local
        ...
</Directory>

So if the user can't be authenticated to the alpha domain, it should fail over to domain beta. However, no user from either domain can be authenticated with this config.

When I try to log in:

[Fri Mar 07 16:13:35 2014] [error] [client 10.100.13.30] access to /pnp failed, reason: require directives present and no Authoritative handler.
[Fri Mar 07 16:13:38 2014] [error] [client 10.100.13.30] access to /pnp failed, reason: require directives present and no Authoritative handler.

Why not put all my users in one domain? That's a long story and it ultimately wasn't my decision.

How do I configure this correctly?

Andrew Schulman
user211984
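The two error_log lines quoted above are the only evidence the question gives, so here is an added triage example (not part of the original question or of Apache) that parses Apache 2.2 error_log lines and separates the "require directives present and no Authoritative handler" message, which points at an authorization configuration problem, from ordinary credential failures. The two lines from the question are used as-is; the "Password Mismatch" and "not found" lines, the client address 192.0.2.7 and the notice line are constructed samples in the message formats mod_auth_basic 2.2 uses.

```python
import re
from collections import Counter

# Apache 2.2 error_log line, e.g.
# [Fri Mar 07 16:13:35 2014] [error] [client 10.100.13.30] access to /pnp failed, reason: ...
# The "[client ...]" part is absent on server-level messages, so it is optional.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[a-z]+)\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)

# Message patterns and the triage category each maps to. The first is the
# message from the question (core found Require directives but no authz
# module took responsibility); the other two are what mod_auth_basic 2.2
# logs for a wrong password and for a user no provider could find.
RULES = [
    (re.compile(r"require directives present and no Authoritative handler"), "authz-misconfig"),
    (re.compile(r'^user (?P<user>\S+): authentication failure for "(?P<uri>[^"]+)"'), "bad-password"),
    (re.compile(r"^user (?P<user>\S+) not found: (?P<uri>\S+)"), "unknown-user"),
]


def parse_line(line):
    """Return a dict with ts/level/client/msg/category (plus user/uri when
    the message carries them), or None for a line that is not error_log format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["category"] = "other"
    for pattern, category in RULES:
        hit = pattern.search(rec["msg"])
        if hit:
            rec["category"] = category
            rec.update({k: v for k, v in hit.groupdict().items() if v})
            break
    return rec


def triage(lines):
    """Count error-level events per (client, category) pair."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["level"] != "error":
            continue
        counts[(rec["client"], rec["category"])] += 1
    return counts


def has_authz_misconfig(lines):
    """True if any line shows the 'no Authoritative handler' condition, which
    no amount of retrying with different credentials will fix."""
    return any(category == "authz-misconfig" for _, category in triage(lines))


# Constructed sample: first two lines are from the question, the rest are made up.
SAMPLE_LOG = [
    "[Fri Mar 07 16:13:35 2014] [error] [client 10.100.13.30] access to /pnp failed, reason: require directives present and no Authoritative handler.",
    "[Fri Mar 07 16:13:38 2014] [error] [client 10.100.13.30] access to /pnp failed, reason: require directives present and no Authoritative handler.",
    '[Fri Mar 07 16:14:02 2014] [error] [client 192.0.2.7] user jdoe: authentication failure for "/pnp": Password Mismatch',
    "[Fri Mar 07 16:14:10 2014] [error] [client 192.0.2.7] user nobody not found: /pnp",
    "[Fri Mar 07 16:14:11 2014] [notice] caught SIGTERM, shutting down",
]

if __name__ == "__main__":
    for (client, category), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{client:15} {category:16} {n}")
    if has_authz_misconfig(SAMPLE_LOG):
        print("authorization is misconfigured: check Require/AuthzLDAPAuthoritative before blaming credentials")
```

The distinction matters when reading logs like the ones in the question: repeated "no Authoritative handler" entries mean the request never reached a credential check at all, whereas "Password Mismatch" or "not found" entries mean authentication ran and the provider chain simply rejected the user.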

3 Answers


I had a similar problem except that I was validating specific LDAP users rather than groups. The solution was to change the parameter of the require directive from ldap-user to just user. This is documented in the comments section of the mod_authn_alias documentation.

My understanding of this is that mod_authn_alias is not specific to LDAP. Its documentation says that it "allows extended authentication providers" and they don't necessarily have to be related to LDAP.

It's probably worth trying to replace your require ldap-group directive with just require group, and be careful with the letter case.

LightDye

The error is about the

AuthzLDAPAuthoritative on

missing. That said, if you want to set multiple rules you must configure:

Satisfy any

Diego Roccia

The error message says: require directives present and no Authoritative handler. So does it work if you set AuthzLDAPAuthoritative on?

Andrew Schulman
  • From the apache documentation: "Set to off if this module should let other authorization modules attempt to authorize the user, should authorization with this module fail. Control is only passed on to lower modules if there is no DN or rule that matches the supplied user name (as passed by the client)." So if I set this to on the authentication won't failover to domain beta. I can only authenticate vs domain alpha and not beta if I set this directive to on. – user211984 Mar 10 '14 at 09:46
  • The documentation says "other modules", not "other domains". Have you tried it? – Andrew Schulman Mar 10 '14 at 10:20