I am working on getting a web app set up behind LDAP. We are running Apache 2.4.6 on CentOS 7.6 (Core). Kerberos is configured and working on the server to provide user access via SSH and SCP.

In my /var/www/html directory, I have three sites: Prod, Test, LDAPTest. Prod and Test are not set up with any LDAP settings and are open to the whole network for access.

I have set up a self-signed cert for SSL which appears to be working as expected for all three sites. Additionally, I have updated the SELinux config for allowing Apache to connect through LDAP, though I am struggling to remember what that command was. (httpd_can_connect_ldap = 1)

Running httpd -M shows that both ssl_module and ldap_module are loaded (shared).

In my httpd.conf file, I have the following entry:

<Directory "/var/www/html/LDAPTest">
   AuthType Basic
   AuthName "LDAP TEST - Login"
   AuthBasicProvider ldap
   #AuthzLDAPAuthoritative on
   AuthLDAPURL ldaps://DOMAIN.org:389
   #AuthLDAPURL "ldaps://DOMAIN.org:389/DC=DOMAIN,DC=org?sAMAccountName?sub?(objectClass=*)"
   AuthLDAPBindDN "CN=svc_LDAPUSER@DOMAIN.org,OU=Service Accounts,DC=DOMAIN,DC=org"
   AuthLDAPBindPassword LDAPUSERPASSWORD
   require valid-user
</Directory>

No matter what I seem to do, as soon as the directory gets set up with LDAP settings, I receive a pop up requesting authentication information (good...) and the result is an error 500 page.

Though I have httpd.conf set to log level of debug, I see no real information in Apache's error_log file.

What/Where do I need to look in order to find out what the real cause of the issue may be?

Edit: Added SELinux switch | added httpd -M information

Wes

1 Answer

After about 8 hours yesterday, and about 3 hours today, I was able to get LDAP working with Apache 2.4 on Centos 7.

LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/ssl/apache_selfSigned.crt
LDAPTrustedMode SSL
LDAPVerifyServerCert Off

<Directory "/var/www/html/LDAPTest">
    Options all
    Order deny,allow
    #Allow from All
    AuthName "Company.com Intranet"
    AuthType Basic
    AuthBasicProvider ldap
    #AuthzLDAPAuthoritative off
    AuthLDAPUrl "ldap://DC.COM/DC=DC,DC=COM?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN ::ACCOUNT::
    AuthLDAPBindPassword ::PASSWORD::
    #Require valid-user
    Require ldap-user :ADUSER1: :ADUSER2: :ADUSER3:
    #Satisfy any
</Directory>

What I think I was missing, all along, was configuring /etc/openldap/ldap.conf... Noob mistake, eh?

I, simply, added my BASE and URI then installed ldapsearch and was instantly able to connect. Shortly thereafter, I nailed down the HTTPD.conf displayed above and everything seems to be in line now.

Thanks, Wes

Wes
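The question's first configuration pairs the ldaps:// scheme with port 389 and gives no base DN, and the working answer switches certificate validation off with LDAPVerifyServerCert Off. The script below is an added example, not code from the question, the answer, or the Apache project: a small offline lint, in POSIX sh, that flags those mismatches and the settings a defender should question in a mod_authnz_ldap block. The hostnames, DNs, file paths and bind password in the two sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the question or answer): an offline lint of an Apache
# mod_authnz_ldap / mod_ldap configuration. Sample hosts, DNs and paths are constructed.

# Print the non-comment lines of a config file.
active_lines() {
    grep -Ev '^[[:space:]]*#' "$1"
}

# check_ldap_auth_conf FILE
# Prints one finding per line; the return value is the number of findings (0 = clean).
check_ldap_auth_conf() {
    conf="$1"
    n=0

    # ldaps:// on 389 (or ldap:// on 636) pairs the TLS scheme with the wrong port;
    # the handshake fails and the module answers the first request with a 500.
    if active_lines "$conf" | grep -Eiq 'AuthLDAPURL[[:space:]]+"?ldaps://[^/"[:space:]]*:389([/"[:space:]]|$)'; then
        echo "scheme/port mismatch: ldaps:// with port 389 (LDAP over TLS normally listens on 636)"
        n=$((n + 1))
    fi
    if active_lines "$conf" | grep -Eiq 'AuthLDAPURL[[:space:]]+"?ldap://[^/"[:space:]]*:636([/"[:space:]]|$)'; then
        echo "scheme/port mismatch: ldap:// with port 636 (plain LDAP normally listens on 389)"
        n=$((n + 1))
    fi

    # A URL that stops at the host gives the module no base DN to search under.
    if active_lines "$conf" | grep -Eiq 'AuthLDAPURL[[:space:]]+"?ldaps?://[^/"[:space:]]+"?[[:space:]]*$'; then
        echo "AuthLDAPURL has no base DN (expected ldap://host[:port]/basedn?attribute?scope?filter)"
        n=$((n + 1))
    fi

    # With verification off, anyone on the path can impersonate the directory and
    # collect the bind credentials plus every password users type into the prompt.
    if active_lines "$conf" | grep -Eiq 'LDAPVerifyServerCert[[:space:]]+off'; then
        echo "LDAPVerifyServerCert Off: directory certificate is not validated (trust the directory's CA via LDAPTrustedGlobalCert instead)"
        n=$((n + 1))
    fi

    # A literal bind password sits in a file every admin can read; Apache 2.4.5+
    # accepts the exec: prefix to obtain it from a program at startup.
    if active_lines "$conf" | grep -Eiq 'AuthLDAPBindPassword[[:space:]]+' &&
       ! active_lines "$conf" | grep -Eiq 'AuthLDAPBindPassword[[:space:]]+"?exec:'; then
        echo "AuthLDAPBindPassword is a literal: restrict the file's permissions or use the exec: prefix"
        n=$((n + 1))
    fi

    return "$n"
}

# Constructed sample in the shape of the question's first attempt.
write_broken_sample() {
    cat > "$1" <<'EOF'
<Directory "/var/www/html/LDAPTest">
    AuthType Basic
    AuthName "LDAP TEST - Login"
    AuthBasicProvider ldap
    AuthLDAPURL ldaps://ldap.example.invalid:389
    #AuthLDAPURL "ldaps://ldap.example.invalid:636/DC=example,DC=invalid?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=svc_web,OU=Service Accounts,DC=example,DC=invalid"
    AuthLDAPBindPassword hunter2
    Require valid-user
</Directory>
LDAPVerifyServerCert Off
EOF
}

# Constructed sample with the same intent and the findings above addressed.
write_clean_sample() {
    cat > "$1" <<'EOF'
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/directory-ca.pem
LDAPVerifyServerCert On
<Directory "/var/www/html/LDAPTest">
    AuthType Basic
    AuthName "LDAP TEST - Login"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ldap.example.invalid:636/DC=example,DC=invalid?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=svc_web,OU=Service Accounts,DC=example,DC=invalid"
    AuthLDAPBindPassword "exec:/usr/local/sbin/ldap-bind-password"
    Require valid-user
</Directory>
EOF
}

# Demo: lint both constructed samples (broken one reports 4 findings, clean one 0).
tmp="${TMPDIR:-/tmp}/ldap-auth-lint.$$"
mkdir -p "$tmp"
write_broken_sample "$tmp/broken.conf"
write_clean_sample "$tmp/clean.conf"
for f in "$tmp/broken.conf" "$tmp/clean.conf"; do
    echo "== $f"
    count=0
    check_ldap_auth_conf "$f" || count=$?
    echo "findings: $count"
done
rm -rf "$tmp"
```

Point check_ldap_auth_conf at the real httpd.conf (or the conf.d fragment holding the Directory block) before restarting Apache. For the "where do I look" part of the question, Apache 2.4 accepts per-module log levels, so LogLevel info ldap:debug authnz_ldap:debug makes the bind and search results visible in error_log without flooding it, and the same URL, bind DN and base can be exercised outside Apache with ldapsearch -H ldaps://host:636 -x -D "bindDN" -W -b "baseDN", which is the check the answer credits for the breakthrough.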