Hi again,

my problem was that Apache tried to forward the Authentication to the proxied application.
So it was not even an LDAP problem.

This line in the VirtualHost section solved it:

RequestHeader unset Authorization


Kudos to https://serverfault.com/questions/875604/how-to-correctly-configure-httpd-basic-auth-for-pass-through-proxy

Cheers,
Thorsten
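For reference, here is the fix in context: an added example of the reverse-proxy VirtualHost (not the poster's configuration), with placeholder hostnames, ports and DNs that are assumptions, not values from the thread. It needs mod_headers, mod_authnz_ldap and mod_proxy_http loaded.

```apache
# Added example, not the poster's config. All names below are placeholders.
<VirtualHost *:443>
    ServerName proxy.example.org
    ProxyRequests Off
    ProxyPreserveHost On

    <Location />
        AuthType Basic
        AuthName "Example Authentication"
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://ipa.example.org/cn=users,cn=accounts,dc=example,dc=org?uid?sub"
        AuthLDAPBindDN "uid=svc_ldap,cn=sysaccounts,cn=etc,dc=example,dc=org"
        AuthLDAPBindPassword "REPLACE_ME"
        Require valid-user

        # Without this line Apache forwards the browser's "Authorization: Basic ..."
        # header (the user's LDAP username and password, base64-encoded) to the
        # backend, which may try to validate it itself and reject the request.
        # RequestHeader runs in the fixup phase by default, i.e. after mod_auth_basic
        # has already checked the credentials, so unsetting it here is safe.
        # Do NOT add the "early" keyword: that would strip the header before auth.
        # Placing the directive at VirtualHost level, as in the reply above, also works.
        RequestHeader unset Authorization
    </Location>

    ProxyPass / http://backend.internal:1234/
    ProxyPassReverse / http://backend.internal:1234/
</VirtualHost>
```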


On 25.09.21 18:49, Thorsten Johannsen via FreeIPA-users wrote:
Hi,

I'm pulling my hair out over FreeIPA and Apache BasicAuth LDAP.

I have an application behind an Apache reverse proxy that I want to
"protect" with LDAP authentication.


This is the (redacted) Apache configuration:

--------------------------------------------------------------------------------------

<VirtualHost *:443>

    ServerName acme.server.org

    ProxyRequests Off
    ProxyPreserveHost On

    # Auth changes in 2.4 - see http://httpd.apache.org/docs/2.4/upgrading.html#run-time
    <Proxy *>
        #Require all granted
    </Proxy>

    <Location /admin>
        Order Deny,Allow
        Deny from all
        Allow from 10.66.38.0/24
    </Location>

    ProxyPass / http://INTSERVER:1234/
    ProxyPassReverse / http://INTSERVER:1234/

    LogLevel ldap_module:debug
    LogLevel auth_basic:debug
    LogLevel authz_core:debug

    <Location />

        Options Indexes FollowSymlinks

        AuthType Basic
        AuthBasicProvider ldap
        AuthName "ACME AUTHENTICATION"

        AuthLDAPURL ldap://ipa2.internal.lan/cn=users,cn=accounts,dc=internal,dc=lan?uid?sub
        AuthLDAPBindDN uid=s_ldapquery,cn=sysaccounts,cn=etc,dc=internal,dc=lan
        AuthLDAPBindPassword XXXXXXXXXXXXXXXXXXXXX

        Require valid-user

    </Location>

    SSLCertificateFile /etc/letsencrypt/live/XXXX/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/XXXX/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/XXXX/chain.pem
</VirtualHost>

--------------------------------------------------------------------------------------

The bind user "s_ldapquery" is working fine, passwords triple checked
and used with other LDAP integrations.


When authenticating, the Apache logs show:


[Sat Sep 25 18:40:25.891588 2021] [authz_core:debug] [pid 414] mod_authz_core.c(809): [client 1.2.3.4:52628] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Sat Sep 25 18:40:25.891683 2021] [authz_core:debug] [pid 414] mod_authz_core.c(809): [client 1.2.3.4:52628] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Sat Sep 25 18:40:35.786942 2021] [authz_core:debug] [pid 413] mod_authz_core.c(809): [client 1.2.3.4:52629] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Sat Sep 25 18:40:35.787025 2021] [authz_core:debug] [pid 413] mod_authz_core.c(809): [client 1.2.3.4:52629] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Sat Sep 25 18:40:36.028473 2021] [ldap:debug] [pid 413] util_ldap.c(379): AH01278: LDAP: Setting referrals to On.
[Sat Sep 25 18:40:36.210906 2021] [authz_core:debug] [pid 413] mod_authz_core.c(809): [client 1.2.3.4:52629] AH01626: authorization result of Require valid-user : granted
[Sat Sep 25 18:40:36.210987 2021] [authz_core:debug] [pid 413] mod_authz_core.c(809): [client 1.2.3.4:52629] AH01626: authorization result of <RequireAny>: granted
[Sat Sep 25 18:40:36.300669 2021] [authz_core:debug] [pid 413] mod_authz_core.c(809): [client 1.2.3.4:52629] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://acme.server.org/
[Sat Sep 25 18:40:36.300749 2021] [authz_core:debug] [pid 413] mod_authz_core.c(809): [client 1.2.3.4:52629] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://acme.server.org/


There is a "granted" in between, but it does not work. The
authentication itself seems to work, though, because if I specify the
wrong password, the log lines change to:


[Sat Sep 25 18:43:43.542566 2021] [authz_core:debug] [pid 432] mod_authz_core.c(809): [client 1.2.3.4:52678] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Sat Sep 25 18:43:43.542639 2021] [authz_core:debug] [pid 432] mod_authz_core.c(809): [client 1.2.3.4:52678] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Sat Sep 25 18:43:45.956792 2021] [ldap:debug] [pid 432] util_ldap.c(379): AH01278: LDAP: Setting referrals to On.
[Sat Sep 25 18:43:46.139978 2021] [auth_basic:error] [pid 432] [client 1.2.3.4:52678] AH01617: user u_test: authentication failure for "/": Password Mismatch


I tried various examples found online on how to set up Apache BasicAuth
LDAP integration with FreeIPA, but none worked.

What I don't understand in the first place is the "denied (no
authenticated user yet)" repeating and then in the middle a "Require
valid-user: granted". What am I doing wrong here, or am I missing the
point entirely?


Any help would be appreciated!


Best regards,

Thorsten


