LDAP authentication failure

It’s unclear how this got solved, you can see in the mailing list that was the last message in the thread. I guess next time it comes up we’ll have to specify was the problem/solution was a little better.

Hello!
I am trying to get an instance of ood up and running and am running into what I believe are a number of problems. One in particular matches the behavior mentioned here. I have not been able to login to this instance using either the apache passwd file or ldap. I’m not sure if the problem is the actual authentication process, or if the problem is a lack of pun/sys directories. I am installing to CentOS 7 with yum. I have the errors from the /var/log/httpd24 directory:

[root@ondemand httpd24]# tail -n 50 ondemand.grid.wayne.edu_*
==> ondemand.grid.wayne.edu_access_ssl.log <==
141.217.136.24 - - [31/Jul/2019:16:28:50 -0400] “GET / HTTP/1.1” 302 233 “-” “Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0”
141.217.136.24 - - [31/Jul/2019:16:28:50 -0400] “GET /pun/sys/dashboard HTTP/1.1” 401 381 “-” “Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0”
141.217.136.24 - at8036 [31/Jul/2019:16:29:10 -0400] “GET /pun/sys/dashboard HTTP/1.1” 401 381 “-” “Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0”
141.217.136.24 - at8036 [31/Jul/2019:16:29:35 -0400] “GET /pun/sys/dashboard HTTP/1.1” 401 381 “-” “Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0”
141.217.136.24 - - [31/Jul/2019:16:29:44 -0400] “GET /favicon.ico HTTP/1.1” 404 209 “-” “Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0”
141.217.136.24 - - [31/Jul/2019:16:46:26 -0400] “GET / HTTP/1.1” 302 233 “-” “Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0”
141.217.136.24 - - [31/Jul/2019:16:46:26 -0400] “GET /pun/sys/dashboard HTTP/1.1” 401 381 “-” “Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0”
141.217.136.24 - zz9992 [31/Jul/2019:16:46:38 -0400] “GET /pun/sys/dashboard HTTP/1.1” 401 381 “-” “Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0”
141.217.136.24 - zz9992 [31/Jul/2019:16:47:10 -0400] “GET /pun/sys/dashboard HTTP/1.1” 401 381 “-” “Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0”
141.217.136.24 - - [31/Jul/2019:16:47:16 -0400] “GET /favicon.ico HTTP/1.1” 404 209 “-” “Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0”
141.217.136.24 - - [31/Jul/2019:16:47:45 -0400] “GET / HTTP/1.1” 302 233 “-” “Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0”
141.217.136.24 - - [31/Jul/2019:16:47:45 -0400] “GET /pun/sys/dashboard HTTP/1.1” 401 381 “-” “Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0”
141.217.136.24 - zz9992 [31/Jul/2019:16:48:39 -0400] “GET /pun/sys/dashboard HTTP/1.1” 401 381 “-” “Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0”
141.217.136.24 - zz9991 [31/Jul/2019:16:48:46 -0400] “GET /pun/sys/dashboard HTTP/1.1” 401 381 “-” “Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0”
192.170.254.110 - - [31/Jul/2019:17:01:53 -0400] “GET / HTTP/1.1” 302 233 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36”
192.170.254.110 - - [31/Jul/2019:17:01:53 -0400] “GET /pun/sys/dashboard HTTP/1.1” 401 381 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36”
192.170.254.110 - - [31/Jul/2019:17:02:57 -0400] “GET / HTTP/1.1” 302 233 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36”
192.170.254.110 - - [31/Jul/2019:17:02:57 -0400] “GET /pun/sys/dashboard HTTP/1.1” 401 381 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36”
192.170.254.110 - - [31/Jul/2019:17:04:17 -0400] “GET / HTTP/1.1” 302 233 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36”
192.170.254.110 - - [31/Jul/2019:17:04:17 -0400] “GET /pun/sys/dashboard HTTP/1.1” 401 381 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36”
192.170.254.110 - - [31/Jul/2019:17:16:47 -0400] “GET / HTTP/1.1” 302 233 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36”
192.170.254.110 - - [31/Jul/2019:17:16:47 -0400] “GET /pun/sys/dashboard HTTP/1.1” 401 381 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36”
192.170.254.110 - - [31/Jul/2019:17:16:52 -0400] “GET / HTTP/1.1” 302 233 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36”
192.170.254.110 - - [31/Jul/2019:17:16:52 -0400] “GET /pun/sys/dashboard HTTP/1.1” 401 381 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36”
192.170.254.110 - - [31/Jul/2019:17:17:01 -0400] “GET / HTTP/1.1” 302 233 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36”
192.170.254.110 - - [31/Jul/2019:17:17:01 -0400] “GET /pun/sys/dashboard HTTP/1.1” 401 381 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36”
192.170.254.110 - - [31/Jul/2019:17:17:21 -0400] “-” 408 - “-” “-”
141.217.136.24 - - [31/Jul/2019:17:17:36 -0400] “GET / HTTP/1.1” 302 233 “-” “Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0”
141.217.136.24 - - [31/Jul/2019:17:17:36 -0400] “GET /pun/sys/dashboard HTTP/1.1” 401 381 “-” “Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0”
141.217.136.24 - zz9992 [31/Jul/2019:17:18:07 -0400] “GET /pun/sys/dashboard HTTP/1.1” 401 381 “-” “Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0”
141.217.136.24 - - [31/Jul/2019:17:18:14 -0400] “GET /favicon.ico HTTP/1.1” 404 209 “-” “Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0”

==> ondemand.grid.wayne.edu_error_ssl.log <==
[Wed Jul 31 16:29:35.427290 2019] [auth_basic:error] [pid 39790] [client 141.217.136.24:42192] AH01618: user at8036 not found: /pun/sys/dashboard
[Wed Jul 31 16:48:46.858503 2019] [auth_basic:error] [pid 38765] [client 141.217.136.24:42366] AH01618: user zz9991 not found: /pun/sys/dashboard
[Wed Jul 31 17:18:07.693195 2019] [auth_basic:error] [pid 51394] [client 141.217.136.24:42586] AH01618: user zz9992 not found: /pun/sys/dashboard

The yaml for ldap looks like:
auth:

  • ‘AuthType Basic’
  • ‘AuthName “private”’
  • ‘AuthBasicProvider ldap’
  • ‘AuthLDAPURL “ldaps://ldap.wayne.edu:636/ou=People,dc=wayne,dc=edu?uid”’
  • ‘AuthLDAPGroupAttribute memberUid’
  • ‘AuthLDAPGroupAttributeIsDN off’
  • ‘RequestHeader unset Authorization’
  • ‘Require valid-user’

I’ve been poking at things for a while and am a bit stuck at the moment. Currently I can only attempt to login when accessing via localhost, and then when I try from localhost I just get prompted for credentials again.

I appreciate any suggestions!!! Thanks!
Aragorn.

I don’t know much about LDAPs, but here we go.

I would first enhance the log level of the ldap module that may give you more insight into what’s going wrong.

Here are some other questions I would try to answer.

  1. Do you need a username/password to search your ldap? I.e., do you need to be an authenticated user to even search the LDAP? That configuration does it anonymously, which means anyone could.
  2. Is that search query correct. I mean, do you actually have an ou named ‘People’ and a ‘dc’ named wayne, etc. I would confirm through the command ldapsearch that these are the actual OUs and DCs.

My guess (out of thin air) is that you need to be an authenticated user to search your ldap.

FWIW here are relevant portions of our /etc/ood/config/ood_portal.yml:

auth:
- AuthType basic
- AuthName "Private"
- AuthBasicProvider ldap
- AuthLDAPURL "ldaps://ldap1.****.edu:636 ldap2.****.edu:636 ldap3.****.edu:636/ou=People,dc=osc,dc=edu?uid"
  SSL
- AuthLDAPGroupAttribute member
- AuthLDAPGroupAttributeIsDN on
- Require valid-user
- RequestHeader unset Authorization

Of course if you change the yaml file you have to regenerate the corresponding ood-portal.conf file as a result.

@at8036 were you able to find out anything more through debug logs?

Sorry, been pretty busy since getting back from PEARC! I will look into it. I am not so certain it is an LDAP issue though since the problem is the same even when trying to use the Apache password file. Quick question beforehand, the nginx config file I noticed is completely commented out. Am I supposed to do something to set that up?

Cool, just let us know.

About the nginx config, no you don’t need to modify that because you get a Per User Nginx instance that ondemand sets up and configures for you when you login. Like mine below was configured for specifically for me.

/var/lib/ondemand-nginx/config/puns/johrstrom.conf

Hello,
I’ve tried raising the log levels but I’m not seeing anything pertaining to whether ldap is trying to authenticate or not, what I do see though is a GET request and an error:

141.217.136.24 - at8036 [26/Aug/2019:16:26:32 -0400] “GET /pun/sys/dashboard HTTP/1.1” 401 381 “-” “Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0”

[Mon Aug 26 16:26:32.553325 2019] [auth_basic:error] [pid 78804] [client 141.217.136.24:41544] AH01618: user at8036 not found: /pun/sys/dashboard

I can reach ldap and have no problems with ldapsearch. Also, I don’t see any sign of an LDAP query when capturing all traffic in and out of the server with tcpdump. Any other thoughts? As far as I can tell I type in credentials, it checks to see if the account exists and when failing that just pops up a new window asking for credentials again.

I appreciate any suggestions!!!
Thanks,
Aragorn.

That’s worrisome, but perhaps a clue to this issue.

what happens when you just run ldapsearch uid=at8036. For me, on our systems, I can’t even run ldapsearch using myself (I mean my authenticated ldapuser johrstrom), I need a bind user and password from my administrators. I guess my question is, can you run ldapsearch anonymously?

Otherwise you’ll have to specify a username/password with these directives.
https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#authldapbinddn

Hello,

This is what I get when running your simple command:
[root@ondemand ~]# ldapsearch uid=at8036
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:

That fails, however this passes with no problem:
[root@ondemand ~]# ldapsearch -x -h ldap.wayne.edu -b “ou=people,dc=wayne,dc=edu” uid=at8036
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=wayne,dc=edu> with scope subtree
# filter: uid=at8036
# requesting: ALL
#

It is possible to query LDAP anonymously. It isn’t possible to modify LDAP records without a password. The results are the same for my user btw/:

[at8036@ondemand ~] ldapsearch uid=at8036 SASL/EXTERNAL authentication started ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: [at8036@ondemand ~] ldapsearch -x -h ldap.wayne.edu -b “ou=people,dc=wayne,dc=edu” uid=at8036
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=wayne,dc=edu> with scope subtree
# filter: uid=at8036
# requesting: ALL
#

OK, your config seems correct, maybe it’s not being added to the actual httpd config? You say you’re not generating any outbound ldap traffic and that may be our only clue.

Look in /opt/rh/httpd24/root/etc/httpd/conf.d/ood-portal.conf to see what’s configured there. Does what you configure in /etc/ood/config/ood_portal.yml get correctly populated (after you run /opt/ood/ood-portal-generator/sbin/update_ood_portal)?

Any news @at8036? You may need to try upping the log level of that particular module with something like LogLevel info mod_authnz_ldap:trace5.

Sanity check: what browser are you using?

@efranz from the Apache access log it looks like FireFox v60 for 64bit Linux:

31/Jul/2019:16:28:50 -0400] “GET / HTTP/1.1” 302 233 “-” “Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

Ok, mystery has been resolved. It looks like the main problem was that the yum install adds a file, “ood”, to the sudoers.d directory to give apache sudo for the nginx setup script. I’m using a vm that did not check that directory, hence, nginx wasn’t creating the pun directories. :slight_smile: I had a number of other problems here and there but that is the primary one to resolve this problem.

Thanks for everyone’s assistance!!!

Thanks,
Aragorn.

That’s awesome that you got it fixed! I’m surprised to hear it wasn’t apache directly but some secondary issue.

To be clear, this line wasn’t configured in your /etc/sudoers file?

# /etc/sudoers
# ...
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

Correct, I had to add that. The VMs are highly controlled by the VM team and they don’t really like people adding random sudoers. Ha ha.

Gotcha, Thanks again for the update!