我一直在尝试将 Windows 服务器上的 apache 绑定到我们的活动目录服务器以进行身份验证和授权。
为了测试它,我一直在尝试使用以下参数的“ldap-status”处理程序
<Location "/ldap-status">
SetHandler ldap-status
AuthType Basic
AuthBasicProvider ldap
AuthName "LDAP Status"
LDAPReferrals off
AuthLDAPBindAuthoritative on
AuthLDAPURL "ldap://1.2.3.4:389/cn=Users,dc=XXX,dc=example,dc=com?sAMAccountName?sub?(objectClass=person)" NONE
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on
AuthLDAPMaxSubGroupDepth 0
AuthLDAPBindDN xxx
AuthLDAPBindPassword xxx
Require ldap-group "cn=TEST GROUP,cn=Users,dc=XXX,dc=example,dc=com"
</Location>
到目前为止,如果我将其删除Require ldap-group并替换为Require valid-user,它可以正常工作,但如果我恢复组要求则无法正常工作。
从我使用 powershell 从 AD 服务器中可以看到,该组存在并且它具有member列出所有成员的 DN 的属性;基于此,我设置AuthLDAPGroupAttribute为member和。AuthLDAPGroupAttributeIsDNon
我确定我的用户在我需要检查的组中,但是在 apache 错误日志中只有这条记录,这并不能真正帮助理解原因:
[Mon Apr 27 14:52:08.023952 2020] [authz_core:error] [pid 13168:tid 2072] [client 10.0.1.45:59690] AH01631: user mtassinari: authorization failure for "/ldap-status":
What can I do to correct the configuration in order to understand why "require ldap-group" fails?
In the end I have been able to make it work by splitting authentication and authorization with alias, like this:
I think the key difference here is the
AuthLDAPURL, which in the authorization provider is without any filter, it just doesn't feel right to have to repeat common configuration parameters to make it work.当我遇到这个问题时,我特别认为我应该引用可分辨的组名(因为它包含空格),但是当涉及到 Require ldap-group 时,你特别不应该使用引号,请参阅参考: https://httpd .apache.org/docs/2.4/mod/mod_authnz_ldap.html#reqgroup
一旦我删除了引号,我就可以毫无问题地使用 ldap-group 并且不使用别名。