
Trying to Authenticate Apache with AD - Internal Server Error


I want my users to log in to my Apache web site via Active Directory. I get a login prompt, but then I get Internal Server Error:

Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator at root@localhost to inform them of the time this error occurred, and the actions you performed just before this error. More information about this error may be available in the server error log.

Here is my set up.

"Red Hat Enterprise Linux"
VERSION="9.2 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.2"

httpd -v
Server version: Apache/2.4.53 (Red Hat Enterprise Linux)
Server built:   Apr 28 2023 00:00:00

I followed the Red Hat article, Using LDAP with Apache HTTPD for HTTP basic authentication (https://access.redhat.com/solutions/20284)

It says to add this to httpd.conf


    <Directory /directory/ldap_auth_needed>
        Options Indexes FollowSymLinks
        AllowOverride None
        order allow,deny
        allow from all
        AuthType Basic
        AuthName Internal
        AuthBasicAuthoritative off
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        # AuthLDAPURL ldap://<ldap server ip>/<base DN>
        AuthLDAPURL ldap://ldap.example.com/dc=example,dc=com   
        require valid-user
        AuthLDAPBindDN cn=Manager,dc=example,dc=com
        AuthLDAPBindPassword secret
    </Directory>

It also says that in httpd 2.4.x the directives AuthzLDAPAuthoritative, AuthzDBDAuthoritative, AuthzDBMAuthoritative, AuthzGroupFileAuthoritative, AuthzUserAuthoritative, and AuthzOwnerAuthoritative were removed.

So for my domain, acme.corp, I will use the account bindAcc, which I actually use on my Rundeck server to authenticate against AD. Also, I want to test first with /var/www/html/private, which contains a file, new.html.

Here's what I added to my httpd.conf:


    <Directory /var/www/html/private>
        Options Indexes FollowSymLinks
        AllowOverride None
        order allow,deny
        allow from all
        AuthType Basic
        AuthName "private"
        AuthBasicAuthoritative off
        AuthBasicProvider ldap
        AuthLDAPURL ldap://server:389/OU=Users,OU=Management,dc=acme,dc=corp?sAMAccountName?sub?(objectClass=*)
        require valid-user
        AuthLDAPBindDN "CN=bindACC,OU=Service Accounts,OU=Management,DC=acme,DC=corp"
        AuthLDAPBindPassword password##!!
    </Directory>

For 'require', I've tried "ldap-user OU=Users,OU=Management,DC=acme,DC=corp", but that didn't work.

The Apache Linux server is joined to the domain with realm.

I go to http://mywebsite/private/new.html and see this in the logs.

/var/log/httpd/access_log:

10.120.10.189 - bindACC [06/Oct/2023:11:55:35 -0400] "GET /private/new.html HTTP/1.1" 500 527 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"

/var/log/httpd/error_log:

Fri Oct 06 11:55:35.326078 2023] [authn_core:error] [pid 177338:tid 177378] [client 10.120.10.189:57483] AH01796: AuthType Basic configured without corresponding module

I tried adding this to httpd.conf:


    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    LoadModule ldap_module modules/mod_ldap.so

but on httpd restart the error log shows:


    [so:warn] [pid 176628:tid 176628] AH01574: module authnz_ldap_module is already loaded, skipping.
    [so:warn] [pid 176628:tid 176628] AH01574: module ldap_module is already loaded, skipping.

and the output of httpd shows the modules are loaded:


    httpd.
    [Fri Oct 06 12:01:04.971547 2023] [so:warn] [pid 180550:tid 180550] AH01574: module authnz_ldap_module is already loaded, skipping.
    [Fri Oct 06 12:01:04.971620 2023] [so:warn] [pid 180550:tid 180550] AH01574: module ldap_module is already loaded, skipping.
    httpd (pid 176628) already running.

What am I doing wrong? Thanks.


Solution

  • I got it working for now.

    <Directory /var/www/html/private>
        allow from all
        AuthType Basic
        AuthName "Internal"
        AuthBasicAuthoritative off
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://server:389/OU=Users,OU=Management,dc=acme,dc=corp?sAMAccountName?sub?(objectClass=*)"
        Require valid-user
        AuthLDAPBindDN bindACC@acme.corp
        AuthLDAPBindPassword XXXXXXXXXX
    </Directory>
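The AuthLDAPURL in the working configuration above decides which directory search the module performs for every login. The following script is an added example, not code from the question, the answer or Apache itself: it parses the URL into the parts mod_authnz_ldap documents (scheme://host[:port]/basedn?attribute?scope?filter, with the documented defaults uid, sub and (objectclass=*)), builds the combined per-user filter with RFC 4515 escaping of the login name so that user input cannot change the filter's structure, and lists two findings a reviewer would raise. The hostname "server" is the asker's placeholder; the LDAPTrustedMode note refers to mod_ldap's directive of that name.

```python
from urllib.parse import urlsplit, unquote

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape a login name so it is matched literally and cannot change the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def parse_auth_ldap_url(url):
    """Split scheme://host[:port]/basedn?attribute?scope?filter into its parts."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPURL must start with ldap:// or ldaps://")
    # urlsplit keeps everything after the first '?' as the query; the remaining
    # '?'-separated fields are attribute, scope and filter, each optional.
    fields = unquote(parts.query).split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    scope = fields[1] or "sub"
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown search scope {scope!r}")
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": fields[0] or "uid",
        "scope": scope,
        "filter": fields[2] or "(objectclass=*)",
    }

def user_search_filter(url, username):
    """Filter the module sends: URL filter AND attribute=<escaped login name>."""
    cfg = parse_auth_ldap_url(url)
    return f"(&{cfg['filter']}({cfg['attribute']}={escape_filter_value(username)}))"

def review_url(url):
    """Findings a reviewer would raise about the URL before deploying it."""
    cfg = parse_auth_ldap_url(url)
    findings = []
    if cfg["scheme"] == "ldap":
        findings.append("plain ldap://: bind and user passwords cross the network in clear unless LDAPTrustedMode TLS (StartTLS) is configured")
    if cfg["scope"] == "sub" and cfg["filter"].lower() == "(objectclass=*)":
        findings.append("(objectClass=*) over a subtree: only the login attribute selects the user, so it must be unique below the base DN")
    return findings

if __name__ == "__main__":
    # URL from the question; "server" is the asker's placeholder hostname.
    url = "ldap://server:389/OU=Users,OU=Management,dc=acme,dc=corp?sAMAccountName?sub?(objectClass=*)"
    print(parse_auth_ldap_url(url), user_search_filter(url, "jdoe"), review_url(url), sep="\n")
```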