Edit history
Correction by atrus, (current version):
Need a debug log
Already have one. Fat lot of good it does. Even trace8 doesn't give much.
Still, I took another step in this quest. I discovered that although apache completely ignores the AuthnProviderAlias and AuthBasicProvider entries for AuthType Kerberos, «AuthzProviderAlias ldap-group» can be used to check the user against groups.
Unfortunately, this left one unpleasant problem that did not show up when AuthLDAPURL was in Location.
Now, in KrbMethodNegotiate on, KrbMethodK5Passwd on mode, when logging in from a non-domain machine, the connection simply dies after the login and password are entered. But after clicking «refresh page» in the browser everything starts working.
Auto-login for domain clients works. If I leave only KrbMethodNegotiate on for auto-login, it works. Only KrbMethodK5Passwd on also works. But together, in the password-entry case, they fail on the first attempt...
Not much in the logs (even at trace8):
[authz_core:debug] [pid 19783] mod_authz_core.c(809): [client 192.168.1.6:50398] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[authz_core:debug] [pid 19783] mod_authz_core.c(809): [client 192.168.1.6:50398] AH01626: authorization result of Require ldap-group-1 : denied (no authenticated user yet)
[authz_core:debug] [pid 19783] mod_authz_core.c(809): [client 192.168.1.6:50398] AH01626: authorization result of Require ldap-group-2 : denied (no authenticated user yet)
[authz_core:debug] [pid 19783] mod_authz_core.c(809): [client 192.168.1.6:50398] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[authz_core:debug] [pid 19783] mod_authz_core.c(809): [client 192.168.1.6:50398] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet)
[authz_core:debug] [pid 19783] mod_authz_core.c(809): [client 192.168.1.6:50398] AH01626: authorization result of Require ldap-group CN=***,OU=***,OU=***,OU=***,OU=***,DC=***,DC=***: denied (no authenticated user yet)
[authz_core:debug] [pid 19783] mod_authz_core.c(809): [client 192.168.1.6:50398] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[auth_kerb:debug] [pid 19783] src/mod_auth_kerb.c(1954): [client 192.168.1.6:50398] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[core:trace3] [pid 19783] request.c(119): [client 192.168.1.6:50398] auth phase 'check user' gave status 401: /
[http:trace3] [pid 19783] http_filters.c(1129): [client 192.168.1.6:50398] Response sent with status 401, headers:
[http:trace5] [pid 19783] http_filters.c(1136): [client 192.168.1.6:50398] Date: Thu, 20 Jul 2017 13:59:21 GMT
[http:trace5] [pid 19783] http_filters.c(1139): [client 192.168.1.6:50398] Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_auth_kerb/5.4 PHP/7.1.6
[http:trace4] [pid 19783] http_filters.c(958): [client 192.168.1.6:50398] WWW-Authenticate: Negotiate
[http:trace4] [pid 19783] http_filters.c(958): [client 192.168.1.6:50398] WWW-Authenticate: Basic realm="Test Private Zone"
[http:trace4] [pid 19783] http_filters.c(958): [client 192.168.1.6:50398] Content-Length: 381
[http:trace4] [pid 19783] http_filters.c(958): [client 192.168.1.6:50398] Keep-Alive: timeout=5, max=100
[http:trace4] [pid 19783] http_filters.c(958): [client 192.168.1.6:50398] Connection: Keep-Alive
[http:trace4] [pid 19783] http_filters.c(958): [client 192.168.1.6:50398] Content-Type: text/html; charset=iso-8859-1
[ssl:trace4] [pid 19783] ssl_engine_io.c(1514): [client 192.168.1.6:50398] coalesce: have 0 bytes, adding 346 more
[core:trace6] [pid 19783] core_filters.c(525): [client 192.168.1.6:50398] core_output_filter: flushing because of FLUSH bucket
[core:trace6] [pid 19783] core_filters.c(525): [client 192.168.1.6:50398] core_output_filter: flushing because of FLUSH bucket
[ssl:trace4] [pid 19783] ssl_engine_io.c(2078): [client 192.168.1.6:50398] OpenSSL: I/O error, 5 bytes expected to read on BIO#7f7c13125d40 [mem: 7f7c1315fe93]
[core:trace6] [pid 19783] core_filters.c(525): [client 192.168.1.6:50398] core_output_filter: flushing because of FLUSH bucket
[core:trace6] [pid 19783] core_filters.c(525): [client 192.168.1.6:50398] core_output_filter: flushing because of FLUSH bucket
[ssl:trace4] [pid 19783] ssl_engine_io.c(2078): [client 192.168.1.6:50398] OpenSSL: I/O error, 5 bytes expected to read on BIO#7f7c13125d40 [mem: 7f7c1315fe93]
[ssl:info] [pid 19783] (70007)The timeout specified has expired: [client 192.168.1.6:50398] AH01991: SSL input filter read failed.
[core:trace6] [pid 19783] core_filters.c(525): [client 192.168.1.6:50398] core_output_filter: flushing because of FLUSH bucket
[ssl:trace3] [pid 19783] ssl_engine_kernel.c(1778): [client 192.168.1.6:50398] OpenSSL: Write: SSL negotiation finished successfully
[ssl:debug] [pid 19783] ssl_engine_io.c(992): [client 192.168.1.6:50398] AH02001: Connection closed to child 1 with standard shutdown (server test.site.local:443)
Original version by atrus, :
Need a debug log
Already have one. Fat lot of good it does. Even trace8 doesn't give much.
Still, I took another step in this quest. I discovered that although apache completely ignores the AuthnProviderAlias and AuthBasicProvider entries for AuthType Kerberos, «AuthzProviderAlias ldap-group» can be used to check the user against groups.
Unfortunately, this left one unpleasant problem that did not show up when AuthLDAPURL was in Location.
Now, in KrbMethodNegotiate on, KrbMethodK5Passwd on mode, when logging in from a non-domain machine, the connection simply dies after the login and password are entered. But after clicking «refresh page» in the browser everything starts working.
Auto-login for domain clients works. If I leave only KrbMethodNegotiate on for auto-login, it works. Only KrbMethodK5Passwd on also works. But together, in the password-entry case, they fail on the first attempt...
Not much in the logs (even at trace8):
[authz_core:debug] [pid 19783] mod_authz_core.c(809): [client 192.168.1.6:50398] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[authz_core:debug] [pid 19783] mod_authz_core.c(809): [client 192.168.1.6:50398] AH01626: authorization result of Require ldap-group-1 : denied (no authenticated user yet)
[authz_core:debug] [pid 19783] mod_authz_core.c(809): [client 192.168.1.6:50398] AH01626: authorization result of Require ldap-group-2 : denied (no authenticated user yet)
[authz_core:debug] [pid 19783] mod_authz_core.c(809): [client 192.168.1.6:50398] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[authz_core:debug] [pid 19783] mod_authz_core.c(809): [client 192.168.1.6:50398] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet)
[authz_core:debug] [pid 19783] mod_authz_core.c(809): [client 192.168.1.6:50398] AH01626: authorization result of Require ldap-group CN=***,OU=***,OU=***,OU=***,OU=***,DC=***,DC=***: denied (no authenticated user yet)
[authz_core:debug] [pid 19783] mod_authz_core.c(809): [client 192.168.1.6:50398] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[auth_kerb:debug] [pid 19783] src/mod_auth_kerb.c(1954): [client 192.168.1.6:50398] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[core:trace3] [pid 19783] request.c(119): [client 192.168.1.6:50398] auth phase 'check user' gave status 401: /
[http:trace3] [pid 19783] http_filters.c(1129): [client 192.168.1.6:50398] Response sent with status 401, headers:
[http:trace5] [pid 19783] http_filters.c(1136): [client 192.168.1.6:50398] Date: Thu, 20 Jul 2017 13:59:21 GMT
[http:trace5] [pid 19783] http_filters.c(1139): [client 192.168.1.6:50398] Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_auth_kerb/5.4 PHP/7.1.6
[http:trace4] [pid 19783] http_filters.c(958): [client 192.168.1.6:50398] WWW-Authenticate: Negotiate
[http:trace4] [pid 19783] http_filters.c(958): [client 192.168.1.6:50398] WWW-Authenticate: Basic realm="IEC Private Zone"
[http:trace4] [pid 19783] http_filters.c(958): [client 192.168.1.6:50398] Content-Length: 381
[http:trace4] [pid 19783] http_filters.c(958): [client 192.168.1.6:50398] Keep-Alive: timeout=5, max=100
[http:trace4] [pid 19783] http_filters.c(958): [client 192.168.1.6:50398] Connection: Keep-Alive
[http:trace4] [pid 19783] http_filters.c(958): [client 192.168.1.6:50398] Content-Type: text/html; charset=iso-8859-1
[ssl:trace4] [pid 19783] ssl_engine_io.c(1514): [client 192.168.1.6:50398] coalesce: have 0 bytes, adding 346 more
[core:trace6] [pid 19783] core_filters.c(525): [client 192.168.1.6:50398] core_output_filter: flushing because of FLUSH bucket
[core:trace6] [pid 19783] core_filters.c(525): [client 192.168.1.6:50398] core_output_filter: flushing because of FLUSH bucket
[ssl:trace4] [pid 19783] ssl_engine_io.c(2078): [client 192.168.1.6:50398] OpenSSL: I/O error, 5 bytes expected to read on BIO#7f7c13125d40 [mem: 7f7c1315fe93]
[core:trace6] [pid 19783] core_filters.c(525): [client 192.168.1.6:50398] core_output_filter: flushing because of FLUSH bucket
[core:trace6] [pid 19783] core_filters.c(525): [client 192.168.1.6:50398] core_output_filter: flushing because of FLUSH bucket
[ssl:trace4] [pid 19783] ssl_engine_io.c(2078): [client 192.168.1.6:50398] OpenSSL: I/O error, 5 bytes expected to read on BIO#7f7c13125d40 [mem: 7f7c1315fe93]
[ssl:info] [pid 19783] (70007)The timeout specified has expired: [client 192.168.1.6:50398] AH01991: SSL input filter read failed.
[core:trace6] [pid 19783] core_filters.c(525): [client 192.168.1.6:50398] core_output_filter: flushing because of FLUSH bucket
[ssl:trace3] [pid 19783] ssl_engine_kernel.c(1778): [client 192.168.1.6:50398] OpenSSL: Write: SSL negotiation finished successfully
[ssl:debug] [pid 19783] ssl_engine_io.c(992): [client 192.168.1.6:50398] AH02001: Connection closed to child 1 with standard shutdown (server test.site.local:443)
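The layout the post describes (Kerberos authentication with group checks done through named ldap-group aliases, and AuthLDAPURL moved out of Location into the alias) looks like this in Apache 2.4 syntax. This is an added illustration, not the poster's configuration; realm, keytab path, LDAP host, bind DN, group DNs and the KrbLocalUserMapping setting are assumptions.

```apache
# Added example, not the poster's config. Named ldap-group providers: the
# AuthLDAPURL and bind credentials live inside each alias, not in Location.
# All DNs, hosts and the realm below are placeholders.
<AuthzProviderAlias ldap-group ldap-group-1 "CN=web-users,OU=Groups,DC=example,DC=local">
    AuthLDAPURL "ldap://ldap.example.local/DC=example,DC=local?sAMAccountName?sub"
    AuthLDAPBindDN "CN=svc-httpd,OU=Service,DC=example,DC=local"
    # Plaintext bind secret: keep this file readable by root only.
    AuthLDAPBindPassword "PLACEHOLDER-bind-password"
</AuthzProviderAlias>

<AuthzProviderAlias ldap-group ldap-group-2 "CN=web-admins,OU=Groups,DC=example,DC=local">
    AuthLDAPURL "ldap://ldap.example.local/DC=example,DC=local?sAMAccountName?sub"
    AuthLDAPBindDN "CN=svc-httpd,OU=Service,DC=example,DC=local"
    AuthLDAPBindPassword "PLACEHOLDER-bind-password"
</AuthzProviderAlias>

<Location "/">
    # Authentication is Kerberos only; AuthnProviderAlias and
    # AuthBasicProvider are ignored for this AuthType, as the post notes.
    AuthType Kerberos
    AuthName "Test Private Zone"
    KrbAuthRealms EXAMPLE.LOCAL
    Krb5KeyTab /etc/httpd/http.keytab
    # SPNEGO auto-login for domain-joined clients.
    KrbMethodNegotiate on
    # Basic fallback for non-domain clients; the password is checked against the KDC.
    KrbMethodK5Passwd on
    # Assumption: strip "@REALM" from the principal so the ldap-group lookup
    # can match it against sAMAccountName.
    KrbLocalUserMapping on

    # Authorization: the authenticated principal must be in at least one group.
    # These Require lines are what appear as "Require ldap-group-1/-2" in the trace.
    <RequireAny>
        Require ldap-group-1
        Require ldap-group-2
    </RequireAny>
</Location>
```

The "denied (no authenticated user yet)" lines in the trace are normal for the first, unauthenticated request: authorization is evaluated before the 401 challenge is sent, and only the subsequent request carrying an Authorization header reaches the group checks with a real user.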