LDAP filter used by Apache never returns any entries

Time: 2018-06-18 04:10:21

Tags: apache ldap openldap ldap-query

I'm using LDAP for authentication, but I keep getting a 401 and I'm not sure what changed in the meantime. I even had authentication for specific URLs based on group membership. I've tried to simplify as much as possible, but I still get a 401.

Apache config:

Order deny,allow
AuthName "Authentication Required"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPUrl ldap://localhost:389/ou=people,dc=mysite,dc=com?uid
Require valid-user
Satisfy all

Apache log:

[Sun Jun 17 23:47:51.454443 2018] [auth_basic:error] [pid 10801] [client 98.113.59.60:52870] AH01618: user myusername not found: / 

OpenLDAP log:

[17-06-2018 23:47:51] slapd debug  conn=1150 fd=24 ACCEPT from IP=127.0.0.1:38178 (IP=0.0.0.0:389)
[17-06-2018 23:47:51] slapd debug  conn=1150 op=0 BIND dn="" method=128
[17-06-2018 23:47:51] slapd debug  conn=1150 op=0 RESULT tag=97 err=0 text=
[17-06-2018 23:47:51] slapd debug  conn=1150 op=1 SRCH base="ou=people,dc=mysite,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=myusername))"
[17-06-2018 23:47:51] slapd debug  conn=1150 op=1 SRCH attr=uid
[17-06-2018 23:47:51] slapd debug  conn=1150 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=

I figured I would try to replicate the filter from the OpenLDAP log. First, a little sanity check that people actually exists:

$ ldapsearch -x -b "dc=mysite,dc=com" -s one
# extended LDIF
#
# LDAPv3
# base <dc=mysite,dc=com> with scope oneLevel
# filter: (objectclass=*)
# requesting: ALL
#

# ... stuff

# people, mysite.com
dn: ou=people,dc=mysite,dc=com
objectClass: organizationalUnit
objectClass: top
ou: people

# ... stuff

Now check that the user actually exists:

$ ldapsearch -x -b "ou=people,dc=mysite,dc=com" -s one
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=mysite,dc=com> with scope oneLevel
# filter: (objectclass=*)
# requesting: ALL
#

# ... stuff

# My User, people, mysite.com
dn: cn=My User,ou=people,dc=mysite,dc=com
givenName: My
gidNumber: 500
homeDirectory: /home/users/myusername
sn: User
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uid: myusername
cn: My User
loginShell: /bin/bash
uidNumber: 2000

Cool, the user exists. Now, when I copy the filter from the OpenLDAP log to the command line, I get no entries:

$ ldapsearch -x -b "ou=people,dc=mysite,dc=com" "(&(objectClass=*)(uid=myusername))" uid
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=mysite,dc=com> with scope subtree
# filter: (&(objectClass=*)(uid=myusername))
# requesting: uid 
#

# search result
search: 2
result: 0 Success

# numResponses: 1

Now, if I insert at least one asterisk into the uid part of the filter, it returns the requested entry. I can put the asterisk at the end, at the beginning, or in the middle. I can add as many as I want. It doesn't matter.

$ ldapsearch -x -b "ou=people,dc=mysite,dc=com" "(&(objectClass=*)(uid=my*user*name))" uid
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=mysite,dc=com> with scope subtree
# filter: (&(objectClass=*)(uid=my*user*name))
# requesting: uid 
#

# My User, people, mysite.com
dn: cn=My User,ou=people,dc=mysite,dc=com
uid: myusername

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

I'm running Ubuntu 16.04. How do I fix this so that I can authenticate to Apache using the uid?

edit: I also found that I can no longer SSH in using LDAP uids.

1 answer:

Answer 0 (score: 1)

Since the filter (&(objectClass=*)(uid=my*user*name)), which hits the substring matching rule, does work ((objectClass=*) is always true), I suspect you added an equality index to your slapd configuration after adding the user entries, without re-indexing the database.

See also: OpenLDAP FAQ: How do I add an index after populating the database?
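As an added example (not from the question or the answer), a Python triage script that applies the answer's reasoning to slapd debug lines in the format shown above: it pairs each SRCH with its SEARCH RESULT, flags equality assertions that returned nothing without an error, and builds the substring probe the asker ran by hand. The log sample is constructed in the question's format.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the slapd debug format shown above: conn=1150 is the
# failing equality search from the question, conn=1151 the substring probe.
SAMPLE_LOG = """\
[17-06-2018 23:47:51] slapd debug  conn=1150 op=0 BIND dn="" method=128
[17-06-2018 23:47:51] slapd debug  conn=1150 op=0 RESULT tag=97 err=0 text=
[17-06-2018 23:47:51] slapd debug  conn=1150 op=1 SRCH base="ou=people,dc=mysite,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=myusername))"
[17-06-2018 23:47:51] slapd debug  conn=1150 op=1 SRCH attr=uid
[17-06-2018 23:47:51] slapd debug  conn=1150 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
[17-06-2018 23:49:02] slapd debug  conn=1151 op=1 SRCH base="ou=people,dc=mysite,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=my*user*name))"
[17-06-2018 23:49:02] slapd debug  conn=1151 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" .*filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')
# One equality assertion, e.g. (uid=myusername). A '*' in the value would make it
# a substring or presence assertion, which uses a different index, so exclude it.
EQ_RE = re.compile(r'\((\w+)=([^*()]+)\)')

def zero_hit_equality_searches(log: str) -> List[Tuple[str, str, str]]:
    """Return (base, attribute, value) for every equality assertion whose search
    completed without error (err=0) but matched nothing (nentries=0)."""
    pending: Dict[Tuple[str, str], Tuple[str, str]] = {}
    findings: List[Tuple[str, str, str]] = []
    for line in log.splitlines():
        m = SRCH_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = (m.group(3), m.group(4))
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        base, filt = pending.pop((m.group(1), m.group(2)), ("", ""))
        if filt and m.group(3) == "0" and m.group(4) == "0":
            for attr, value in EQ_RE.findall(filt):
                findings.append((base, attr, value))
    return findings

def substring_probe(base: str, attr: str, value: str) -> str:
    """Build the ldapsearch the asker ran by hand: the same value with a '*' in
    the middle. If this finds the entry the equality filter missed, the eq index
    on `attr` is stale and the database needs re-indexing (slapindex)."""
    half = len(value) // 2
    probe = f"(&(objectClass=*)({attr}={value[:half]}*{value[half:]}))"
    return f'ldapsearch -x -b "{base}" "{probe}" {attr}'
```

Run it over a real slapd log with loglevel stats; every attribute it reports is a candidate for a stale equality index.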