
Apache2 ignores "authorization result of <RequireAny>: denied (no authenticated user yet)" and lets random users log in

Stack Overflow user
Asked on 2019-08-15 19:33:59
Answers: 1 | Views: 1.1K | Followers: 0 | Votes: 0

I am trying to figure out why Apache2 ignores "authorization result: denied (no authenticated user yet)" and lets random users log in.

I have tried using the Require directive, but the result is always the same: after 1 or 5 login attempts, Apache2 simply shows the page to any random user, even though "no authenticated user yet" appears.

The Apache vhost configuration is:

<VirtualHost *:443>
  ServerName vmntopng01.mgmt.local

  ## Vhost docroot
  DocumentRoot "/var/www"

  ## Directories, there should at least be a declaration for /var/www

  <Directory "/var/www">
    ## Options FollowSymlinks
    AllowOverride None
    Require all denied
    Require valid-user granted
    Require ldap-group CN=ACS-ntopng-admin,OU=Groups,OU=Company,DC=berlin-hq,DC=local granted
    AuthType Basic
    AuthName "ntopng"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ldap.coast.local/DC=berlin-hq,DC=local?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=authldap.ntopng,OU=System-User,OU=Company,DC=berlin-hq,DC=local"
    AuthLDAPBindPassword "xxxxxxxxxxxxx"
  </Directory>

  ## Logging
  LogLevel debug
  ErrorLog "/var/log/apache2/ntopng_error_ssl.log"
  ServerSignature Off
  CustomLog "/var/log/apache2/ntopng_access_ssl.log" combined

  ## Server aliases
  ServerAlias ntopng.mgmt.local
  ServerAlias ntopng.coast.local

  ## SSL directives
  SSLEngine on
  SSLCertificateFile      "/etc/apache2/certs/vmntopng01.mgmt.local.pem"
  SSLCertificateKeyFile   "/etc/apache2/certs/vmntopng01.mgmt.local.key"
  SSLCertificateChainFile "/etc/apache2/certs/ca.pem"
</VirtualHost>

In the apache2 logs I see the following events:

==> /var/log/apache2/ntopng_ssl_redirect_access.log.1 <==
10.128.130.151 - - [15/Aug/2019:11:35:34 +0200] "GET / HTTP/1.1" 301 242 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0"

==> /var/log/apache2/ntopng_error_ssl.log <==
[Thu Aug 15 11:35:34.794789 2019] [ssl:info] [pid 14190:tid 140114248333056] [client 10.128.130.151:51305] AH01964: Connection to child 65 established (server vmntopng01.mgmt.local:443)
[Thu Aug 15 11:35:34.795183 2019] [socache_shmcb:debug] [pid 14190:tid 140114248333056] mod_socache_shmcb.c(532): AH00835: socache_shmcb_retrieve (0x7a -> subcache 26)
[Thu Aug 15 11:35:34.795215 2019] [socache_shmcb:debug] [pid 14190:tid 140114248333056] mod_socache_shmcb.c(917): AH00851: shmcb_subcache_retrieve found no match
[Thu Aug 15 11:35:34.795221 2019] [socache_shmcb:debug] [pid 14190:tid 140114248333056] mod_socache_shmcb.c(542): AH00836: leaving socache_shmcb_retrieve successfully
[Thu Aug 15 11:35:34.795247 2019] [ssl:debug] [pid 14190:tid 140114248333056] ssl_engine_kernel.c(2115): [client 10.128.130.151:51305] AH02043: SSL virtual host for servername vmntopng01.mgmt.local found
[Thu Aug 15 11:35:34.795321 2019] [ssl:debug] [pid 14190:tid 140114248333056] ssl_engine_kernel.c(2115): [client 10.128.130.151:51305] AH02043: SSL virtual host for servername vmntopng01.mgmt.local found
[Thu Aug 15 11:35:34.795339 2019] [core:debug] [pid 14190:tid 140114248333056] protocol.c(2219): [client 10.128.130.151:51305] AH03155: select protocol from , choices=h2,http/1.1 for server vmntopng01.mgmt.local
[Thu Aug 15 11:35:34.804699 2019] [ssl:debug] [pid 14190:tid 140114248333056] ssl_engine_kernel.c(2042): [client 10.128.130.151:51305] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Thu Aug 15 11:35:34.805943 2019] [ssl:debug] [pid 14190:tid 140114248333056] ssl_engine_kernel.c(366): [client 10.128.130.151:51305] AH02034: Initial (No.1) HTTPS request received for child 65 (server vmntopng01.mgmt.local:443)
[Thu Aug 15 11:35:34.805993 2019] [authz_core:debug] [pid 14190:tid 140114248333056] mod_authz_core.c(809): [client 10.128.130.151:51305] AH01626: authorization result of Require all denied: denied
[Thu Aug 15 11:35:34.806008 2019] [authz_core:debug] [pid 14190:tid 140114248333056] mod_authz_core.c(809): [client 10.128.130.151:51305] AH01626: authorization result of Require valid-user granted: denied (no authenticated user yet)
[Thu Aug 15 11:35:34.806015 2019] [authz_core:debug] [pid 14190:tid 140114248333056] mod_authz_core.c(809): [client 10.128.130.151:51305] AH01626: authorization result of Require ldap-group CN=ACS-ntopng-admin,OU=Groups,OU=Company,DC=berlin-hq,DC=local granted: denied (no authenticated user yet)
[Thu Aug 15 11:35:34.806020 2019] [authz_core:debug] [pid 14190:tid 140114248333056] mod_authz_core.c(809): [client 10.128.130.151:51305] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)

==> /var/log/apache2/ntopng_access_ssl.log <==
10.128.130.151 - - [15/Aug/2019:11:35:34 +0200] "GET / HTTP/1.1" 401 381 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0"

==> /var/log/apache2/ntopng_error_ssl.log <==
[Thu Aug 15 11:35:34.806174 2019] [ssl:debug] [pid 14190:tid 140114248333056] ssl_engine_io.c(1044): [client 10.128.130.151:51305] AH02001: Connection closed to child 65 with standard shutdown (server vmntopng01.mgmt.local:443)

==> /var/log/apache2/ntopng_access_ssl.log.1 <==
10.128.130.151 - - [15/Aug/2019:11:35:46 +0200] "GET / HTTP/1.1" 200 626 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0"
10.128.130.151 - - [15/Aug/2019:11:35:46 +0200] "GET /favicon.ico HTTP/1.1" 200 2937 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0"

So you can see that the successful "GET / HTTP/1.1" 200 follows right after the ": denied (no authenticated user yet)".

More details:

$ apt-cache policy apache2
apache2:
  Installed: 2.4.25-3+deb9u7
  Candidate: 2.4.25-3+deb9u7
  Version table:
 *** 2.4.25-3+deb9u7 500
        500 http://ftp.de.debian.org/debian stretch/main amd64 Packages
        500 http://security.debian.org/debian-security stretch/updates/main amd64 Packages
        100 /var/lib/dpkg/status

$ ls /etc/apache2/mods-enabled/
access_compat.load  authn_file.load       authz_user.load  dav_fs.conf   dir.conf     mime.conf         reqtimeout.load     ssl.load
alias.conf          authnz_ldap.load      autoindex.conf   dav_fs.load   dir.load     mime.load         setenvif.conf       worker.conf
alias.load          authz_core.load       autoindex.load   dav.load      env.load     negotiation.conf  setenvif.load       worker.load
auth_basic.load     authz_groupfile.load  cgid.conf        deflate.conf  filter.load  negotiation.load  socache_shmcb.load
authn_core.load     authz_host.load       cgid.load        deflate.load  ldap.load    reqtimeout.conf   ssl.conf

Any suggestions are greatly appreciated.

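The sequence in the logs is the normal HTTP Basic challenge: the first request carries no credentials, every Require line reports "no authenticated user yet", Apache answers 401 (visible in the access log), and the browser resends the request with credentials a few seconds later, which is the 200. The part that matters is what happens to that second, authenticated request. In Apache 2.4, several bare Require lines in one section are merged into an implicit <RequireAny>, so the section grants access as soon as any single line grants. `Require all denied` never grants and is therefore dead weight there, and `Require valid-user` grants every user who authenticates against the LDAP provider, so the group line is never needed for a grant. (The `granted`/`denied` keywords are arguments of `Require all` only.) The following is an added example, not the question's or the answerer's configuration: the posted rules beside a form where every condition must hold. The DNs, LDAP URL and bind DN are the ones from the question; the bind password is a placeholder.

```apache
# Added example: the question's <Directory> access rules beside a corrected form.
# DNs, URL and bind DN are taken from the question; the password is a placeholder.

# --- As posted: three Require lines with no explicit container ---
# Apache 2.4 wraps bare Require lines in an implicit <RequireAny>, so access is
# granted as soon as ANY one line grants:
#   Require all denied             -> never grants (contributes nothing here)
#   Require valid-user granted     -> grants every user who authenticates
#   Require ldap-group ... granted -> never needed once valid-user has granted
# ("granted"/"denied" are arguments of "Require all" only.)
#
# <Directory "/var/www">
#   AllowOverride None
#   Require all denied
#   Require valid-user granted
#   Require ldap-group CN=ACS-ntopng-admin,OU=Groups,OU=Company,DC=berlin-hq,DC=local granted
#   ...
# </Directory>

# --- Corrected: authentication AND group membership are both required ---
<Directory "/var/www">
  AllowOverride None

  AuthType Basic
  AuthName "ntopng"
  AuthBasicProvider ldap
  AuthLDAPURL "ldaps://ldap.coast.local/DC=berlin-hq,DC=local?sAMAccountName?sub?(objectClass=*)"
  AuthLDAPBindDN "CN=authldap.ntopng,OU=System-User,OU=Company,DC=berlin-hq,DC=local"
  AuthLDAPBindPassword "REPLACE_WITH_BIND_PASSWORD"

  # Explicit <RequireAll>: the request is granted only if the user has
  # authenticated AND is a member of the admin group. No "granted" suffix on
  # either line; the group line is the full group DN and nothing else.
  <RequireAll>
    Require valid-user
    Require ldap-group CN=ACS-ntopng-admin,OU=Groups,OU=Company,DC=berlin-hq,DC=local
  </RequireAll>
</Directory>
```

With this form, an authenticated user outside the group produces an AH01626 line reading "authorization result of <RequireAll>: denied" on the second (credentialed) request and gets a 401 or 403 instead of the page; that is the log line to look for when testing the change. A single `Require ldap-group ...` line on its own is equivalent, since the ldap-group check already refuses requests that carry no authenticated user.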

1 Answer

Stack Overflow user

Posted on 2019-09-18 17:02:54

It is hard to explain, but after a reboot of the whole host everything started working properly. The only explanation I can see is that, before the reboot, something in the system had cached incorrect LDAP information, so access control did not work correctly.

Votes: 0

Original content provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain translation engine.
Original link:

https://stackoverflow.com/questions/57509022
