
Authentication timed out

Open avcherkasov opened this issue 10 years ago • 13 comments

Hello everybody! I'm trying to set up this plugin against a Windows 2008R2 Active Directory server, my nginx.conf:

    http {
        ...
        auth_ldap_cache_enabled on;
        auth_ldap_cache_expiration_time 3600000;
        auth_ldap_cache_size 1000;

        ldap_server platbox {
            url "ldap://192.168.198.100/dc=int,dc=domain,dc=com?sAMAccountName?sub?";
            binddn "[email protected]";
            binddn_passwd "pass";
            require valid_user;
            satisfy any;
            connections 50;
        }
        ...
    }

But I can't authenticate, errors:

    2015/05/15 17:28:30 [error] 27034#0: *2 http_auth_ldap: Authentication timed out, client: x.x.x.x, server: xxx.domain.com, request: "GET / HTTP/1.1", host: "192.168.198.200"
    2015/05/15 17:30:30 [error] 27068#0: *51 http_auth_ldap: Authentication timed out, client: x.x.x.x, server: xxx.domain.com, request: "GET / HTTP/1.1", host: "192.168.198.200"

I know that there is no firewall between hosts, and ldapsearch is working. Please give me some advice. Thanks!

avcherkasov avatar May 15 '15 15:05 avcherkasov

Can you check on the command-line with ldapsearch that your binddn and LDAP URL are valid? See this bug: https://github.com/kvspb/nginx-auth-ldap/issues/80

jbq avatar May 18 '15 11:05 jbq

ldapsearch works fine!

    ldapsearch -x -LLL -H ldap://192.168.198.100 -D '[email protected]' -W -b 'cn=users,dc=int,dc=domain,dc=com'
    Enter LDAP Password:
    dn: CN=Users,DC=int,DC=domain,DC=com
    objectClass: top
    objectClass: container
    cn: Users
    description: Default container for upgraded user accounts
    distinguishedName: CN=Users,DC=int,DC=domain,DC=com
    instanceType: 4
    etc...

avcherkasov avatar May 20 '15 08:05 avcherkasov

Can you try with connections 1? And if possible activate debug with error_log /path/to/log/file debug and paste the output. Thanks!

jbq avatar May 20 '15 09:05 jbq

Everything is the same and nothing new in logs with debug option :(

    2015/05/20 12:16:13 [error] 5691#0: *4 http_auth_ldap: Authentication timed out, client: x.x.x.x, server: domain.com, request: "GET / HTTP/1.1", host: "domain.com"

avcherkasov avatar May 20 '15 09:05 avcherkasov

Oh, maybe this can help?

    2015/05/20 12:22:55 [info] 5810#0: *2 client closed connection while waiting for request, client: x.x.x.x, server: 0.0.0.0:80

avcherkasov avatar May 20 '15 09:05 avcherkasov

Can you check with nginx -V if the option --with-debug is present? Nginx may be missing debugging support.

See http://nginx.org/en/docs/debugging_log.html

Anyway connection errors should be reported as errors and the debug output should not be necessary, but here the auth_ldap module behaves inconsistently.

jbq avatar May 20 '15 10:05 jbq

Yes, you're right, nginx was without debug. Here is the debug output: http://pastebin.com/ddQfvibT

avcherkasov avatar May 20 '15 11:05 avcherkasov

I made it! Everything works with 3268 or 3269 port! So my last working config: http://pastebin.com/fhaUcRdZ

avcherkasov avatar May 20 '15 11:05 avcherkasov

I submitted a patch for issue #80 if you wish to have proper error messages in the logs. Someone may want to close this issue now that the problem has gone away.

jbq avatar May 21 '15 07:05 jbq

Follow this issue: #204, quote:

Port 389. This port is used for requesting information from the local domain controller. LDAP requests sent to port 389 can be used to search for objects only within the global catalog's home domain. However, the requesting application can obtain all of the attributes for those objects. For example, a request to port 389 could be used to obtain a user's department.

Port 3268. This port is used for queries specifically targeted for the global catalog. LDAP requests sent to port 3268 can be used to search for objects in the entire forest. However, only the attributes marked for replication to the global catalog can be returned. For example, a user's department could not be returned using port 3268 since this attribute is not replicated to the global catalog.

Use 3268 port.

Lnek avatar Dec 27 '19 06:12 Lnek
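The 389-versus-3268 distinction quoted above (and quoted again further down the thread) in working form, as an added example that is not code from nginx-auth-ldap or from anyone in this issue: it parses the module's url directive in its RFC 4516 shape, flags the domain-controller-port subtree search that timed out here, rewrites it to the global-catalog port, and builds the ldapsearch probe jbq asked for. The sample URL is the reporter's; the bind DN and login are hypothetical placeholders.

```python
from urllib.parse import urlsplit, unquote

# Default ports on a domain controller and their global-catalog equivalents.
DC_PORTS = {"ldap": 389, "ldaps": 636}
GC_PORTS = {"ldap": 3268, "ldaps": 3269}

def parse_ldap_url(url):
    """Split an nginx-auth-ldap 'url' value, which follows RFC 4516
    (scheme://host[:port]/base?attr?scope?filter), into its parts.
    RFC defaults apply: scope 'base', filter '(objectClass=*)'."""
    p = urlsplit(url)
    if p.scheme not in DC_PORTS:
        raise ValueError("unsupported scheme: %r" % p.scheme)
    fields = p.query.split("?") if p.query else []
    fields += [""] * (3 - len(fields))
    attr, scope, filt = fields[:3]
    return {"scheme": p.scheme, "host": p.hostname,
            "port": p.port or DC_PORTS[p.scheme],
            "base": unquote(p.path.lstrip("/")), "attr": attr,
            "scope": scope or "base",
            "filter": unquote(filt) or "(objectClass=*)"}

def needs_global_catalog(cfg):
    """The shape that stalled in this thread: a subtree search on the
    domain-controller port. AD answers such searches on 389/636 with
    referrals to other naming contexts; the global catalog does not."""
    return cfg["port"] == DC_PORTS[cfg["scheme"]] and cfg["scope"] == "sub"

def global_catalog_url(cfg):
    """Same host, base, attribute, scope and filter on the GC port."""
    return "%s://%s:%d/%s?%s?%s?%s" % (
        cfg["scheme"], cfg["host"], GC_PORTS[cfg["scheme"]],
        cfg["base"], cfg["attr"], cfg["scope"], cfg["filter"])

def ldapsearch_command(cfg, binddn, login):
    """argv for the ldapsearch probe, searching the way the module does:
    base, scope and filter from the URL, AND-ed with attr=login. If this
    returns one DN promptly on the same port, nginx should not time out."""
    uri = "%s://%s:%d" % (cfg["scheme"], cfg["host"], cfg["port"])
    filt = "(&%s(%s=%s))" % (cfg["filter"], cfg["attr"], login)
    return ["ldapsearch", "-x", "-LLL", "-H", uri, "-D", binddn, "-W",
            "-b", cfg["base"], "-s", cfg["scope"], filt, "dn"]

# Constructed sample: the reporter's URL from this thread.
SAMPLE = "ldap://192.168.198.100/dc=int,dc=domain,dc=com?sAMAccountName?sub?"

if __name__ == "__main__":  # bind DN and login below are placeholders
    cfg = parse_ldap_url(SAMPLE)
    print(global_catalog_url(cfg) if needs_global_catalog(cfg) else SAMPLE)
    print(" ".join(ldapsearch_command(cfg, "binduser@int.domain.com", "jdoe")))
```

The global catalog only returns attributes replicated to it, so an attribute the module must read (group_attribute, for instance) has to be in the partial attribute set for the 3268/3269 rewrite to be a full substitute.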

I ran into the same issue today with the nginx and nginx-auth-ldap versions mentioned below. But in my case I was not able to authenticate using LDAPS. I had to change my port from 636 to 3269 to make it work.

    NGINX_VERSION: 1.19.6
    NGINX_AUTH_LDAP_COMMIT: 83c059b73566c2ee9cbda920d91b66657cf120b7

    ldap_server ldap_mycompany {
        url "ldaps://abc.example.com:3269/dc=example,dc=com?samaccountname?sub?(objectClass=user)";
        binddn "[email protected]";
        binddn_passwd "XXXXXXXXX";
        group_attribute member;
        group_attribute_is_dn on;
        require valid_user;
        satisfy all;
    }

adeelahmadch avatar Dec 30 '20 13:12 adeelahmadch

Follow this issue: #204, quote:

Port 389. This port is used for requesting information from the local domain controller. LDAP requests sent to port 389 can be used to search for objects only within the global catalog's home domain. However, the requesting application can obtain all of the attributes for those objects. For example, a request to port 389 could be used to obtain a user's department.

Port 3268. This port is used for queries specifically targeted for the global catalog. LDAP requests sent to port 3268 can be used to search for objects in the entire forest. However, only the attributes marked for replication to the global catalog can be returned. For example, a user's department could not be returned using port 3268 since this attribute is not replicated to the global catalog.

Use 3268 port.

Hell, really works. Thanks so much.

hailin84 avatar Jun 13 '23 06:06 hailin84

I made it! Everything works with 3268 or 3269 port! So my last working config: http://pastebin.com/fhaUcRdZ

It works. Thanks.

hailin84 avatar Jun 13 '23 06:06 hailin84