Autologin not prompting for login

This forum was archived to /woltlab and is now in read-only mode.
  • Hello all

    I am running into an issue with my icingaweb2 where when I try to use the external autologin, I never actually get prompted for a password.

    System: CentOS 7

    Apahce: 2.4.6

    IcingaWeb About Page:

    Version 2.4.2

    Git commit 7cec28a31fdff0feb470ec001838bc1dec9c4b69

    Git commit date 2017-09-28



    I originally am trying to use LDAP without requiring a bind account. I can create a test web page in my Apache following these instructions. This web page works fine. I get prompted for login, I get authenticated, and I can see my empty little page.


    So this block of code, dropped directly into the icingaweb2.conf, is not working.



    I try to do this to the icingaweb2.conf file, and I get straight to the blue login page, with a red error telling me that I have failed to authenticate within Apache. Then I go to the icingaweb2 auth tutorial for autologin, and try to set it up without using LDAP.


    For me, even these instructions still fail. I still get to the blue page, with the error saying I failed to authenticate in Apache. Side note: You only get this failure error if your only authentication option is the autologin.


    So, I am looking for any input at all as to why a the login prompt refuses to show for icingaweb2, but works for a little test page. If I can maybe solve the local access with a file, maybe I can work from there and fix the LDAP



    I could go back to my LDAP guys and ask for a service account for the LDAP bind backend, but would rather try to fix it on the Apache side. And so here I am.


    Alternatively, if there is a way to configure the LDAP resource in icingaweb2 to run without a BIND, I would take that.


    Thanks for your advice

    Matthew

  • /etc/httpd/conf.d/icingaweb2.conf



    /etc/icingaweb2/authentication.ini

    Code
    1. [autologin]
    2. backend = "external"
    3. #[icingaweb2_psql]
    4. #backend = "db"
    5. #resource = "icingaweb_db"


    I am happy to admit that my Icinga2 check coding is more advanced than my Apache knowledge, at roughly 2 weeks old. So it is entirely possible I screwed something up.

  • Hm, but this configuration does not let you through, right? I read that you got the login mask from Icinga Web 2, but that cannot be true.


    How does that configuration look like in your browser, as well as what is logged into apache's log for that?


    PS: Try manually querying the LDAP server with the given credentials. I fairly doubt that it will work without binddn (anonymous bind) if the server does not allow it.

  • Yes, I do get to the login page.


    It is a perfectly normal login. It is identical as if i swap away from autologin and place the database back in.


    And I can use that exact same LDAP setup on a VERY generic interface (the one linked on that tutorial actually). It prompts for my login, I log in and see my page.


    So I know that I am queried against the LDAP without a BIND, and authenticated.


    On the same note, even without LDAP, using the HTPASSWD commands and a local file, I should have been prompted to log in for the icingaweb2 page correct?


    Sorry for the delay. Dinner and commute.

  • Hurray! I solved it.


    in the /etc/httpd/conf.d/icingaweb2.conf file:

    Code
    1. <IfModule mod_authz_core.c>
    2. # Apache 2.4
    3. <RequireAll>
    4. Require all granted
    5. </RequireAll>
    6. </IfModule>


    The "require all granted" basically says "give access to everything anyway" and so it seems that Apache skips requiring authentication.

    If I comment it out, I get prompted for login properly.


    With this fixed by requiring a valid user, I can log in. Now to learn how to grant internal permissions to see my monitoring.