Posted to users@httpd.apache.org by Sebastian Reitenbach <se...@l00-bugdead-prods.de> on 2011/01/06 15:36:13 UTC
[users@httpd] Problem with ldap authentication against domino server
Hi,
I have LDAP authentication working against openldap. But I have to
authenticate against a Lotus Domino Server.
Below are the contents of my .htaccess file:
AuthType Basic
AuthBasicProvider ldap
AuthName "LDAP"
#AuthLDAPURL "ldap://openldapserver:389/ou=people,dc=intern"
AuthLDAPURL "ldap://dominoserver:389/?uid"
AuthzLDAPAuthoritative on
#require valid-user
require ldap-user user
#require ldap-group cn=admin
#require ldap-attribute gidnumber=1011
Satisfy any
Order deny,allow
Deny from all
When I comment out the require ldap-user line and uncomment the require
valid-user line, then I can successfully log in with my credentials.
When I try to restrict the login to a given user or group, then the
authentication doesn't work.
here it works using the openldap server:
==> /var/log/apache2/error_log <==
[Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(982): [2013] auth_ldap
url parse: `ldap://openldapserver:389/ou=people,dc=intern', Host:
openldapserver:389, Port: 389, DN: ou=people,dc=intern, attrib: (null), scope:
base, filter: (null), connection mode: not using SSL
[Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(982): [2014] auth_ldap
url parse: `ldap://openldapserver:389/ou=people,dc=intern', Host:
openldapserver:389, Port: 389, DN: ou=people,dc=intern, attrib: (null), scope:
base, filter: (null), connection mode: not using SSL
[Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(379): [client 127.0.0.1]
[2014] auth_ldap authenticate: using URL
ldap://openldapserver:389/ou=people,dc=intern
[Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(484): [client 127.0.0.1]
[2014] auth_ldap authenticate: accepting user
[Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(659): [client 127.0.0.1]
[2014] auth_ldap authorise: require user: authorisation successful
here it doesn't work, using the domino server:
==> /var/log/apache2/error_log <==
[Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(982): [2015] auth_ldap
url parse: `ldap://dominoserver:389/?uid', Host: dominoserver:389, Port: 389,
DN: , attrib: uid, scope: base, filter: (null), connection mode: not using SSL
[Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(379): [client 127.0.0.1]
[2015] auth_ldap authenticate: using URL ldap://dominoserver:389/?uid
[Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(484): [client 127.0.0.1]
[2015] auth_ldap authenticate: accepting user
[Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(665): [client 127.0.0.1]
[2015] auth_ldap authorise: require user: authorisation failed [Comparison
complete][Insufficient access]
[Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(685): [client 127.0.0.1]
[2015] auth_ldap authorise: require user: authorisation failed [Comparison
complete][Insufficient access]
[Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(874): [client 127.0.0.1]
[2015] auth_ldap authorise: authorisation denied
Well, it states about the insufficient access, but I wonder what kind of
access might be missing?
I can run
ldapsearch -x -h dominoserver -b "" -D "CN=Test User,O=MyCompany" -W
And I successfully get stuff back from the Domino Server; the Test User has
uid=user.
However, what I noticed is that I have to specify the empty baseDN -b "";
without it, I don't get any search results back. I don't have to do that
against the OpenLDAP server. I don't know whether this could be the cause of
my problem?
Sebastian
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
To unsubscribe from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Problem with ldap authentication against domino server
Posted by Sebastian Reitenbach <se...@l00-bugdead-prods.de>.
On Thursday, January 13, 2011 01:38:54 pm Eric Covener wrote:
> On Thu, Jan 13, 2011 at 3:16 AM, Sebastian Reitenbach
>
> <se...@l00-bugdead-prods.de> wrote:
> > On Tuesday, January 11, 2011 02:38:31 pm Eric Covener wrote:
> >> > Or on the other hand, is it possible to tell mod_authnz_ldap to bind
> >> > as the user instead of anonymous to make the compare request?
> >>
> >> The manual tells you how to use a userid/password.
> >
> > I rechecked the documentation, and I found the following directives in
> > the apache-trunk documentation:
> > AuthLDAPSearchAsUser
> > AuthLDAPCompareAsUser
> >
> > which is probably what I want, since I don't really want to hardcode a
> > BindDN and BindPassword in the apache configuration..
> >
> > I have apache-2.2.15, and checked the changelog of up to apache-2.2.17,
> > and as it seems, those directives are not yet there. The docs say it's
> > only available since 2.3.6.
> >
> > Or did you have other configuration directives in mind?
>
> I meant the bind DN and password, not the trunk features.
>
Ah, OK, yes, with the bindDN I also found it working, and it's fine for my
testing purposes, but I don't want to put usernames/passwords into configuration
files on the server. In the meantime I opened a service request at IBM so that
they may hopefully tell me how to enable anonymous compare on the LDAP
service, since I haven't found a hint on it in the IBM documentation. Even the
guy on the phone was a bit unsure about the issue ;)
It's not a too urgent issue for me; either I get a sufficient answer from IBM,
or I'll wait for a future Apache. Just wanted to make sure I don't overlook
something.
Thanks to everyone.
Sebastian
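The two remedies the thread settles on, written out as an added example (not Sebastian's .htaccess and not project code): variant A is the 2.2 approach Eric meant, a dedicated bind identity that mod_authnz_ldap then uses for the authorization compare Domino refuses on an anonymous bind; variant B is the AuthLDAPCompareAsUser directive available from 2.3.6 on. It lives in the server configuration rather than .htaccess, as Igor asked; the paths, bind DN and password are placeholders.

```apache
# Added example, not the original .htaccess from the thread.
# Put this in the main server / vhost config (or a <Directory> block),
# not in .htaccess: a bind password does not belong in a file under the
# document root, and AllowOverride can then stay off for the path.

# Variant A: Apache 2.2 (the poster's 2.2.15). The password check still
# binds as the user; the user search and the "Require ldap-user" compare
# that Domino refused for an anonymous bind now use the identity below.
<Location /protected>
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "LDAP"
    AuthLDAPURL "ldap://dominoserver:389/?uid"
    # Placeholder identity: a least-privilege account allowed only to
    # search and compare uid on user entries.
    AuthLDAPBindDN "CN=apache-bind,O=MyCompany"
    AuthLDAPBindPassword "REPLACE_ME"
    AuthzLDAPAuthoritative on
    Require ldap-user user
</Location>

# Variant B: Apache 2.3.6 and later. No stored credential: the compare is
# issued with the DN and password the user just authenticated with.
# (AuthzLDAPAuthoritative no longer exists in 2.4, so it is omitted here.)
<Location /protected-new>
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "LDAP"
    AuthLDAPURL "ldap://dominoserver:389/?uid"
    AuthLDAPCompareAsUser on
    Require ldap-user user
</Location>
```

With either variant, a debug-level error_log should show the "authorise: require user" line end in "authorisation successful" instead of "[Comparison complete][Insufficient access]".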
Re: [users@httpd] Problem with ldap authentication against domino server
Posted by Eric Covener <co...@gmail.com>.
On Thu, Jan 13, 2011 at 3:16 AM, Sebastian Reitenbach
<se...@l00-bugdead-prods.de> wrote:
> On Tuesday, January 11, 2011 02:38:31 pm Eric Covener wrote:
>> > Or on the other hand, is it possible to tell mod_authnz_ldap to bind as
>> > the user instead of anonymous to make the compare request?
>>
>> The manual tells you how to use a userid/password.
>
> I rechecked the documentation, and I found the following directives in the
> apache-trunk documentation:
> AuthLDAPSearchAsUser
> AuthLDAPCompareAsUser
>
> which is probably what I want, since I don't really want to hardcode a BindDN
> and BindPassword in the apache configuration..
>
> I have apache-2.2.15, and checked the changelog of up to apache-2.2.17, and as
> it seems, those directives are not yet there. The docs say it's only
> available since 2.3.6.
>
> Or did you have other configuration directives in mind?
I meant the bind DN and password, not the trunk features.
Re: [users@httpd] Problem with ldap authentication against domino server
Posted by Sebastian Reitenbach <se...@l00-bugdead-prods.de>.
On Tuesday, January 11, 2011 02:38:31 pm Eric Covener wrote:
> > Or on the other hand, is it possible to tell mod_authnz_ldap to bind as
> > the user instead of anonymous to make the compare request?
>
> The manual tells you how to use a userid/password.
I rechecked the documentation, and I found the following directives in the
apache-trunk documentation:
AuthLDAPSearchAsUser
AuthLDAPCompareAsUser
which is probably what I want, since I don't really want to hardcode a BindDN
and BindPassword in the apache configuration..
I have apache-2.2.15, and checked the changelog of up to apache-2.2.17, and as
it seems, those directives are not yet there. The docs say it's only
available since 2.3.6.
Or did you have other configuration directives in mind?
cheers,
Sebastian
Re: [users@httpd] Problem with ldap authentication against domino server
Posted by Eric Covener <co...@gmail.com>.
> Or on the other hand, is it possible to tell mod_authnz_ldap to bind as the
> user instead of anonymous to make the compare request?
The manual tells you how to use a userid/password.
Re: [users@httpd] Problem with ldap authentication against domino server
Posted by Sebastian Reitenbach <se...@l00-bugdead-prods.de>.
Hi,
On Thursday, January 06, 2011 03:36:13 pm Sebastian Reitenbach wrote:
> Hi,
>
> I have LDAP authentication working against openldap. But I have to
> authenticate against an Lotus Domino Server.
>
> below the contents of my .htaccess file:
>
> AuthType Basic
> AuthBasicProvider ldap
> AuthName "LDAP"
> #AuthLDAPURL "ldap://openldapserver:389/ou=people,dc=intern"
> AuthLDAPURL "ldap://dominoserver:389/?uid"
> AuthzLDAPAuthoritative on
> #require valid-user
> require ldap-user user
> #require ldap-group cn=admin
> #require ldap-attribute gidnumber=1011
> Satisfy any
>
Sorry for my late reply, and thanks for your answers. I haven't found them in
my inbox/trash/spam folder/...; just by googling I found them accidentally in
the mailing list archives, so I'm answering myself here.
To Eric:
Analyzing the network traffic with wireshark, and enabling activity logging on
the domino server, I found that the module connects to the domino server
anonymously, and then issues the compare request. The domino server then
returns ldap response 50: Insufficient access rights.
Huh, now I need to find out whether I can tell the domino server to allow
anonymous compare requests.
Or on the other hand, is it possible to tell mod_authnz_ldap to bind as the
user instead of anonymous to make the compare request?
To Igor:
it's in .htaccess only for testing; too lazy to restart the apache every time I
make a change ;)
Sebastian
Re: [users@httpd] Problem with ldap authentication against domino server
Posted by Eric Covener <co...@gmail.com>.
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(665): [client 127.0.0.1]
> [2015] auth_ldap authorise: require user: authorisation failed [Comparison
> complete][Insufficient access]
I think this means the user you're authenticating as doesn't have the
right permissions to run the authorization comparison?
TBH I'm not even sure what search is occurring with which credentials
-- a packet capture would tell for sure.
Re: [users@httpd] Problem with ldap authentication against domino server
Posted by Igor Galić <i....@brainsware.org>.
----- "Sebastian Reitenbach" <se...@l00-bugdead-prods.de> wrote:
> Hi,
>
> I have LDAP authentication working against openldap. But I have to
> authenticate against a Lotus Domino Server.
>
> below the contents of my .htaccess file:
Why, Oh, Why are you putting it in .htaccess?
> AuthType Basic
> AuthBasicProvider ldap
> AuthName "LDAP"
> #AuthLDAPURL "ldap://openldapserver:389/ou=people,dc=intern"
> AuthLDAPURL "ldap://dominoserver:389/?uid"
> AuthzLDAPAuthoritative on
> #require valid-user
> require ldap-user user
> #require ldap-group cn=admin
> #require ldap-attribute gidnumber=1011
> Satisfy any
>
> Order deny,allow
> Deny from all
>
> When I comment out the require ldap-user line and uncomment the require
> valid-user line, then I can successfully log in with my credentials.
>
> When I try to restrict the login to a given user or group, then the
> authentication doesn't work.
>
>
> here it works using the openldap server:
> ==> /var/log/apache2/error_log <==
> [Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(982): [2013]
> auth_ldap
> url parse: `ldap://openldapserver:389/ou=people,dc=intern', Host:
> openldapserver:389, Port: 389, DN: ou=people,dc=intern, attrib:
> (null), scope:
> base, filter: (null), connection mode: not using SSL
> [Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(982): [2014]
> auth_ldap
> url parse: `ldap://openldapserver:389/ou=people,dc=intern', Host:
> openldapserver:389, Port: 389, DN: ou=people,dc=intern, attrib:
> (null), scope:
> base, filter: (null), connection mode: not using SSL
> [Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(379): [client
> 127.0.0.1]
> [2014] auth_ldap authenticate: using URL
> ldap://openldapserver:389/ou=people,dc=intern
> [Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(484): [client
> 127.0.0.1]
> [2014] auth_ldap authenticate: accepting user
> [Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(659): [client
> 127.0.0.1]
> [2014] auth_ldap authorise: require user: authorisation successful
>
>
>
> here it doesn't work, using the domino server:
> ==> /var/log/apache2/error_log <==
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(982): [2015]
> auth_ldap
> url parse: `ldap://dominoserver:389/?uid', Host: dominoserver:389,
> Port: 389,
> DN: , attrib: uid, scope: base, filter: (null), connection mode: not
> using SSL
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(379): [client
> 127.0.0.1]
> [2015] auth_ldap authenticate: using URL ldap://dominoserver:389/?uid
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(484): [client
> 127.0.0.1]
> [2015] auth_ldap authenticate: accepting user
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(665): [client
> 127.0.0.1]
> [2015] auth_ldap authorise: require user: authorisation failed
> [Comparison
> complete][Insufficient access]
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(685): [client
> 127.0.0.1]
> [2015] auth_ldap authorise: require user: authorisation failed
> [Comparison
> complete][Insufficient access]
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(874): [client
> 127.0.0.1]
> [2015] auth_ldap authorise: authorisation denied
>
> Well, it states about the insufficient access, but I wonder what kind of
> access might be missing?
>
> I can run
> ldapsearch -x -h dominoserver -b "" -D "CN=Test User,O=MyCompany" -W
>
> And I successfully get stuff back from the Domino Server; the Test User has
> uid=user.
> However, what I noticed is that I have to specify the empty baseDN -b "";
> without it, I don't get any search results back. I don't have to do that
> against the OpenLDAP server. I don't know whether this could be the cause of
> my problem?
>
> Sebastian
>
--
Igor Galić
Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/