Posted to users@httpd.apache.org by Sebastian Reitenbach <se...@l00-bugdead-prods.de> on 2011/01/06 15:36:13 UTC

[users@httpd] Problem with ldap authentication against domino server

Hi,

I have LDAP authentication working against openldap. But I have to 
authenticate against a Lotus Domino Server.

below the contents of my .htaccess file:

AuthType Basic
AuthBasicProvider ldap
AuthName "LDAP"
#AuthLDAPURL "ldap://openldapserver:389/ou=people,dc=intern"
AuthLDAPURL "ldap://dominoserver:389/?uid"
AuthzLDAPAuthoritative on
#require valid-user
require ldap-user user
#require ldap-group cn=admin
#require ldap-attribute gidnumber=1011
Satisfy any

Order deny,allow
Deny from all

When I comment the require ldap-user line, and uncomment the require valid-user 
line, then I can successfully log in with my credentials.

When I try to restrict the login to a given user or group, then the 
authentication doesn't work.


here it works using the openldap server:
==> /var/log/apache2/error_log <==
[Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(982): [2013] auth_ldap 
url parse: `ldap://openldapserver:389/ou=people,dc=intern', Host: 
openldapserver:389, Port: 389, DN: ou=people,dc=intern, attrib: (null), scope: 
base, filter: (null), connection mode: not using SSL
[Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(982): [2014] auth_ldap 
url parse: `ldap://openldapserver:389/ou=people,dc=intern', Host: 
openldapserver:389, Port: 389, DN: ou=people,dc=intern, attrib: (null), scope: 
base, filter: (null), connection mode: not using SSL
[Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(379): [client 127.0.0.1] 
[2014] auth_ldap authenticate: using URL 
ldap://openldapserver:389/ou=people,dc=intern
[Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(484): [client 127.0.0.1] 
[2014] auth_ldap authenticate: accepting user
[Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(659): [client 127.0.0.1] 
[2014] auth_ldap authorise: require user: authorisation successful



here it doesn't work, using the domino server:
==> /var/log/apache2/error_log <==
[Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(982): [2015] auth_ldap 
url parse: `ldap://dominoserver:389/?uid', Host: dominoserver:389, Port: 389, 
DN: , attrib: uid, scope: base, filter: (null), connection mode: not using SSL
[Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(379): [client 127.0.0.1] 
[2015] auth_ldap authenticate: using URL ldap://dominoserver:389/?uid
[Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(484): [client 127.0.0.1] 
[2015] auth_ldap authenticate: accepting user
[Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(665): [client 127.0.0.1] 
[2015] auth_ldap authorise: require user: authorisation failed [Comparison 
complete][Insufficient access]
[Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(685): [client 127.0.0.1] 
[2015] auth_ldap authorise: require user: authorisation failed [Comparison 
complete][Insufficient access]
[Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(874): [client 127.0.0.1] 
[2015] auth_ldap authorise: authorisation denied

Well, it states about the insufficient access, but I wonder what kind of 
access might be missing?

I can run
ldapsearch -x -h dominoserver -b "" -D "CN=Test User,O=MyCompany" -W

And I successfully get stuff back from the Domino Server, the Test User has 
uid=user.
However, what I noticed is I have to specify the empty baseDN -b "", without 
it, I don't get any search results back. I don't have to do it against the 
OpenLDAP server, don't know whether this could be the cause of my problem?

Sebastian

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Problem with ldap authentication against domino server

Posted by Sebastian Reitenbach <se...@l00-bugdead-prods.de>.
On Thursday, January 13, 2011 01:38:54 pm Eric Covener wrote:
> On Thu, Jan 13, 2011 at 3:16 AM, Sebastian Reitenbach
> 
> <se...@l00-bugdead-prods.de> wrote:
> > On Tuesday, January 11, 2011 02:38:31 pm Eric Covener wrote:
> >> > Or on the other hand, is it possible to tell mod_authnz_ldap to bind
> >> > as the user instead of anonymous to make the compare request?
> >> 
> >> The manual tells you how to use a userid/password.
> > 
> > I rechecked the documentation, and I found the following directives in
> > the apache-trunk documentation:
> > AuthLDAPSearchAsUser
> > AuthLDAPCompareAsUser
> > 
> > which is probably what I want, since I don't really want to hardcode a
> > BindDN and BindPassword in the apache configuration..
> > 
> > I have apache-2.2.15, and checked the changelog of up to apache-2.2.17,
> > and as it seems, those directives are not yet there. The docs say it's
> > only available since 2.3.6.
> > 
> > Or did you have other configuration directives in mind?
> 
> I meant the bind DN and password, not the trunk features.
> 
Ah, OK, yes, with the bindDN I also found it working, and it's fine for my 
testing purposes, I don't want to put username/passwords into configuration 
files on the server. In the meantime I opened a service request at IBM so that 
they may hopefully tell me how to enable anonymous compare on the LDAP 
service, since I haven't found a hint on it in the IBM documentation. Even the 
guy on the phone was a bit unsure about the issue ;)
It's not a too urgent issue for me, either I get a sufficient answer from IBM, 
or I'll wait for future apache. Just wanted to make sure I don't overlook 
something.

Thanks to everyone.
Sebastian 

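The thread ends with the working combination: mod_authnz_ldap binds anonymously unless a bind DN is configured, Domino refuses the anonymous compare that "require ldap-user" triggers (result 50, logged as "[Comparison complete][Insufficient access]"), and a configured bind DN makes the compare succeed. The configuration below is an added example, not from the thread or the httpd project; it takes Eric's answer (AuthLDAPBindDN / AuthLDAPBindPassword, both available in 2.2.x) and Igor's point about not using .htaccess. The directory path, the service account DN and the password are placeholders; the server name, attribute and Require lines are the ones from Sebastian's .htaccess.

```apache
# Main server configuration (httpd.conf or an Included file), not .htaccess:
# the block is parsed once at startup and AllowOverride can stay off.
<Directory "/var/www/protected">
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "LDAP"

    # Same URL as in the thread: empty base DN, attribute uid. The empty base
    # matches the "ldapsearch -b ''" that returned results from Domino.
    # "not using SSL" in the debug log means the user's Basic credentials and
    # the service password below cross the wire in clear; an ldaps:// URL or
    # the STARTTLS connection-mode argument closes that.
    AuthLDAPURL "ldap://dominoserver:389/?uid"
    AuthzLDAPAuthoritative on

    # The failing setup had no bind DN, so the search and the compare for
    # "require ldap-user" ran anonymously and Domino answered the compare
    # with insufficientAccessRights (50). A dedicated read-only service
    # account (placeholder name and password) is what made it work on 2.2.x.
    AuthLDAPBindDN       "CN=apache-ldap-svc,O=MyCompany"
    AuthLDAPBindPassword "PLACEHOLDER_CHANGE_ME"

    Require ldap-user user
    # Require ldap-group cn=admin
    # Require ldap-attribute gidnumber=1011

    # Unchanged from the thread: deny by host, so authentication is the only
    # way in.
    Order deny,allow
    Deny from all
    Satisfy any
</Directory>

# httpd 2.3.6 and later (not in 2.2.17, as the thread notes): the directives
# Sebastian found in the trunk docs let the compare and search run with the
# authenticating user's own credentials, so no stored service password is
# needed.
# AuthLDAPCompareAsUser on
# AuthLDAPSearchAsUser on
```

The stored bind password is the residual risk Sebastian objects to: keep the file readable only by root (httpd reads it before dropping privileges) and give the service account compare and read rights on the user entries only, so a leaked password cannot be used to change directory data. On httpd 2.4.5 and later, AuthLDAPBindPassword also accepts an "exec:" prefix that fetches the password from a program at startup instead of storing it inline.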


Re: [users@httpd] Problem with ldap authentication against domino server

Posted by Eric Covener <co...@gmail.com>.
On Thu, Jan 13, 2011 at 3:16 AM, Sebastian Reitenbach
<se...@l00-bugdead-prods.de> wrote:
> On Tuesday, January 11, 2011 02:38:31 pm Eric Covener wrote:
>> > Or on the other hand, is it possible to tell mod_authnz_ldap to bind as
>> > the user instead of anonymous to make the compare request?
>>
>> The manual tells you how to use a userid/password.
>
> I rechecked the documentation, and I found the following directives in the
> apache-trunk documentation:
> AuthLDAPSearchAsUser
> AuthLDAPCompareAsUser
>
> which is probably what I want, since I don't really want to hardcode a BindDN
> and BindPassword in the apache configuration..
>
> I have apache-2.2.15, and checked the changelog of up to apache-2.2.17, and as
> it seems, those directives are not yet there. The docs say it's only
> available since 2.3.6.
>
> Or did you have other configuration directives in mind?

I meant the bind DN and password, not the trunk features.



Re: [users@httpd] Problem with ldap authentication against domino server

Posted by Sebastian Reitenbach <se...@l00-bugdead-prods.de>.
On Tuesday, January 11, 2011 02:38:31 pm Eric Covener wrote:
> > Or on the other hand, is it possible to tell mod_authnz_ldap to bind as
> > the user instead of anonymous to make the compare request?
> 
> The manual tells you how to use a userid/password.

I rechecked the documentation, and I found the following directives in the 
apache-trunk documentation:
AuthLDAPSearchAsUser
AuthLDAPCompareAsUser

which is probably what I want, since I don't really want to hardcode a BindDN 
and BindPassword in the apache configuration..

I have apache-2.2.15, and checked the changelog of up to apache-2.2.17, and as 
it seems, those directives are not yet there. The docs say it's only 
available since 2.3.6.

Or did you have other configuration directives in mind?

cheers,
Sebastian



Re: [users@httpd] Problem with ldap authentication against domino server

Posted by Eric Covener <co...@gmail.com>.
> Or on the other hand, is it possible to tell mod_authnz_ldap to bind as the
> user instead of anonymous to make the compare request?

The manual tells you how to use a userid/password.



Re: [users@httpd] Problem with ldap authentication against domino server

Posted by Sebastian Reitenbach <se...@l00-bugdead-prods.de>.
Hi,

On Thursday, January 06, 2011 03:36:13 pm Sebastian Reitenbach wrote:
> Hi,
> 
> I have LDAP authentication working against openldap. But I have to
> authenticate against a Lotus Domino Server.
> 
> below the contents of my .htaccess file:
> 
> AuthType Basic
> AuthBasicProvider ldap
> AuthName "LDAP"
> #AuthLDAPURL "ldap://openldapserver:389/ou=people,dc=intern"
> AuthLDAPURL "ldap://dominoserver:389/?uid"
> AuthzLDAPAuthoritative on
> #require valid-user
> require ldap-user user
> #require ldap-group cn=admin
> #require ldap-attribute gidnumber=1011
> Satisfy any
> 
Sorry for my late reply, and thanks for your answers. I haven't found them in 
my inbox/trash/spam folder/..., just by googling, I found them accidentally in 
the mailing list archives, so answering myself here.

To Eric:
Analyzing the network traffic with wireshark, and enabling activity logging on 
the domino server, I found that the module connects to the domino server 
anonymously, and then issues the compare request. The domino server then 
returns ldap response 50: Insufficient access rights.

Huh, now I need to find out whether I can tell the domino server to allow 
anonymous compare requests.

Or on the other hand, is it possible to tell mod_authnz_ldap to bind as the 
user instead of anonymous to make the compare request?

To Igor:
it's in .htaccess only for testing, too lazy to restart the apache every time I 
make a change ;)

Sebastian



Re: [users@httpd] Problem with ldap authentication against domino server

Posted by Eric Covener <co...@gmail.com>.
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(665): [client 127.0.0.1]
> [2015] auth_ldap authorise: require user: authorisation failed [Comparison
> complete][Insufficient access]

I think this means the user you're authenticating as doesn't have the
right permissions to run the authorization comparison?

TBH I'm not even sure what search is occurring with which credentials
-- a packet capture would tell for sure.



Re: [users@httpd] Problem with ldap authentication against domino server

Posted by Igor Galić <i....@brainsware.org>.
----- "Sebastian Reitenbach" <se...@l00-bugdead-prods.de> wrote:

> Hi,
> 
> I have LDAP authentication working against openldap. But I have to 
> authenticate against a Lotus Domino Server.
> 
> below the contents of my .htaccess file:

Why, Oh, Why are you putting it in .htaccess?

> AuthType Basic
> AuthBasicProvider ldap
> AuthName "LDAP"
> #AuthLDAPURL "ldap://openldapserver:389/ou=people,dc=intern"
> AuthLDAPURL "ldap://dominoserver:389/?uid"
> AuthzLDAPAuthoritative on
> #require valid-user
> require ldap-user user
> #require ldap-group cn=admin
> #require ldap-attribute gidnumber=1011
> Satisfy any
> 
> Order deny,allow
> Deny from all
> 
> When I comment the require ldap-user line, and uncomment the require
> valid-user line, then I can successfully log in with my credentials.
> 
> When I try to restrict the login to a given user or group, then the 
> authentication doesn't work.
> 
> 
> here it works using the openldap server:
> ==> /var/log/apache2/error_log <==
> [Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(982): [2013]
> auth_ldap 
> url parse: `ldap://openldapserver:389/ou=people,dc=intern', Host: 
> openldapserver:389, Port: 389, DN: ou=people,dc=intern, attrib:
> (null), scope: 
> base, filter: (null), connection mode: not using SSL
> [Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(982): [2014]
> auth_ldap 
> url parse: `ldap://openldapserver:389/ou=people,dc=intern', Host: 
> openldapserver:389, Port: 389, DN: ou=people,dc=intern, attrib:
> (null), scope: 
> base, filter: (null), connection mode: not using SSL
> [Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(379): [client
> 127.0.0.1] 
> [2014] auth_ldap authenticate: using URL 
> ldap://openldapserver:389/ou=people,dc=intern
> [Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(484): [client
> 127.0.0.1] 
> [2014] auth_ldap authenticate: accepting user
> [Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(659): [client
> 127.0.0.1] 
> [2014] auth_ldap authorise: require user: authorisation successful
> 
> 
> 
> here it doesn't work, using the domino server:
> ==> /var/log/apache2/error_log <==
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(982): [2015]
> auth_ldap 
> url parse: `ldap://dominoserver:389/?uid', Host: dominoserver:389,
> Port: 389, 
> DN: , attrib: uid, scope: base, filter: (null), connection mode: not
> using SSL
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(379): [client
> 127.0.0.1] 
> [2015] auth_ldap authenticate: using URL ldap://dominoserver:389/?uid
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(484): [client
> 127.0.0.1] 
> [2015] auth_ldap authenticate: accepting user
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(665): [client
> 127.0.0.1] 
> [2015] auth_ldap authorise: require user: authorisation failed
> [Comparison 
> complete][Insufficient access]
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(685): [client
> 127.0.0.1] 
> [2015] auth_ldap authorise: require user: authorisation failed
> [Comparison 
> complete][Insufficient access]
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(874): [client
> 127.0.0.1] 
> [2015] auth_ldap authorise: authorisation denied
> 
> Well, it states about the insufficient access, but I wonder what kind
> of 
> access might be missing?
> 
> I can run
> ldapsearch -x -h dominoserver -b "" -D "CN=Test User,O=MyCompany" -W
> 
> And I successfully get stuff back from the Domino Server, the Test
> User has 
> uid=user.
> However, what I noticed is I have to specify the empty baseDN -b "",
> without 
> it, I don't get any search results back. I don't have to do it against
> the 
> OpenLDAP server, don't know whether this could be the cause of my
> problem?
> 
> Sebastian
> 

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
