Posted to users@httpd.apache.org by empty body <em...@gmail.com> on 2006/06/18 16:01:32 UTC

[users@httpd] Re: authentication problem with apache2 + ldap + active directory

to be a bit more specific, what i am not seeing is another bind
request to AD that looks like this:

-----------
Lightweight Directory Access Protocol
    LDAP Message, Bind Request
        Message Id: 1
        Message Type: Bind Request (0x00)
        Version: 3
        DN: CN=Lastname\, Firstname,OU=Users-BLAH-BLAH,OU=BLAH2,DC=XYZ,DC=ABC,DC=com
        Auth Type: Simple (0x00)
        Password: user's password that i provided in the browser
-----------

...followed by a successful response from AD.

it seems that the initial response to a search query that it got back
from AD is unsatisfactory, so it does not even try to bind with the
newly found name. any ideas why this is happening?

i even tried some other products (not apache) where AD auth works, and
their network capture looks just like apache's, except they also do
the second bind.

any pointers/suggestions are appreciated.

thank you.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: authentication problem with apache2 + ldap + active directory

Posted by empty body <em...@gmail.com>.
perfect! it worked (2.0.55, 2.2.2 with bundled SUN LDAP SDK,
OpenLDAP). thank you so much for the tip!

the network trace looks exactly the way it should (no reference record
returned by AD).

reading up on global catalog does not make it obvious that i should
have used it, especially since other apps that rely on AD
authentication work fine against port 389, ignoring the references
(and we only have one domain).

just for the reference, this is my working 2.0.55 config:

-------------
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so

<IfModule mod_auth_ldap.c>
    <Location /test>
        AuthType Basic
        AuthName "LDAP test"
        AuthLDAPURL ldap://ad.host.name.com:3268/DC=ABC,DC=DEF,DC=com?sAMAccountName
        AuthLDAPBindDN "CN=LDAPBindUsername,OU=Generic IDs,DC=ABC,DC=DEF,DC=com"
        AuthLDAPBindPassword BindUserPassword
        Require valid-user
    </Location>
</IfModule>
-------------


and 2.2.2:

-------------
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

<IfModule mod_authnz_ldap.c>
    <Location /test>
        AuthType Basic
        AuthName "LDAP test"
        AuthBasicProvider ldap
        AuthLDAPURL ldap://ad.host.name.com:3268/DC=ABC,DC=DEF,DC=com?sAMAccountName
        AuthLDAPBindDN "CN=LDAPBindUsername,OU=Generic IDs,DC=ABC,DC=DEF,DC=com"
        AuthLDAPBindPassword BindUserPassword
        AuthzLDAPAuthoritative Off
        Require valid-user
    </Location>
</IfModule>
-------------

thanks again!

it works

On 6/19/06, Fenlason, Josh <jf...@ptc.com> wrote:
> Try using port 3268 (or port 3269 for ldaps).  It's some stupid thing
> with AD global catalog or something like that.  I can't remember all the
> details, but I think that should solve your problem.
> ,
> Josh.



RE: [users@httpd] Re: authentication problem with apache2 + ldap + active directory

Posted by "Fenlason, Josh" <jf...@ptc.com>.
Try using port 3268 (or port 3269 for ldaps).  It's some stupid thing
with AD global catalog or something like that.  I can't remember all the
details, but I think that should solve your problem.
,
Josh. 

> -----Original Message-----
> From: empty body [mailto:emptybody@gmail.com] 
> Sent: Sunday, June 18, 2006 1:34 PM
> To: users@httpd.apache.org
> Subject: [users@httpd] Re: authentication problem with 
> apache2 + ldap + active directory
> 
> trying a few more things:
> 
> compiled apache 2.2.2 with Sun Microsystems Inc. LDAP SDK 
> that came with solaris:
> 
> $ pkginfo -l SUNWlldap
>    PKGINST:  SUNWlldap
>       NAME:  LDAP Libraries
>   CATEGORY:  system
>       ARCH:  sparc
>    VERSION:  11.8.0,REV=2000.01.08.18.12
>    BASEDIR:  /
>     VENDOR:  Sun Microsystems, Inc.
>       DESC:  Ldap libraries in for software development of 
> dynamically linked executables
>     PSTAMP:  on28-patch20040428123135
>   INSTDATE:  Aug 06 2004 06:00
> 
> apache behavior is the same - if i do not bind to the root 
> directly, but provide OU, then it works. if i do not provide 
> OU, it seems to get into a loop when it searches for the 
> sAMAccountName, gets a result with a reference, searches the 
> reference, unbinds, and then repeats the whole thing (i have 
> network traces to confirm this). changing values of 
> AuthLDAPDereferenceAliases has no effect on this behavior.
> 
> any suggestions? i think i am about ready to file a 
> bug/enhancement report for ldap + active directory.
> 
> thank you.
> 


[users@httpd] Re: authentication problem with apache2 + ldap + active directory

Posted by empty body <em...@gmail.com>.
trying a few more things:

compiled apache 2.2.2 with Sun Microsystems Inc. LDAP SDK that came
with solaris:

$ pkginfo -l SUNWlldap
   PKGINST:  SUNWlldap
      NAME:  LDAP Libraries
  CATEGORY:  system
      ARCH:  sparc
   VERSION:  11.8.0,REV=2000.01.08.18.12
   BASEDIR:  /
    VENDOR:  Sun Microsystems, Inc.
      DESC:  Ldap libraries in for software development of dynamically
linked executables
    PSTAMP:  on28-patch20040428123135
  INSTDATE:  Aug 06 2004 06:00

apache behavior is the same - if i do not bind to the root directly,
but provide OU, then it works. if i do not provide OU, it seems to get
into a loop when it searches for the sAMAccountName, gets a result
with a reference, searches the reference, unbinds, and then repeats
the whole thing (i have network traces to confirm this). changing
values of AuthLDAPDereferenceAliases has no effect on this behavior.

any suggestions? i think i am about ready to file a bug/enhancement
report for ldap + active directory.

thank you.



[users@httpd] Re: authentication problem with apache2 + ldap + active directory

Posted by empty body <em...@gmail.com>.
I made some progress:

after reading this post: http://tinyurl.com/rzjzf i have changed my config from

AuthLDAPURL ldap://ad.host.name.com:389/DC=XYZ,DC=ABC,DC=com?sAMAccountName?sub?(objectClass=*)

to

AuthLDAPURL ldap://ad.host.name.com:389/OU=BLAH2,DC=XYZ,DC=ABC,DC=com?sAMAccountName?sub?(objectClass=*)

and that worked, confirming the theory that apache's ldap gets
confused when encountering LDAP search result reference in the LDAP
response from the initial search (see
http://rafb.net/paste/results/9Duquf89.html). once OU has been
provided, apache's LDAP works fine, since reference is not returned
anymore.

however this is not an option for me, since in my case OU=BLAH* is
actually referring to different campuses in multiple cities, so there
is no single all-encompassing entity underneath the root of the AD
that includes all the users.

fiddling with AuthLDAPDereferenceAliases (setting it to all available
options) did not make any difference.

this behavior has been confirmed in 2.0.55 and 2.2.2 using openldap 2.3.21.

any suggestions on making it work while binding to the root of the tree?

thank you
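The two things the thread turns on are what Active Directory puts on the wire for a subtree search from the domain root (the "reference" records the posts describe on port 389, absent on the global catalog port 3268) and the search-then-bind step that must follow: find exactly one entry, then bind as that DN with the browser-supplied password. The script below is an added example, not code from the thread or from Apache's mod_ldap/mod_auth_ldap. It builds the LDAP search responses as BER bytes (constructed here to mimic AD), decodes them the way a client has to, and makes the bind decision. The hostnames, DNs, attribute values and message IDs are assumptions modelled on the placeholders in the posts.

```python
# Added example (not part of the mailing-list thread or of Apache httpd):
# decode LDAP search responses and make the search-then-bind decision.
# All wire bytes below are CONSTRUCTED to mimic Active Directory; the
# hostnames, DNs and attribute values are assumptions based on the thread.

# --- minimal BER encoder, used only to build the sample responses ---------
def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def octet(s: str) -> bytes:        # OCTET STRING / LDAPString / LDAPDN
    return tlv(0x04, s.encode())

def integer(i: int) -> bytes:      # INTEGER, small non-negative values only
    return tlv(0x02, bytes([i]))

def seq(*parts: bytes) -> bytes:   # SEQUENCE / SEQUENCE OF
    return tlv(0x30, b"".join(parts))

def ldap_message(msg_id: int, op: bytes) -> bytes:   # LDAPMessage ::= SEQUENCE { messageID, protocolOp }
    return seq(integer(msg_id), op)

def search_result_entry(dn: str, attrs: dict) -> bytes:   # [APPLICATION 4] -> tag 0x64
    attr_list = seq(*(seq(octet(k), tlv(0x31, b"".join(octet(v) for v in vals)))
                      for k, vals in attrs.items()))
    return tlv(0x64, octet(dn) + attr_list)

def search_result_reference(*uris: str) -> bytes:        # [APPLICATION 19] -> tag 0x73
    return tlv(0x73, b"".join(octet(u) for u in uris))

def search_result_done(code: int = 0) -> bytes:          # [APPLICATION 5] -> tag 0x65
    # LDAPResult: ENUMERATED resultCode, empty matchedDN, empty diagnosticMessage
    return tlv(0x65, tlv(0x0A, bytes([code])) + octet("") + octet(""))

# --- decoder: what a client such as mod_ldap has to do with the bytes -----
def parse_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_sequence(payload: bytes):
    items, pos = [], 0
    while pos < len(payload):
        tag, val, pos = parse_tlv(payload, pos)
        items.append((tag, val))
    return items

OPS = {0x64: "searchResEntry", 0x73: "searchResRef", 0x65: "searchResDone"}

def decode_ldap_messages(buf: bytes) -> list:
    out, pos = [], 0
    while pos < len(buf):
        tag, body, pos = parse_tlv(buf, pos)
        assert tag == 0x30, "LDAPMessage must be a SEQUENCE"
        (_, id_raw), (op_tag, op_body) = parse_sequence(body)[:2]
        msg = {"id": int.from_bytes(id_raw, "big"), "op": OPS.get(op_tag, hex(op_tag))}
        if op_tag == 0x64:
            msg["dn"] = parse_sequence(op_body)[0][1].decode()
        elif op_tag == 0x73:
            msg["uris"] = [v.decode() for _, v in parse_sequence(op_body)]
        elif op_tag == 0x65:
            msg["resultCode"] = parse_sequence(op_body)[0][1][0]
        out.append(msg)
    return out

def pick_bind_dn(messages: list):
    """Search-then-bind step: the DN to re-bind as (exactly one entry and a
    successful searchResDone), or None. Continuation references are returned
    separately; they do not change the answer when one entry was found."""
    entries = [m["dn"] for m in messages if m["op"] == "searchResEntry"]
    refs = [u for m in messages if m["op"] == "searchResRef" for u in m["uris"]]
    done = [m for m in messages if m["op"] == "searchResDone"]
    ok = len(entries) == 1 and len(done) == 1 and done[0]["resultCode"] == 0
    return (entries[0] if ok else None), refs

# --- constructed sample responses -----------------------------------------
USER_DN = "CN=Lastname\\, Firstname,OU=Users-BLAH-BLAH,OU=BLAH2,DC=XYZ,DC=ABC,DC=com"
ENTRY = search_result_entry(USER_DN, {"sAMAccountName": ["flastname"]})  # assumed value

# Port 389, subtree search from DC=XYZ,DC=ABC,DC=com: the entry plus the
# continuation references AD returns for its DNS application partitions and
# the Configuration partition (constructed; hostnames assumed).
PORT_389 = (ldap_message(2, ENTRY)
            + ldap_message(2, search_result_reference("ldap://ForestDnsZones.xyz.abc.com/DC=ForestDnsZones,DC=XYZ,DC=ABC,DC=com"))
            + ldap_message(2, search_result_reference("ldap://DomainDnsZones.xyz.abc.com/DC=DomainDnsZones,DC=XYZ,DC=ABC,DC=com"))
            + ldap_message(2, search_result_reference("ldap://xyz.abc.com/CN=Configuration,DC=XYZ,DC=ABC,DC=com"))
            + ldap_message(2, search_result_done(0)))

# Port 3268 (global catalog), same search: the entry and done, no references.
PORT_3268 = ldap_message(2, ENTRY) + ldap_message(2, search_result_done(0))

if __name__ == "__main__":
    for name, buf in (("port 389", PORT_389), ("port 3268", PORT_3268)):
        msgs = decode_ldap_messages(buf)
        dn, refs = pick_bind_dn(msgs)
        print(name, [m["op"] for m in msgs])
        print("  bind as:", dn)
        print("  references:", refs)
```

Running it prints five protocol ops for the port-389 response (entry, three references, done) and two for the global-catalog response; in both cases `pick_bind_dn` yields the user's DN, which is the bind the first post was looking for in its trace. A client that treats the references as something to chase before binding, which is what the traces in the thread describe, never gets that far on port 389, while the global catalog simply does not send them. Two practitioner notes on the working configs: the trace at the top of the thread shows the simple bind carrying the user's password in the clear on port 389, so the ldaps variant Josh mentions (port 3269 for the global catalog, 636 for the domain) is the one to deploy; and `AuthLDAPBindPassword` sits in plain text in httpd.conf, so that file's permissions matter as much as the service account's privileges.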
