Posted to users@httpd.apache.org by Andrew Struiksma <as...@esd189.org> on 2008/09/19 20:25:31 UTC

[users@httpd] reverse proxy with LDAP authentication

We are trying to set up a company intranet server (apache 2.2.3-4+etch5) so that it is available outside our LAN. However, we want users to be prompted for a username and password when they are coming from the outside. We want the authentication to use our AD LDAP server. We have this configuration running on another nearly identical Debian 4.0 server and it works fine. However, when we try this configuration on the new intranet server the LDAP authentication fails. Here is the setup that works on the old server which we are attempting to duplicate on the new server:

<Location "/">
        Allow from 192.168.1.0/24
        Satisfy Any
        Order deny,allow
        Deny from all
        Require valid-user
        AuthType basic
        AuthName "INTRANET"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthLDAPBindDN  "cn=apache_user,cn=Users,dc=company,dc=com"
        AuthLDAPBindPassword "abcefg"
        AuthLDAPUrl "ldap://192.168.1.2:389 192.168.1.3:389/dc=company,dc=com?sAMAccountName?sub?(objectClass=*)"
</Location>

We have done a tcpdump and compared the packet dump of a login attempt on both the old and new servers. The communication is nearly identical until the new server starts looking for the user account in the forest and other areas of the directory. If we add cn=Users to the AuthLDAPUrl line on the server then it also works fine. However, not all of our users are in cn=Users.

Is there a way to get around this problem?

What could we have possibly done on the old server so that it works with the above config?

Thank you!

Andrew
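As an added example (not from the post and not Apache's own code), a small Python helper that picks apart the AuthLDAPUrl above the way mod_authnz_ldap documents it: the space-separated failover hosts, the base DN from which the subtree search starts (narrowing it to cn=Users is what made the lookup succeed above), and the search filter the module sends, which is the URL filter ANDed with the username attribute. The username is escaped per RFC 4515 so that characters typed into the login prompt cannot change the filter's meaning.

```python
import re
from urllib.parse import unquote

# Shape of the URL on this page (constructed parser, not Apache code):
#   ldap://host1[:port] [host2[:port] ...]/basedn?attribute?scope?filter
_URL_RE = re.compile(
    r"^(ldaps?)://([^/]*)/([^?]*)(?:\?([^?]*))?(?:\?([^?]*))?(?:\?(.*))?$"
)


def parse_auth_ldap_url(url):
    """Split an AuthLDAPUrl into its parts, applying mod_authnz_ldap's documented defaults."""
    m = _URL_RE.match(url)
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    scheme, hosts, basedn, attr, scope, flt = m.groups()
    return {
        "scheme": scheme,
        "hosts": hosts.split(),  # several hosts separated by spaces are tried in order
        "basedn": unquote(basedn),  # where the search starts; cn=Users,dc=... narrows it
        "attribute": attr or "uid",
        "scope": scope or "sub",
        "filter": unquote(flt) if flt else "(objectClass=*)",
    }


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(parsed, username):
    """Filter the module sends: the URL filter ANDed with attribute=username."""
    return "(&%s(%s=%s))" % (
        parsed["filter"],
        parsed["attribute"],
        escape_filter_value(username),
    )


if __name__ == "__main__":
    url = ("ldap://192.168.1.2:389 192.168.1.3:389/dc=company,dc=com"
           "?sAMAccountName?sub?(objectClass=*)")
    p = parse_auth_ldap_url(url)
    print(p["hosts"], p["basedn"])
    print(user_search_filter(p, "jsmith"))
```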

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


RE: [users@httpd] reverse proxy with LDAP authentication

Posted by Andrew Struiksma <as...@esd189.org>.
I tried:

AuthLDAPBindDN  "apache_user@company.com"

But the results are the same. The apache_user is able to bind and complete the lookup but then fails and the browser reports a 500 Internal Server Error.

Andrew


> -----Original Message-----
> From: Chris Covington [mailto:chris.covington@gmail.com]
> Sent: Tuesday, September 23, 2008 4:24 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] reverse proxy with LDAP authentication
>
> On Fri, Sep 19, 2008 at 2:25 PM, Andrew Struiksma
> <as...@esd189.org> wrote:
> >
> > Is there a way to get around this problem?
>
> bind with apache_user@company.com instead (the UPN login) -
> you may have to escape the \@
>
> Chris
>



Re: [users@httpd] reverse proxy with LDAP authentication

Posted by Chris Covington <ch...@gmail.com>.
On Fri, Sep 19, 2008 at 2:25 PM, Andrew Struiksma <as...@esd189.org> wrote:
>
> Is there a way to get around this problem?

bind with apache_user@company.com instead (the UPN login) - you may
have to escape the \@

Chris
