Posted to users@httpd.apache.org by Keith O'Brien <ke...@rga.com> on 2007/03/06 17:14:23 UTC
[users@httpd] authnz with multiple AD domains and Global Catalog
I am trying to get authnz to work with multiple domains via the global
catalog. There is documentation on this under the 2.3 docs on apache. (
http://httpd.apache.org/docs/trunk/mod/mod_authnz_ldap.html ). There are
reports of other people getting this to work.
I built the latest version of apache2 2.2.4.
Below is the working authnz config and the one that does not work with
the global catalog and multiple AD domains. The error I get is:
[ldap_search_ext_s() for user failed][Invalid DN syntax]
### Working ### This searches only one Domain
<Location /test2>
AuthType Basic
AuthBasicProvider ldap
AuthName "Require Valid User"
AuthBasicAuthoritative On
AuthzLDAPAuthoritative off
AuthLDAPBindDN ldap_browser@xx.xxx.com
AuthLDAPBindPassword 'xxxxxxxx'
AuthLDAPURL ldap://10.xxx.xxx.xxx:389/OU=Systems,DC=xx,DC=xxx,DC=com?sAMAccountName?sub
require valid-user
DAV svn
SVNPath /usr/local/svn/test2
SVNAutoversioning on
</Location>
### NOT WORKING ###
<Location /test1>
AuthType Basic
AuthBasicProvider ldap
AuthName "Require Valid User"
AuthBasicAuthoritative On
AuthzLDAPAuthoritative off
AuthLDAPBindDN ldap_browser@xx.xxx.com
AuthLDAPBindPassword 'xxxxxxx'
# The below one works using the global catalog but only searches one domain
#AuthLDAPURL ldap://10.xxx.xxx.xxx:3268/OU=Systems,DC=xx,DC=xxx,DC=com?sAMAccountName?sub
# The below one does not work
AuthLDAPURL ldap://10.xxx.xxx.xxx:3268/>userPrincipalName?sub
require valid-user
DAV svn
SVNPath /usr/local/svn/test1
SVNAutoversioning on
</Location>
Thanks for any light someone can shed on the issue.
Keith O'Brien Sr. Unix Administrator
Phone 212-946-4225 Fax 212-946-4010 keith@rga.com
R/GA 350 West 39th Street New York, NY 10018 www.rga.com
RE: [users@httpd] authnz with multiple AD domains and Global Catalog
Posted by Keith O'Brien <ke...@rga.com>.
Finally got around to working on this again. I found the solution via trial and error. Once I found the solution it seemed so simple but I couldn't find the answer on the web.
I needed to define the search base instead of using the '>'. Once I did this everything worked as expected. Instead of using the full search base of the domain(s), I left off the first part of the search base. The two domains below were xx.xxx.com and yy.xxx.com. The AuthLDAP statement below now worked for both domains.
...
AuthLDAPURL ldap://xxx.xxx.xxx.xxx:3268/DC=xxx,DC=com?userPrincipalName?sub
...
Hope this helps anyone who was having the same problem.
Thanks,
Keith.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
To unsubscribe from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] authnz with multiple AD domains and Global Catalog
Posted by Eric Covener <co...@gmail.com>.
On 3/6/07, Keith O'Brien <ke...@rga.com> wrote:
> [ldap_search_ext_s() for user failed][Invalid DN syntax]
You should capture a packet trace of both configurations and see if
you can spot a bogus string making it into a base/filter.
--
Eric Covener
covener@gmail.com