You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Keith O'Brien <ke...@rga.com> on 2007/03/06 17:14:23 UTC

[users@httpd] authnz with multiple AD domains and Global Catalog

 

I am trying to get authnz to work with multiple domains via the global
catalog. There is documentation on this under the 2.3 docs on apache. (
http://httpd.apache.org/docs/trunk/mod/mod_authnz_ldap.html ). There are
reports of other people getting this to work. 

I built the latest version of apache2 2.2.4.  

Below is the working authnz config and the one that does not work with
the global catalog and multiply AD domains. The error I get is:
[ldap_search_ext_s() for user failed][Invalid DN syntax] 

### Working ### This searches only one Domain 
<Location /test2> 
AuthType Basic 
AuthBasicProvider ldap 
AuthName "Require Valid User" 
AuthBasicAuthoritative On 
AuthzLDAPAuthoritative off 
AuthLDAPBindDN ldap_browser@xx.xxx.com 
AuthLDAPBindPassword 'xxxxxxxx' 
AuthLDAPURL
ldap://10.xxx.xxx.xxx:389/OU=Systems,DC=xx,DC=xxx,DC=com?sAMAccountName?
sub 
require valid-user 
DAV svn 
SVNPath /usr/local/svn/test2 
SVNAutoversioning on 
</Location> 

### NOT WORKING ### 
<Location /test1> 
AuthType Basic 
AuthBasicProvider ldap 
AuthName "Require Valid User" 
AuthBasicAuthoritative On 
AuthzLDAPAuthoritative off 
AuthLDAPBindDN ldap_browser@xx.xxx.com 
AuthLDAPBindPassword 'xxxxxxx' 
# THe below one works using the global catalog but only searchs one
domain 
#AuthLDAPURL
ldap://10.xxx.xxx.xxx:3268/OU=Systems,DC=xx,DC=xxx,DC=com?sAMAccountName
?sub 
# The below one does not work 
AuthLDAPURL ldap://10.xxx.xxx.xxx:3268/>userPrincipalName?sub
<ldap://10.xxx.xxx.xxx:3268/%3EuserPrincipalName?sub>  
require valid-user 
DAV svn 
SVNPath /usr/local/svn/test1 
SVNAutoversioning on 
</Location> 

Thanks for any light someone can shed on the issue.

Keith O'Brien Sr. Unix Administrator
Phone 212-946-4225 Fax 212-946-4010 keith@rga.com

R/GA 350 West 39th Street New York, NY 10018 www.rga.com

 





This message is the property of R/GA and contains information which may be privileged or confidential. It is meant only for the intended recipients and/or their authorized agents. If you believe you have received this message in error, please notify us immediately by return e-mail or by forwarding this message to postmaster@rga.com, and destroy any printed or electronic copies of the message. Any unauthorized use, dissemination, disclosure, or copying of this message or the information contained in it, is strictly prohibited and may be unlawful. Thank you.

RE: [users@httpd] authnz with multiple AD domains and Global Catalog

Posted by Keith O'Brien <ke...@rga.com>.
Finally got around to working on this again. I found the solution via trial and error. Once I found the solution it seemed so simple but I couldn't find the answer on the web. 

I needed to define the searchbase instead of using the '>'. Once I did this everything worked as expected. Instead of doing the full search base of the domain(s), I left off the first part of the search base. The 2 domains for below were xx.xxx.com yy.xxx.com. The below AUTHLDAP statement now worked for both domains. 
...
AuthLDAPURL  ldap://xxx.xxx.xxx.xxx:3268/DC=xxx,DC=com?userPrincipalName?sub
...

Hope this helps anyone who was having the same problem. 

Thanks,
Keith. 
________________________________________
From: Keith O'Brien [mailto:keith.obrien@rga.com] 
Sent: Tuesday, March 06, 2007 11:14 AM
To: users@httpd.apache.org
Subject: [users@httpd] authnz with multiple AD domains and Global Catalog


I am trying to get authnz to work with multiple domains via the global catalog. There is documentation on this under the 2.3 docs on apache. ( http://httpd.apache.org/docs/trunk/mod/mod_authnz_ldap.html ). There are reports of other people getting this to work. 

I built the latest version of apache2 2.2.4.  

Below is the working authnz config and the one that does not work with the global catalog and multiply AD domains. The error I get is: [ldap_search_ext_s() for user failed][Invalid DN syntax] 

### Working ### This searches only one Domain 
<Location /test2> 
AuthType Basic 
AuthBasicProvider ldap 
AuthName "Require Valid User" 
AuthBasicAuthoritative On 
AuthzLDAPAuthoritative off 
AuthLDAPBindDN ldap_browser@xx.xxx.com 
AuthLDAPBindPassword 'xxxxxxxx' 
AuthLDAPURL ldap://10.xxx.xxx.xxx:389/OU=Systems,DC=xx,DC=xxx,DC=com?sAMAccountName?sub 
require valid-user 
DAV svn 
SVNPath /usr/local/svn/test2 
SVNAutoversioning on 
</Location> 

### NOT WORKING ### 
<Location /test1> 
AuthType Basic 
AuthBasicProvider ldap 
AuthName "Require Valid User" 
AuthBasicAuthoritative On 
AuthzLDAPAuthoritative off 
AuthLDAPBindDN ldap_browser@xx.xxx.com 
AuthLDAPBindPassword 'xxxxxxx' 
# THe below one works using the global catalog but only searchs one domain 
#AuthLDAPURL ldap://10.xxx.xxx.xxx:3268/OU=Systems,DC=xx,DC=xxx,DC=com?sAMAccountName?sub 
# The below one does not work 
AuthLDAPURL ldap://10.xxx.xxx.xxx:3268/>userPrincipalName?sub 
require valid-user 
DAV svn 
SVNPath /usr/local/svn/test1 
SVNAutoversioning on 
</Location> 

Thanks for any light someone can shed on the issue.
Keith O'Brien Sr. Unix Administrator
Phone 212-946-4225 Fax 212-946-4010 keith@rga.com
R/GA 350 West 39th Street New York, NY 10018 www.rga.com





This message is the property of R/GA and contains information which may be privileged or confidential. It is meant only for the intended recipients and/or their authorized agents. If you believe you have received this message in error, please notify us immediately by return e-mail or by forwarding this message to postmaster@rga.com, and destroy any printed or electronic copies of the message. Any unauthorized use, dissemination, disclosure, or copying of this message or the information contained in it, is strictly prohibited and may be unlawful. Thank you.




This message is the property of R/GA and contains information which may be privileged or confidential. It is meant only for the intended recipients and/or their authorized agents. If you believe you have received this message in error, please notify us immediately by return e-mail or by forwarding this message to postmaster@rga.com, and destroy any printed or electronic copies of the message. Any unauthorized use, dissemination, disclosure, or copying of this message or the information contained in it, is strictly prohibited and may be unlawful. Thank you.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] authnz with multiple AD domains and Global Catalog

Posted by Eric Covener <co...@gmail.com>.
On 3/6/07, Keith O'Brien <ke...@rga.com> wrote:
>   [ldap_search_ext_s() for user failed][Invalid DN syntax]

You should capture a packet trace of both configurations and see if
you can spot a bogus string making it into a base/filter.


-- 
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org