You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Arkadiy Goykhberg <ar...@infosecadvisers.com> on 2008/12/23 20:49:33 UTC
[users@httpd] LDAP authentication question
Our LDAP Active Directory tree looks like this:
DC=mycompany,DC=COM
-OU=Accounts
-OU=Usernames
-OU=Finance&Administration
-OU=Generic accounts
-OU=Security
-....
-DC=sng,DC=mycompany,DC=com
-OU=Singapore Users
-DC=uk,DC=mycompany,DC=com
-OU=Accounts
-OU=Users
If I use the following configuration, everything works, except I am not able
to
authenticate UK and SNG users because the base of the search does not
include
UK ans SNG domains.
AuthBasicProvider ldap
AuthLDAPURL
"ldap://
nydomain04.mycompany.com/OU=Accounts,DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)
"
AuthLDAPBindDN "CN=ldap connector,OU=Generic
accounts,OU=Accounts,DC=mycompany,DC=com"
AuthLDAPBindPassword ******
AuthType Basic
AuthName "mycompany Domain"
Require ldap-group CN=JMX_Security, OU=Security, OU=Usernames, OU=Accounts,
DC=mycompany,DC=com
[Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(373): [client
192.168.2.75] [3718] auth_ldap authenticate: using URL
ldap://
nydomain04.mycompany.com/OU=Accounts,DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)
[Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(454): [client
192.168.2.75] [3718] auth_ldap authenticate: accepting testuser
[Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(691): [client
192.168.2.75] [3718] auth_ldap authorise: require group: testing for group
membership in "CN=JMX_Security, OU=Security, OU=Usernames, OU=Accounts,
DC=mycompany,DC=com"
[Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(697): [client
192.168.2.75] [3718] auth_ldap authorise: require group: testing for member:
CN=Test
User,OU=Finance&Administration,OU=Usernames,OU=Accounts,DC=mycompany,DC=com
(CN=JMX_Security, OU=Security, OU=Usernames, OU=Accounts,
DC=mycompany,DC=com)
[Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(706): [client
192.168.2.75] [3718] auth_ldap authorise: require group: authorisation
successful (attribute member) [Comparison true (adding to cache)][Compare
True]
However, if I use the following configuration (point to the base of AD
tree), mod_authnz_ldap.c produces a seg
fault.
AuthBasicProvider ldap
AuthLDAPURL
"ldap://
nydomain04.mycompany.com/DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=ldap connector,OU=Generic
accounts,OU=Accounts,DC=mycompany,DC=com"
AuthLDAPBindPassword ******
AuthType Basic
AuthName "mycompany Domain"
Require ldap-group CN=JMX_Security, OU=Security, OU=Usernames, OU=Accounts,
DC=mycompany,DC=com
[Wed Nov 26 20:24:31 2008] [debug] mod_authnz_ldap.c(373): [client
192.168.2.75] [3110] auth_ldap authenticate: using URL
ldap://
nydomain04.mycompany.com/DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)
[Wed Nov 26 20:24:42 2008] [notice] child pid 3110 exit signal Segmentation
fault (11)
# rpm -qi httpd
Name : httpd Relocations: (not relocatable)
Version : 2.2.3 Vendor: CentOS
Release : 11.el5_2.centos.4 Build Date: Wed 12 Nov 2008
10:44:43 AM EST
Install Date: Fri 14 Nov 2008 07:42:56 AM EST Build Host:
builder16.centos.org
Group : System Environment/Daemons Source RPM:
httpd-2.2.3-11.el5_2.centos.4.src.rpm
Size : 2899288 License: Apache Software
License
Signature : DSA/SHA1, Wed 12 Nov 2008 05:54:31 PM EST, Key
IDa8a447dce8562897
URL : http://httpd.apache.org/
Summary : Apache HTTP Server
Description : The Apache HTTP Server is a powerful, efficient, and
extensible
web server.
Is there a way to make mod_authnz_ldap to search across 3 LDAP branches
where the user information is stored?
Re: [users@httpd] LDAP authentication question
Posted by Tony Stevenson <to...@pc-tony.com>.
Arkadiy,
Take a look at this
http://httpd.apache.org/docs/trunk/mod/mod_authn_core.html
You can create multiple authentication mechanisms, one for each sub-tree
perhaps, and then alias them.
Cheers,
Tony
On 23/12/2008 19:49, Arkadiy Goykhberg wrote:
> Our LDAP Active Directory tree looks like this:
>
> DC=mycompany,DC=COM
>
> -OU=Accounts
>
> -OU=Usernames
>
> -OU=Finance&Administration
>
> -OU=Generic accounts
>
> -OU=Security
>
> -....
>
> -DC=sng,DC=mycompany,DC=com
>
> -OU=Singapore Users
>
> -DC=uk,DC=mycompany,DC=com
>
> -OU=Accounts
>
> -OU=Users
>
> If I use the following configuration, everything works, except I am not
> able to
>
> authenticate UK and SNG users because the base of the search does not
> include
>
> UK ans SNG domains.
>
> AuthBasicProvider ldap
>
> AuthLDAPURL
>
> "ldap://nydomain04.mycompany.com/OU=Accounts,DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)
> <http://nydomain04.mycompany.com/OU=Accounts,DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)>"
>
> AuthLDAPBindDN "CN=ldap connector,OU=Generic
>
> accounts,OU=Accounts,DC=mycompany,DC=com"
>
> AuthLDAPBindPassword ******
>
> AuthType Basic
>
> AuthName "mycompany Domain"
>
> Require ldap-group CN=JMX_Security, OU=Security, OU=Usernames,
> OU=Accounts, DC=mycompany,DC=com
>
> [Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(373): [client
>
> 192.168.2.75] [3718] auth_ldap authenticate: using URL
>
> ldap://nydomain04.mycompany.com/OU=Accounts,DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)
> <http://nydomain04.mycompany.com/OU=Accounts,DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)>
>
> [Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(454): [client
>
> 192.168.2.75] [3718] auth_ldap authenticate: accepting testuser
>
> [Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(691): [client
>
> 192.168.2.75] [3718] auth_ldap authorise: require group: testing for group
>
> membership in "CN=JMX_Security, OU=Security, OU=Usernames, OU=Accounts,
>
> DC=mycompany,DC=com"
>
> [Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(697): [client
>
> 192.168.2.75] [3718] auth_ldap authorise: require group: testing for member:
>
> CN=Test
> User,OU=Finance&Administration,OU=Usernames,OU=Accounts,DC=mycompany,DC=com
>
> (CN=JMX_Security, OU=Security, OU=Usernames, OU=Accounts,
> DC=mycompany,DC=com)
>
> [Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(706): [client
>
> 192.168.2.75] [3718] auth_ldap authorise: require group: authorisation
>
> successful (attribute member) [Comparison true (adding to
> cache)][Compare True]
>
> However, if I use the following configuration (point to the base of AD
> tree), mod_authnz_ldap.c produces a seg
>
> fault.
>
> AuthBasicProvider ldap
>
> AuthLDAPURL
>
> "ldap://nydomain04.mycompany.com/DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)
> <http://nydomain04.mycompany.com/DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)>"
>
>
> AuthLDAPBindDN "CN=ldap connector,OU=Generic
>
> accounts,OU=Accounts,DC=mycompany,DC=com"
>
> AuthLDAPBindPassword ******
>
> AuthType Basic
>
> AuthName "mycompany Domain"
>
> Require ldap-group CN=JMX_Security, OU=Security, OU=Usernames,
> OU=Accounts, DC=mycompany,DC=com
>
> [Wed Nov 26 20:24:31 2008] [debug] mod_authnz_ldap.c(373): [client
>
> 192.168.2.75] [3110] auth_ldap authenticate: using URL
>
> ldap://nydomain04.mycompany.com/DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)
> <http://nydomain04.mycompany.com/DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)>
>
> [Wed Nov 26 20:24:42 2008] [notice] child pid 3110 exit signal Segmentation
>
> fault (11)
>
> # rpm -qi httpd
>
> Name : httpd Relocations: (not relocatable)
>
> Version : 2.2.3 Vendor: CentOS
>
> Release : 11.el5_2.centos.4 Build Date: Wed 12 Nov 2008
>
> 10:44:43 AM EST
>
> Install Date: Fri 14 Nov 2008 07:42:56 AM EST Build Host:
>
> builder16.centos.org <http://builder16.centos.org>
>
> Group : System Environment/Daemons Source RPM:
>
> httpd-2.2.3-11.el5_2.centos.4.src.rpm
>
> Size : 2899288 License: Apache Software License
>
> Signature : DSA/SHA1, Wed 12 Nov 2008 05:54:31 PM EST, Key
> IDa8a447dce8562897
>
> URL : http://httpd.apache.org/
>
> Summary : Apache HTTP Server
>
> Description : The Apache HTTP Server is a powerful, efficient, and
> extensible
>
> web server.
>
> Is there a way to make mod_authnz_ldap to search across 3 LDAP branches
> where the user information is stored?
>
--
-----------------------------------------
Tony Stevenson
tony@pc-tony.com // pctony@apache.org
http://www.pc-tony.com/
1024D/51047D66 ECAF DC55 C608 5E82 0B5E 3359 C9C7 924E 5104 7D66
-----------------------------------------
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org