Posted to users@httpd.apache.org by James Massara <ja...@digitalinsight.com> on 2004/12/20 18:31:14 UTC

[users@httpd] OpenLDAP to Active Directory Authentication

Hello,

I'm trying to get OpenLDAP-based Apache2 modules to authenticate against a
Windows 2000 Active Directory Server.  Software used:

Operating System Gentoo Linux (kernel v2.6.8)
OpenLDAP v2.1.30
Apache HTTPD v2.0.52
Apache Module ModAuthLDAP from muquit.com v2.12
I've also tried the bundled version of mod_auth_ldap that comes with apache2
with the exact same results (described below).

Here is my .htaccess file settings for authenticating a user:

LDAP_Server ad.company.com
LDAP_Port 389
Bind_DN "cn=jmassara,ou=users,dc=ad,dc=company,dc=com"
Bind_Pass "mypasswd"
Base_DN "dc=corp,dc=ad,dc=company,dc=com"
UID_Attr sAMAccountName

When trying to authenticate I get the following error message:

[Wed Dec 15 11:18:10 2004] [error] [client 127.0.0.1] [mod_auth_ldap.c] -
Error: Operations error
ldap_search_s: Operations error (1)
        additional info: 00000000: LdapErr: DSID-0C0905FF, comment: In order
to perform this operation a successful bind must be completed on the
connection., data 0, vece

Also, the jmassara user in the Bind_DN setting has full read access
throughout the AD tree.  If I change the Base_DN setting to
"cn=users,dc=corp,dc=ad,dc=company,dc=com", it works fine.  However, our
user accounts are being moved out of "cn=users" to something like
"ou=users,ou=city,dc=corp,dc=ad,dc=company,dc=com" so this isn't a viable
solution for me.

The function the muquit.com apache2 module is using is "ldap_search_s".
When I run the same query that the apache2 module uses via ldapsearch it
works fine.  I see that the ldapsearch binary uses "ldap_search_ext" to do
its searching.  The filter being used is "(sAMAccountName=userid)" -- where
userid is the person trying to authenticate.

Why does one ldap_search function work fine but the other fail (unless
explicitly defining the path to the user accounts)?

Any help is greatly appreciated.  Thanks for your time,
-James

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] OpenLDAP to Active Directory Authentication

Posted by Michael Mattsson <ap...@phrenetic.to>.
Hi!

If you use the bundled LDAP authentication module you specify in AuthLDAPURL to
explicitly search recursively.

Example:
AuthLDAPURL ldap://ad.company.com:389/dc=corp,dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClass=user)
require valid-user

It's the "sub" keyword that specifies the scope of the search. Please see:
http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html for more examples and
further documentation.

//Dri




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
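The AuthLDAPURL from the reply above, split into host, port, base DN, attribute, scope and filter the way the mod_auth_ldap 2.0 documentation describes the URL, and turned into the per-login search filter the module documents as (&(filter)(attribute=username)). This is an added Python illustration, not the module's own code; the RFC 4515 escaping of the login name is included to show why the name must never be spliced into the filter raw.

```python
from urllib.parse import unquote, urlsplit

# RFC 4515 section 3: characters that must be hex-escaped inside a filter
# value, otherwise a login name such as "*)(cn=*" rewrites the query.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url: str) -> dict:
    """Split an AuthLDAPURL (ldap://host:port/basedn?attr?scope?filter)
    into its parts, applying the defaults the mod_auth_ldap docs list."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    # urlsplit cuts at the first '?', so the query holds attr?scope?filter.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, search_filter = (unquote(f) for f in fields[:3])
    # Docs: scope is "one" or "sub"; "base" or a missing scope means "sub".
    scope = scope.lower() if scope.lower() in ("one", "sub") else "sub"
    return {
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",
        "scope": scope,
        "filter": search_filter or "(objectClass=*)",
    }


def build_user_filter(cfg: dict, username: str) -> str:
    """Combine the URL filter with the login name the way the module
    documents it: (&(filter)(attribute=username))."""
    return f"(&{cfg['filter']}({cfg['attribute']}={escape_filter_value(username)}))"


# Constructed sample: the URL from the reply and the account from the question.
SAMPLE_URL = ("ldap://ad.company.com:389/dc=corp,dc=ad,dc=company,dc=com"
              "?sAMAccountName?sub?(objectClass=user)")

if __name__ == "__main__":
    cfg = parse_auth_ldap_url(SAMPLE_URL)
    print(cfg["scope"], cfg["base_dn"])
    print(build_user_filter(cfg, "jmassara"))
```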