You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Dan Nawrocki <dn...@prologic-inc.com> on 2006/12/19 23:42:03 UTC
[users@httpd] Apache 2.2.3 + Active Directory
I am attempting to use authentication over LDAP (actually Active
Directory), but it's not working and I'm going crazy! Here's my
configuration file:
<Directory />
SSLOptions +StdEnvVars
Options FollowSymLinks
AllowOverride None
AuthType Basic
AuthBasicProvider ldap
AuthName "auth me!"
AuthLDAPBindDN "bind_username"
AuthLDAPBindPassword bind_password
AuthLDAPURL ldap://host:389/dn?sAMAccountName
Require valid-user
</Directory>
I'm getting two types of errors, depending on which username and
password I provide:
auth_ldap_authenticate: user xxx authentication failed ...
[ldap_simple_bind_s() to check user credentials failed][Invalid
credentials]
Or
auth_ldap_authenticate: user yyy authentication failed ... [User not
found][No such object]
My first reaction was that this is a problem binding to the AD server,
but when I use ldapsearch with the bind_username and bind_password using
simple authentication, my queries work as expected.
Note that I am trying to serve this page over SSL in a VirtualHost; I
haven't tried basic HTTP. If this is a problem, I can try again.
Does anyone have any ideas?
Thanks,
Dan Nawrocki
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: [users@httpd] Apache 2.2.3 + Active Directory
Posted by Dan Nawrocki <dn...@prologic-inc.com>.
> If the initial bind is working then it's probably your LDAP search
> criteria which depends on how your AD is layed out.
>
> This is what I use (I use the AD global catalog (GC)):
>
>
> AuthLDAPURL
>
"ldap://ad.nos.com:3268/OU=Accounts,DC=nos,DC=com?sAMAccountName?sub?(ob
jectClass=*)"
>
> You probably also need:
>
> AuthzLDAPAuthoritative Off
Turning AuthzLDAPAuthoritative off worked. It was in the configuration
before (I just upgraded from 2.0), so I should have known it's supposed
to do something!
Thanks,
Dan
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Apache 2.2.3 + Active Directory
Posted by "John P. Dodge" <do...@cruciate.ca.boeing.com>.
On Tue, 19 Dec 2006, Dan Nawrocki wrote:
> <Directory />
> SSLOptions +StdEnvVars
> Options FollowSymLinks
> AllowOverride None
>
> AuthType Basic
> AuthBasicProvider ldap
> AuthName "auth me!"
> AuthLDAPBindDN "bind_username"
> AuthLDAPBindPassword bind_password
> AuthLDAPURL ldap://host:389/dn?sAMAccountName
>
> Require valid-user
> </Directory>
>
> I'm getting two types of errors, depending on which username and
> password I provide:
>
> auth_ldap_authenticate: user xxx authentication failed ...
> [ldap_simple_bind_s() to check user credentials failed][Invalid
> credentials]
>
> auth_ldap_authenticate: user yyy authentication failed ... [User not
> found][No such object]
>
>
> Thanks,
> Dan Nawrocki
>
>
If the initial bind is working then it's probably your LDAP search
criteria which depends on how your AD is layed out.
This is what I use (I use the AD global catalog (GC)):
AuthLDAPURL
"ldap://ad.nos.com:3268/OU=Accounts,DC=nos,DC=com?sAMAccountName?sub?(objectClass=*)"
You probably also need:
AuthzLDAPAuthoritative Off
----------------------------------------
"Mon aƩroglisseur est plein d'anguilles"
John P. Dodge
Boeing Shared Services
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org