You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Dan Nawrocki <dn...@prologic-inc.com> on 2006/12/19 23:42:03 UTC

[users@httpd] Apache 2.2.3 + Active Directory

I am attempting to use authentication over LDAP (actually Active
Directory), but it's not working and I'm going crazy!  Here's my
configuration file:

<Directory />
  SSLOptions +StdEnvVars
  Options FollowSymLinks
  AllowOverride None

  AuthType Basic
  AuthBasicProvider ldap
  AuthName "auth me!"
  AuthLDAPBindDN "bind_username"
  AuthLDAPBindPassword bind_password
  AuthLDAPURL ldap://host:389/dn?sAMAccountName

  Require valid-user
</Directory>


I'm getting two types of errors, depending on which username and
password I provide:

auth_ldap_authenticate: user xxx authentication failed ...
[ldap_simple_bind_s() to check user credentials failed][Invalid
credentials]

Or

auth_ldap_authenticate: user yyy authentication failed ... [User not
found][No such object]

My first reaction was that this is a problem binding to the AD server,
but when I use ldapsearch with the bind_username and bind_password using
simple authentication, my queries work as expected.

Note that I am trying to serve this page over SSL in a VirtualHost; I
haven't tried basic HTTP.  If this is a problem, I can try again.

Does anyone have any ideas?

Thanks,
Dan Nawrocki



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: [users@httpd] Apache 2.2.3 + Active Directory

Posted by Dan Nawrocki <dn...@prologic-inc.com>.

> If the initial bind is working then it's probably your LDAP search
> criteria which depends on how your AD is layed out.
> 
> This is what I use (I use the AD global catalog (GC)):
> 
> 
> AuthLDAPURL
>
"ldap://ad.nos.com:3268/OU=Accounts,DC=nos,DC=com?sAMAccountName?sub?(ob
jectClass=*)"
> 
> You probably also need:
> 
> AuthzLDAPAuthoritative Off

Turning AuthzLDAPAuthoritative off worked.  It was in the configuration
before (I just upgraded from 2.0), so I should have known it's supposed
to do something!
 
Thanks,
Dan



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Apache 2.2.3 + Active Directory

Posted by "John P. Dodge" <do...@cruciate.ca.boeing.com>.

On Tue, 19 Dec 2006, Dan Nawrocki wrote:

> <Directory />
>   SSLOptions +StdEnvVars
>   Options FollowSymLinks
>   AllowOverride None
>
>   AuthType Basic
>   AuthBasicProvider ldap
>   AuthName "auth me!"
>   AuthLDAPBindDN "bind_username"
>   AuthLDAPBindPassword bind_password
>   AuthLDAPURL ldap://host:389/dn?sAMAccountName
>
>   Require valid-user
> </Directory>
>
> I'm getting two types of errors, depending on which username and
> password I provide:
>
> auth_ldap_authenticate: user xxx authentication failed ...
> [ldap_simple_bind_s() to check user credentials failed][Invalid
> credentials]
>
> auth_ldap_authenticate: user yyy authentication failed ... [User not
> found][No such object]
>
>
> Thanks,
> Dan Nawrocki
>
>
If the initial bind is working then it's probably your LDAP search
criteria which depends on how your AD is layed out.

This is what I use (I use the AD global catalog (GC)):


AuthLDAPURL
"ldap://ad.nos.com:3268/OU=Accounts,DC=nos,DC=com?sAMAccountName?sub?(objectClass=*)"

You probably also need:

AuthzLDAPAuthoritative Off


----------------------------------------
"Mon aéroglisseur est plein d'anguilles"
John P. Dodge
Boeing Shared Services


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org