Posted to users@httpd.apache.org by "Barham, David" <ba...@ugs.com> on 2005/12/12 11:58:49 UTC

[users@httpd] Apache 2 on Windows authentication against W2003-AD

I'm trying to get Apache running on Windows to authenticate from the
windows AD of the server. (I got Apache on unix to do this using
mod_auth_pam). I was kind of expecting Apache on Windows to be easier
(?) but am stuck with mod_auth_ldap.

Has anyone got a simple example of doing this? Is there something other
than ldap that I've missed?

Thanks
David Barham
UGS

Httpd.conf has

<Directory "C:/temp/dbtest">
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthName "DB area"
    AuthType "basic"
    LDAP_Server {name of Windows DC}
    LDAP_Port 389
    LDAP_Debug on
    Base_DN "mydomainname as DC=foo, DC=bar"
    Bind_DN "myuser@mydomain"
    Bind_Pass "my password"
    UID_Attr UserPrincipalName
    #UID_Attr uid
    require valid-user
</Directory>

In error-log I see
[mod_auth_ldap.c] (1214) - MAKING NEW CONNECTION, try# 10, pid=6100
[Mon Dec 12 10:44:26 2005] [error] [client 134.244.154.125]
[mod_auth_ldap.c] (1219) - cr->ld: 0xdc17e0, pid=6100
[Mon Dec 12 10:44:26 2005] [error] [client 134.244.154.125]
[mod_auth_ldap.c (1243)] - Setting connect timeout to: 4 seconds
[Mon Dec 12 10:44:26 2005] [error] [client 134.244.154.125]
[mod_auth_ldap.c (1256)] - Successfully set connection timeout to 4
seconds
[Mon Dec 12 10:44:26 2005] [error] [client 134.244.154.125]
[mod_auth_ldap.c (760) ] - Using LDAP filter:
(UserPrincipalName={username typed into authentication dialog)
[Mon Dec 12 10:44:26 2005] [error] [client 134.244.154.125]
[mod_auth_ldap.c] - trying to bind with bind DN "{Bind_DN username" and
password (not shown)
[Mon Dec 12 10:44:26 2005] [error] [client 134.244.154.125]
[mod_auth_ldap.c] - Bound successfully with DN "{Bind DN username" and
password (not shown)
[Mon Dec 12 10:44:27 2005] [error] [client 134.244.154.125]
[mod_auth_ldap.c] - ldap_search_s() failed
[Mon Dec 12 10:44:27 2005] [error] [client 134.244.154.125]
[mod_auth_ldap.c] - Error: Can't connect to the LDAP server
[Mon Dec 12 10:44:27 2005] [error] [client 134.244.154.125]
[mod_auth_ldap.c (1298)] - Bind attempt# 10, cound not find DN for user
"{username typed into authentication dialog" with attr
"UserPrincipalName"
[Mon Dec 12 10:44:27 2005] [error] [client 134.244.154.125]
[mod_auth_ldap.c (1331)] - Tried to bind 10 times. Giving up.

I've tried various UID_Attr and settled on UserPrincipalName after using
LDAP to query AD and search for

>> Dn: CN=Barham\, David,OU=CBUsers,OU=Cambridge,OU=EMEA,OU=Regions,DC={domain bit}
    1> canonicalName: {domain bit}/Regions/EMEA/Cambridge/CBUsers/Barham, David;
    1> cn: Barham, David;
    1> distinguishedName: CN=Barham\, David,OU=CBUsers,OU=Cambridge,OU=EMEA,OU=Regions,DC=net{domain bit};
    4> objectClass: top; person; organizationalPerson; user;
    1> name: Barham, David;



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
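The lookup in the log above can be reproduced outside Apache. The following is an added example (mine, not mod_auth_ldap's code and not part of the original post). It assumes placeholder values for the DC name, Base_DN and Bind_DN, builds the same (userPrincipalName=...) filter with the typed login name escaped per RFC 4515 rather than interpolated raw (a login name containing *, ( or ) would otherwise change what the filter matches), turns a bare "user" or a "DOMAIN\user" login into UPN form, which is what the userPrincipalName attribute actually holds, and prints the ldapsearch(1) command that performs the module's search with the same bind account. It targets the Global Catalog port 3268 because a subtree search from the domain root on 389 makes AD return referrals, and an LDAP client that tries to chase them can fail with "Can't contact LDAP server" even though the bind itself succeeded; whether that is what happened here is not something the post establishes.

```python
"""Reproduce the userPrincipalName lookup mod_auth_ldap performs, outside Apache.

Added example; not code from mod_auth_ldap or from the original post.
Server, DN and account names below are placeholders constructed for illustration.
"""
import shlex

# Placeholders: substitute the values from your own httpd.conf.
LDAP_SERVER = "dc1.example.com"        # assumed Windows DC name
BASE_DN = "DC=example,DC=com"          # assumed Base_DN
BIND_DN = "svc-apache@example.com"     # assumed Bind_DN (AD accepts UPN form)

# Minimal RFC 4515 escaping for assertion values inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def upn_suffix_from_base_dn(base_dn: str) -> str:
    """Derive the DNS domain (default UPN suffix) from the DC= parts of a base DN."""
    parts = [p.strip() for p in base_dn.split(",")]
    labels = [p.split("=", 1)[1] for p in parts if p.upper().startswith("DC=")]
    return ".".join(labels)


def to_upn(login: str, suffix: str) -> str:
    """Normalise what the user typed into userPrincipalName form.

    userPrincipalName holds 'user@dns-domain'; a bare 'user' or a down-level
    'DOMAIN\\user' never equals that attribute, so the search finds nothing.
    """
    if "@" in login:
        return login
    if "\\" in login:
        login = login.split("\\", 1)[1]
    return f"{login}@{suffix}"


def build_filter(login: str, attr: str = "userPrincipalName") -> str:
    """Equality filter with the typed name escaped, never interpolated raw."""
    return f"({attr}={escape_filter_value(login)})"


def ldapsearch_command(login: str, port: int = 3268) -> str:
    """ldapsearch(1) invocation that repeats the module's search.

    -W prompts for the bind password instead of exposing it in the process list.
    Port 3268 (Global Catalog) avoids the referrals AD returns for a subtree
    search from the domain root on 389.
    """
    upn = to_upn(login, upn_suffix_from_base_dn(BASE_DN))
    args = [
        "ldapsearch", "-x", "-H", f"ldap://{LDAP_SERVER}:{port}",
        "-D", BIND_DN, "-W", "-b", BASE_DN, "-s", "sub",
        build_filter(upn), "dn", "userPrincipalName",
    ]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    # Constructed sample logins: bare name, down-level name and a hostile value.
    for sample in ("dbarham", "EXAMPLE\\dbarham", "x)(objectClass=*"):
        print(ldapsearch_command(sample))
```

If the command returns the expected DN, the bind account, base and filter are fine and the problem lies between Apache's LDAP client and the DC (referral chasing, port, or timeout). If it returns nothing, compare the printed filter with the userPrincipalName value on the account. Because Bind_Pass sits in cleartext in httpd.conf, bind with a dedicated read-only service account and restrict the file's ACL to the httpd service account and administrators.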


RE: [users@httpd] Apache 2 on Windows authentication against W2003-AD

Posted by "Tatham Oddie (Fuel Advance)" <ta...@fueladvance.com>.
Check out mod_auth_sspi


Thanks,

Tatham Oddie
Fuel Advance - Ignite Your Idea
www.fueladvance.com


-----Original Message-----
From: Barham, David [mailto:barhamd@ugs.com] 
Sent: Monday, 12 December 2005 9:59 PM
To: users@httpd.apache.org
Subject: [users@httpd] Apache 2 on Windows authentication against W2003-AD

I'm trying to get Apache running on Windows to authenticate from the
windows AD of the server. (I got Apache on unix to do this using
mod_auth_pam). I was kind of expecting Apache on Windows to be easier
(?) but am stuck with mod_auth_ldap.

Has anyone got a simple example of doing this? Is there something other
than ldap that I've missed?

Thanks
David Barham
UGS

Httpd.conf has 

<Directory "C:/temp/dbtest">
AllowOverride None
    Order allow,deny
    Allow from all
AuthName "DB area"
AuthType "basic"
LDAP_Server {name of Windows DC}   
LDAP_Port 389
LDAP_Debug on
Base_DN "mydomainname as DC=foo, DC=bar"
Bind_DN "myuser@mydomain"
Bind_Pass "my password"
UID_Attr UserPrincipalName
#UID_Attr uid
require valid-user

</Directory>
#

In error-log I see
[mod_auth_ldap.c] (1214) - MAKING NEW CONNECTION, try# 10, pid=6100
[Mon Dec 12 10:44:26 2005] [error] [client 134.244.154.125]
[mod_auth_ldap.c] (1219) - cr->ld: 0xdc17e0, pid=6100
[Mon Dec 12 10:44:26 2005] [error] [client 134.244.154.125]
[mod_auth_ldap.c (1243)] - Setting connect timeout to: 4 seconds
[Mon Dec 12 10:44:26 2005] [error] [client 134.244.154.125]
[mod_auth_ldap.c (1256)] - Successfully set connection timeout to 4
seconds
[Mon Dec 12 10:44:26 2005] [error] [client 134.244.154.125]
[mod_auth_ldap.c (760) ] - Using LDAP filter:
(UserPrincipalName={username typed into authentication dialog)
[Mon Dec 12 10:44:26 2005] [error] [client 134.244.154.125]
[mod_auth_ldap.c] - trying to bind with bind DN "{Bind_DN username" and
password (not shown)
[Mon Dec 12 10:44:26 2005] [error] [client 134.244.154.125]
[mod_auth_ldap.c] - Bound successfully with DN "{Bind DN username" and
password (not shown)
[Mon Dec 12 10:44:27 2005] [error] [client 134.244.154.125]
[mod_auth_ldap.c] - ldap_search_s() failed
[Mon Dec 12 10:44:27 2005] [error] [client 134.244.154.125]
[mod_auth_ldap.c] - Error: Can't connect to the LDAP server
[Mon Dec 12 10:44:27 2005] [error] [client 134.244.154.125]
[mod_auth_ldap.c (1298)] - Bind attempt# 10, cound not find DN for user
"{username typed into authentication dialog" with attr
"UserPrincipalName"
[Mon Dec 12 10:44:27 2005] [error] [client 134.244.154.125]
[mod_auth_ldap.c (1331)] - Tried to bind 10 times. Giving up.

I've tried various UID_Attr and settled on UserPrincipalName after using
LDAP to query AD and search for

>> Dn: CN=Barham\,
David,OU=CBUsers,OU=Cambridge,OU=EMEA,OU=Regions,DC={domain bit}
	1> canonicalName: {domain
bit}/Regions/EMEA/Cambridge/CBUsers/Barham, David; 
	1> cn: Barham, David; 
	1> distinguishedName: CN=Barham\,
David,OU=CBUsers,OU=Cambridge,OU=EMEA,OU=Regions,DC=net{domain bit}; 
	4> objectClass: top; person; organizationalPerson; user; 
	1> name: Barham, David;



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org




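For the mod_auth_sspi route suggested in the reply, here is an added configuration example (mine, not from the reply or from the module's documentation) equivalent to the Directory block in the original post. It assumes a NetBIOS domain name of MYDOMAIN and uses the directive names as I know them from mod_auth_sspi (SSPIAuth, SSPIAuthoritative, SSPIDomain, SSPIOmitDomain, SSPIOfferBasic); verify them against the README of the module version you install. The module authenticates against the domain the server is joined to using Windows SSPI, so no bind account or password needs to live in httpd.conf at all.

```apache
<Directory "C:/temp/dbtest">
    AllowOverride None
    Order allow,deny
    Allow from all

    AuthName "DB area"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    # Assumed NetBIOS name of the domain the server is joined to
    SSPIDomain MYDOMAIN
    # Strip the "MYDOMAIN\" prefix from REMOTE_USER so Require lines match bare names
    SSPIOmitDomain On
    # Fallback to Basic auth for non-Windows clients sends the domain password
    # in cleartext; leave it Off unless the site is served over TLS only
    SSPIOfferBasic Off
    Require valid-user
</Directory>
```

With SSPIOfferBasic Off only clients that can do NTLM or Negotiate (domain-joined Windows browsers) get in, which is usually what is wanted for an intranet directory; turning it On gives other browsers a Basic prompt at the cost of the password travelling in the Authorization header, so pair that with SSLRequireSSL.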