Posted to users@httpd.apache.org by HATJIEVGENIADU AMALIA <a....@abcol.ac.uk> on 2003/07/31 18:31:26 UTC

[users@httpd] Problem with mod_auth_ldap on Apache2

I am running Apache 2.0.47 on a Solaris 8 box.
I need to perform user authentication for our intranet, and so built
mod_auth_ldap into Apache as a DSO. I downloaded the module from
<http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html>, and installed OpenLDAP 2.1.22 as well, in order to use its LDAP C SDK.
My LDAP server is Active Directory running on a Windows box. If I target it
with LDAPsearch, I bind to it, no problem. Then I edited the httpd.conf
following directions from M.A.Muquit's page. Here's the relevant section:
...
<Directory "../intranet">
     Options   Indexes FollowSymLinks
     AllowOverride None
     order allow,deny
     allow from all
     AuthName "Aberdeen College Staff Only"
     AuthType Basic
     LDAP_Debug On
     LDAP_Server <Win2000 box IP address>
     LDAP_Port 389
     Base_DN "dc=mydomain,dc=ac,dc=uk"
     Bind_DN "cn=admin,cn=users,dc=mydomain,dc=ac,dc=uk"
     Bind_Pass ******
     UID_Attr cn
     require filter "(&(objectclass=person)(cn=oneuser))"
</Directory>
...
When I type the URL to my browser, I am prompted for a username and
password. I expect that, provided I supply username oneuser and the correct
password, the credentials will be authenticated on the LDAP server and I
will gain access to ../intranet. However, it doesn't work. In the error_log
file I have:
...
[Tue Jul 29 12:42:06 2003] [error] [client a.b.c.d] [mod_auth_ldap.c (1039)
]- mod_auth_ldap v2.11 (compiled with OpenLDAP TLS) url: http://muquit.com/
[Tue Jul 29 12:42:06 2003] [error] [client a.b.c.d] [mod_auth_ldap.c (1052)]
- LDAP server=<Windows LDAP server IP address>,Port=389
[Tue Jul 29 12:42:06 2003] [error] [client a.b.c.d] [mod_auth_ldap.c] (1160)
- MAKING NEW CONNECTION, try# 1, pid=1025
[Tue Jul 29 12:42:06 2003] [error] [client a.b.c.d] [mod_auth_ldap.c] (1165)
- cr->ld: 0x217fc0, pid=1025
[Tue Jul 29 12:42:06 2003] [error] [client a.b.c.d] [mod_auth_ldap.c (1206)]
- you didn't compile with iPlanet C SDK, connect timeout will not be
available
[Tue Jul 29 12:42:06 2003] [error] [client a.b.c.d] [mod_auth_ldap.c (705) ]
- Using LDAP filter: (cn=user1)
[Tue Jul 29 12:42:06 2003] [error] [client a.b.c.d] [mod_auth_ldap.c] -
trying to bind with bind DN "cn=admin,cn=users,dc=mydomain,dc=ac,dc=uk" and
password(not shown)
[Tue Jul 29 12:42:06 2003] [error] [client 194.82.237.60] [mod_auth_ldap.c]
- Bound successfully with DN "cn=admin,cn=users,dc=mydomain,dc=ac,dc=uk" and
password (not shown)
[Tue Jul 29 12:42:06 2003] [error] [client 194.82.237.60] [mod_auth_ldap.c]
- ldap_search_s() failed
[Tue Jul 29 12:42:06 2003] [error] [client 194.82.237.60] [mod_auth_ldap.c]
- Error: Can't contact LDAP server
[Tue Jul 29 12:42:06 2003] [error] [client 194.82.237.60] [mod_auth_ldap.c
(1242)] - Bind attempt# 1, cound not find DN for user "oneuser" with attr
"cn"
...

It seems not to like my "require" (or something before it). I read the
RFC1960 directions for the filter syntax, but I am not sure I should be
using a filter in the first place. I tried a combination of things but get
similar error messages. I am replicating the Directory structure of the
ActiveDirectory server, as it's returned from the LDAPSEARCH command. 

I would appreciate any help with this. Short of upgrading to Solaris 9 and
trying with Iplanet C SDK instead, I think I have tried everything.

Thanks, Amalia
-----------------------
Analyst Programmer
Aberdeen College

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Problem with mod_auth_ldap on Apache2

Posted by Jason Martens <jm...@cityofevanston.org>.
To connect to our active directory, I use the object sAMAccountName
instead of objectclass=person like you are using.  I am using a
different version of the auth_ldap module, but my connection url looks
like this:

ldap://x.x.x.x:389/DC=some,DC=domain,DC=org?sAMAccountName?sub?

This works to find the user's login name in the active directory.
It looks like the problem is in the searching and not in the filter.

Jason


On Thu, 2003-07-31 at 11:31, HATJIEVGENIADU AMALIA wrote:
> [...]

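The following is an added example, not code from either post, from M.A.Muquit's mod_auth_ldap or from the Apache project. It parses an auth_ldap connection URL of the shape Jason quotes (ldap://host:port/base?attribute?scope?filter), builds the per-user search filter from the configured attribute (Jason's sAMAccountName, or the original post's UID_Attr cn combined with its require filter) while escaping the browser-supplied username per RFC 4515, and emits the OpenLDAP ldapsearch command line that reproduces the module's exact search. That last step is the check the original report did not make: ldapsearch was used to verify the bind, not the search that the error_log shows failing. The function names, the defaults (uid, sub, (objectClass=*)) and the hostile sample username are this example's own assumptions.

```python
"""Reconstruct and inspect the LDAP search an Apache LDAP auth module runs.

Added example (not code from mod_auth_ldap or the Apache project).  The
names parse_ldap_url(), ldap_escape(), build_user_filter() and
ldapsearch_argv() are hypothetical helpers written for this illustration.
"""
from urllib.parse import unquote, urlsplit

DEFAULT_FILTER = "(objectClass=*)"

# RFC 4515 (successor of the RFC 1960/2254 filter syntax): these characters
# must be escaped when a value is placed inside a search filter, otherwise a
# username such as  *)(cn=*  changes the filter's structure.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_escape(value: str) -> str:
    """Escape a user-controlled value before embedding it in a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_ldap_url(url: str) -> dict:
    """Split ldap://host:port/dn?attrs?scope?filter into its components.

    Defaults (attribute uid, scope sub, filter (objectClass=*)) are this
    example's assumptions for fields the URL leaves empty.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    # Everything after the first '?' holds attribute, scope and filter,
    # themselves separated by '?', so split the query rather than the URL.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attrs, scope, filt = fields[:3]
    return {
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": attrs or "uid",
        "scope": scope or "sub",
        "filter": unquote(filt) or DEFAULT_FILTER,
    }


def build_user_filter(attribute: str, username: str,
                      extra_filter: str = None) -> str:
    """Filter used to locate the DN of the user who typed `username`.

    The username comes straight from the HTTP Basic header, so it is
    escaped.  extra_filter is administrator-controlled (the URL's filter
    part or a 'require filter' expression) and is AND-ed in unchanged.
    """
    user_part = "(%s=%s)" % (attribute, ldap_escape(username))
    if extra_filter and extra_filter != DEFAULT_FILTER:
        return "(&%s%s)" % (extra_filter, user_part)
    return user_part


def ldapsearch_argv(cfg: dict, bind_dn: str, filt: str) -> list:
    """OpenLDAP ldapsearch command reproducing the module's search.

    -x simple bind, -H URI, -D bind DN, -W prompt for the password,
    -b base DN, -s scope; only the dn attribute is requested.
    """
    return ["ldapsearch", "-x",
            "-H", "ldap://%s:%d" % (cfg["host"], cfg["port"]),
            "-D", bind_dn, "-W",
            "-b", cfg["base_dn"], "-s", cfg["scope"],
            filt, "dn"]


def demo() -> dict:
    """Walk through Jason's URL and the original post's settings."""
    cfg = parse_ldap_url(
        "ldap://x.x.x.x:389/DC=some,DC=domain,DC=org?sAMAccountName?sub?")
    benign = build_user_filter(cfg["attribute"], "oneuser", cfg["filter"])
    # Constructed hostile username: the metacharacters are escaped, so they
    # are matched literally instead of rewriting the filter.
    hostile = build_user_filter(cfg["attribute"], "*)(cn=*", cfg["filter"])
    # The original post's UID_Attr cn plus its require filter.
    post_cfg = parse_ldap_url("ldap://a.b.c.d:389/dc=mydomain,dc=ac,dc=uk?cn?sub?")
    post_filter = build_user_filter("cn", "oneuser",
                                    "(&(objectclass=person)(cn=oneuser))")
    argv = ldapsearch_argv(post_cfg,
                           "cn=admin,cn=users,dc=mydomain,dc=ac,dc=uk",
                           post_filter)
    return {"config": cfg, "benign": benign, "hostile": hostile,
            "post_filter": post_filter, "ldapsearch": argv}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Running the argv that demo() returns, with the same bind DN, base DN, scope and filter the module logged, separates a bind problem from a search problem: a bind that succeeds followed by a search that fails is exactly the sequence in the error_log above. One common cause worth ruling out when the base is the root of an Active Directory domain and the scope is sub is the client chasing referrals to hostnames it cannot resolve, which surfaces as "Can't contact LDAP server" even though the initial connection worked; ldapsearch reproduces that and shows the referral URLs it tried.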