Posted to users@httpd.apache.org by HATJIEVGENIADU AMALIA <a....@abcol.ac.uk> on 2003/07/31 18:31:26 UTC
[users@httpd] Problem with mod_auth_ldap on Apache2
I am running Apache 2.0.47 on a Solaris 8 box.
I need to perform user authentication for our intranet, and so built
mod_auth_ldap into Apache as a DSO. I downloaded the module from
<http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html>, and installed OpenLDAP 2.1.22 as well, in order to use its LDAP C SDK.
My LDAP server is Active Directory running on a Windows box. If I target it
with LDAPsearch, I bind to it, no problem. Then I edited the httpd.conf
following directions from M.A.Muquit's page. Here's the relevant section:
...
<Directory "../intranet">
Options Indexes FollowSymLinks
AllowOverride None
order allow,deny
allow from all
AuthName "Aberdeen College Staff Only"
AuthType Basic
LDAP_Debug On
LDAP_Server <Win2000 box IP address>
LDAP_Port 389
Base_DN "dc=mydomain,dc=ac,dc=uk"
Bind_DN "cn=admin,cn=users,dc=mydomain,dc=ac,dc=uk"
Bind_Pass ******
UID_Attr cn
require filter "(&(objectclass=person)(cn=oneuser))"
</Directory>
...
When I type the URL to my browser, I am prompted for a username and
password. I expect that, provided I supply username oneuser and the correct
password, the credentials will be authenticated on the LDAP server and I
will gain access to ../intranet. However, it doesn't work. In the error_log
file I have:
...
[Tue Jul 29 12:42:06 2003] [error] [client a.b.c.d] [mod_auth_ldap.c (1039)
]- mod_auth_ldap v2.11 (compiled with OpenLDAP TLS) url: http://muquit.com/
[Tue Jul 29 12:42:06 2003] [error] [client a.b.c.d] [mod_auth_ldap.c (1052)]
- LDAP server=<Windows LDAP server IP address>,Port=389
[Tue Jul 29 12:42:06 2003] [error] [client a.b.c.d] [mod_auth_ldap.c] (1160)
- MAKING NEW CONNECTION, try# 1, pid=1025
[Tue Jul 29 12:42:06 2003] [error] [client a.b.c.d] [mod_auth_ldap.c] (1165)
- cr->ld: 0x217fc0, pid=1025
[Tue Jul 29 12:42:06 2003] [error] [client a.b.c.d] [mod_auth_ldap.c (1206)]
- you didn't compile with iPlanet C SDK, connect timeout will not be
available
[Tue Jul 29 12:42:06 2003] [error] [client a.b.c.d] [mod_auth_ldap.c (705) ]
- Using LDAP filter: (cn=user1)
[Tue Jul 29 12:42:06 2003] [error] [client a.b.c.d] [mod_auth_ldap.c] -
trying to bind with bind DN "cn=admin,cn=users,dc=mydomain,dc=ac,dc=uk" and
password(not shown)
[Tue Jul 29 12:42:06 2003] [error] [client 194.82.237.60] [mod_auth_ldap.c]
- Bound successfully with DN "cn=admin,cn=users,dc=mydomain,dc=ac,dc=uk" and
password (not shown)
[Tue Jul 29 12:42:06 2003] [error] [client 194.82.237.60] [mod_auth_ldap.c]
- ldap_search_s() failed
[Tue Jul 29 12:42:06 2003] [error] [client 194.82.237.60] [mod_auth_ldap.c]
- Error: Can't contact LDAP server
[Tue Jul 29 12:42:06 2003] [error] [client 194.82.237.60] [mod_auth_ldap.c
(1242)] - Bind attempt# 1, cound not find DN for user "oneuser" with attr
"cn"
...
It seems not to like my "require" (or something before it). I read the
RFC1960 directions for the filter syntax, but I am not sure I should be
using a filter in the first place. I tried a combination of things but get
similar error messages. I am replicating the Directory structure of the
ActiveDirectory server, as it's returned from the LDAPSEARCH command.
I would appreciate any help with this. Short of upgrading to Solaris 9 and
trying with the iPlanet C SDK instead, I think I have tried everything.
Thanks, Amalia
-----------------------
Analyst Programmer
Aberdeen College
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Problem with mod_auth_ldap on Apache2
Posted by Jason Martens <jm...@cityofevanston.org>.
To connect to our Active Directory, I use the object sAMAccountName
instead of objectclass=person like you are using. I am using a
different version of the auth_ldap module, but my connection URL looks
like this:
ldap://x.x.x.x:389/DC=some,DC=domain,DC=org?sAMAccountName?sub?
This works to find the user's login name in the Active Directory.
It looks like the problem is in the searching and not in the filter.
Jason
On Thu, 2003-07-31 at 11:31, HATJIEVGENIADU AMALIA wrote:
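An added example (not code from this thread, from mod_auth_ldap or from Apache): it parses the connection URL form Jason shows into host, port, base DN, lookup attribute and scope, then builds the user-lookup search filter the way the log line "Using LDAP filter: (cn=user1)" and Amalia's "require filter" suggest the module does, with the browser-supplied username escaped as RFC 1960 section 3 requires. The URL format and function names are assumptions for illustration.

```python
from urllib.parse import urlsplit, unquote

# Characters that must be escaped inside a filter assertion value
# (RFC 1960 section 3; RFC 4515 adds NUL). An unescaped "*" would turn a
# username lookup into a wildcard match, so the value is always escaped.
_ESCAPES = {'\\': '\\5c', '*': '\\2a', '(': '\\28', ')': '\\29', '\x00': '\\00'}


def escape_filter_value(value):
    """Escape a value taken from the HTTP Basic auth prompt for use in a filter."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url):
    """Parse ldap://host:port/base?attribute?scope?filter (the form in the reply).

    Defaults (uid, sub, (objectclass=*)) are assumptions, not the module's own.
    """
    parts = urlsplit(url)
    if parts.scheme not in ('ldap', 'ldaps'):
        raise ValueError('not an LDAP URL: %s' % url)
    # Everything after the first "?" is a "?"-separated list: attribute, scope, filter
    fields = (parts.query or '').split('?')
    fields += [''] * (3 - len(fields))
    attribute, scope, extra = fields[:3]
    return {
        'host': parts.hostname,
        'port': parts.port or (636 if parts.scheme == 'ldaps' else 389),
        'base_dn': unquote(parts.path.lstrip('/')),
        'attribute': attribute or 'uid',
        'scope': scope or 'sub',
        'filter': unquote(extra) or '(objectclass=*)',
    }


def build_search_filter(attribute, username, extra_filter='(objectclass=*)'):
    """Combine the user lookup with any configured filter, e.g. Amalia's
    "(objectclass=person)" plus "cn=oneuser" gives
    "(&(objectclass=person)(cn=oneuser))"."""
    user_term = '(%s=%s)' % (attribute, escape_filter_value(username))
    if not extra_filter or extra_filter == '(objectclass=*)':
        return user_term
    return '(&%s%s)' % (extra_filter, user_term)


if __name__ == '__main__':
    cfg = parse_auth_ldap_url('ldap://x.x.x.x:389/DC=some,DC=domain,DC=org?sAMAccountName?sub?')
    print(cfg)
    print(build_search_filter(cfg['attribute'], 'oneuser', cfg['filter']))
```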