Posted to users@httpd.apache.org by Anton Yakimov <an...@gmail.com> on 2009/02/26 15:13:55 UTC
[users@httpd] authnz_ldap_module: [Bad search filter] error
Hi everyone,
I have a strange error with authnz_ldap_module.
I have searched the web and tried a lot of combinations, but nothing helps.
This list is my only hope (ok, not the only, I can also try svnserve+sasl+ldap).
Here is my subversion.conf:
LoadModule dav_svn_module modules/mod_dav_svn.so
<Location /repos>
DAV svn
SVNPath /var/www/svn/repos
AuthName "Test repository"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPUrl "ldap://server.three.two.one:389/dc=three, dc=two,
dc=one?sAMAccountName?sub?(objectClass=*) NONE"
AuthLDAPBindDN "admin@three.two.one"
AuthLDAPBindPassword "password"
Require valid-user
</Location>
And here are related error.log strings:
...
[Thu Feb 26 16:47:11 2009] [debug] mod_authnz_ldap.c(373): [client
192.168.12.138] [11270] auth_ldap authenticate: using URL
ldap://server.three.two.one:389/dc=three, dc=two,
dc=one?sAMAccountName?sub?(objectClass=*) NONE
[Thu Feb 26 16:47:11 2009] [warn] [client 192.168.12.138] [11270]
auth_ldap authenticate: user authentication failed; URI /repos
[ldap_search_ext_s() for user failed][Bad search filter]
Browser shows 500 Internal Server Error.
Please help me!
Thanks in advance and good luck!
--
Best Regards,
Anton Yakimov
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] authnz_ldap_module: [Bad search filter] error
Posted by Anton Yakimov <an...@gmail.com>.
Oh, it's not the cause also.
If AuthLDAPBindDN or AuthLDAPBindPassword is incorrect, such message
should be logged:
[LDAP: ldap_simple_bind_s() failed][Invalid credentials]
2009/2/26 Sascha Kersken <sk...@lingoworld.de>:
> Think I found it:
>
>> AuthLDAPBindDN "admin@three.two.one"
>
> The value of AuthLDAPBindDN must be a valid LDAP DN (something like
> cn=username,dc=mydomainname...), but you are using something that looks like
> an email address. Consequently, your log entry complains about user
> authentication (on the LDAP server).
>
--
Best Regards,
Anton Yakimov
Re: [users@httpd] authnz_ldap_module: [Bad search filter] error
Posted by Sascha Kersken <sk...@lingoworld.de>.
Think I found it:
> AuthLDAPBindDN "admin@three.two.one"
The value of AuthLDAPBindDN must be a valid LDAP DN (something like
cn=username,dc=mydomainname...), but you are using something that looks
like an email address. Consequently, your log entry complains about user
authentication (on the LDAP server).
Re: [users@httpd] authnz_ldap_module: [Bad search filter] error
Posted by Anton Yakimov <an...@gmail.com>.
Oh, I will create a report, thanks for support!
ps removed NONE - same error..
2009/2/27 Eric Covener <co...@gmail.com>:
> On Thu, Feb 26, 2009 at 9:13 AM, Anton Yakimov
> <an...@gmail.com> wrote:
>
>> AuthLDAPUrl "ldap://server.three.two.one:389/dc=three, dc=two,
>> dc=one?sAMAccountName?sub?(objectClass=*) NONE"
>
> Why is "NONE" inside the quotes?
>
> --
> Eric Covener
> covener@gmail.com
>
--
Best Regards,
Anton Yakimov
Re: [users@httpd] authnz_ldap_module: [Bad search filter] error
Posted by Eric Covener <co...@gmail.com>.
On Thu, Feb 26, 2009 at 9:13 AM, Anton Yakimov
<an...@gmail.com> wrote:
> AuthLDAPUrl "ldap://server.three.two.one:389/dc=three, dc=two,
> dc=one?sAMAccountName?sub?(objectClass=*) NONE"
Why is "NONE" inside the quotes?
--
Eric Covener
covener@gmail.com
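
Added example, not part of Eric's message or of httpd: a small Python check for the point raised above, using the fact that AuthLDAPUrl takes the connection keyword (NONE, SSL, TLS or STARTTLS) as a second argument after the quoted URL. It splits the value from the thread into base DN, attribute, scope and filter and reports any text left over after the filter; the function names are illustrative and the sample value is the thread's directive with the wrapped line joined.

```python
import re
from urllib.parse import unquote

# Constructed sample: the AuthLDAPUrl value from the thread, wrapped line joined.
THREAD_VALUE = ("ldap://server.three.two.one:389/dc=three, dc=two, "
                "dc=one?sAMAccountName?sub?(objectClass=*) NONE")

# Second argument of AuthLDAPUrl per the mod_authnz_ldap documentation.
CONNECTION_KEYWORDS = {"NONE", "SSL", "TLS", "STARTTLS"}


def split_ldap_url(value):
    """Split ldap://host:port/basedn?attribute?scope?filter into its parts."""
    m = re.match(r"^(ldaps?)://([^/]*)/(.*)$", value, re.S)
    if not m:
        raise ValueError("not an ldap:// or ldaps:// URL")
    scheme, host, rest = m.groups()
    fields = rest.split("?") + [""] * 3
    return {"scheme": scheme, "host": host, "basedn": unquote(fields[0]),
            "attribute": fields[1], "scope": fields[2],
            "filter": unquote(fields[3])}


def trailing_after_filter(flt):
    """Text after the first balanced (...) group; None if parentheses are unbalanced."""
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return None
            if depth == 0:
                return flt[i + 1:]
    return None if depth else ""


def check_authldapurl(value):
    """Return a list of findings for one AuthLDAPUrl URL argument."""
    findings = []
    rest = trailing_after_filter(split_ldap_url(value)["filter"])
    if rest is None:
        findings.append("filter has unbalanced parentheses")
    elif rest.strip():
        extra = rest.strip()
        if extra.upper() in CONNECTION_KEYWORDS:
            findings.append(f"{extra} is inside the quoted URL, so it is read as "
                            "part of the filter; put it after the closing quote")
        else:
            findings.append(f"unexpected text after the filter: {extra!r}")
    return findings


if __name__ == "__main__":
    for finding in check_authldapurl(THREAD_VALUE):
        print(finding)
```

A clean result only means the URL argument is well-formed; it says nothing about what the LDAP client library does with it.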
Re: [users@httpd] authnz_ldap_module: [Bad search filter] error
Posted by Anton Yakimov <an...@gmail.com>.
Thanks again, Sascha.
I must say that this problem is really strange, only a few pages on the web..
2009/2/26 Sascha Kersken <sk...@lingoworld.de>:
>> But unfortunately it's not the cause..
>
> No, and I've got to correct my previous answer: RFC 2253 states that
> "Implementations MUST allow for space (' ' ASCII 32) characters to be
> present between name-component and ',', between attributeTypeAndValue and
> '+', between attributeType and '=', and between '=' and attributeValue.
> These space characters are ignored when parsing."
>
> I'm going to have a closer look at the filter later; I'm a bit busy right
> now.
>
>
--
Best Regards,
Anton Yakimov
Re: [users@httpd] authnz_ldap_module: [Bad search filter] error
Posted by Sascha Kersken <sk...@lingoworld.de>.
> But unfortunately it's not the cause..
No, and I've got to correct my previous answer: RFC 2253 states that
"Implementations MUST allow for space (' ' ASCII 32) characters to be
present between name-component and ',', between attributeTypeAndValue
and '+', between attributeType and '=', and between '=' and
attributeValue. These space characters are ignored when parsing."
I'm going to have a closer look at the filter later; I'm a bit busy
right now.
Re: [users@httpd] authnz_ldap_module: [Bad search filter] error
Posted by Anton Yakimov <an...@gmail.com>.
Thanks for reply, Sascha!
But unfortunately it's not the cause..
2009/2/26 Sascha Kersken <sk...@lingoworld.de>:
> Hi,
>
>> I have a strange error with authnz_ldap_module.
>> I have searched the web and tried a lot of combinations, but nothing
>> helps.
>> AuthLDAPUrl "ldap://server.three.two.one:389/dc=three,
>> dc=two,
>> dc=one?sAMAccountName?sub?(objectClass=*) NONE"
>
> There must not be blanks between the DN components (i.e. write
> dc=three,dc=two,dc=one instead of what you've got above). Not sure whether
> this is the only mistake, but at least it's one you need to fix.
>
>
> Sascha
>
--
Best Regards,
Anton Yakimov
Re: [users@httpd] authnz_ldap_module: [Bad search filter] error
Posted by Sascha Kersken <sk...@lingoworld.de>.
Hi,
> I have a strange error with authnz_ldap_module.
> I have searched the web and tried a lot of combinations, but nothing helps.
> AuthLDAPUrl "ldap://server.three.two.one:389/dc=three, dc=two,
> dc=one?sAMAccountName?sub?(objectClass=*) NONE"
There must not be blanks between the DN components (i.e. write
dc=three,dc=two,dc=one instead of what you've got above). Not sure
whether this is the only mistake, but at least it's one you need to fix.
Sascha
Re: [users@httpd] authnz_ldap_module: [Bad search filter] error
Posted by Eric Covener <co...@gmail.com>.
On Fri, Feb 27, 2009 at 6:45 AM, Anton Yakimov
<an...@gmail.com> wrote:
> Hi all,
>
> I have also tried apache+ldap on another network host and the result is the same:
> [ldap_search_ext_s() for user failed][Bad search filter]
>
> Maybe I can contact authnz_ldap module developer/maintainer?
> Can you help me to find his|her contacts?
Open a bug report, but include info for the LDAP client library you've
linked to.
If you know how to get debugging info out of the LDAP library, attach
it to the bug report.
--
Eric Covener
covener@gmail.com
Re: [users@httpd] authnz_ldap_module: [Bad search filter] error
Posted by Anton Yakimov <an...@gmail.com>.
Hi all,
I have also tried apache+ldap on another network host and the result is the same:
[ldap_search_ext_s() for user failed][Bad search filter]
Maybe I can contact authnz_ldap module developer/maintainer?
Can you help me to find his|her contacts?
Thanks in advance!
2009/2/27 Anton Yakimov <an...@gmail.com>:
> Hello Marc!
>
> Thanks for reply!
> Yes, I have ldapsearch, and have already tried it:
>
> # extended LDIF
> #
> # LDAPv3
> # base <dc=three,dc=two,dc=one> with scope subtree
> # filter: sAMAccountName=UsernameToTry
> # requesting: ALL
> #
>
> ... UsernameToTry info here ...
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 5
> # numEntries: 1
> # numReferences: 3
>
> So it works OK.
>
> I must say, that other LDAP connections work fine:
> KnowledgeTree, Mantis, VisualSVN's ldap...
>
> 2009/2/26 Marc Patermann <ha...@ofd-sth.niedersachsen.de>:
>> Hi,
>>
>> Anton Yakimov wrote:
>>>
>>> Hi everyone,
>>>
>>> I have a strange error with authnz_ldap_module.
>>> I have searched the web and tried a lot of combinations, but nothing
>>> helps.
>>>
>>> This list is my only hope (ok, not the only, I can also try
>>> svnserve+sasl+ldap).
>>>
>>> Here is my subversion.conf:
>>>
>>> LoadModule dav_svn_module modules/mod_dav_svn.so
>>> <Location /repos>
>>> DAV svn
>>> SVNPath /var/www/svn/repos
>>> AuthName "Test repository"
>>> AuthType Basic
>>> AuthBasicProvider ldap
>>> AuthLDAPUrl "ldap://server.three.two.one:389/dc=three,
>>> dc=two,
>>> dc=one?sAMAccountName?sub?(objectClass=*) NONE"
>>> AuthLDAPBindDN "admin@three.two.one"
>>> AuthLDAPBindPassword "password"
>>> Require valid-user
>>> </Location>
>>>
>>> And here are related error.log strings:
>>> ...
>>> [Thu Feb 26 16:47:11 2009] [debug] mod_authnz_ldap.c(373): [client
>>> 192.168.12.138] [11270] auth_ldap authenticate: using URL
>>> ldap://server.three.two.one:389/dc=three, dc=two,
>>> dc=one?sAMAccountName?sub?(objectClass=*) NONE
>>> [Thu Feb 26 16:47:11 2009] [warn] [client 192.168.12.138] [11270]
>>> auth_ldap authenticate: user authentication failed; URI /repos
>>> [ldap_search_ext_s() for user failed][Bad search filter]
>>
>> Do you have ldapsearch installed?
>> try
>> # ldapsearch -x -h server.three.two.one -D admin@three.two.one -w password
>> -b dc=three,dc=two,dc=one sAMAccountName=UsernameToTry
>>
>> What does it say?
>>
>> "sub" and "objectclass=*" may be the defaults anyway.
>>
>>
>> Marc
>>
>
>
>
> --
> Best Regards,
> Anton Yakimov
>
--
Best Regards,
Anton Yakimov
Re: [users@httpd] authnz_ldap_module: [Bad search filter] error
Posted by Anton Yakimov <an...@gmail.com>.
Hello Marc!
Thanks for reply!
Yes, I have ldapsearch, and have already tried it:
# extended LDIF
#
# LDAPv3
# base <dc=three,dc=two,dc=one> with scope subtree
# filter: sAMAccountName=UsernameToTry
# requesting: ALL
#
... UsernameToTry info here ...
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 1
# numReferences: 3
So it works OK.
I must say, that other LDAP connections work fine:
KnowledgeTree, Mantis, VisualSVN's ldap...
2009/2/26 Marc Patermann <ha...@ofd-sth.niedersachsen.de>:
> Hi,
>
> Anton Yakimov wrote:
>>
>> Hi everyone,
>>
>> I have a strange error with authnz_ldap_module.
>> I have searched the web and tried a lot of combinations, but nothing
>> helps.
>>
>> This list is my only hope (ok, not the only, I can also try
>> svnserve+sasl+ldap).
>>
>> Here is my subversion.conf:
>>
>> LoadModule dav_svn_module modules/mod_dav_svn.so
>> <Location /repos>
>> DAV svn
>> SVNPath /var/www/svn/repos
>> AuthName "Test repository"
>> AuthType Basic
>> AuthBasicProvider ldap
>> AuthLDAPUrl "ldap://server.three.two.one:389/dc=three,
>> dc=two,
>> dc=one?sAMAccountName?sub?(objectClass=*) NONE"
>> AuthLDAPBindDN "admin@three.two.one"
>> AuthLDAPBindPassword "password"
>> Require valid-user
>> </Location>
>>
>> And here are related error.log strings:
>> ...
>> [Thu Feb 26 16:47:11 2009] [debug] mod_authnz_ldap.c(373): [client
>> 192.168.12.138] [11270] auth_ldap authenticate: using URL
>> ldap://server.three.two.one:389/dc=three, dc=two,
>> dc=one?sAMAccountName?sub?(objectClass=*) NONE
>> [Thu Feb 26 16:47:11 2009] [warn] [client 192.168.12.138] [11270]
>> auth_ldap authenticate: user authentication failed; URI /repos
>> [ldap_search_ext_s() for user failed][Bad search filter]
>
> Do you have ldapsearch installed?
> try
> # ldapsearch -x -h server.three.two.one -D admin@three.two.one -w password
> -b dc=three,dc=two,dc=one sAMAccountName=UsernameToTry
>
> What does it say?
>
> "sub" and "objectclass=*" may be the defaults anyway.
>
>
> Marc
>
--
Best Regards,
Anton Yakimov
Re: [users@httpd] authnz_ldap_module: [Bad search filter] error
Posted by Marc Patermann <ha...@ofd-sth.niedersachsen.de>.
Hi,
Anton Yakimov wrote:
> Hi everyone,
>
> I have a strange error with authnz_ldap_module.
> I have searched the web and tried a lot of combinations, but nothing helps.
>
> This list is my only hope (ok, not the only, I can also try svnserve+sasl+ldap).
>
> Here is my subversion.conf:
>
> LoadModule dav_svn_module modules/mod_dav_svn.so
> <Location /repos>
> DAV svn
> SVNPath /var/www/svn/repos
> AuthName "Test repository"
> AuthType Basic
> AuthBasicProvider ldap
> AuthLDAPUrl "ldap://server.three.two.one:389/dc=three, dc=two,
> dc=one?sAMAccountName?sub?(objectClass=*) NONE"
> AuthLDAPBindDN "admin@three.two.one"
> AuthLDAPBindPassword "password"
> Require valid-user
> </Location>
>
> And here are related error.log strings:
> ...
> [Thu Feb 26 16:47:11 2009] [debug] mod_authnz_ldap.c(373): [client
> 192.168.12.138] [11270] auth_ldap authenticate: using URL
> ldap://server.three.two.one:389/dc=three, dc=two,
> dc=one?sAMAccountName?sub?(objectClass=*) NONE
> [Thu Feb 26 16:47:11 2009] [warn] [client 192.168.12.138] [11270]
> auth_ldap authenticate: user authentication failed; URI /repos
> [ldap_search_ext_s() for user failed][Bad search filter]
Do you have ldapsearch installed?
try
# ldapsearch -x -h server.three.two.one -D admin@three.two.one -w password -b dc=three,dc=two,dc=one sAMAccountName=UsernameToTry
What does it say?
"sub" and "objectclass=*" may be the defaults anyway.
Marc