Posted to users@httpd.apache.org by Sohail Somani <s....@fincad.com> on 2006/11/10 02:30:52 UTC

[users@httpd] Apache 2 + LDAP - valid user/pw not authenticated?

Hi,

I'm trying to set up ldap authentication. I am pretty sure that it
authenticates because I get the following results from the error logs
in specific situations:

Invalid user: auth_ldap authenticate: user <bad_user> authentication
failed; URI /mypaty [User not found][No such object]
Valid user/invalid pw: user <good_user>: authentication failure for
"/mypath": Password Mismatch
Valid user/valid pw: No output from error log

So I assume that it works and is set up correctly. Additionally, I have
used ldapsearch to verify that the ldap strings are doing the right
dance.

However, in the last case, when it appears that I have authenticated,
Firefox/IE keep popping up the authorization box even when the user/pw
are correct! Here is my relevant (I hope) config:

<Location /mypath>
   AuthType basic
   AuthName "Authentication domain"
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative on
   AuthLDAPURL "ldap://<host>/ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
   AuthLDAPBindDN "cn=<bind_user>,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
   AuthLDAPBindPassword "<password>"
   SSLRequireSSL
   require valid-user
</Location>

Any assistance would be great!

TIA

Sohail


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
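
The AuthLDAPURL in the post packs the search base, the lookup attribute, the scope and a filter into one RFC 2255 URL, and mod_authnz_ldap turns it into a single search of the form (&(filter)(attribute=username)) when a login arrives. The following is an added example written for this page, not Apache code and not from the thread: it parses such a URL, applies the fallbacks the mod_authnz_ldap documentation lists for missing fields (attribute uid, scope sub, filter (objectclass=*)), and builds the per-user filter with RFC 4515 escaping of the supplied username. The host ldap.example.com stands in for the poster's <host>; the escaping shown is what any LDAP client must do with untrusted input and is not a claim about Apache's internal implementation.

```python
"""Parse an Apache mod_authnz_ldap AuthLDAPURL and derive the user search.

Added example for this thread, not Apache code. The URL grammar is RFC 2255
(ldap://host:port/basedn?attribute?scope?filter); the fallbacks for missing
fields are the ones the mod_authnz_ldap documentation lists (attribute "uid",
scope "sub", filter "(objectclass=*)"). The host ldap.example.com is a
stand-in for the poster's <host>.
"""
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class AuthLdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    attribute: str
    scope: str
    filter: str


def parse_auth_ldap_url(url: str) -> AuthLdapUrl:
    """Split an AuthLDAPURL into its parts, applying the documented defaults."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPURL must start with ldap:// or ldaps://")
    hostport, _, rest = rest.partition("/")
    host, _, port = hostport.partition(":")
    if not host:
        raise ValueError("AuthLDAPURL needs a host")
    port_num = int(port) if port else (636 if scheme == "ldaps" else 389)
    # Base DN, attribute, scope and filter are "?"-separated; pad so that a
    # URL that stops early still unpacks into four fields.
    fields = rest.split("?", 3) + [""] * 3
    base_dn, attribute, scope, filt = (unquote(f) for f in fields[:4])
    scope = scope.lower()
    if scope not in ("one", "sub"):
        scope = "sub"  # docs: "base" is not supported and falls back to sub
    return AuthLdapUrl(scheme, host, port_num, base_dn,
                       attribute or "uid", scope, filt or "(objectclass=*)")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter.

    The metacharacters are replaced by \\XX hex escapes so that a username
    like "*)(cn=admin" is matched literally instead of rewriting the filter.
    """
    escaped = []
    for ch in value:
        if ch in "*()\\" or ch == "\0":
            escaped.append(f"\\{ord(ch):02x}")
        else:
            escaped.append(ch)
    return "".join(escaped)


def build_user_filter(cfg: AuthLdapUrl, username: str) -> str:
    """The search issued for a login: URL filter AND attribute=username."""
    return f"(&{cfg.filter}({cfg.attribute}={escape_filter_value(username)}))"


if __name__ == "__main__":
    # The poster's URL with a stand-in host; the literal space in the base DN
    # is kept because that is how it appears in the quoted config.
    url = ("ldap://ldap.example.com/ou=Development,ou=Corporate Users,"
           "dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)")
    cfg = parse_auth_ldap_url(url)
    print(cfg)
    for name in ("jdoe", "*)(cn=admin"):
        print(f"{name!r:16} -> {build_user_filter(cfg, name)}")
```

Running it against the poster's URL shows why the three log outcomes in the post are plausible: the attribute lookup is a sub-tree search under the base DN for sAMAccountName equal to the login name, so an unknown name yields "User not found" before any bind with the user's password is attempted.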


Re: [users@httpd] Apache 2 + LDAP - valid user/pw not authenticated?

Posted by Christophe Gravier <ch...@univ-st-etienne.fr>.
Sohail Somani wrote:
> Hi,
>
> I'm trying to set up ldap authentication. I am pretty sure that it
> authenticates because if I get the following results from the error logs
> in specific situations:
>
> Invalid user: auth_ldap authenticate: user <bad_user> authentication
> failed; URI /mypaty [User not found][No such object]
> Valid user/invalid pw: user <good_user>: authentication failure for
> "/mypath": Password Mismatch
> Valid user/valid pw: No output from error log
>
> So I assume that it works and is set up correctly. Additionally, I have
> used ldapsearch to verify that the ldap strings are doing the right
> dance.
>
> However, in the last case, when it appears that I have authenticated,
> Firefox/IE keep popping up the authorization box even when the user/pw
> are correct! Here is my relevant (I hope) config:
>
> <Location /mypath>
>    AuthType basic
>    AuthName "Authentication domain"
>    AuthBasicProvider ldap
>    AuthzLDAPAuthoritative on
>    AuthLDAPURL "ldap://<host>/ou=Development,ou=Corporate
> Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
>    AuthLDAPBindDN "cn=<bind_user>,ou=Development,ou=Corporate
> Users,dc=financialcad,dc=com"
>    AuthLDAPBindPassword "<password>"
>    SSLRequireSSL
>    require valid-user
> </Location>
>
> Any assistance would be great!
>   
Are you using Apache >= 2.2?

If yes, "require valid-user" is not the directive for the authnz_ldap 
module.
If you're using Apache >= 2.2 and you want to:

1/ allow "any" authenticated user to enter, whatever his group 
membership is (i.e. no authorization control), you must "bypass" the 
authz_ldap authorization module by setting "AuthzLDAPAuthoritative" to 
off (else Apache searches for require ldap-user or ldap-group directives)

<Location /mypath>
   AuthType basic
   AuthName "Authentication domain"
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative off
   AuthLDAPURL "ldap://<host>/ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
   AuthLDAPBindDN "cn=<bind_user>,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
   AuthLDAPBindPassword "<password>"
   SSLRequireSSL
   require valid-user
</Location>


2/ allow a limited list of known users of the directory (needs the require 
ldap-user directive, not require valid-user)

<Location /mypath>
   AuthType basic
   AuthName "Authentication domain"
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative *on*
   AuthLDAPURL "ldap://<host>/ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
   AuthLDAPBindDN "cn=<bind_user>,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
   AuthLDAPBindPassword "<password>"
   SSLRequireSSL
   require *ldap-user* myuser_uid
</Location>

3/ allow a group of users (authorization based on group membership).

<Location /mypath>
   AuthType basic
   AuthName "Authentication domain"
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative *on*
   AuthLDAPURL "ldap://<host>/ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
   AuthLDAPBindDN "cn=<bind_user>,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
   AuthLDAPBindPassword "<password>"
   SSLRequireSSL
   require *ldap-group* my_group_full_dn
</Location>

HTH
Christophe
> TIA
>
> Sohail


-- 
Christophe Gravier
Laboratoire DIOM, SATIn team - PhD student http://portail-istase.univ-st-etienne.fr/diom/FRA/Satin.php
ISTASE - Research engineer http://www.istase.com
Personal: http://portail-istase.univ-st-etienne.fr/diom/public/cgravier/




Re: [users@httpd] Apache 2 + LDAP - valid user/pw not authenticated?

Posted by "John P. Dodge" <do...@cruciate.ca.boeing.com>.
On Thu, 9 Nov 2006, Sohail Somani wrote:

> Hi,
>
> Invalid user: auth_ldap authenticate: user <bad_user> authentication
> failed; URI /mypaty [User not found][No such object]
> Valid user/invalid pw: user <good_user>: authentication failure for
> "/mypath": Password Mismatch
> Valid user/valid pw: No output from error log
>
> <Location /mypath>
>    AuthType basic
>    AuthName "Authentication domain"
>    AuthBasicProvider ldap
>    AuthzLDAPAuthoritative on
>    AuthLDAPURL "ldap://<host>/ou=Development,ou=Corporate
> Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
>    AuthLDAPBindDN "cn=<bind_user>,ou=Development,ou=Corporate
> Users,dc=financialcad,dc=com"
>    AuthLDAPBindPassword "<password>"
>    SSLRequireSSL
>    require valid-user
> </Location>
>
Try:

    AuthzLDAPAuthoritative off

This is the required setting when using "require valid-user"

----------------------------------------
"My hovercraft is full of eels"
John P. Dodge
Boeing Shared Services
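
Both replies give the same fix; what neither spells out is the mechanism behind the symptom. The following is an added example written for this page, a simplified Python model and not Apache source: it sketches how the Apache 2.2 authorization hooks of mod_authnz_ldap and mod_authz_user each treat the Require lines. The ldap module only understands the ldap-* requirement types, so with AuthzLDAPAuthoritative on and a bare "require valid-user" it finds nothing it can grant and answers 401 after authentication has already succeeded, which the browser renders as a fresh password prompt. With the setting off it declines and mod_authz_user (which must be loaded) grants valid-user. Assumptions of the model: the ldap hook runs before mod_authz_user, mod_authz_user keeps its default authoritative behaviour, ldap-filter is left out because it needs a live directory search, and the user record (jdoe, its DN, group DNs and attributes) is constructed.

```python
"""Model of the Apache 2.2 authorization phase for the thread's config.

Added example for this thread, not Apache source. It models only as much of
mod_authnz_ldap and mod_authz_user as is needed to show why "Require
valid-user" plus "AuthzLDAPAuthoritative on" re-prompts although the user
authenticated. Hook order (ldap first, then authz_user) and the user-record
layout are assumptions of this model.
"""

OK = "OK"                 # module grants access; the chain stops here
DECLINED = "DECLINED"     # module has no opinion; the next module runs
UNAUTHORIZED = "401"      # module denies; the browser shows the login box again
SERVER_ERROR = "500"      # nobody claimed the request (core logs a config error)


def authnz_ldap_check(requires, authoritative, user):
    """mod_authnz_ldap authz hook: understands only the ldap-* requirements."""
    for req in requires:
        kind, _, args = req.partition(" ")
        args = args.strip()
        if kind == "ldap-user" and user["name"] in args.split():
            return OK
        if kind == "ldap-dn" and args.lower() == user["dn"].lower():
            return OK
        if kind == "ldap-group" and args.lower() in {g.lower() for g in user["groups"]}:
            return OK
        if kind == "ldap-attribute":
            attr, _, value = args.partition("=")
            if user["attrs"].get(attr) == value:
                return OK
        # "ldap-filter" is omitted (needs a directory search). Anything else,
        # including "valid-user", is simply not this module's business.
    # Nothing matched: either let other modules decide, or deny outright.
    return DECLINED if not authoritative else UNAUTHORIZED


def authz_user_check(requires, user):
    """mod_authz_user authz hook: understands "valid-user" and "user <names>".

    Modelled with its default authoritative setting, so a Require list it
    cannot satisfy is a denial rather than a decline.
    """
    for req in requires:
        kind, _, args = req.partition(" ")
        if kind == "valid-user":
            return OK
        if kind == "user" and user["name"] in args.split():
            return OK
    return UNAUTHORIZED


def authorize(requires, authoritative, user):
    """Run the hooks RUN_FIRST style: the first non-DECLINED answer wins."""
    for result in (authnz_ldap_check(requires, authoritative, user),
                   authz_user_check(requires, user)):
        if result != DECLINED:
            return result
    return SERVER_ERROR


# Constructed record standing in for what the module learned while
# authenticating: the entry's DN and attributes, plus group DNs for ldap-group.
GOOD_USER = {
    "name": "jdoe",
    "dn": "cn=jdoe,ou=Development,ou=Corporate Users,dc=financialcad,dc=com",
    "groups": ["cn=developers,ou=Groups,dc=financialcad,dc=com"],
    "attrs": {"department": "Development"},
}


def thread_cases():
    """The poster's config and the three variants from the replies."""
    group_dn = "cn=developers,ou=Groups,dc=financialcad,dc=com"
    return {
        "original: valid-user, authoritative on": authorize(["valid-user"], True, GOOD_USER),
        "1/ valid-user, authoritative off": authorize(["valid-user"], False, GOOD_USER),
        "2/ ldap-user jdoe, authoritative on": authorize(["ldap-user jdoe"], True, GOOD_USER),
        "2/ ldap-user other, authoritative on": authorize(["ldap-user other"], True, GOOD_USER),
        "3/ ldap-group, authoritative on": authorize([f"ldap-group {group_dn}"], True, GOOD_USER),
    }


if __name__ == "__main__":
    for label, result in thread_cases().items():
        print(f"{label:42} -> {result}")
```

The first case is the poster's: credentials are accepted in the authentication phase, so nothing is logged there, and the 401 comes from the authorization phase of the ldap module itself. Note also the flip side of turning AuthzLDAPAuthoritative off: a "require ldap-group" line that the ldap module cannot satisfy then falls through to mod_authz_user, which does not understand it and denies as well, so the fall-through buys you valid-user and nothing weaker.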

