Posted to users@httpd.apache.org by Disorder <di...@gmail.com> on 2006/09/07 14:24:39 UTC

[users@httpd] mod_authnz_ldap authentication of users stored in multiple OU's

Hi

I'm currently running Apache 2.2 and have loaded the mod_authnz_ldap module to
authenticate users against a Microsoft Active Directory. I can successfully
bind to the LDAP server and authenticate a user as long as I specify a
specific OU, i.e. if my AuthLDAPURL directive says

   AuthLDAPURL ldap://ms-m-dc:389/OU=Region1,DC=ZA,DC=Company,DC=net?sAMAccountName?sub?(objectClass=user)

But if I try

   AuthLDAPURL ldap://ms-m-dc:389/DC=ZA,DC=Company,DC=net?sAMAccountName?sub?(objectClass=user)

and search from the root, I can't authenticate users and get the following
error:

[Thu Sep 07 14:14:33 2006] [warn] [client 10.0.8.254] [480] auth_ldap authenticate: user testuser authentication failed; URI /bin/configure [ldap_search_ext_s() for user failed][Operations Error]
[Thu Sep 07 14:14:53 2006] [warn] [client 10.4.126.7] [480] auth_ldap authenticate: user testuser authentication failed; URI /bin/view/web [ldap_search_ext_s() for user failed][Operations Error]

Is this an issue with the MS implementation of LDAP and the way it returns the
results to Apache? Or is it Apache? Or am I missing some config? I have read
up on the module and haven't found any directives that can assist with this. I
have also included a copy of my config related to LDAP below.

The issue is that we do not have all our users stored in the same OU; users are
split according to region. Is there any way to add multiple AuthLDAPURL
directives? I have tried adding more, but it just treats the last directive
as the correct one and ignores anything prior to that. Are there any
workarounds to make this work? Your help would be appreciated.


---Config---
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthType Basic
AuthName "Please Enter Your Network Username/Password"
AuthLDAPBindDN "CN=Your Name,OU=Users,OU=People,OU=Region1,DC=ZA,DC=Company,DC=net"
AuthLDAPBindPassword mypass
AuthLDAPURL ldap://ms-m-dc:389/OU=Region1,DC=ZA,DC=Company,DC=net?sAMAccountName?sub?(objectClass=user)
AuthLDAPGroupAttribute department
AuthLDAPGroupAttributeIsDN off
#   AuthLDAPRemoteUserIsDN on
require valid-user
---end---

Thanks
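As an added illustration (not part of the post, and not code from the Apache project), the script below does two things a practitioner would want when debugging a report like the one above: it splits an AuthLDAPURL into the components mod_authnz_ldap actually uses (host, port, base DN, attribute, scope, filter, with the module's documented defaults for empty fields) and builds the combined search filter the module sends for a login attempt, and it parses the auth_ldap warning lines so that search failures (the server-side lookup failed before any password was checked) can be counted separately from other failure reasons. The two URLs and the two log lines are the ones quoted in the post; the log lines are re-joined onto single lines. The function names and the `dn_is_under` helper are my own and not part of the module.

```python
import re
from urllib.parse import urlsplit, unquote

# Defaults mod_authnz_ldap applies when a field of the AuthLDAPURL is left empty.
DEFAULT_ATTRIBUTE = "uid"
DEFAULT_SCOPE = "sub"
DEFAULT_FILTER = "(objectclass=*)"

# The two URLs from the post: the working (single OU) one and the failing (domain root) one.
WORKING_URL = "ldap://ms-m-dc:389/OU=Region1,DC=ZA,DC=Company,DC=net?sAMAccountName?sub?(objectClass=user)"
FAILING_URL = "ldap://ms-m-dc:389/DC=ZA,DC=Company,DC=net?sAMAccountName?sub?(objectClass=user)"

# The two warning lines from the post, re-joined onto single lines.
SAMPLE_LOG = [
    "[Thu Sep 07 14:14:33 2006] [warn] [client 10.0.8.254] [480] auth_ldap authenticate: "
    "user testuser authentication failed; URI /bin/configure "
    "[ldap_search_ext_s() for user failed][Operations Error]",
    "[Thu Sep 07 14:14:53 2006] [warn] [client 10.4.126.7] [480] auth_ldap authenticate: "
    "user testuser authentication failed; URI /bin/view/web "
    "[ldap_search_ext_s() for user failed][Operations Error]",
]


def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL (RFC 2255 form: ldap://host:port/basedn?attr?scope?filter)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPURL must use the ldap:// or ldaps:// scheme")
    # Pad so that missing trailing fields simply come out empty.
    fields = parts.query.split("?") + ["", "", ""]
    attribute, scope, search_filter = fields[0], fields[1], fields[2]
    scope = scope.lower() or DEFAULT_SCOPE
    if scope == "base":
        scope = "sub"  # the module documents base scope as being treated as sub
    if scope not in ("one", "sub"):
        raise ValueError("unsupported scope %r" % scope)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or DEFAULT_ATTRIBUTE,
        "scope": scope,
        "filter": unquote(search_filter) or DEFAULT_FILTER,
    }


def escape_filter_value(value):
    """Escape a user-supplied value for use inside an LDAP filter (RFC 4515 \\xx form)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def user_search_filter(url, username):
    """Filter the module sends to look up the login name: (&<filter>(<attr>=<user>))."""
    u = parse_auth_ldap_url(url)
    return "(&%s(%s=%s))" % (u["filter"], u["attribute"], escape_filter_value(username))


def dn_is_under(dn, base):
    """True if dn lies in the subtree rooted at base (naive comma split, case-insensitive)."""
    split = lambda s: [rdn.strip().lower() for rdn in s.split(",")]
    d, b = split(dn), split(base)
    return len(d) >= len(b) and d[-len(b):] == b


LOG_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] "
    r"\[\d+\] auth_ldap authenticate: user (?P<user>\S+) authentication failed; "
    r"URI (?P<uri>\S+) \[(?P<stage>[^\]]*)\]\[(?P<ldap_error>[^\]]*)\]$"
)


def parse_auth_ldap_failures(lines):
    """Return one dict per auth_ldap failure line; lines that do not match are ignored."""
    return [m.groupdict() for m in (LOG_RE.match(l.strip()) for l in lines) if m]


def failure_summary(lines):
    """Count failures by (stage, ldap_error) so search errors are not mistaken for bad passwords."""
    summary = {}
    for hit in parse_auth_ldap_failures(lines):
        key = (hit["stage"], hit["ldap_error"])
        summary[key] = summary.get(key, 0) + 1
    return summary


if __name__ == "__main__":
    for url in (WORKING_URL, FAILING_URL):
        print(parse_auth_ldap_url(url))
        print(user_search_filter(url, "testuser"))
    print(failure_summary(SAMPLE_LOG))
```

Parsing both URLs shows they differ only in the base DN, and `dn_is_under` confirms the Region1 OU sits inside the domain-root subtree, which is why the poster expected the second URL to cover it. In the log summary, a stage of `ldap_search_ext_s() for user failed` paired with the server's `Operations Error` is the lookup step failing, so this is worth separating from credential failures when reviewing authentication logs.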