Apache AD / LDAP authentication issues.
Hi.
Please advise if you can. I'm trying to configure Apache to authenticate to an MS AD server (2008R2) using LDAP. I have created a user in AD that is a member of "Users" and nothing else. I can log into my workstation using this user with the password I set. My Apache configuration is as follows:

# Basic authentication with LDAP against MS AD
AuthType Basic
AuthBasicProvider ldap
# AuthLDAPURL specifies the LDAP server IP, port, base DN, scope and filter
# using this format: ldap://host:port/basedn?attribute?scope?filter
AuthLDAPURL "ldap://xxx.xxx.32.2:389 xxx.xxx.32.10:389/DC=ad,DC=mydom,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
# The LDAP bind username and password
AuthLDAPBindDN "CN=apache.serverapp04,CN=Users,DC=ad,DC=mydom,DC=com"
AuthLDAPBindPassword passwordxyz
# we want to allow authentication only through LDAP, no fallback
AuthzLDAPAuthoritative on
AuthUserFile /dev/null
# make sure REMOTE_USER is set to sAMAccountName
AuthLDAPRemoteUserAttribute sAMAccountName
# The name of this authentication realm
AuthName "Restricted Dir [Domain Account]"
# To authenticate single domain users, list them here
require ldap-user "greg.machin"
# to authenticate a domain group, specify the full DN
# AuthLDAPGroupAttributeIsDN on
#require ldap-group CN=acl_secure_exchange,OU=Global Groups,OU=User,DC=frank4dd,DC=com
##### end LDAP #####

When I visit the site I get the expected login prompt, but authentication fails with my own account.
[Thu Dec 01 15:32:03 2011] [debug] mod_authnz_ldap.c(403): [client xxx.xxx.69.196] [3471] auth_ldap authenticate: using URL ldap://xxx.xxx.32.2:389 xxx.xxx.32.10:389/DC=ad,DC=mydom,DC=com?sAMAccountName?sub?(objectClass=*)
[Thu Dec 01 15:32:03 2011] [info] [client xxx.xxx.69.196] [3471] auth_ldap authenticate: user greg authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
[Thu Dec 01 15:32:03 2011] [error] [client xxx.xxx.69.196] user greg: authentication failure for "/": Password Mismatch

This led me to an issue with the binddn configuration, so I tried ldapsearch:

root@nzhmlwks0091:~# ldapsearch -h 192.168.32.2 -p 389 -D "CN=apache.serverapp04,CN=Users,DC=ad,DC=mydom,DC=com" -w "passwordxyz"
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

So the problem is with the binddn. I configured the new user the same as another user that is known to be working, a member of "Users" and "Domain Admins" (I don't want this user to have admin rights if I can avoid it).

What have I missed? What should I change to get this working?

Thanks
G

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
Apache AD / LDAP authentication issues.
> require ldap-user "greg.machin"

Pretty sure that needs to be a DN... Do you actually have sAMAccountName names written as x.x? Strange...

> When I visit the site I get the expected login prompt, authentication fails with my own account.

> root@nzhmlwks0091:~# ldapsearch -h 192.168.32.2 -p 389 -D
> "CN=apache.serverapp04,CN=Users,DC=ad,DC=mydom,DC=com" -w
> "passwordxyz"
> ldap_bind: Invalid credentials (49)

Right, so check the DN and password. Is your domain actually ad.mydom.local, or is your server NetBIOS name 'ad', in which case you don't put that in the DN.

> So the problem is with the binddn, I configured the new user the same
> as another user that is known to be working. A member of Users and
> "Domain Admins" (I don't want this user to have admin rights if I can
> avoid it.)

Certainly shouldn't be a member of the dom admins.
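An added diagnostic helper for the bind-DN problem discussed in both posts above. It is not from the thread, from Apache or from OpenLDAP; it assumes OpenLDAP's ldapsearch is installed, and the host, DN and password it takes are placeholders. The point it demonstrates: the "data 52e" sub-code AD appends to an AcceptSecurityContext error means the bind identity resolved but the password was rejected, whereas a wrong DN (the NetBIOS-vs-DNS question in the reply) produces "data 525" (user not found). The live probe uses a simple bind (-x, a choice made here since the thread's ldapsearch call did not pass it) and tries the same account in the three identity forms AD accepts for simple bind (full DN, UPN, DOMAIN\user), which separates a DN typo from a bad password without giving the service account any extra rights.

```shell
#!/bin/sh
# Added example, not part of the original thread or of Apache/OpenLDAP.
# Assumes OpenLDAP's ldapsearch; host, bind identities and password are placeholders.

# Translate the "data NNN" sub-code AD appends to an AcceptSecurityContext
# error (Microsoft's documented LDAP bind sub-codes, hex as AD prints them).
ad_bind_reason() {
    case "$1" in
        525) echo "user not found: the bind identity does not resolve";;
        52e) echo "invalid credentials: identity resolved, password rejected";;
        530) echo "logon not permitted at this time";;
        531) echo "logon not permitted from this workstation";;
        532) echo "password expired";;
        533) echo "account disabled";;
        701) echo "account expired";;
        773) echo "user must change password at next logon";;
        775) echo "account locked out";;
        *)   echo "unrecognised sub-code '$1'";;
    esac
}

# Pull the sub-code out of ldap_bind's "additional info" line (read from stdin).
ad_bind_code() {
    sed -n 's/.*data \([0-9a-fA-F]*\),.*/\1/p' | head -n 1
}

# Explain one captured ldapsearch error message (first argument), offline.
# Returns 1 when the message carries no AD sub-code (e.g. a connection error).
ad_explain() {
    code=$(printf '%s\n' "$1" | ad_bind_code)
    if [ -z "$code" ]; then
        echo "no AD sub-code found"
        return 1
    fi
    echo "data $code: $(ad_bind_reason "$code")"
}

# Live check: simple bind (-x) against the rootDSE with each identity form given,
# so a DN typo (data 525) is told apart from a wrong password (data 52e).
# Usage: ad_bind_probe HOST PASSWORD 'CN=svc,CN=Users,DC=ad,DC=mydom,DC=com' \
#                      'svc@ad.mydom.com' 'AD\svc'     (placeholder identities)
ad_bind_probe() {
    host=$1; pw=$2; shift 2
    for id in "$@"; do
        err=$(ldapsearch -x -H "ldap://$host" -D "$id" -w "$pw" -b '' -s base 2>&1 >/dev/null)
        if [ $? -eq 0 ]; then
            echo "OK   $id"
        else
            echo "FAIL $id -> $(ad_explain "$err")"
        fi
    done
}
```

Feeding the error line from the original post to ad_explain reports "data 52e: invalid credentials: identity resolved, password rejected", i.e. the DN "CN=apache.serverapp04,CN=Users,DC=ad,DC=mydom,DC=com" was found by the directory and the password is what to check (a freshly created account with "must change password at next logon" set reports 773 rather than 52e, so that case is distinguishable too).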