12-01-2011, 02:42 AM
Gregory Machin

Apache AD / LDAP authentication issues.

Hi.
Please advise if you can.

I'm trying to configure apache to authenticate to MS AD server 2008R2,
using LDAP.

I have created a user in AD that is member of "Users" and nothing
else. I can log into my workstation using this user with the password
I set.

My Apache configuration is as follows:

# Basic authentication with LDAP against MS AD
AuthType Basic
AuthBasicProvider ldap

# AuthLDAPURL specifies the LDAP server IP, port, base DN, scope and filter
# using this format: ldap://host:port/basedn?attribute?scope?filter
AuthLDAPURL "ldap://xxx.xxx.32.2:389 xxx.xxx.32.10:389/DC=ad,DC=mydom,DC=com?sAMAccountName?sub?(objectClass=*)" NONE

# The LDAP bind username and password
AuthLDAPBindDN "CN=apache.serverapp04,CN=Users,DC=ad,DC=mydom,DC=com"
AuthLDAPBindPassword passwordxyz

# we want to allow authentication only through LDAP, no fallback
AuthzLDAPAuthoritative on
AuthUserFile /dev/null
# make sure REMOTE_USER is set to sAMAccountName
AuthLDAPRemoteUserAttribute sAMAccountName

# The name of this authentication realm
AuthName "Restricted Dir [Domain Account]"
# To authenticate single domain users, list them here
require ldap-user "greg.machin"
# to authenticate a domain group, specify the full DN
# AuthLDAPGroupAttributeIsDN on
#require ldap-group CN=acl_secure_exchange,OU=Global Groups,OU=User,DC=frank4dd,DC=com
##### end LDAP #####

When I visit the site I get the expected login prompt, but authentication
fails with my own account.

[Thu Dec 01 15:32:03 2011] [debug] mod_authnz_ldap.c(403): [client xxx.xxx.69.196] [3471] auth_ldap authenticate: using URL ldap://xxx.xxx.32.2:389 xxx.xxx.32.10:389/DC=ad,DC=mydom,DC=com?sAMAccountName?sub?(objectClass=*)
[Thu Dec 01 15:32:03 2011] [info] [client xxx.xxx.69.196] [3471] auth_ldap authenticate: user greg authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
[Thu Dec 01 15:32:03 2011] [error] [client xxx.xxx.69.196] user greg: authentication failure for "/": Password Mismatch

This led me to an issue with the binddn configuration, so I tried ldapsearch:

root@nzhmlwks0091:~# ldapsearch -h 192.168.32.2 -p 389 -D "CN=apache.serverapp04,CN=Users,DC=ad,DC=mydom,DC=com" -w "passwordxyz"
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

So the problem is with the binddn. I configured the new user the same
as another user that is known to be working, a member of "Users" and
"Domain Admins" (I don't want this user to have admin rights if I can
avoid it).

What have I missed, and what should I change to get this working?

Thanks
G
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
12-01-2011, 10:38 AM
"Joseph L. Casale"

Apache AD / LDAP authentication issues.

>require ldap-user "greg.machin"

Pretty sure that needs to be a DN... Do you actually have sAMAccountName
names written as x.x? Strange...

>When I visit the site I get the expected login prompt, authentication
>fails with my own account.

>root@nzhmlwks0091:~# ldapsearch -h 192.168.32.2 -p 389 -D "CN=apache.serverapp04,CN=Users,DC=ad,DC=mydom,DC=com" -w "passwordxyz"
>ldap_bind: Invalid credentials (49)

Right, so check the dn and password. Is your domain actually ad.mydom.local
or is your server netbios name 'ad', in which case you don’t put that in the dn.

>So the problem is with the binddn , I configured the new user the same
>as another user this is know to be working. A member of User and
>"Domain Admins" (I don't want this user to have admin rites if I can
>avoid it.)

Certainly shouldn’t be a member of the dom admins.
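The "data 52e" sub-code in Gregory's ldapsearch output, and Joseph's advice to check the DN and password, are the whole diagnosis here. The following is an added example (not from the thread or from Apache) that decodes that AD sub-code and retries the same simple bind Apache performs with AuthLDAPBindDN; the function names ad_bind_reason and check_bind are chosen for this example.

```shell
#!/bin/sh
# Added example: decode the AD sub-code ("data 52e") that ldapsearch prints
# when a simple bind is rejected, so the bind DN/password problem is named
# instead of guessed. The sub-code table is the standard AD logon-failure
# set; ad_bind_reason and check_bind are names chosen for this example.

# Map the "data NNN" sub-code of an AcceptSecurityContext error to its meaning.
# $1: text captured from ldapsearch's stderr.
ad_bind_reason() {
    code=$(printf '%s\n' "$1" \
        | sed -n 's/.*AcceptSecurityContext error, data \([0-9a-fA-F]*\),.*/\1/p' \
        | head -n 1)
    case "$code" in
        525) echo "525: user not found (bind DN does not exist)" ;;
        52e) echo "52e: invalid credentials (wrong password, or the bind DN did not resolve to an account)" ;;
        530) echo "530: logon not permitted at this time (logon hours)" ;;
        531) echo "531: logon not permitted from this workstation" ;;
        532) echo "532: password expired" ;;
        533) echo "533: account disabled" ;;
        701) echo "701: account expired" ;;
        773) echo "773: user must change password at next logon" ;;
        775) echo "775: account locked out" ;;
        "")  echo "no AcceptSecurityContext sub-code in output" ;;
        *)   echo "$code: unrecognised sub-code" ;;
    esac
}

# Try the same simple bind Apache does with AuthLDAPBindDN/AuthLDAPBindPassword
# and explain a failure. $1 LDAP URI, $2 bind DN, $3 password, $4 base DN.
# -x forces a simple bind; without it ldapsearch attempts a SASL bind instead.
check_bind() {
    if err=$(ldapsearch -x -H "$1" -D "$2" -w "$3" -b "$4" -s base '(objectClass=*)' dn 2>&1 >/dev/null); then
        echo "bind OK as $2"
        return 0
    fi
    ad_bind_reason "$err"
    return 1
}

# Constructed sample, modelled on the error in the thread (not live output).
SAMPLE_ERR='ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1'

ad_bind_reason "$SAMPLE_ERR"
# Live check (needs ldap-utils and network access), e.g.:
# check_bind ldap://xxx.xxx.32.2:389 'CN=apache.serverapp04,CN=Users,DC=ad,DC=mydom,DC=com' passwordxyz 'DC=ad,DC=mydom,DC=com'
```

Running check_bind with the exact DN and password from the Apache config separates a mistyped DN from a wrong password before touching the group membership of the bind account.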