httpd-users mailing list archives

From HATJIEVGENIADU AMALIA <a.hatjievgeni...@abcol.ac.uk>
Subject RE: [users@httpd] Problem with mod_auth_ldap on Apache2
Date Fri, 01 Aug 2003 10:07:55 GMT
I translated ldap://x.x.x.x:389/DC=some,DC=domain,DC=org?sAMAccountName?sub?
into what I think it should correspond to in Muquit syntax:
<Directory "../intranet">
      Options  Indexes FollowSymLinks
      AllowOverride None
      order allow,deny
      allow from all
      AuthName "Aberdeen College Staff Only"
      AuthType Basic
      LDAP_Debug On
      LDAP_Server <Win2000 box IP addess>
      LDAP_Port 389
      Base_DN "dc=mydomain,dc=ac,dc=uk"
      Bind_DN "cn=admin,cn=users,dc=mydomain,dc=ac,dc=uk"
      Bind_Pass ******
      UID_Attr sAMAccountName
      require valid-user
***also tried require filter "(sAMAccountName=oneuser)"
</Directory>
and still get similar error messages:
...cound not find DN for user "oneuser" with attr "sAMAccountName"

If I query the LDAP Directory directly with LDAPsearch on this attribute, I
do get results. Apache's httpd.conf syntax, though, is not getting through.
Any ideas? 

I tried re-configuring Apache with the "native" mod_auth_ldap, but this time
have a problem running MAKE after the CONFIGURE. It fails with a complaint
about "undefined symbol" apr_generate_random_bytes.

Thank you
Amalia

-----Original Message-----
From: Jason Martens [mailto:jmartens@cityofevanston.org]
Sent: 31 July 2003 17:38
To: users@httpd.apache.org
Subject: Re: [users@httpd] Problem with mod_auth_ldap on Apache2


To connect to our active directory, I use the object sAMAccountName
instead of objectclass=person like you are using.  I am using a
different version of the auth_ldap module, but my connection url looks
like this:

ldap://x.x.x.x:389/DC=some,DC=domain,DC=org?sAMAccountName?sub?

This works to find the user's login name in the active directory.
It looks like the problem is in the searching and not in the filter.

Jason
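The lookup both posts are circling (the module binds with Bind_DN, searches the base DN for an entry whose attribute matches the typed username, then binds as that entry) can be reproduced outside Apache. The following is an added example, not code from this thread or from either mod_auth_ldap module it discusses. It parses the URL form Jason quotes (ldap://host:port/basedn?attribute?scope?filter, RFC 2255), builds the per-user filter with RFC 4515 escaping, and emits the equivalent ldapsearch command. Defaults for missing URL parts are taken from the Apache mod_authnz_ldap documentation (attribute uid, scope sub, filter (objectClass=*)); that the Muquit module combines `require filter` and `UID_Attr` the same way is an assumption, not something the thread establishes. All hostnames, DNs and usernames are constructed.

```python
"""
Added example: model the user-lookup search an Apache LDAP auth module runs
before binding as the user, and express it as an ldapsearch command.
Not the code of any mod_auth_ldap module; sample values are constructed.
"""
import shlex
from urllib.parse import unquote, urlsplit

LDAP_DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    A username containing '(', ')', '*', '\\' or NUL would otherwise change
    the structure of the filter instead of being matched literally.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def parse_auth_ldap_url(url: str) -> dict:
    """Split ldap://host:port/basedn?attr?scope?filter into its parts.

    Defaults follow the Apache mod_authnz_ldap documentation: attribute
    uid, scope sub, filter (objectClass=*).
    """
    parts = urlsplit(url)
    if parts.scheme not in LDAP_DEFAULT_PORT:
        raise ValueError("expected an ldap:// or ldaps:// URL, got %r" % url)
    if not parts.hostname:
        raise ValueError("LDAP URL has no host: %r" % url)
    # RFC 2255 separates the fields after the base DN with '?', so the
    # second and third '?' are field separators, not extra query strings.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attr, scope, filt = fields[:3]
    if scope not in ("", "base", "one", "sub"):
        raise ValueError("unknown LDAP search scope %r" % scope)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or LDAP_DEFAULT_PORT[parts.scheme],
        "base_dn": unquote(parts.path.lstrip("/")),
        "attr": attr or "uid",
        "scope": scope or "sub",
        "filter": filt or "(objectClass=*)",
    }


def build_user_filter(attr: str, username: str, url_filter: str) -> str:
    """AND the URL (or require) filter with the per-user attribute clause.

    The username is escaped, so it is always matched as a literal value.
    """
    return "(&%s(%s=%s))" % (url_filter, attr, escape_filter_value(username))


def ldapsearch_command(url: dict, filt: str, bind_dn: str) -> str:
    """Equivalent OpenLDAP ldapsearch invocation for the same search.

    -W prompts for the bind password instead of taking it on the command
    line, where it would be visible to other local users in the process list.
    """
    argv = [
        "ldapsearch", "-x",
        "-H", "%s://%s:%d" % (url["scheme"], url["host"], url["port"]),
        "-D", bind_dn, "-W",
        "-b", url["base_dn"],
        "-s", url["scope"],
        filt, "dn",
    ]
    return " ".join(shlex.quote(a) for a in argv)


def apache_search_as_ldapsearch(auth_url: str, username: str, bind_dn: str) -> str:
    """Reproduce, as a shell command, the user lookup Apache would run."""
    url = parse_auth_ldap_url(auth_url)
    filt = build_user_filter(url["attr"], username, url["filter"])
    return ldapsearch_command(url, filt, bind_dn)


if __name__ == "__main__":
    # Constructed values shaped like the ones in the thread.
    AUTH_URL = "ldap://x.x.x.x:389/DC=some,DC=domain,DC=org?sAMAccountName?sub?"
    BIND_DN = "cn=admin,cn=users,dc=mydomain,dc=ac,dc=uk"
    print(apache_search_as_ldapsearch(AUTH_URL, "oneuser", BIND_DN))
    # The filter the original config expresses with cn as the lookup attribute.
    print(build_user_filter("cn", "oneuser", "(objectclass=person)"))
```

Run the printed command on the Apache host itself, since that is where the module's search originates, and compare its filter with the one error_log prints after "Using LDAP filter:"; if ldapsearch returns the entry's DN but the module does not, the difference is in what the module sends, not in the directory.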


On Thu, 2003-07-31 at 11:31, HATJIEVGENIADU AMALIA wrote:
> I am running Apache 2.0.47 on a Solaris 8 box.
> I need to perform user authentication for our intranet, and so built
> mod_auth_ldap into Apache as a DSO. I downloaded the module from
> <http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html>,
> and installed OpenLDAP 2.1.22 as well, in order to use its LDAP C SDK.
> My LDAP server is Active Directory running on a Windows box. If I target it
> with LDAPsearch, I bind to it, no problem. Then I edited the httpd.conf
> following directions from M.A.Muquit's page. Here's the relevant section:
> ...
> <Directory "../intranet">
>      Options   Indexes FollowSymLinks
>      AllowOverride None
>      order allow,deny
>      allow from all
>      AuthName "Aberdeen College Staff Only"
>      AuthType Basic
>      LDAP_Debug On
>      LDAP_Server <Win2000 box IP addess>
>      LDAP_Port 389
>      Base_DN "dc=mydomain,dc=ac,dc=uk"
>      Bind_DN "cn=admin,cn=users,dc=mydomain,dc=ac,dc=uk"
>      Bind_Pass ******
>      UID_Attr cn
>      require filter "(&(objectclass=person)(cn=oneuser))"
> </Directory>
> ...
> When I type the URL to my browser, I am prompted for a username and
> password. I expect that, provided I supply username oneuser and the correct
> password, the credentials will be authenticated on the LDAP server and I
> will gain access to ../intranet. However, it doesn't work. In the error_log
> file I have:
> ...
> [Tue Jul 29 12:42:06 2003] [error] [client a.b.c.d] [mod_auth_ldap.c (1039)]- mod_auth_ldap v2.11 (compiled with OpenLDAP TLS) url: http://muquit.com/
> [Tue Jul 29 12:42:06 2003] [error] [client a.b.c.d] [mod_auth_ldap.c (1052)] - LDAP server=<Windows LDAP server IP address>,Port=389
> [Tue Jul 29 12:42:06 2003] [error] [client a.b.c.d] [mod_auth_ldap.c] (1160) - MAKING NEW CONNECTION, try# 1, pid=1025
> [Tue Jul 29 12:42:06 2003] [error] [client a.b.c.d] [mod_auth_ldap.c] (1165) - cr->ld: 0x217fc0, pid=1025
> [Tue Jul 29 12:42:06 2003] [error] [client a.b.c.d] [mod_auth_ldap.c (1206)] - you didn't compile with iPlanet C SDK, connect timeout will not be available
> [Tue Jul 29 12:42:06 2003] [error] [client a.b.c.d] [mod_auth_ldap.c (705)] - Using LDAP filter: (cn=user1)
> [Tue Jul 29 12:42:06 2003] [error] [client a.b.c.d] [mod_auth_ldap.c] - trying to bind with bind DN "cn=admin,cn=users,dc=mydomain,dc=ac,dc=uk" and password(not shown)
> [Tue Jul 29 12:42:06 2003] [error] [client 194.82.237.60] [mod_auth_ldap.c] - Bound successfully with DN "cn=admin,cn=users,dc=mydomain,dc=ac,dc=uk" and password (not shown)
> [Tue Jul 29 12:42:06 2003] [error] [client 194.82.237.60] [mod_auth_ldap.c] - ldap_search_s() failed
> [Tue Jul 29 12:42:06 2003] [error] [client 194.82.237.60] [mod_auth_ldap.c] - Error: Can't contact LDAP server
> [Tue Jul 29 12:42:06 2003] [error] [client 194.82.237.60] [mod_auth_ldap.c (1242)] - Bind attempt# 1, cound not find DN for user "oneuser" with attr "cn"
> ...
> 
> It seems not to like my "require" (or something before it). I read the
> RFC1960 directions for the filter syntax, but I am not sure I should be
> using a filter in the first place. I tried a combination of things but get
> similar error messages. I am replicating the Directory structure of the
> ActiveDirectory server, as it's returned from the LDAPSEARCH command. 
> 
> I would appreciate any help with this. Short of upgrading to Solaris 9 and
> trying with Iplanet C SDK instead, I think I have tried everything.
> 
> Thanks, Amalia
> -----------------------
> Analyst Programmer
> Aberdeen College
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 

