httpd-users mailing list archives

From Jim Garrison <...@athensgroup.com>
Subject [users@httpd] Apache mod_auth_ldap -> Server 2003 Active Dir
Date Fri, 13 Aug 2004 04:19:46 GMT
I'm trying to get Apache's mod_auth_ldap to authenticate against
Windows Server 2003 Active Directory, and the problem seems to be
in the initial bind.

Apache LDAP Config:

> AuthType Basic
> AuthName "Test Area"
> AuthLDAPEnabled on
> AuthLDAPBindDN "cn=ldapQuery,cn=Users,dc=athens,dc=int"
> AuthLDAPBindPassword ldapQuery
> AuthLDAPURL "ldap://triton.athens.int/cn=Users,dc=athens,dc=int?samAccountName?sub?(&(objectCategory=Person)(objectClass=User))"
> require valid-user


Apache Log Error Message:

> auth_ldap authenticate: user testuser authentication failed; 
> 	URI / [LDAP: ldap_simple_bind_s() failed][Invalid credentials]

I've confirmed that I *CAN* bind using the "ldapQuery" user in LDP,
but only in domain mode, not simple mode, which is what I assume
Apache is doing.  When authenticated in LDP as "ldapQuery" the
filter in AuthLDAPURL returns the expected records.

I've scoured Google and there are several messages saying it's easy,
along with several messages describing my problem, but no specific
solutions.

Note, I HAVE tried enabling anonymous binding in Active Directory and
commenting out the AuthLDAPBindDN and AuthLDAPBindPassword lines.
When I do that, the bind is successful but the anonymous user can't
really do much... it gets "Object Not Found".

In order to solve the problem I need either (or both) of two bits
of information:

1) How to get mod_auth_ldap to bind to Win2003 Active Dir using a
    specific user ID; or
2) How to configure Active Dir so that the anonymous user has
    enough permissions to authenticate other users

Obviously, the first answer is preferred.

Thanks in advance

Jim Garrison
jhg@athengroup.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
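
For replaying the same lookup in LDP or another LDAP client, the sketch below (an added example, not part of the original message and not mod_auth_ldap's own code) splits the AuthLDAPURL from the configuration above into its parts and builds the `(&(filter)(attribute=username))` search filter that the module documentation describes. The function names are hypothetical, and the RFC 4515 hex escaping of the login name is this example's choice.

```python
from urllib.parse import unquote

# AuthLDAPURL copied from the configuration in the message above.
AUTH_LDAP_URL = ("ldap://triton.athens.int/cn=Users,dc=athens,dc=int"
                 "?samAccountName?sub?(&(objectCategory=Person)(objectClass=User))")

def parse_auth_ldap_url(url):
    """Split ldap://host[:port]/basedn?attribute?scope?filter into a dict."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("expected an ldap:// or ldaps:// URL")
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    # At most four '?'-separated fields; missing ones become empty strings.
    base, attr, scope, flt = (tail.split("?", 3) + ["", "", ""])[:4]
    flt = unquote(flt) or "(objectClass=*)"       # documented default filter
    if not flt.startswith("("):
        flt = "(" + flt + ")"
    return {
        "tls": scheme == "ldaps",
        "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "base_dn": unquote(base),
        "attribute": attr.split(",")[0] or "uid",  # documented default attribute
        "scope": "one" if scope.lower() == "one" else "sub",  # anything else: sub
        "filter": flt,
    }

def escape_filter_value(value):
    """Escape a login name for use in a search filter (RFC 4515 hex escapes)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def user_search_filter(cfg, username):
    """Combine the URL filter with attribute=username: (&(filter)(attr=user))."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"],
                             escape_filter_value(username))

if __name__ == "__main__":
    cfg = parse_auth_ldap_url(AUTH_LDAP_URL)
    for key, value in cfg.items():
        print(f"{key:10} {value}")
    print("search    ", user_search_filter(cfg, "testuser"))
```
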

