httpd-users mailing list archives

From James Massara <james.mass...@digitalinsight.com>
Subject RE: [users@httpd] OpenLDAP to Active Directory Authentication
Date Mon, 20 Dec 2004 21:31:20 GMT
Hi Michael, thanks for the response.  I've tried it with the bundled
software and here are my .htaccess file settings:

AuthName "DI Admin Platform"
AuthType Basic
AuthLDAPURL ldap://ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClass=user)
AuthLDAPBindDN cn=jmassara,ou=users,dc=ad,dc=company,dc=com
AuthLDAPBindPassword mypasswd
require valid-user

I get the same results as described in my original email.

-----Original Message-----
From: Michael Mattsson [mailto:apache-list@phrenetic.to] 
Sent: Monday, December 20, 2004 10:42 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] OpenLDAP to Active Directory Authentication


Hi!

If you use the bundled LDAP authentication module, you specify in AuthLDAPURL
to explicitly search recursively.

Example:
AuthLDAPURL ldap://ad.company.com:389/dc=corp,dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClass=user)
require valid-user

It's the "sub" keyword that specifies the scope of the search. Please see:
http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html for more examples
and further documentation.

//Dri

Quoting James Massara <james.massara@digitalinsight.com>:

> Hello,
>
> I'm trying to get OpenLDAP based Apache2 modules to authenticate 
> against a Windows 2000 Active Directory Server.  Software used:
>
> Operating System Gentoo Linux (kernel v2.6.8)
> OpenLDAP v2.1.30
> Apache HTTPD v2.0.52
> Apache Module ModAuthLDAP from muquit.com v2.12
> I've also tried the bundled version of mod_auth_ldap that comes with 
> apache2 with the exact same results (described below).
>
> Here are my .htaccess file settings for authenticating a user:
>
> LDAP_Server ad.company.com
> LDAP_Port 389
> Bind_DN "cn=jmassara,ou=users,dc=ad,dc=company,dc=com"
> Bind_Pass "mypasswd"
> Base_DN "dc=corp,dc=ad,dc=company,dc=com"
> UID_Attr sAMAccountName
>
> When trying to authenticate I get the following error message:
>
> [Wed Dec 15 11:18:10 2004] [error] [client 127.0.0.1] 
> [mod_auth_ldap.c] -
> Error: Operations error
> ldap_search_s: Operations error (1)
>         additional info: 00000000: LdapErr: DSID-0C0905FF, comment: In order
> to perform this operation a successful bind must be completed on the
> connection., data 0, vece
>
> Also, the jmassara user in the Bind_DN setting has full read access 
> throughout the AD tree.  If I change the Base_DN setting to 
> "cn=users,dc=corp,dc=ad,dc=company,dc=com", it works fine.  However, 
> our user accounts are being moved out of "cn=users" to something like 
> "ou=users,ou=city,dc=corp,dc=ad,dc=company,dc=com" so this isn't a 
> viable solution for me.
>
> The function the muquit.com apache2 module is using is 
> "ldap_search_s". When I run the same query that the apache2 module 
> uses via ldapsearch it works fine.  I see that the ldapsearch binary 
> uses "ldap_search_ext" to do its searching.  The filter being used is 
> "(sAMAccountName=userid)" -- where userid is the person trying to 
> authenticate.
>
> Why does one ldap_search function work fine but the other fail (unless 
> explicitly defining the path to the user accounts)?
>
> Any help is greatly appreciated.  Thanks for your time, -James
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server 
> Project. See <URL:http://httpd.apache.org/userslist.html> for more 
> info. To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
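
Added example, not part of either message and not Apache code: a small Python parser for the AuthLDAPURL layout used in this thread (host:port/basedn?attribute?scope?filter), applying the defaults the mod_auth_ldap documentation gives for omitted fields, run over the two URLs quoted above. The function names, the checks in `review`, and the use of the original Base_DN as the expected search base are assumptions made for illustration.

```python
from dataclasses import dataclass

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
# The two URLs from the messages above, with the mail line-wrapping undone.
JAMES_URL = "ldap://ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClass=user)"
MICHAEL_URL = "ldap://ad.company.com:389/dc=corp,dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClass=user)"
ORIGINAL_BASE_DN = "dc=corp,dc=ad,dc=company,dc=com"  # Base_DN from the first message

@dataclass
class AuthLDAPURL:
    scheme: str
    host: str
    port: int
    base_dn: str
    attribute: str
    scope: str
    ldap_filter: str

def parse_auth_ldap_url(url: str) -> AuthLDAPURL:
    """Split scheme://host:port/basedn?attribute?scope?filter, applying module defaults."""
    scheme, sep, rest = url.strip().partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an ldap:// or ldaps:// URL: {url!r}")
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    # The filter may itself contain '?', so split at most three times.
    base_dn, attribute, scope, ldap_filter = (tail.split("?", 3) + [""] * 3)[:4]
    return AuthLDAPURL(
        scheme, host, int(port) if port else DEFAULT_PORTS[scheme], base_dn,
        attribute.split(",")[0] or "uid",              # only the first attribute is used
        "one" if scope.lower() == "one" else "sub",    # omitted or "base" falls back to "sub"
        ldap_filter or "(objectClass=*)",
    )

def normalize_dn(dn: str) -> str:
    # Simplified comparison: ignores case and spacing, does not handle escaped commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def review(url: str, expected_base: str) -> list[str]:
    """Return findings a reviewer would raise for one AuthLDAPURL value."""
    u = parse_auth_ldap_url(url)
    findings = []
    if u.scheme == "ldap":
        findings.append("ldap:// is unencrypted unless TLS is configured separately")
    if u.scope == "one":
        findings.append("scope 'one' searches only direct children of the base DN")
    if normalize_dn(u.base_dn) != normalize_dn(expected_base):
        findings.append(f"search base {u.base_dn!r} differs from expected {expected_base!r}")
    return findings

if __name__ == "__main__":
    for name, url in (("James", JAMES_URL), ("Michael", MICHAEL_URL)):
        print(name, parse_auth_ldap_url(url), review(url, ORIGINAL_BASE_DN))
```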


