httpd-users mailing list archives

From James Massara <james.mass...@digitalinsight.com>
Subject RE: [users@httpd] OpenLDAP to Active Directory Authentication
Date Tue, 21 Dec 2004 18:11:24 GMT
Has anyone experienced/fixed the problem described below?

> -----Original Message-----
> From: James Massara 
> Sent: Monday, December 20, 2004 1:31 PM
> To: 'users@httpd.apache.org'
> Subject: RE: [users@httpd] OpenLDAP to Active Directory Authentication
> 
> 
> Hi Michael, thanks for the response.  I've tried it with the 
> bundled software and here's my .htaccess file settings:
> 
> AuthName "DI Admin Platform"
> AuthType Basic
> AuthLDAPURL ldap://ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClass=user)
> AuthLDAPBindDN cn=jmassara,ou=users,dc=ad,dc=company,dc=com
> AuthLDAPBindPassword mypasswd
> require valid-user
> 
> I get the same results as described in my original email.
> 
> -----Original Message-----
> From: Michael Mattsson [mailto:apache-list@phrenetic.to] 
> Sent: Monday, December 20, 2004 10:42 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] OpenLDAP to Active Directory Authentication
> 
> 
> Hi!
> 
> If you use the bundled LDAP authentication module you specify 
> in AuthLDAPURL to explicitly search recursively.
> 
> Example:
> AuthLDAPURL ldap://ad.company.com:389/dc=corp,dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClass=user)
> require valid-user
> 
> It's the "sub" keyword that specifies the scope of the 
> search. Please see: 
> http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html for 
> more examples and further documentation.
> 
> //Dri
> 
> Quoting James Massara <james.massara@digitalinsight.com>:
> 
> > Hello,
> >
> > I'm trying to get OpenLDAP based Apache2 modules to authenticate
> > against a Windows 2000 Active Directory Server.  Software used:
> >
> > Operating System Gentoo Linux (kernel v2.6.8)
> > OpenLDAP v2.1.30
> > Apache HTTPD v2.0.52
> > Apache Module ModAuthLDAP from muquit.com v2.12
> > I've also tried the bundled version of mod_auth_ldap that comes with
> > apache2 with the exact same results (described below).
> >
> > Here are my .htaccess file settings for authenticating a user:
> >
> > LDAP_Server ad.company.com
> > LDAP_Port 389
> > Bind_DN "cn=jmassara,ou=users,dc=ad,dc=company,dc=com"
> > Bind_Pass "mypasswd"
> > Base_DN "dc=corp,dc=ad,dc=company,dc=com"
> > UID_Attr sAMAccountName
> >
> > When trying to authenticate I get the following error message:
> >
> > [Wed Dec 15 11:18:10 2004] [error] [client 127.0.0.1] [mod_auth_ldap.c] - Error: Operations error
> > ldap_search_s: Operations error (1)
> >         additional info: 00000000: LdapErr: DSID-0C0905FF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
> >
> > Also, the jmassara user in the Bind_DN setting has full read access
> > throughout the AD tree.  If I change the Base_DN setting to
> > "cn=users,dc=corp,dc=ad,dc=company,dc=com", it works fine.  However,
> > our user accounts are being moved out of "cn=users" to something like
> > "ou=users,ou=city,dc=corp,dc=ad,dc=company,dc=com" so this isn't a
> > viable solution for me.
> >
> > The function the muquit.com apache2 module is using is
> > "ldap_search_s". When I run the same query that the apache2 module
> > uses via ldapsearch it works fine.  I see that the ldapsearch binary
> > uses "ldap_search_ext" to do its searching.  The filter being used is
> > "(sAMAccountName=userid)" -- where userid is the person trying to
> > authenticate.
> >
> > Why does one ldap_search function work fine but the other fail (unless
> > explicitly defining the path to the user accounts)?
> >
> > Any help is greatly appreciated.  Thanks for your time, -James
> >
> > 
 

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
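
Added example, not part of the thread or of any module's source: a Python sketch that splits an AuthLDAPURL of the form host[:port]/basedn?attribute?scope?filter into its fields and builds the per-user search filter with RFC 4515 escaping of the login name. The function names are hypothetical, and the combined "(&filter(attribute=user))" shape is an assumption based on the mod_auth_ldap documentation linked in the thread.

```python
from urllib.parse import unquote

_SPECIAL = "\\*()\x00"  # characters RFC 4515 requires escaping in filter values

def parse_auth_ldap_url(url):
    """Split ldap[s]://host[:port]/basedn?attribute?scope?filter into fields."""
    scheme, sep, rest = url.strip().partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("expected an ldap:// or ldaps:// URL")
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    fields = [unquote(f) for f in tail.split("?", 3)] + [""] * 3
    base_dn, attribute, scope, flt = fields[:4]
    scope = scope.lower() or "sub"          # "sub" searches the whole subtree
    if scope not in ("one", "sub"):         # this sketch rejects anything else
        raise ValueError("unsupported scope %r" % scope)
    return {
        "tls": scheme == "ldaps",           # False: bind password crosses the wire in clear
        "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "base_dn": base_dn,
        "attribute": attribute or "uid",
        "scope": scope,
        "filter": flt or "(objectClass=*)",
    }

def escape_filter_value(value):
    """Escape a user-supplied value so it cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in _SPECIAL else c for c in value)

def user_search_filter(cfg, username):
    """Combine the configured filter with attribute=<escaped login name>."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"],
                             escape_filter_value(username))

# The two URLs quoted in the thread, with the mail client's line wraps removed.
JAMES = "ldap://ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClass=user)"
MICHAEL = "ldap://ad.company.com:389/dc=corp,dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClass=user)"

if __name__ == "__main__":
    for label, url in (("James", JAMES), ("Michael", MICHAEL)):
        cfg = parse_auth_ldap_url(url)
        print(label, cfg["base_dn"], cfg["scope"], user_search_filter(cfg, "jmassara"))
```

Both URLs parse to scope "sub" and differ only in the explicit port and in the base DN (dc=ad,... versus dc=corp,dc=ad,...).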

