httpd-users mailing list archives

From James Massara <james.mass...@digitalinsight.com>
Subject RE: [users@httpd] OpenLDAP to Active Directory Authentication
Date Wed, 22 Dec 2004 18:45:17 GMT
The search works fine from the Windows ldp tool.  It also works fine from
the OpenLDAP ldapsearch tool:

ldapsearch -h ad.company.com -D 'cn=jmassara,ou=users,dc=ad,dc=company,dc=com' -b 'DC=ad,DC=company,DC=com' -x -W "(&(objectClass=user)(!(objectClass=computer)))" sAMAccountName

Details of my setup:

Operating System Gentoo Linux (kernel v2.6.8)
OpenLDAP v2.1.30
Apache HTTPD v2.0.52 using the bundled mod_auth_ldap

My .htaccess file settings are:

AuthName "DI Admin Platform"
AuthType Basic
AuthLDAPURL ldap://ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))
AuthLDAPBindDN cn=jmassara,ou=users,ou=city,dc=ad,dc=company,dc=com
AuthLDAPBindPassword mypasswd

Using this setup generates the following error:

[Wed Dec 22 12:15:46 2004] [warn] [client 10.201.255.254] [1400968]
auth_ldap authenticate: user testuser authentication failed; URI /aptest/
[ldap_search_ext_s() for user failed][Operations error]
ldap_search_ext_s: Operations error (1)
        additional info: 00000000: LdapErr: DSID-0C0905FF, comment: In order
to perform this operation a successful bind must be completed on the
connection., data 0, vece

However, if I change the AuthLDAPURL to this:

AuthLDAPURL ldap://ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))

It works just fine.  This solution doesn't work for me, though, because the
MIS team is moving users out of cn=users and into
ou=users,ou=city_of_office.  And I can't specify multiple AuthLDAPURL
variables to search the possible cities where users might reside.

The part I don't understand is why it complains about binding to the ADS
_unless_ I specify cn=users in the AuthLDAPURL variable.

Thank you for the continued help, very much appreciated.
James
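An added helper, not code from this thread or from the Apache project, for checking an AuthLDAPURL value before it goes into .htaccess. It parses the URL into the host, base DN, attribute, scope and filter fields used above, confirms that the filter's parentheses survived being wrapped across lines, tests whether a given user DN would fall under the configured search base (a base of cn=users stops matching once accounts move to ou=users,ou=city_of_office), and builds a combined (&filter(attr=user)) lookup filter with the login name escaped so a crafted username cannot change the filter's meaning. The sample user DN and the (&filter(attr=user)) combination form are this example's own assumptions; the page does not show how mod_auth_ldap constructs its internal search filter.

```python
import re
from urllib.parse import unquote

SCOPES = ("base", "one", "sub")


def parse_ldap_url(url):
    """Split an LDAP URL in the RFC 2255 form that AuthLDAPURL takes,
    scheme://host[:port]/base_dn?attribute?scope?filter, into its fields.
    Percent-escapes are decoded; an absent or empty trailing field is None."""
    m = re.match(r"^(ldaps?)://([^/]*)/(.*)$", url, re.S)
    if not m:
        raise ValueError("expected ldap://host/base_dn?attribute?scope?filter")
    scheme, hostport, path = m.groups()
    host, _, port = hostport.partition(":")
    # maxsplit=3 keeps any '?' that appears inside the filter itself
    fields = [unquote(f) for f in path.split("?", 3)]
    fields += [""] * (4 - len(fields))
    base_dn, attribute, scope, filt = fields
    if scope and scope not in SCOPES:
        raise ValueError("unknown scope %r" % scope)
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else None,
        "base_dn": base_dn,
        "attribute": attribute or None,
        "scope": scope or None,
        "filter": filt or None,
    }


def filter_is_balanced(filt):
    """Check that an RFC 2254 filter has matching parentheses. Literal parens
    inside values must be encoded as \\28 / \\29 in that syntax, so every bare
    paren is structural and a plain count suffices. Catches the usual damage
    done when a long directive is wrapped across lines in an editor or mail."""
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and filt.startswith("(")


def normalize_dn(dn):
    """Split a DN into RDNs, ignoring whitespace and case (AD compares DNs
    case-insensitively). Backslash-escaped commas are kept inside their RDN."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]


def dn_is_under(dn, base_dn, scope="sub"):
    """True if an entry at `dn` would be reached by a search rooted at
    `base_dn` with the given scope (RFC 2255 scope semantics)."""
    d, b = normalize_dn(dn), normalize_dn(base_dn)
    if len(d) < len(b) or d[-len(b):] != b:
        return False
    extra = len(d) - len(b)          # RDNs below the search base
    if scope == "base":
        return extra == 0
    if scope == "one":
        return extra == 1
    return True


def escape_filter_value(value):
    """Escape RFC 2254 metacharacters in a value placed inside a filter, so a
    login name such as 'x)(objectClass=*' cannot rewrite the search."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def user_search_filter(parsed, username):
    """Combine the configured filter with the per-user attribute match in the
    (&filter(attribute=user)) form assumed by this example."""
    base_filter = parsed["filter"] or "(objectClass=*)"
    return "(&%s(%s=%s))" % (base_filter, parsed["attribute"],
                             escape_filter_value(username))


if __name__ == "__main__":
    # URLs are the two from the thread above; the user DN is constructed.
    common = "?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))"
    root = parse_ldap_url("ldap://ad.company.com/dc=ad,dc=company,dc=com" + common)
    users = parse_ldap_url("ldap://ad.company.com/cn=users,dc=ad,dc=company,dc=com" + common)
    moved = "CN=testuser,OU=users,OU=city_of_office,DC=ad,DC=company,DC=com"
    for label, u in (("domain root", root), ("cn=users", users)):
        print("%-11s base=%s filter_ok=%s finds_moved_user=%s" % (
            label, u["base_dn"], filter_is_balanced(u["filter"]),
            dn_is_under(moved, u["base_dn"], u["scope"])))
    print(user_search_filter(root, "testuser"))
```

Run it as a script to see both URLs evaluated against the constructed user DN; the second reports that a user under ou=users,ou=city_of_office is outside the cn=users base, which is the situation described in the message above. The escaping step is the part worth keeping in any code that builds filters from a request's username.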

> -----Original Message-----
> From: Ralf Glauberman [mailto:rglauberman@michaeli-gymnasium.de] 
> Sent: Wednesday, December 22, 2004 9:18 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] OpenLDAP to Active Directory Authentication
> 
> 
> perhaps you want to try the following:
> go to a windows box in the domain of the ad. there is a tool called ldp.exe
> in the windows 2k resource kit, use this to connect to the ad via ldap. bind
> to the ad, then you can search in the ad just as apache would do. if you
> continue to have problems, perhaps you could send a detailed description
> about your setup.
> ralf
> 
> ----- Original Message ----- 
> From: "James Massara" <james.massara@digitalinsight.com>
> To: <users@httpd.apache.org>
> Sent: Tuesday, December 21, 2004 8:57 PM
> Subject: RE: [users@httpd] OpenLDAP to Active Directory Authentication
> 
> 
> > The bind works when I do:
> >
> > AuthLDAPURL ldap://corp.ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClass=user)
> >
> > But not when I do:
> >
> > AuthLDAPURL ldap://corp.ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClass=user)
> >
> > That's why the following error seems misleading:
> >
> > [Wed Dec 15 11:18:10 2004] [error] [client 127.0.0.1] [mod_auth_ldap.c] -
> > Error: Operations error
> > ldap_search_s: Operations error (1)
> >        additional info: 00000000: LdapErr: DSID-0C0905FF, comment: In order
> > to perform this operation a successful bind must be completed on the
> > connection., data 0, vece
> >
> > I would try what you suggested but I don't see how I can bind as 
> > user@company.com with the module.
> >
> >> -----Original Message-----
> >> From: Covington, Chris [mailto:ccovington@plusone.com]
> >> Sent: Tuesday, December 21, 2004 11:40 AM
> >> To: users@httpd.apache.org
> >> Subject: Re: [users@httpd] OpenLDAP to Active Directory Authentication
> >>
> >>
> >> > Has anyone experienced/fixed the problem described below?
> >>
> >> I haven't had direct experience with Apache/LDAP but have you tried
> >> binding with the UPN login?  IE user@company.com?  (or
> >> user\@company.com)
> >>
> >> Chris
> >>
> >>
> >
> >
> 
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

