httpd-users mailing list archives

From James Massara <james.mass...@digitalinsight.com>
Subject RE: [users@httpd] OpenLDAP to Active Directory Authentication
Date Mon, 03 Jan 2005 18:59:06 GMT
Does anyone have any insight into this problem?

Thanks,
James

> -----Original Message-----
> From: James Massara 
> Sent: Wednesday, December 22, 2004 10:45 AM
> To: 'users@httpd.apache.org'
> Subject: RE: [users@httpd] OpenLDAP to Active Directory Authentication
> 
> 
> The search works fine from the Windows ldp tool.  It also 
> works fine from the OpenLDAP ldapsearch tool:
> 
> ldapsearch -h ad.company.com -D 'cn=jmassara,ou=users,dc=ad,dc=company,dc=com' -b 'DC=ad,DC=company,DC=com' -x -W "(&(objectClass=user)(!(objectClass=computer)))" sAMAccountName
> 
> Details of my setup:
> 
> Operating System Gentoo Linux (kernel v2.6.8)
> OpenLDAP v2.1.30
> Apache HTTPD v2.0.52 using the bundled mod_auth_ldap
> 
> My .htaccess file settings are:
> 
> AuthName "DI Admin Platform"
> AuthType Basic
> AuthLDAPURL ldap://ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))
> AuthLDAPBindDN cn=jmassara,ou=users,ou=city,dc=ad,dc=company,dc=com
> AuthLDAPBindPassword mypasswd
> 
> Using this setup generates the following error:
> 
> [Wed Dec 22 12:15:46 2004] [warn] [client 10.201.255.254] [1400968] auth_ldap authenticate: user testuser authentication failed; URI /aptest/ [ldap_search_ext_s() for user failed][Operations error]
> ldap_search_ext_s: Operations error (1)
>         additional info: 00000000: LdapErr: DSID-0C0905FF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
> 
> However, if I change the AuthLDAPURL to this:
> 
> AuthLDAPURL ldap://ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))
> 
> It works just fine.  This solution doesn't work for me, 
> though, because the MIS team is moving users out of cn=users 
> and into ou=users,ou=city_of_office.  And I can't specify 
> multiple AuthLDAPURL variables to search the possible cities 
> where users might reside.
> 
> The part I don't understand is why it complains about binding 
> to the ADS _unless_ I specify cn=users in the AuthLDAPURL variable.
> 
> Thank you for the continued help, very much appreciated.
> James
> 
> > -----Original Message-----
> > From: Ralf Glauberman [mailto:rglauberman@michaeli-gymnasium.de]
> > Sent: Wednesday, December 22, 2004 9:18 AM
> > To: users@httpd.apache.org
> > Subject: Re: [users@httpd] OpenLDAP to Active Directory Authentication
> > 
> > 
> > Perhaps you want to try the following:
> > Go to a Windows box in the domain of the AD. There is a tool called
> > ldp.exe in the Windows 2k resource kit, use this to connect to the AD
> > via LDAP. Bind to the AD, then you can search in the AD just as Apache
> > would do. If you continue to have problems, perhaps you could send a
> > detailed description about your setup.
> > ralf
> > 
> > ----- Original Message -----
> > From: "James Massara" <james.massara@digitalinsight.com>
> > To: <users@httpd.apache.org>
> > Sent: Tuesday, December 21, 2004 8:57 PM
> > Subject: RE: [users@httpd] OpenLDAP to Active Directory Authentication
> > 
> > 
> > > The bind works when I do:
> > >
> > > AuthLDAPURL ldap://corp.ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClass=user)
> > >
> > > But not when I do:
> > >
> > > AuthLDAPURL ldap://corp.ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClass=user)
> > >
> > > That's why the following error seems misleading:
> > >
> > > [Wed Dec 15 11:18:10 2004] [error] [client 127.0.0.1] [mod_auth_ldap.c] - Error: Operations error
> > > ldap_search_s: Operations error (1)
> > >        additional info: 00000000: LdapErr: DSID-0C0905FF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
> > >
> > > I would try what you suggested but I don't see how I can bind as
> > > user@company.com with the module.
> > >
> > >> -----Original Message-----
> > >> From: Covington, Chris [mailto:ccovington@plusone.com]
> > >> Sent: Tuesday, December 21, 2004 11:40 AM
> > >> To: users@httpd.apache.org
> > >> Subject: Re: [users@httpd] OpenLDAP to Active Directory Authentication
> > >>
> > >>
> > >> > Has anyone experienced/fixed the problem described below?
> > >>
> > >> I haven't had direct experience with Apache/LDAP but have you tried
> > >> binding with the UPN login?  IE user@company.com?  (or
> > >> user\@company.com)
> > >>
> > >> Chris
> > >>
> > >>
> > >> ---------------------------------------------------------------------
> > >> The official User-To-User support forum of the Apache HTTP Server
> > >> Project. See <URL:http://httpd.apache.org/userslist.html> for more
> > >> info. To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > >>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > >> For additional commands, e-mail: users-help@httpd.apache.org
> > >>

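An added example, not part of the original message: a small Python parser for the AuthLDAPURL format used above (ldap://host[:port]/basedn?attribute?scope?filter), applied to the failing and working URLs from the thread to show that they differ only in the search base. The function names are illustrative and the DN split ignores escaped commas. The domain-root check reflects general Active Directory behaviour (a subtree search at the naming-context root can return search references to other partitions, a common cause of this bind error when the client follows them without credentials) and is an assumption about this setup, not something the thread confirms.

```python
from urllib.parse import unquote

# Both URLs are taken from the thread, with the mail line wraps rejoined.
FAILING = ("ldap://ad.company.com/dc=ad,dc=company,dc=com"
           "?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))")
WORKING = ("ldap://ad.company.com/cn=users,dc=ad,dc=company,dc=com"
           "?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))")


def parse_auth_ldap_url(url):
    """Split ldap://host[:port]/basedn?attribute?scope?filter into fields."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    parts = tail.split("?", 3)            # at most base, attribute, scope, filter
    parts += [""] * (4 - len(parts))      # missing trailing fields become empty
    base, attr, scope, flt = (unquote(p) for p in parts)
    if flt.count("(") != flt.count(")"):
        # A URL broken by a mail or editor line wrap ends mid-filter.
        raise ValueError("unbalanced filter, URL looks wrapped or truncated")
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "base": base,
        "attribute": attr or "uid",          # mod_auth_ldap default
        "scope": scope or "sub",             # mod_auth_ldap default
        "filter": flt or "(objectClass=*)",  # mod_auth_ldap default
    }


def base_is_domain_root(base):
    """True when every RDN is dc=..., i.e. the search starts at the domain root.

    Simplification: splits on ',' and does not handle escaped commas.
    """
    rdns = [r.strip().lower() for r in base.split(",") if r.strip()]
    return bool(rdns) and all(r.startswith("dc=") for r in rdns)


def differing_fields(a, b):
    """Names of the parsed fields whose values differ between two URLs."""
    return sorted(k for k in a if a[k] != b[k])
```
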