httpd-users mailing list archives

From Josh Burley <jbur...@kuci.org>
Subject Re: [users@httpd] OpenLDAP to Active Directory Authentication
Date Wed, 04 May 2005 04:19:19 GMT
As a followup... what's the proper way to do AuthAuthoritative 
directives? In particular as a workaround for the problem outlined below.

As far as I can tell, a workaround would be to let the first 
AuthLDAPURL in the first container fail, and then try with the other 
container.

Is this possible? Or, is AuthAuthoritative just for switching to a 
*different* authentication mechanism, and cannot be used with the same 
mechanism? If so, can someone supply an example?

Thanks!
.josh

Josh Burley wrote:

> Solution #1 is not an option for us (or so says our AD admin), but 
> solution #2 might be. How did you disable the referral chasing? We 
> are, in fact, using an Active Directory for authentication, sorry if I 
> wasn't clear about that.
>
> I guess I'm still a bit confused about how this works, as well... my 
> understanding is that the binding itself is done with the bind DN and 
> password, which includes the container. And then a search is done off 
> of the AuthLDAPURL. Did you just mean the search results, rather than 
> the bind, or am I getting my terminology confused?
>
> Thanks for the info,
> .josh
>
> John wrote:
>
>> Hi,
>>
>> I experienced the same problem as the one described here, and it turned
>> out to be the LDAP referrals being sent by Active Directory.
>>
>> If you bind to cn=Users,dc=ad,dc=company,dc=com, then you are binding to
>> a container within Active Directory, and everything works fine.
>>
>> However, if you bind to the root of your domain, i.e. just
>> dc=ad,dc=company,dc=com, then Active Directory, in addition to the
>> search results you expected, will also return referrals to the other
>> directory partitions.
>>
>> It seems that the referrals that Active Directory returns are causing
>> the authentication to be rejected.
>>
>> There are two possible solutions that I know of:
>>
>> 1. Create an organisational unit called something like "All Users" and
>> make sure all your user accounts are inside this container - that way
>> you can use ou=all users,dc=ad,dc=company,dc=com as your LDAP path.
>>
>> 2. Disabling referral chasing got the Netscape LDAP SDK to bind to the
>> root of an Active Directory domain - no idea if the same will be true of
>> OpenLDAP.
>>
>> Hope this information helps someone.
>>
>> Regards,
>>
>> John
>>
>>>> -----Original Message-----
>>>> From: James Massara
>>>> Sent: Wednesday, December 22, 2004 10:45 AM
>>>> To: 'users@httpd.apache.org'
>>>> Subject: RE: [users@httpd] OpenLDAP to Active Directory Authentication
>>>>
>>>> The search works fine from the Windows ldp tool.  It also works fine
>>>> from the OpenLDAP ldapsearch tool:
>>>>
>>>> ldapsearch -h ad.company.com -D
>>>> 'cn=jmassara,ou=users,dc=ad,dc=company,dc=com' -b 
>>>> 'DC=ad,DC=company,DC=com' -x -W 
>>>> "(&(objectClass=user)(!(objectClass=computer)))" sAMAccountName
>>>>
>>>> Details of my setup:
>>>>
>>>> Operating System Gentoo Linux (kernel v2.6.8) OpenLDAP v2.1.30 Apache
>>>> HTTPD v2.0.52 using the bundled mod_auth_ldap
>>>>
>>>> My .htaccess file settings are:
>>>>
>>>> AuthName "DI Admin Platform"
>>>> AuthType Basic
>>>> AuthLDAPURL ldap://ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))
>>>> AuthLDAPBindDN cn=jmassara,ou=users,ou=city,dc=ad,dc=company,dc=com
>>>> AuthLDAPBindPassword mypasswd
>>>>
>>>> Using this setup generates the following error:
>>>>
>>>> [Wed Dec 22 12:15:46 2004] [warn] [client 10.201.255.254] [1400968]
>>>> auth_ldap authenticate: user testuser authentication failed; URI
>>>> /aptest/
>>>> [ldap_search_ext_s() for user failed][Operations error]
>>>> ldap_search_ext_s: Operations error (1)
>>>>        additional info: 00000000: LdapErr: DSID-0C0905FF,
>>>> comment: In order to perform this operation a successful bind must be
>>>> completed on the connection., data 0, vece
>>>>
>>>> However, if I change the AuthLDAPURL to this:
>>>>
>>>> AuthLDAPURL ldap://ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))
>>>>
>>>> It works just fine.  This solution doesn't work for me, though,
>>>> because the MIS team is moving users out of cn=users and into
>>>> ou=users,ou=city_of_office.  And I can't specify multiple AuthLDAPURL
>>>> variables to search the possible cities where users might reside.
>>>>
>>>> The part I don't understand is why it complains about binding to the
>>>> ADS _unless_ I specify cn=users in the AuthLDAPURL variable.
>>>>
>>>> Thank you for the continued help, very much appreciated.
>>>> James
>>>>
>>>>> -----Original Message-----
>>>>> From: Ralf Glauberman [mailto:rglauberman@michaeli-gymnasium.de]
>>>>> Sent: Wednesday, December 22, 2004 9:18 AM
>>>>> To: users@httpd.apache.org
>>>>> Subject: Re: [users@httpd] OpenLDAP to Active Directory Authentication
>>>>>
>>>>> perhaps you want to try the following:
>>>>> go to a windows box in the domain of the ad. there is a tool called
>>>>> ldp.exe in the windows 2k resource kit, use this to connect to the
>>>>> ad via ldap. bind to the ad, then you can search in the ad just as
>>>>> apache would do. if you continue to have problems, perhaps you could
>>>>> send a detailed description about your setup.
>>>>> ralf
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "James Massara" <james.massara@digitalinsight.com>
>>>>> To: <users@httpd.apache.org>
>>>>> Sent: Tuesday, December 21, 2004 8:57 PM
>>>>> Subject: RE: [users@httpd] OpenLDAP to Active Directory Authentication
>>>>>
>>>>>> The bind works when I do:
>>>>>>
>>>>>> AuthLDAPURL ldap://corp.ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClass=user)
>>>>>>
>>>>>> But not when I do:
>>>>>>
>>>>>> AuthLDAPURL ldap://corp.ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClass=user)
>>>>>>
>>>>>> That's why the following error seems misleading:
>>>>>>
>>>>>> [Wed Dec 15 11:18:10 2004] [error] [client 127.0.0.1]
>>>>>> [mod_auth_ldap.c] -
>>>>>> Error: Operations error
>>>>>> ldap_search_s: Operations error (1)
>>>>>>       additional info: 00000000: LdapErr: DSID-0C0905FF,
>>>>>> comment: In order to perform this operation a successful bind must be
>>>>>> completed on the connection., data 0, vece
>>>>>>
>>>>>> I would try what you suggested but I don't see how I can bind as
>>>>>> user@company.com with the module.
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Covington, Chris [mailto:ccovington@plusone.com]
>>>>>>> Sent: Tuesday, December 21, 2004 11:40 AM
>>>>>>> To: users@httpd.apache.org
>>>>>>> Subject: Re: [users@httpd] OpenLDAP to Active Directory Authentication
>>>>>>>
>>>>>>>> Has anyone experienced/fixed the problem described below?
>>>>>>>
>>>>>>> I haven't had direct experience with Apache/LDAP but have you tried
>>>>>>> binding with the UPN login?  IE user@company.com?  (or
>>>>>>> user\@company.com)
>>>>>>>
>>>>>>> Chris
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> The official User-To-User support forum of the Apache HTTP Server
>>>>>>> Project. See <URL:http://httpd.apache.org/userslist.html> for more
>>>>>>> info. To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>>>>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>>>>>> For additional commands, e-mail: users-help@httpd.apache.org


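As an added example (not code from the thread, nor from Apache), the following Python parses AuthLDAPURL values like the ones quoted in this thread, builds the per-user search filter that mod_auth_ldap sends before the second bind, and flags a base DN sitting at the domain root, the configuration the thread ties to the "Operations error" on Active Directory. The filter shape and the RFC 2254 escaping are assumed to be equivalent to the 2.0 module's behaviour; the defaults (uid, sub, objectClass=*) follow its documentation.

```python
# Added example, not from the thread or from Apache: parse AuthLDAPURL values
# as mod_auth_ldap reads them (RFC 2255: ldap://host[:port]/basedn?attr?scope?filter),
# build the per-user search filter with RFC 2254 escaping, and flag a base DN at
# the domain root (AD answers a root-scoped subtree search with referrals).
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

# RFC 2254 escaping of the login name spliced into the filter (assumed to match
# the module; without it a crafted username could alter the search filter).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

@dataclass
class AuthLDAPURL:
    host: str
    port: int
    base_dn: str
    attribute: str
    scope: str
    filter: str

def parse_auth_ldap_url(url: str) -> AuthLDAPURL:
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URL: {url}")
    # After the first "?" come attr?scope?filter; missing fields take the
    # module's defaults (uid, sub, objectClass=*) and "base" is read as "sub".
    attr, scope, filt = (parts.query.split("?", 2) + ["", "", ""])[:3]
    scope = scope.lower() if scope.lower() in ("one", "sub") else "sub"
    return AuthLDAPURL(
        host=parts.hostname,
        port=parts.port or (636 if parts.scheme == "ldaps" else 389),
        base_dn=unquote(parts.path.lstrip("/")),
        attribute=attr or "uid", scope=scope,
        filter=filt or "(objectClass=*)")

def user_search_filter(cfg: AuthLDAPURL, username: str) -> str:
    """Filter sent to locate the user's DN before the second (user) bind."""
    return f"(&{cfg.filter}({cfg.attribute}={escape_filter_value(username)}))"

def is_domain_root(base_dn: str) -> bool:
    """True when every RDN is dc=, i.e. the search starts at the naming-context
    root, where Active Directory adds referrals to its other partitions."""
    rdns = [r.strip() for r in base_dn.split(",") if r.strip()]
    return bool(rdns) and all(r.lower().startswith("dc=") for r in rdns)

def check_auth_ldap_url(url: str) -> str:
    return "referral-risk" if is_domain_root(parse_auth_ldap_url(url).base_dn) else "ok"
```

Run against the two URLs from the thread, the domain-root one reports "referral-risk" and the cn=users one "ok"; the escaping also keeps a login such as `*)(cn=*` from widening the search.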