httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "John" <apa...@jbnet.cns-uk.org>
Subject RE: [users@httpd] OpenLDAP to Active Directory Authentication
Date Tue, 03 May 2005 06:31:50 GMT
Hi,

I experienced the same problem as the one described here, and it turned
out to be the LDAP referrals being sent by Active Directory.

If you bind to cn=Users,dc=ad,dc=company,dc=com, then you are binding to
a container within Active Directory, and everything works fine.

However, if you bind to the root of your domain, i.e. just
dc=ad,dc=company,dc=com, then Active Directory, in addition to the
search results you expected, will also return referrals to the other
directory partitions.

It seems that the referrals that Active Directory returns are causing
the authentication to be rejected.

There are two possible solutions that I know of:

1. Create an organisational unit called something like "All Users" and
make sure all your user accounts are inside this container - that way
you can use ou=all users,dc=ad,dc=company,dc=com as your LDAP path.

2. Disabling referral chasing got the Netscape LDAP SDK to bind to the
root of an Active Directory domain - no idea if the same will be true of
OpenLDAP.

Hope this information helps someone.

Regards,

John


> > -----Original Message-----
> > From: James Massara
> > Sent: Wednesday, December 22, 2004 10:45 AM
> > To: 'users@httpd.apache.org'
> > Subject: RE: [users@httpd] OpenLDAP to Active Directory 
> Authentication
> > 
> > 
> > The search works fine from the Windows ldp tool.  It also 
> works fine 
> > from the OpenLDAP ldapsearch tool:
> > 
> > ldapsearch -h ad.company.com -D
> > 'cn=jmassara,ou=users,dc=ad,dc=company,dc=com' -b 
> > 'DC=ad,DC=company,DC=com' -x -W 
> > "(&(objectClass=user)(!(objectClass=computer)))" sAMAccountName
> > 
> > Details of my setup:
> > 
> > Operating System Gentoo Linux (kernel v2.6.8) OpenLDAP 
> v2.1.30 Apache 
> > HTTPD v2.0.52 using the bundled mod_auth_ldap
> > 
> > My .htaccess file settings are:
> > 
> > AuthName "DI Admin Platform"
> > AuthType Basic
> > AuthLDAPURL
> > ldap://ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?s
> > ub?(&(objectCl
> > ass=user)(!(objectClass=computer)))
> > AuthLDAPBindDN cn=jmassara,ou=users,ou=city,dc=ad,dc=company,dc=com
> > AuthLDAPBindPassword mypasswd
> > 
> > This using this setup generates the following error:
> > 
> > [Wed Dec 22 12:15:46 2004] [warn] [client 10.201.255.254] [1400968] 
> > auth_ldap authenticate: user testuser authentication failed; URI 
> > /aptest/
> > [ldap_search_ext_s() for user failed][Operations error]
> > ldap_search_ext_s: Operations error (1)
> >         additional info: 00000000: LdapErr: DSID-0C0905FF,
> > comment: In order to perform this operation a successful 
> bind must be 
> > completed on the connection., data 0, vece
> > 
> > However, if I change the AuthLDAPURL to this:
> > 
> > AuthLDAPURL
> > ldap://ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAcco
> > untName?sub?(&
> > (objectClass=user)(!(objectClass=computer)))
> > 
> > It works just fine.  This solution doesn't work for me, though, 
> > because the MIS team is moving users out of cn=users and into 
> > ou=users,ou=city_of_office.  And I can't specify multiply 
> AuthLDAPURL 
> > variables to search the possible cities where users might reside.
> > 
> > The part I don't understand is why it complains about 
> binding to the 
> > ADS _unless_ I specify cn=users in the AuthLDAPURL variable.
> > 
> > Thank you for the continued help, very much appreciated.
> > James
> > 
> > > -----Original Message-----
> > > From: Ralf Glauberman [mailto:rglauberman@michaeli-gymnasium.de]
> > > Sent: Wednesday, December 22, 2004 9:18 AM
> > > To: users@httpd.apache.org
> > > Subject: Re: [users@httpd] OpenLDAP to Active Directory
> > Authentication
> > > 
> > > 
> > > perhaps you want to try the following:
> > > go to a windows box in the domain of the ad. there is a 
> tool called 
> > > ldp.exe in the windows 2k resource kit, use this to 
> connect to the 
> > > ad via ldap. bind to the ad, then you can search in the 
> ad just as 
> > > apache would do. if you continue to have problems, 
> perhaps you could 
> > > send a detailed description about your setup.
> > > ralf
> > > 
> > > ----- Original Message -----
> > > From: "James Massara" <james.massara@digitalinsight.com>
> > > To: <users@httpd.apache.org>
> > > Sent: Tuesday, December 21, 2004 8:57 PM
> > > Subject: RE: [users@httpd] OpenLDAP to Active Directory
> > Authentication
> > > 
> > > 
> > > > The bind works when I do:
> > > >
> > > > AuthLDAPURL
> > > > 
> > > 
> > 
> ldap://corp.ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAccount
> > > > Name?s
> > > > ub?(objectClass=user)
> > > >
> > > > But not when I do:
> > > >
> > > > AuthLDAPURL
> > > > 
> > > 
> > 
> ldap://corp.ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?
> > > > (objec
> > > > tClass=user)
> > > >
> > > > That's why the following error seems misleading:
> > > >
> > > > [Wed Dec 15 11:18:10 2004] [error] [client 127.0.0.1] 
> > > > [mod_auth_ldap.c] -
> > > > Error: Operations error
> > > > ldap_search_s: Operations error (1)
> > > >        additional info: 00000000: LdapErr: DSID-0C0905FF,
> > > comment: In
> > > > order
> > > > to perform this operation a successful bind must be
> > completed on the
> > > > connection., data 0, vece
> > > >
> > > > I would try what you suggested but I don't see how I 
> can bind as 
> > > > user@company.com with the module.
> > > >
> > > >> -----Original Message-----
> > > >> From: Covington, Chris [mailto:ccovington@plusone.com]
> > > >> Sent: Tuesday, December 21, 2004 11:40 AM
> > > >> To: users@httpd.apache.org
> > > >> Subject: Re: [users@httpd] OpenLDAP to Active Directory 
> > > >> Authentication
> > > >>
> > > >>
> > > >> > Has anyone experienced/fixed the problem described below?
> > > >>
> > > >> I haven't had direct experience with Apache/LDAP but have
> > > you tried
> > > >> binding with the UPN login?  IE user@company.com?  (or
> > > >> user\@company.com)
> > > >>
> > > >> Chris
> > > >>
> > > >> 
> > > 
> > 
> ---------------------------------------------------------------------
> > > >> The official User-To-User support forum of the Apache 
> HTTP Server 
> > > >> Project. See
> > <URL:http://httpd.apache.org/userslist.html> for more
> > > >> info. To unsubscribe, e-mail: 
> users-unsubscribe@httpd.apache.org
> > > >>    "   from the digest: 
> users-digest-unsubscribe@httpd.apache.org
> > > >> For additional commands, e-mail: users-help@httpd.apache.org
> > > >>
> > > >
> > > > 
> > > 
> > 
> ---------------------------------------------------------------------
> > > > The official User-To-User support forum of the Apache 
> HTTP Server 
> > > > Project. See <URL:http://httpd.apache.org/userslist.html>
> > for more
> > > > info. To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > > >   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > > > For additional commands, e-mail: users-help@httpd.apache.org
> > > > 
> > > 
> > > 
> > > 
> > 
> ---------------------------------------------------------------------
> > > The official User-To-User support forum of the Apache HTTP Server 
> > > Project. See <URL:http://httpd.apache.org/userslist.html> 
> for more 
> > > info.
> > > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > > For additional commands, e-mail: users-help@httpd.apache.org
> > > 
> > 
> > 
> ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server 
> > Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> > 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message