From: "Dave Hartburn"
To: users@httpd.apache.org
Date: Thu, 15 Mar 2007 09:53:21 -0000 (GMT)
Subject: [users@httpd] LDAP authentication against AD

Hi,

Can anyone advise on a problem I have authenticating Apache on Linux against an Active Directory server? I cannot authenticate all users in the domain, only users in specific branches.

I've found a few resources online that suggest the following config is correct:

    LoadModule ldap_module modules/mod_ldap.so
    LoadModule auth_ldap_module modules/mod_auth_ldap.so
    AuthLDAPURL ldap://gciad01/OU=Bldg800,DC=Galleon,DC=local?sAMAccountName
    AuthLDAPBindDN CN=Support,CN=Users,DC=Galleon,DC=local
    AuthLDAPBindPassword password_removed
    AuthType Basic
    AuthName "Helpdesk"
    require valid-user

The good news is this works for all users in the organisational unit Bldg800, which is one of the branches under the top-level domain Galleon.local. Users are buried down a subtree, so it can search through a number of levels of structure.

My Active Directory has a number of branches under the top-level domain, another one being a container 'Users'. As I would expect, you cannot log in as a user in 'Users', as it is not part of the Bldg800 OU. If I change the URL to:

    AuthLDAPURL ldap://gciad01/CN=Users,DC=Galleon,DC=local?sAMAccountName

then people in 'Users' can log in, and users in Bldg800 cannot. Again as I would expect.

I thought the next logical step was to set the URL a level higher:

    AuthLDAPURL ldap://gciad01/DC=Galleon,DC=local?sAMAccountName

However, with this set, nobody can log in. The Apache error log reports:

    [Wed Mar 14 17:12:47 2007] [warn] [client 192.168.19.31] [5559] auth_ldap authenticate: user support authentication failed; URI /helpdesk/phpinfo.php [ldap_search_ext_s() for user failed][Invalid DN syntax]

Does anyone know what this error means? It suggests it cannot search down the whole subtree; is this the case? Or is there a general trick to tell LDAP to check all sub-branches of the tree under the top-level directory, something like Galleon.local.*? If not, is it possible to specify more than one URL?

Any help appreciated.

Dave

--
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
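The three AuthLDAPURL values from the post, worked through as an added example that is not part of the original message or of Apache's own code. The script splits each URL into the fields mod_auth_ldap / mod_authnz_ldap read from it (host, port, base DN, attribute, scope, filter), applies the defaults the Apache documentation gives for the omitted fields (attribute uid, scope sub, filter objectClass=*), builds the search filter of the documented shape (&(filter)(attribute=user)) for a login name, and escapes that login name per RFC 4515 so a Basic-auth username such as "*)(sAMAccountName=*" cannot rewrite the filter. It also applies a cheap RFC 4514 shape check to each base DN. The host gciad01 and the DNs are the ones from the post; the function names, the ldaps variant and the hostile login name are constructed for this example, and nothing here contacts a directory server.

```python
"""Added example: what an AuthLDAPURL turns into on the wire (no server contacted)."""
import re
from urllib.parse import urlsplit, unquote

# Defaults the Apache docs give for the optional ?attribute?scope?filter fields.
DEFAULT_ATTRIBUTE = "uid"
DEFAULT_SCOPE = "sub"
DEFAULT_FILTER = "objectClass=*"

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Rough RFC 4514 RDN shape: attribute type (name or OID), '=', non-empty value.
_RDN_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*)=.+$")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot inject LDAP filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url: str) -> dict:
    """Split ldap[s]://host[:port]/basedn?attribute?scope?filter into its fields."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme in {url!r}")
    if not parts.hostname:
        raise ValueError(f"missing host in {url!r}")
    # urlsplit cuts at the first '?', so the remaining '?'-separated fields are in query.
    fields = parts.query.split("?") if parts.query else []
    if len(fields) > 3:
        raise ValueError("AuthLDAPURL takes at most attribute?scope?filter after the DN")
    fields += [""] * (3 - len(fields))
    attribute, scope, filt = (unquote(f) for f in fields)
    scope = scope or DEFAULT_SCOPE
    if scope not in ("one", "sub"):
        raise ValueError(f"scope must be 'one' or 'sub', got {scope!r}")
    filt = filt or DEFAULT_FILTER
    # The module stores the filter without its outer parentheses and re-adds them.
    if filt.startswith("(") and filt.endswith(")"):
        filt = filt[1:-1]
    return {
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "basedn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or DEFAULT_ATTRIBUTE,
        "scope": scope,
        "filter": filt,
    }


def build_search_filter(url_info: dict, login_name: str) -> str:
    """Filter the module sends to find the user: (&(<filter>)(<attribute>=<escaped user>))."""
    return "(&({})({}={}))".format(
        url_info["filter"], url_info["attribute"], escape_filter_value(login_name)
    )


def dn_is_well_formed(dn: str) -> bool:
    """Cheap RFC 4514 shape check: comma-separated RDNs, each 'type=value'."""
    if not dn.strip():
        return False
    rdns = re.split(r"(?<!\\),", dn)  # split on commas that are not escaped
    return all(_RDN_RE.match(rdn.strip()) for rdn in rdns)


if __name__ == "__main__":
    urls = [
        # The three base DNs from the post.
        "ldap://gciad01/OU=Bldg800,DC=Galleon,DC=local?sAMAccountName",
        "ldap://gciad01/CN=Users,DC=Galleon,DC=local?sAMAccountName",
        "ldap://gciad01/DC=Galleon,DC=local?sAMAccountName",
        # Constructed variant with every optional field spelled out over ldaps.
        "ldaps://gciad01/DC=Galleon,DC=local?sAMAccountName?sub?(objectClass=user)",
    ]
    for u in urls:
        info = parse_auth_ldap_url(u)
        print(u)
        print("  port:", info["port"], " scope:", info["scope"], " attribute:", info["attribute"])
        print("  base DN well-formed:", dn_is_well_formed(info["basedn"]))
        print("  filter for 'support':", build_search_filter(info, "support"))
    # A constructed hostile login name: escaping keeps it a literal value.
    hostile = "*)(sAMAccountName=*"
    print("hostile login name ->", build_search_filter(parse_auth_ldap_url(urls[2]), hostile))
    # 'Galleon.local.*' is not a DN at all; the DC= form is what the URL needs.
    print("Galleon.local.* well-formed:", dn_is_well_formed("Galleon.local.*"))
```

Two things worth noticing when running it: without escaping, the constructed login name "*)(sAMAccountName=*" would turn the per-user lookup into a filter matching every account, which is why the module escapes the Basic-auth username before it reaches ldap_search_ext_s(); and the base DN of the failing URL, DC=Galleon,DC=local, passes the same shape check as the two working ones, so the string itself is a syntactically ordinary DN.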