httpd-users mailing list archives
From Alexander Gretencord <aru...@gmx.de>
Subject [users@httpd] Binding and searching in mod_auth_ldap
Date Thu, 13 Sep 2007 18:09:12 GMT
Hi list,

I'd like to authenticate against an active directory via mod_auth_ldap. After 
reading the docs, I tried the following:

AuthType Basic
AuthName "Logon with your DOMAIN Account"
AuthBasicAuthoritative Off
AuthzLDAPAuthoritative off
AuthBasicProvider ldap
AuthLDAPURL ldap://DomainDnsZones.domain.com/DC=domain,DC=com?sAMAccountName?sub?(objectclass=*)

Unfortunately this does not work, because I have to bind to the ldap 
with 'domain\username', but the sAMAccountName attribute only 
contains 'username'. There is no other attribute that includes the 'domain\' 
part either. Binding as 'domain\username' and searching 
for '(&(objectclass=*)(sAMAccountName=username))' via ldapsearch on the 
command line I get the correct results. Trying to bind as only 'username' 
does not work.

You could of course bind to the ldap server with a separate account and search 
for the sAMAccountName of the user, but then I would also have to create a new 
bindable dn, that could manually verify passwords, which is not possible for 
me. Or is there another way?

Is it possible to bind to the AD via mod_auth_ldap without specifying an 
attribute to search for after binding? I would like to define something along 
the lines of:

AuthLDAPUrl ldap://ddz.domain.com/DC=domain,DC=com
AuthLDAPBindDN domain\\%{username}
AuthLDAPFilter (&(objectclass=*)(sAMAccountName=%{username}))

if that was possible. %{username} would then be substituted by the user 
supplied string. Did I miss something in the documentation or is this just 
not possible? Or am I doing something wrong? Is there some standard way of 
binding to an AD without specifying the domain before the username I do not 
know of?


Alex

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
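As an added illustration (not from the poster or the httpd project), the usual way to authenticate Active Directory users with mod_authnz_ldap is the search-then-bind pattern the poster mentions: a read-only service account performs the sAMAccountName search, and the module then re-binds as the DN it found using the password the browser supplied, so no separate "password verifying" DN is needed. The hostnames, the service account "svc-httpd@domain.com", its password, the URL path and the group DN below are placeholders; AD accepts the userPrincipalName form for the service account's simple bind.

```apache
<Location /secure>
    AuthType Basic
    AuthName "Logon with your DOMAIN Account"
    AuthBasicProvider ldap

    # Read-only service account used only for the initial search.
    # (UPN form; a full DN such as CN=svc-httpd,OU=Service,DC=domain,DC=com also works.)
    AuthLDAPBindDN "svc-httpd@domain.com"
    AuthLDAPBindPassword "replace-with-service-account-password"

    # Look the user up by sAMAccountName (the bare login name the browser sends).
    # mod_authnz_ldap then binds again as the DN it found, with the user's own
    # password; that second bind is the actual password check.
    AuthLDAPURL "ldaps://DomainDnsZones.domain.com/DC=domain,DC=com?sAMAccountName?sub?(objectClass=user)"

    # Authorize only members of one AD group instead of every valid account.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=web-users,OU=Groups,DC=domain,DC=com
</Location>
```

Two points worth checking when deploying this: the service account needs nothing beyond read access to the user and group objects, and because its password sits in the httpd configuration, that file should be readable only by root (or split into an include with tight permissions). Using ldaps:// keeps both the service-account bind and the users' passwords off the wire in cleartext, which matters because Basic auth delivers the password to httpd on every request.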

