httpd-users mailing list archives

From Tom Hart <tomh...@coopfed.org>
Subject Re: [users@httpd] ldap authentication not working
Date Thu, 04 Oct 2007 20:21:32 GMT
It works!

For the record, here's my final setup. I'm using Apache 2.2.x and mod_authnz_ldap with Windows 2003 Server.

<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order deny,allow

    AuthType Basic
    AuthName "Testing LDAP Auth"
    AuthBasicProvider ldap
   
    #AuthLDAPAuthoritative on - this didn't work because it should have been authz not auth, see below

    AuthzLDAPAuthoritative off
   
    #the ldapurl started working better when I hardcoded the ip, and added ou=People to the dn
    AuthLDAPUrl "ldap://192.168.1.171:389/ou=People,dc=coopfed,dc=local?sAMAccountName"

    #the bind account not auth'ing right caused me the original problems with [LDAP: ldap_simple_bind_s() failed][Invalid Credentials]
    AuthLDAPBindDN "cn=cu_apache_auth,cn=Users,dc=coopfed,dc=local"
    AuthLDAPBindPassword "********"

    Require valid-user

</Directory>

I didn't get a lot of responses on this one, but maybe this information 
will help somebody you know.

Tom Hart wrote:
> I'm beginning to believe that the BindDN and BindPassword are 
> incorrect, because it doesn't seem to matter what I type in there, I 
> get the same results. I'm pretty sure I have the DN correct though.
>
> We have an apache service account (account name is cu_apache) in the 
> Users container under our domain coopfed.local. Does the DN seem right?
>
> Tom Hart wrote:
>> Ok, I'm getting a bit closer. Here's what I have now.
>>
>> <Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs">
>>    Options Indexes FollowSymLinks
>>    AllowOverride None
>>    Order deny,allow
>>
>>    AuthType Basic
>>    AuthName "Testing LDAP Auth"
>>    AuthBasicProvider ldap
>>    #AuthLDAPAuthoritative on - still doesn't let apache start
>>
>>    AuthLDAPUrl "ldap://server/?sAMAccountName"
>>    AuthLDAPBindDN "cn=cu_apache,cn=Users,dc=coopfed,dc=local"
>>    AuthLDAPBindPassword "********"
>>
>>    Require valid-user
>>
>> </Directory>
>>
>> Now I get a login box, but when using the admin u/p I get this in 
>> error.log
>>
>> [Thu Oct 04 13:57:10 2007] [warn] [client 192.168.1.207] [6764] auth_ldap authenticate: user administrator authentication failed; URI /test.php [LDAP: ldap_simple_bind_s() failed][Invalid Credentials]
>> [Thu Oct 04 13:57:10 2007] [error] [client 192.168.1.207] user administrator: authentication failure for "/test.php": Password Mismatch
>>
>> I know the login credentials are correct. Is there a better way to 
>> set up LDAPUrl or to see what's trying to authenticate where in the 
>> 2003 AD?
>>
>> Tom Hart wrote:
>>> As a follow-up I realized ldap-user is used to specify a certain 
>>> user aka ldap-user "Joe Smith". However based on the fact that I'm 
>>> not getting prompted for a u/p, and AuthLDAPAuthoritative is 
>>> failing, I believe my problem lies deeper than that. I could be 
>>> wrong of course, just trying to narrow down the search.
>>>
>>> Tom Hart wrote:
>>>> Hi everybody. Thanks to the help of this list I managed to get the 
>>>> auth_ldap module loaded, but now I'm having a little trouble 
>>>> bringing this project to full fruition.
>>>>
>>>> I'm not sure which part of this is failing, and unfortunately I 
>>>> can't seem to find where I can see any type of log info about ldap 
>>>> access attempts, whether they're even happening, or why apache won't 
>>>> start with AuthLDAPAuthoritative on.
>>>>
>>>> Any ideas? Here's my main directory chunk from httpd.conf
>>>>
>>>> <Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs">
>>>>    Options Indexes FollowSymLinks
>>>>    AllowOverride None
>>>>    Order allow,deny
>>>>
>>>>    #AuthLDAPAuthoritative on - apache won't start with this enabled
>>>>
>>>>    AuthType Basic
>>>>    AuthName "Testing LDAP Auth"
>>>>    AuthBasicProvider ldap
>>>>
>>>>    AuthLDAPUrl "ldap://192.168.1.171:389/ou=People,dc=coopfed,dc=local"
>>>>    AuthLDAPBindDN "cn=tomhart,ou=people,dc=coopfed,dc=local"
>>>>    AuthLDAPBindPassword ********
>>>>
>>>>    Require ldap-user
>>>>
>>>> </Directory>
>>>>
>>>> Also, I'm not sure how important this is but I'm using windows 2003 
>>>> server.
>>>>
>>>> ---------------------------------------------------------------------
>>>> The official User-To-User support forum of the Apache HTTP Server 
>>>> Project.
>>>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>


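An added example, not part of the message above or of the Apache project's code: a Python check that parses a `<Directory>` block and its `AuthLDAPUrl` (`scheme://host:port/basedn?attribute?scope?filter`) and reports the misconfigurations the thread worked through, plus the unencrypted `ldap://` transport that the final setup still uses. The host, DNs, document root and finding names are constructed for illustration.

```python
import re
import shlex

URL_RE = re.compile(r'^(ldaps?)://([^/?]*)(?:/([^?]*))?(?:\?(.*))?$', re.I)

def parse_ldap_url(url):
    """Split scheme://host:port/basedn?attribute?scope?filter into a dict."""
    m = URL_RE.match(url)
    if not m:
        raise ValueError("not an ldap:// or ldaps:// URL: %r" % url)
    scheme, host, base, rest = m.groups()
    fields = (rest or "").split("?") + ["", "", ""]
    return {"scheme": scheme.lower(), "host": host, "base_dn": base or "",
            "attribute": fields[0], "scope": fields[1], "filter": fields[2]}

def lint(conf):
    """Return finding codes for one <Directory> block of httpd.conf text."""
    d = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            words = shlex.split(line)
            d[words[0].lower()] = words[1:]
    findings = []
    url_args = d.get("authldapurl")
    if not url_args:
        return ["no-ldap-url"]
    url = parse_ldap_url(url_args[0])
    mode = url_args[1].upper() if len(url_args) > 1 else "NONE"
    if url["scheme"] == "ldap" and mode == "NONE":
        findings.append("cleartext-ldap")         # passwords cross the wire unencrypted
    if not url["base_dn"]:
        findings.append("empty-base-dn")          # no subtree to search under
    if not url["attribute"]:
        findings.append("default-uid-attribute")  # uid is the default; AD logins use sAMAccountName
    req = d.get("require") or [""]
    if req[0].lower() == "ldap-user" and len(req) < 2:
        findings.append("ldap-user-without-name")
    return findings

# Constructed samples modelled on the three attempts in the thread (hypothetical names).
TEMPLATE = '''<Directory "/var/www/html">
    AuthBasicProvider ldap
    AuthLDAPUrl "{url}"
    AuthLDAPBindDN "cn=svc_apache,cn=Users,dc=example,dc=test"
    Require {require}
</Directory>'''
FIRST = TEMPLATE.format(url="ldap://dc.example.test:389/ou=People,dc=example,dc=test", require="ldap-user")
SECOND = TEMPLATE.format(url="ldap://dc.example.test/?sAMAccountName", require="valid-user")
FINAL = TEMPLATE.format(url="ldap://dc.example.test:389/ou=People,dc=example,dc=test?sAMAccountName", require="valid-user")
```

Run `lint()` over each sample to see which findings remain at each stage; only `cleartext-ldap` is left for the final form.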