httpd-users mailing list archives

From "David Dyer-Bennet" <David.Dyer-Ben...@pinerivercapital.com>
Subject [users@httpd] LDAP authentication against an Active Directory server
Date Mon, 19 May 2008 23:14:54 GMT
I seem to have a somewhat different problem than the ones I find all
over forums and archives (needing an address to bind to to search for
the user).  
 
I'm running Apache httpd 2.0.52 on CENTOS 4.6 (Final).  The Active
Directory server is on Windows 2003 Server.
 
I'm trying to authenticate access to an internal web page (later, many
pages, twiki, subversion, ...) against the active directory.  

(The "*.pinerivercapital.local" names resolve to the internal IP
addresses of the hosts on our internal DNS.)
 
I can search and find users using ldapsearch (using an account with read
privs), like this (password redacted):

----------

$ ldapsearch -x -D "CN=unix.ldapbind,OU=Service Accounts,OU=MPLS,DC=pinerivercapital,DC=local" \
    -w "XXXX" -h prcdc1 -P 3 -b "dc=pinerivercapital,dc=local" \
    "(sAMAccountName=David.dyer-bennet)" cn objectClass sAMAccountName

# extended LDIF
#
# LDAPv3
# base <dc=pinerivercapital,dc=local> with scope sub
# filter: (sAMAccountName=David.dyer-bennet)
# requesting: cn objectClass sAMAccountName 
#

# David Dyer-Bennet, PRC MN Users, MPLS, pinerivercapital.local
dn: CN=David Dyer-Bennet,OU=PRC MN Users,OU=MPLS,DC=pinerivercapital,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: David Dyer-Bennet
sAMAccountName: david.dyer-bennet

----------

This is my .htaccess file for the protected directory:

----------

AuthName "Pine River Capital Windows Logon"
AuthType basic
AuthLDAPEnabled on

AuthLDAPURL "ldap://prcdc1.pinerivercapital.local/dc=pinerivercapital,dc=local?sAMAccountName?sub?(objectClass=user)(objectCategory=person)"
# Special unix ldapbind service
AuthLDAPBindDN "CN=unix.ldapbind,OU=Service Accounts,OU=MPLS,DC=pinerivercapital,DC=local"
AuthLDAPBindPassword "XXXX"

# Non-Authoritative lets it also look in .htpasswd; must config user file

AuthLDAPAuthoritative on
Require valid-user

----------

When I visit that page in Firefox, I'm prompted for username and
password, with the right authentication name.  When I enter my username
(the one I searched for above) and password, I get recycled back to the
authentication dialog, and if I cancel out of that, I get a 401 page.
The error_log says: 

[Mon May 19 16:43:43 2008] [warn] [client 192.168.1.70] [5481] auth_ldap authenticate: user David.Dyer-Bennet authentication failed; URI /ldauth [ldap_search_ext_s() for user failed][Operations error]

I've tried many many variations without getting anything better.

I ran a packet trace on the communication with the AD server, and what I
see there is the search for the username being performed, and succeeding
with exactly one record found:

LDAPMessage searchResEntry(2) "CN=David Dyer-Bennet,OU=PRC MN Users,OU=MPLS,DC=pinerivercapital,DC=local" [1 result]

Then I see a "simple bind request":

LDAPMessage bindRequest(4) simple
messageID: 4
protocolOp: bindRequest (0)
bindRequest
version: 3
name: 
authentication: simple (0)
simple: <MISSING>

And the AD server responds with no matchedDN, and a resultCode of
"success (0)".  Obviously, I think that's the first symptom of my
problem, but I have no idea what the cause is.  I was expecting to see
the DN of the record found by the previous search in the bind request.
(Not sure if the password is passed in cleartext; I kinda hope not.)

Then I see *another* search for the same user record, which fails with
an error saying a bind must be done first ("errorMessage: 00000000:
LdapErr: DSID-0C090627, comment: In order to perform this operation a
successful bind must be completed on the connection., data 0, vece").

I feel like I've been right on the edge of a breakthrough for 2 days,
but it doesn't seem to be happening.  Lots of people with essentially
similar configs are reporting success; the magic thing that makes it
work for most people seems to be having an account to bind to initially,
to perform the user search, and I've got that, and the user search
works.  I can't find cases where the failure happens later, or with the
messages I'm getting.  There seem to be lots of workable variants of the
filter in the ldapURL, and mine exactly matches some I've seen and seems
compatible with others; and the packet trace shows that it *is* finding
the user correctly.

Much as I'd love to blame Microsoft, the packet trace makes it look to
me as though something isn't going right in mod_auth_ldap; most likely
due to my config not being right, though I can't yet rule out a bug
either.  

I'd greatly appreciate any suggestions, pointers, or what-have-you
contributing to getting this figured out!

Note that this system is running CENTOS 4.6, not 5.1.  I just did a
major upgrade to get it to 4.6, it was much further behind previously.
But I need to keep it matching the production systems well enough that
tests here are meaningful, so I can't yet upgrade past 4.6.  

(Sorry about the corporate disclaimer that's about to follow this; for
some reason I couldn't get a response to my subscribe message from my
personal account, and this is holding me up, so I went ahead and
subscribed from the work account.)
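The search-then-bind sequence the post's packet trace walks through, reproduced outside Apache as an added example (this is not code from the post or from httpd). The AuthLDAPURL and bind DN are the post's; the function and class names, the fake directory, the passwords and the sample entries are assumptions made up for the example. It also shows why an empty username or password must be refused before the user bind is sent: an empty DN or password is an anonymous bind, which the directory answers with success(0) exactly as in the trace.

```python
import re

# Added example (not code from the post or from httpd): mod_auth_ldap's search-then-bind
# sequence against a fake directory, offline. URL/DN from the post; names, passwords made up.

AUTH_LDAP_URL = ("ldap://prcdc1.pinerivercapital.local/dc=pinerivercapital,dc=local"
                 "?sAMAccountName?sub?(objectClass=user)(objectCategory=person)")
BIND_DN = "CN=unix.ldapbind,OU=Service Accounts,OU=MPLS,DC=pinerivercapital,DC=local"
SERVICE_PW = "svc-secret"                   # constructed sample value

def parse_auth_ldap_url(url):
    """Split scheme://host/basedn?attribute?scope?filter (RFC 2255 form)."""
    host, _, rest = url.split("://", 1)[1].partition("/")
    parts = (rest.split("?", 3) + ["", "", ""])[:4]
    return {"host": host, "basedn": parts[0], "attribute": parts[1] or "uid",
            "scope": parts[2] or "sub", "filter": parts[3] or "(objectClass=*)"}

def escape_filter_value(value):
    """RFC 4515 escaping: the username is untrusted input from the Authorization header."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_search_filter(cfg, username):
    """AND the URL's filter with (attribute=username), as the httpd docs describe."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"], escape_filter_value(username))

class FakeAD:
    """Mimics the trace in the post: anonymous bind -> success(0), then searches fail."""
    def __init__(self, entries):            # dn -> (password, {lowercase attr: {lowercase values}})
        self.entries, self.bound = entries, None
    def bind(self, dn, password):
        ok = bool(dn and password) and self.entries.get(dn, ("",))[0] == password
        self.bound = dn if ok else None
        return 0 if ok or not (dn and password) else 49   # empty DN/password: anonymous bind
    def search(self, filt):
        if self.bound is None:
            raise RuntimeError("Operations error: a successful bind must be completed first")
        clauses = [(a.lower(), v.lower()) for a, v in re.findall(r"\((\w+)=([^()]*)\)", filt)]
        return [dn for dn, (_, attrs) in self.entries.items()
                if all(v in attrs.get(a, set()) for a, v in clauses)]

def authenticate(directory, cfg, username, password):
    if not username or not password:        # an empty value would turn the user bind
        return False, "empty credentials refused"   # into an anonymous bind that AD accepts
    directory.bind(BIND_DN, SERVICE_PW)     # 1. bind as the service account
    hits = directory.search(user_search_filter(cfg, username))   # 2. find the user's DN
    if len(hits) != 1:
        return False, "expected exactly one entry, got %d" % len(hits)
    ok = directory.bind(hits[0], password) == 0                  # 3. bind as that DN
    directory.bind(BIND_DN, SERVICE_PW)     # 4. restore service binding for later searches
    return ok, hits[0]
```

Escaping matters because the username arrives straight from the browser's Basic-auth header and is spliced into the search filter; a value such as "*)(sAMAccountName=*" finds nothing once escaped.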

