httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "De Filippo Andrea" <Andrea.DeFili...@mail.wind.it>
Subject [users@httpd] R: [users@httpd] R: [users@httpd] Apache2 authenticating via LDAP on Active Directory
Date Mon, 23 Jun 2008 09:59:25 GMT
I have also tried to install Apache2-AuthenMSAD-0.02 <http://search.cpan.org/~reggers/Apache2-AuthenMSAD-0.02/>
 perl module:

 

Inserting these lines in /etc/apache2/sites-enabled/000-default:

 

<Directory /var/www/prova>

    # Authentication Realm and Type (only Basic supported)

 

    AuthName "Microsoft Active Directory Authentication"

    AuthType Basic

 

    # Authentication  method/handler

 

    PerlAuthenHandler Apache2::AuthenMSAD

 

    # The Microsoft Active Directory Domain Name must be set

    # The Active Directory Server Name will default to the domain.

 

    PerlSetVar MSADDomain MyDomain

    PerlSetVar MSADServer MyKdcServer

 

    # Require lines can be any of the following -- any user, one of a list

 

    require valid-user

    #require user joe mary tom

 

  </Directory>

 

 

But I have this error on /var/log/apache2/error.log:

 

[Mon Jun 23 11:47:07 2008] [error] access to /prova/index.html failed for  "MyIP", reason:
user - Active Directory Authen Failed

 

I don't know what else to do .

 

Ciao

 

 

________________________________

Da: De Filippo Andrea [mailto:Andrea.DeFilippo@mail.wind.it] 
Inviato: venerdì 20 giugno 2008 10.16
A: users@httpd.apache.org
Oggetto: [users@httpd] R: [users@httpd] Apache2 authenticating via LDAP on Active Directory

 

I have tried with this conf: 

<Directory /var/www/prova>

  #LDAP Authentication

                    AllowOverride all

                    AuthName "Autenticazione utente"

                    AuthType Basic

                    #AuthLDAPEnabled on                   Is commented because if enabled
I have an error when restart apache

                    AuthBasicAuthoritative off

                    AuthBasicProvider ldap

                    AuthLDAPURL ldap://gc2kwive01:389/dc=wind,dc=root,DC=it?sAMAccountName?sub?(objectClass=user)

                    AuthLDAPBindDN "CN=*****,OU=Privileged,OU=Office,OU=Wind,DC=wind,DC=root,DC=it"

                    AuthLDAPBindPassword "My password"

                    require valid-user

  </Directory>

 

also changing the port as you suggest, 

 

but I have thi error:

 

[Fri Jun 20 09:43:00 2008] [warn] [client 10.73.5.119] [26287] auth_ldap authenticate: user
windroot\\***** authentication failed; URI /prova/index.html [LDAP: ldap_simple_bind_s() failed][Invalid
credentials]

[Fri Jun 20 09:43:00 2008] [error] [client 10.73.5.119] user windroot\\*****: authentication
failure for "/prova/index.html": Password Mismatch

 

Trying Generic and Simple with ldp (windows) I have noticed this:

 

res = ldap_simple_bind_s(ld, 'de filippo', <unavailable>); // v.3

Error <49>: ldap_simple_bind_s() failed: Credenziali non valide

Server error: <empty>

res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 128); // v.3

         {NtAuthIdentity: User=*****; Pwd= <unavailable>; domain = 'windroot'.}

Authenticated as dn:'*****'.

 

The problem is ldap_simple_bind_s ?

 

If I try to bind via php5 with ldap_connect and ldap_bind functions, all works fine !

 

Help me !

________________________________________

Da: David Dyer-Bennet [mailto:David.Dyer-Bennet@pinerivercapital.com] 

Inviato: giovedì 19 giugno 2008 18.34

A: users@httpd.apache.org

Oggetto: RE: [users@httpd] Apache2 authenticating via LDAP on Active Directory

 

 

 De Filippo Andrea [mailto:Andrea.DeFilippo@mail.wind.it]  said: 

 

My question is how to authenticate apache2 via LDAP on Active Directory.

 

This is my configuration in /etc/apache2/sites-enabled/000-default:

 

# LDAP Authentication

    LDAPSharedCacheSize 200000

    LDAPCacheEntries 1024

    LDAPCacheTTL 600

    LDAPOpCacheEntries 1024

    LDAPOpCacheTTL 600

    <Location /prova>

            Options Indexes FollowSymLinks

           #AllowOverride None

            order allow,deny

            Allow from all

            AuthType Basic

            AuthName "Autenticazione utente"

            AuthBasicAuthoritative off

            AuthBasicProvider ldap

            AuthzLDAPAuthoritative off

            AuthLDAPURL ldap://gc2kwive01:389/dc=wind,dc=root,DC=it?sAMAccountName?sub?(objectClass=user)

            require valid-user

    </Location>

 

But I have this error in /var/log/apache2/error.log:

[Thu Jun 19 12:54:30 2008] [warn] [client 10.73.5.119] [22817] auth_ldap authenticate: user
windroot\\de filippo authentication failed; URI /prova/index.html [User not found][No such
object]

[Thu Jun 19 12:54:30 2008] [crit] [client 10.73.5.119] configuration error:  couldn't check
user.  No user file?: /prova/index.html

 

I'm still fighting with some of my Active Directory authentication needs, but I did get my
subversion repository working correctly, so maybe what I have here will help.

 

AD needs you to bind before it lets you search.  Also, it sometimes segments the information
weirdly and uses redirects weirdly, so you sometimes have to use port 3268 which is a magic
merged global view of the directory.

 

So here's what I have currently working, with obvious secret stuff overwritten:

 

 

   AuthName "Pine River Capital Windows Logon"

   AuthType basic

   AuthLDAPEnabled on

   AuthLDAPURL "ldap://dc1.ourinternaldomain.local:3268/dc=pinerivercapital,dc=local?sAMAccountName?sub?(objectClass=user)(objectCategory=person)"

   # Suitable user with read access

   AuthLDAPBindDN "CN=accounttobindwith,OU=Service Accounts,OU=MPLS,DC=pinerivercapital,DC=local"

   AuthLDAPBindPassword "itsasecret"

   # Non-Authoritative lets it also look in .htpasswd; must config user file

   AuthLDAPAuthoritative off

   #AuthLDAPGroupAttributeIsDN on

   AuthUserFile /home/svn/access/users

   Require valid-user

 
 
Le informazioni contenute in questo messaggio di posta elettronica e in ogni
eventuale documento allegato sono riservate, potrebbero essere coperte dal
segreto professionale e possono essere utilizzate esclusivamente dal
destinatario sopra indicato. Ogni divulgazione o copia di questo messaggio o
dei suoi eventuali allegati non autorizzata, cosi' come ogni uso o
divulgazione delle informazioni negli stessi contenute, sono da considerarsi
come vietate e potrebbero costituire violazione delle normative ivi
applicabili.  Se ricevete questo messaggio per errore Vi preghiamo di
volerci avvertire immediatamente tramite posta elettronica o telefonicamente
e di cancellare il presente messaggio e ogni documento ad esso allegato dal
Vostro sistema. Vi informiamo che svolgiamo ogni attivita' finalizzata a
proteggere la nostra rete da virus e non ci assumiamo alcuna responsabilita'
in ordine a possibili virus che possano essere trasferiti con la presente mail.
Grazie.
 
*****************
 
The information contained in this e-mail and in any file transmitted with it
is confidential and may be privileged for the sole use of the designated
addressee. Any unauthorized dissemination or copying of this e-mail or its
attachments, and any use or disclosure of any information contained in them,
is strictly prohibited and may be illegal. If you are not the designated
addressee, please notify the sender immediately by e-mail or by telephone
and delete this e-mail and any file transmitted with it from your system.
We make every effort to keep our network free from viruses and take no
responsibility for any computer virus which might be transferred by way of this
e-mail.
Thank you.
--- 

The contents of this message and its attachments, if any, are meant for the sole use of the
intended recipient and may be confidential, privileged, or otherwise protected from disclosure.
If you are not the intended recipient of this message or have received this message in error,
please delete it, immediately alert the sender by reply e-mail, and do not read, disclose,
distribute, or otherwise use the information contained herein. If this message was misdirected,
neither Pine River nor its affiliates waives any confidentiality or privilege. Pine River
retains and monitors e-mail communications sent through its network. This e-mail does not
constitute or form part of any offer or invitation to sell, or the solicitation of an offer
to purchase any investment and is provided for information purposes only. Pine River believes
that the information it provides is accurate and complete as at the date of publication, but
does not grant any warranty of such and neither Pine River nor its affiliates accepts any
liability in respect of errors or omissions. Past performance is not necessarily a guide to
future results.

--- 


Mime
View raw message