Apache AD / LDAP authentication issues.

Hi.
Please advise if you can.

I'm trying to configure Apache to authenticate against an MS AD server (2008R2)
using LDAP.

I have created a user in AD that is a member of "Users" and nothing
else. I can log into my workstation as this user with the password
I set.

My Apache configuration is as follows:

# Basic authentication with LDAP against MS AD
AuthType Basic
AuthBasicProvider ldap

# AuthLDAPURL specifies the LDAP server IP, port, base DN, scope and filter
# using this format: ldap://host:port/basedn?attribute?scope?filter
# (two space-separated hosts are tried in order; NONE = plain, unencrypted connection)
AuthLDAPURL "ldap://xxx.xxx.32.2:389 xxx.xxx.32.10:389/DC=ad,DC=mydom,DC=com?sAMAccountName?sub?(objectClass=*)" NONE

# The LDAP bind username and password
AuthLDAPBindDN "CN=apache.serverapp04,CN=Users,DC=ad,DC=mydom,DC=com"
AuthLDAPBindPassword passwordxyz

# We want to allow authentication only through LDAP, no fallback
AuthzLDAPAuthoritative on
AuthUserFile /dev/null
# Make sure REMOTE_USER is set to sAMAccountName
AuthLDAPRemoteUserAttribute sAMAccountName

# The name of this authentication realm
AuthName "Restricted Dir [Domain Account]"
# To authenticate single domain users, list them here
require ldap-user "greg.machin"
# To authenticate a domain group, specify the full DN
# AuthLDAPGroupAttributeIsDN on
#require ldap-group CN=acl_secure_exchange,OU=Global Groups,OU=User,DC=frank4dd,DC=com
##### end LDAP #####

When I visit the site I get the expected login prompt, but authentication
fails with my own account.

[Thu Dec 01 15:32:03 2011] [debug] mod_authnz_ldap.c(403): [client xxx.xxx.69.196] [3471] auth_ldap authenticate: using URL ldap://xxx.xxx.32.2:389 xxx.xxx.32.10:389/DC=ad,DC=mydom,DC=com?sAMAccountName?sub?(objectClass=*)
[Thu Dec 01 15:32:03 2011] [info] [client xxx.xxx.69.196] [3471] auth_ldap authenticate: user greg authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
[Thu Dec 01 15:32:03 2011] [error] [client xxx.xxx.69.196] user greg: authentication failure for "/": Password Mismatch

This led me to an issue with the binddn configuration, so I tried ldapsearch:

root@nzhmlwks0091:~# ldapsearch -h 192.168.32.2 -p 389 -D "CN=apache.serverapp04,CN=Users,DC=ad,DC=mydom,DC=com" -w "passwordxyz"
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

So the problem is with the binddn. I configured the new user the same
as another user that is known to be working, a member of "Users" and
"Domain Admins" (I don't want this user to have admin rights if I can
avoid it).

What have I missed, and what should I change to get this working?

Thanks
G
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
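As an added diagnostic, not part of the post or of Apache's own tooling, the stdlib-only Python below decodes the Active Directory sub-code that ldapsearch printed after "data"; the mapping of sub-codes is the standard AD AcceptSecurityContext set, and SAMPLE_OUTPUT is constructed from the lines quoted above.

```python
import re
# Sub-codes Active Directory appends as "data NNN" to a rejected simple bind.
# The LDAP result code is always 49 (invalidCredentials); only the sub-code
# says why. Values are the documented AD AcceptSecurityContext sub-codes.
AD_BIND_SUBCODES = {
    "525": "user not found (bind DN / UPN does not resolve to an object)",
    "52e": "invalid credentials (object exists, password rejected)",
    "530": "logon not permitted at this time (logon-hours restriction)",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password at next logon",
    "775": "account locked out",
}

# Matches the "additional info" diagnostic string; tolerates a mail client
# having wrapped the line after "comment:".
DIAG_RE = re.compile(
    r"(?P<ntstatus>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+),"
    r"\s*comment:\s*(?P<comment>[^,]+),\s*data\s+(?P<data>[0-9A-Fa-f]+)"
)

def decode_ad_bind_error(text: str) -> dict:
    """Parse the AD diagnostic out of ldapsearch or Apache error-log output."""
    m = DIAG_RE.search(text)
    if not m:
        return {"parsed": False}
    data = m.group("data").lower()
    return {
        "parsed": True,
        "comment": m.group("comment").strip(),
        "data": data,
        "meaning": AD_BIND_SUBCODES.get(data, "unknown sub-code"),
    }

def summarize_bind_failure(ldapsearch_output: str) -> str:
    """One-line verdict for a failed `ldapsearch -D ... -w ...` bind."""
    info = decode_ad_bind_error(ldapsearch_output)
    if not info["parsed"]:
        return "bind failed, but no AD diagnostic sub-code was returned"
    return f"data {info['data']}: {info['meaning']}"

# Constructed sample: the ldapsearch output quoted in the post, unwrapped.
SAMPLE_OUTPUT = (
    "ldap_bind: Invalid credentials (49)\n"
    "\tadditional info: 80090308: LdapErr: DSID-0C0903A9, comment: "
    "AcceptSecurityContext error, data 52e, v1db1\n"
)
```

The post's output carries data 52e rather than 525, so the bind DN did resolve to an object and the directory rejected the password itself; a 533 or 775 would instead point at account state rather than the credential.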