RE: [users@httpd] OpenLDAP to Active Directory Authentication

I'm having the exact same problem that was described on December 22nd (and described below).

Has anyone else seen this problem? Is there a workaround, or a solution? I also turned on LogLevel debug. The AuthLDAPURL is being parsed correctly... Is there any debugging info I can offer?

.josh

Does anyone have any insight into this problem?

Thanks,
James

-----Original Message-----
From: James Massara
Sent: Wednesday, December 22, 2004 10:45 AM
To: 'users@xxxxxxxxxxxxxxxx'
Subject: RE: [users@httpd] OpenLDAP to Active Directory Authentication


The search works fine from the Windows ldp tool. It also works fine from the OpenLDAP ldapsearch tool:

ldapsearch -h ad.company.com -D 'cn=jmassara,ou=users,dc=ad,dc=company,dc=com' -b 'DC=ad,DC=company,DC=com' -x -W "(&(objectClass=user)(!(objectClass=computer)))" sAMAccountName

Details of my setup:

Operating System Gentoo Linux (kernel v2.6.8)
OpenLDAP v2.1.30
Apache HTTPD v2.0.52 using the bundled mod_auth_ldap

My .htaccess file settings are:

AuthName "DI Admin Platform"
AuthType Basic
AuthLDAPURL ldap://ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))
AuthLDAPBindDN cn=jmassara,ou=users,ou=city,dc=ad,dc=company,dc=com
AuthLDAPBindPassword mypasswd

Using this setup generates the following error:

[Wed Dec 22 12:15:46 2004] [warn] [client 10.201.255.254] [1400968] auth_ldap authenticate: user testuser authentication failed; URI /aptest/ [ldap_search_ext_s() for user failed][Operations error]
ldap_search_ext_s: Operations error (1)
additional info: 00000000: LdapErr: DSID-0C0905FF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

However, if I change the AuthLDAPURL to this:

AuthLDAPURL ldap://ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))

It works just fine. This solution doesn't work for me, though, because the MIS team is moving users out of cn=users and into ou=users,ou=city_of_office. And I can't specify multiple AuthLDAPURL variables to search the possible cities where users might reside.

The part I don't understand is why it complains about binding to the ADS _unless_ I specify cn=users in the AuthLDAPURL variable.

Thank you for the continued help, very much appreciated.
James
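As an added illustration (not part of the thread), here is a small Python check that parses both AuthLDAPURL values from the message above into the fields RFC 2255 defines and flags the one difference that matters for this error: the failing URL roots a subtree search at the domain naming context, which Active Directory answers with referrals to its child partitions, and a client library that chases such a referral opens a fresh connection without re-binding, so AD rejects the now-anonymous search with the "successful bind must be completed" message quoted above. The missing-scope and missing-attribute defaults are taken from the module documentation as I recall it and are marked as assumptions in the comments.

```python
from urllib.parse import unquote

# Both URLs are copied from James's post, with the mail client's line wraps rejoined.
FAILING_URL = ("ldap://ad.company.com/dc=ad,dc=company,dc=com"
               "?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))")
WORKING_URL = ("ldap://ad.company.com/cn=users,dc=ad,dc=company,dc=com"
               "?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))")

def parse_ldap_url(url):
    """Split an RFC 2255 LDAP URL (ldap://host[:port]/dn?attrs?scope?filter) into parts.
    The tail is split by hand rather than with urlsplit, because the filter's own
    '&', '!' and '=' characters would otherwise be misread as a query string."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    host, _, tail = rest.partition("/")
    fields = tail.split("?", 3)                  # dn, attrs, scope, filter
    fields += [""] * (4 - len(fields))
    dn, attrs, scope, filt = (unquote(f) for f in fields)
    return {
        "host": host,
        "base": dn,
        # assumption: mod_auth_ldap uses only the first listed attribute, uid if none
        "attribute": attrs.split(",")[0] if attrs else "uid",
        "scope": scope.lower() or "sub",         # assumption: missing scope means subtree
        "filter": filt or "(objectClass=*)",     # RFC 2255 default filter
    }

def is_naming_context_root(base_dn):
    """True when every RDN is dc=, i.e. the base is the domain naming context itself
    rather than a container or OU beneath it. (Plain split; escaped commas ignored.)"""
    rdns = [r.strip().lower() for r in base_dn.split(",") if r.strip()]
    return bool(rdns) and all(r.startswith("dc=") for r in rdns)

def check_auth_ldap_url(url):
    """Return a list of findings for an AuthLDAPURL; an empty list means nothing to flag."""
    info = parse_ldap_url(url)
    findings = []
    if info["scope"] == "sub" and is_naming_context_root(info["base"]):
        findings.append("subtree search rooted at domain NC %s: AD returns referrals "
                        "to child partitions, and a chased referral goes out on a new, "
                        "unbound connection" % info["base"])
    if info["scope"] == "base":
        findings.append("scope 'base' is not supported by mod_auth_ldap")
    return findings

if __name__ == "__main__":
    for u in (FAILING_URL, WORKING_URL):
        print(u, "->", check_auth_ldap_url(u) or ["ok"])
```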

> -----Original Message-----
> From: Ralf Glauberman [mailto:rglauberman@xxxxxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, December 22, 2004 9:18 AM
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re: [users@httpd] OpenLDAP to Active Directory Authentication
>
> perhaps you want to try the following:
> go to a windows box in the domain of the ad. there is a tool called ldp.exe
> in the windows 2k resource kit, use this to connect to the ad via ldap. bind
> to the ad, then you can search in the ad just as apache would do. if you
> continue to have problems, perhaps you could send a detailed description
> about your setup.
> ralf
>
> ----- Original Message -----
> From: "James Massara" <james.massara@xxxxxxxxxxxxxxxxxx>
> To: <users@xxxxxxxxxxxxxxxx>
> Sent: Tuesday, December 21, 2004 8:57 PM
> Subject: RE: [users@httpd] OpenLDAP to Active Directory Authentication
> >
> > The bind works when I do:
> >
> > AuthLDAPURL
> > ldap://corp.ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClass=user)
> >
> > But not when I do:
> >
> > AuthLDAPURL
> > ldap://corp.ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClass=user)
> >
> > That's why the following error seems misleading:
> >
> > [Wed Dec 15 11:18:10 2004] [error] [client 127.0.0.1]
> > [mod_auth_ldap.c] -
> > Error: Operations error
> > ldap_search_s: Operations error (1)
> > additional info: 00000000: LdapErr: DSID-0C0905FF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
> >
> > I would try what you suggested but I don't see how I can bind as
> > user@xxxxxxxxxxx with the module.
> >
> >> -----Original Message-----
> >> From: Covington, Chris [mailto:ccovington@xxxxxxxxxxx]
> >> Sent: Tuesday, December 21, 2004 11:40 AM
> >> To: users@xxxxxxxxxxxxxxxx
> >> Subject: Re: [users@httpd] OpenLDAP to Active Directory Authentication
> >>
> >>
> >> > Has anyone experienced/fixed the problem described below?
> >>
> >> I haven't had direct experience with Apache/LDAP but have you tried
> >> binding with the UPN login?  IE user@xxxxxxxxxxx?  (or
> >> user\@company.com)
> >>
> >> Chris
> >>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

