I guess I'm still a bit confused about how this works, as well... my understanding is that the binding itself is done with the bind DN and password, which includes the container. And then a search is done off of the AuthLDAPURL. Did you just mean the search results, rather than the bind, or am I getting my terminology confused.
Thanks for the info, .josh John wrote:
Hi, I experienced the same problem as the one described here, and it turned out to be the LDAP referrals being sent by Active Directory. If you bind to cn=Users,dc=ad,dc=company,dc=com, then you are binding to a container within Active Directory, and everything works fine. However, if you bind to the root of your domain, i.e. just dc=ad,dc=company,dc=com, then Active Directory, in addition to the search results you expected, will also return referrals to the other directory partitions. It seems that the referrals that Active Directory returns are causing the authentication to be rejected. There are two possible solutions that I know of: 1. Create an organisational unit called something like "All Users" and make sure all your user accounts are inside this container - that way you can use ou=all users,dc=ad,dc=company,dc=com as your LDAP path. 2. Disabling referral chasing got the Netscape LDAP SDK to bind to the root of an Active Directory domain - no idea if the same will be true of OpenLDAP. Hope this information helps someone. Regards, John-----Original Message----- From: James Massara Sent: Wednesday, December 22, 2004 10:45 AM To: 'users@xxxxxxxxxxxxxxxx'Subject: RE: [users@httpd] OpenLDAP to Active DirectoryAuthenticationThe search works fine from the Windows ldp tool. It alsoworks finev2.1.30 Apachefrom the OpenLDAP ldapsearch tool: ldapsearch -h ad.company.com -D'cn=jmassara,ou=users,dc=ad,dc=company,dc=com' -b 'DC=ad,DC=company,DC=com' -x -W "(&(objectClass=user)(!(objectClass=computer)))" sAMAccountNameDetails of my setup:Operating System Gentoo Linux (kernel v2.6.8) OpenLDAPbind must beHTTPD v2.0.52 using the bundled mod_auth_ldap My .htaccess file settings are: AuthName "DI Admin Platform" AuthType Basic AuthLDAPURL ldap://ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?s ub?(&(objectCl ass=user)(!(objectClass=computer))) AuthLDAPBindDN cn=jmassara,ou=users,ou=city,dc=ad,dc=company,dc=com AuthLDAPBindPassword mypasswd This using this setup generates the following error:[Wed Dec 22 12:15:46 2004] [warn] [client 10.201.255.254] [1400968] auth_ldap authenticate: user testuser authentication failed; URI /aptest/[ldap_search_ext_s() for user failed][Operations error] ldap_search_ext_s: Operations error (1) additional info: 00000000: LdapErr: DSID-0C0905FF,comment: In order to perform this operation a successfulAuthLDAPURLcompleted on the connection., data 0, vece However, if I change the AuthLDAPURL to this: AuthLDAPURL ldap://ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAcco untName?sub?(& (objectClass=user)(!(objectClass=computer)))It works just fine. This solution doesn't work for me, though, because the MIS team is moving users out of cn=users and into ou=users,ou=city_of_office. And I can't specify multiplybinding to thevariables to search the possible cities where users might reside.The part I don't understand is why it complains abouttool calledADS _unless_ I specify cn=users in the AuthLDAPURL variable. Thank you for the continued help, very much appreciated. James-----Original Message----- From: Ralf Glauberman [mailto:rglauberman@xxxxxxxxxxxxxxxxxxxxx] Sent: Wednesday, December 22, 2004 9:18 AM To: users@xxxxxxxxxxxxxxxx Subject: Re: [users@httpd] OpenLDAP to Active DirectoryAuthenticationperhaps you want to try the following:go to a windows box in the domain of the ad. there is aconnect to theldp.exe in the windows 2k resource kit, use this toad just asad via ldap. bind to the ad, then you can search in theperhaps you couldapache would do. if you continue to have problems,send a detailed description about your setup. ralf ----- Original Message ----- From: "James Massara" <james.massara@xxxxxxxxxxxxxxxxxx> To: <users@xxxxxxxxxxxxxxxx> Sent: Tuesday, December 21, 2004 8:57 PM Subject: RE: [users@httpd] OpenLDAP to Active DirectoryAuthenticationThe bind works when I do: AuthLDAPURLldap://corp.ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAccountName?s ub?(objectClass=user) But not when I do: AuthLDAPURLldap://corp.ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?can bind as(objec tClass=user) That's why the following error seems misleading:[Wed Dec 15 11:18:10 2004] [error] [client 127.0.0.1] [mod_auth_ldap.c] -Error: Operations error ldap_search_s: Operations error (1) additional info: 00000000: LdapErr: DSID-0C0905FF,comment: Inorder to perform this operation a successful bind must becompleted on theconnection., data 0, veceI would try what you suggested but I don't see how Iuser@xxxxxxxxxxx with the module.-----Original Message----- From: Covington, Chris [mailto:ccovington@xxxxxxxxxxx] Sent: Tuesday, December 21, 2004 11:40 AM To: users@xxxxxxxxxxxxxxxxSubject: Re: [users@httpd] OpenLDAP to Active Directory AuthenticationHas anyone experienced/fixed the problem described below?I haven't had direct experience with Apache/LDAP but haveyou triedbinding with the UPN login? IE user@xxxxxxxxxxx? (or user\@company.com) Chris---------------------------------------------------------------------HTTP ServerThe official User-To-User support forum of the ApacheProject. See<URL:http://httpd.apache.org/userslist.html> for moreinfo. To unsubscribe, e-mail:users-unsubscribe@xxxxxxxxxxxxxxxx" from the digest:users-digest-unsubscribe@xxxxxxxxxxxxxxxxFor additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx---------------------------------------------------------------------HTTP ServerThe official User-To-User support forum of the ApacheProject. See <URL:http://httpd.apache.org/userslist.html>for moreinfo. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx---------------------------------------------------------------------for moreThe official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html>info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx---------------------------------------------------------------------The official User-To-User support forum of the Apache HTTP Server Project.See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx---------------------------------------------------------------------The official User-To-User support forum of the Apache HTTP Server Project.See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx ---------------------------------------------------------------------The official User-To-User support forum of the Apache HTTP Server Project.See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx--------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
--------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|