Re: [users@httpd] OpenLDAP to Active Directory Authentication

Solution #1 is not an option for us (or so says our AD admin), but solution #2 might be. How did you disable the referral chasing? We are, in fact, using an Active Directory for authentication, sorry if I wasn't clear about that.

I guess I'm still a bit confused about how this works, as well... my understanding is that the binding itself is done with the bind DN and password, which includes the container. And then a search is done off of the AuthLDAPURL. Did you just mean the search results, rather than the bind, or am I getting my terminology confused?

Thanks for the info,
.josh

John wrote:

Hi,

I experienced the same problem as the one described here, and it turned
out to be the LDAP referrals being sent by Active Directory.

If you bind to cn=Users,dc=ad,dc=company,dc=com, then you are binding to
a container within Active Directory, and everything works fine.

However, if you bind to the root of your domain, i.e. just
dc=ad,dc=company,dc=com, then Active Directory, in addition to the
search results you expected, will also return referrals to the other
directory partitions.

It seems that the referrals that Active Directory returns are causing
the authentication to be rejected.

There are two possible solutions that I know of:

1. Create an organisational unit called something like "All Users" and
make sure all your user accounts are inside this container - that way
you can use ou=all users,dc=ad,dc=company,dc=com as your LDAP path.

2. Disabling referral chasing got the Netscape LDAP SDK to bind to the
root of an Active Directory domain - no idea if the same will be true of
OpenLDAP.

Hope this information helps someone.

Regards,

John


-----Original Message-----
From: James Massara
Sent: Wednesday, December 22, 2004 10:45 AM
To: 'users@xxxxxxxxxxxxxxxx'
Subject: RE: [users@httpd] OpenLDAP to Active Directory Authentication

The search works fine from the Windows ldp tool. It also works fine from the OpenLDAP ldapsearch tool:

ldapsearch -h ad.company.com -D 'cn=jmassara,ou=users,dc=ad,dc=company,dc=com' -b 'DC=ad,DC=company,DC=com' -x -W "(&(objectClass=user)(!(objectClass=computer)))" sAMAccountName

Details of my setup:

Operating System: Gentoo Linux (kernel v2.6.8)
OpenLDAP v2.1.30
Apache HTTPD v2.0.52 using the bundled mod_auth_ldap

My .htaccess file settings are:

AuthName "DI Admin Platform"
AuthType Basic
AuthLDAPURL ldap://ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))
AuthLDAPBindDN cn=jmassara,ou=users,ou=city,dc=ad,dc=company,dc=com
AuthLDAPBindPassword mypasswd

Using this setup generates the following error:

[Wed Dec 22 12:15:46 2004] [warn] [client 10.201.255.254] [1400968] auth_ldap authenticate: user testuser authentication failed; URI /aptest/ [ldap_search_ext_s() for user failed][Operations error]
ldap_search_ext_s: Operations error (1)
       additional info: 00000000: LdapErr: DSID-0C0905FF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

However, if I change the AuthLDAPURL to this:

AuthLDAPURL ldap://ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))

It works just fine. This solution doesn't work for me, though, because the MIS team is moving users out of cn=users and into ou=users,ou=city_of_office. And I can't specify multiple AuthLDAPURL variables to search the possible cities where users might reside.

The part I don't understand is why it complains about binding to the ADS _unless_ I specify cn=users in the AuthLDAPURL variable.

Thank you for the continued help, very much appreciated.
James
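As an added example (not code from this thread, from mod_auth_ldap or from OpenLDAP), a small Python parser for the AuthLDAPURL form shown above that also flags the case John describes: a base DN made up only of dc= components is the domain root, where Active Directory returns referrals alongside the search results. The defaults filled in for empty attribute/scope/filter fields are the ones documented for mod_auth_ldap; the cleartext ldap:// warning is my own addition.

```python
import re
from dataclasses import dataclass


@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    attribute: str
    scope: str
    filter: str


def parse_auth_ldap_url(url: str) -> LdapUrl:
    """Split an AuthLDAPURL (scheme://host[:port]/basedn?attribute?scope?filter) into parts."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPURL must start with ldap:// or ldaps://")
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    # Fields after the base DN are '?'-separated; a filter may itself contain '?', so split at most 3 times.
    parts = path.split("?", 3) + [""] * 3
    base_dn, attribute, scope, filt = parts[:4]
    # Empty fields take the defaults documented for mod_auth_ldap (uid, sub, (objectClass=*)).
    return LdapUrl(scheme, host, int(port) if port else (636 if scheme == "ldaps" else 389),
                   base_dn, attribute or "uid", scope or "sub", filt or "(objectClass=*)")


def is_partition_root(base_dn: str) -> bool:
    """True when every RDN is a dc= component, i.e. the base is a domain (naming-context) root."""
    # Split on unescaped commas only, so a value like "cn=Doe\, Jane" stays one RDN.
    rdns = [r.strip() for r in re.split(r"(?<!\\),", base_dn) if r.strip()]
    return bool(rdns) and all(r.lower().startswith("dc=") for r in rdns)


def check_auth_ldap_url(url: str) -> list:
    """Return the warnings a reviewer would raise about this AuthLDAPURL before it goes live."""
    u = parse_auth_ldap_url(url)
    warnings = []
    if is_partition_root(u.base_dn):
        # This is the failure mode from the thread: searching from the domain root makes AD send
        # referrals to its other partitions, and httpd 2.0's mod_auth_ldap then rejects the login.
        warnings.append("base DN %s is the domain root; Active Directory will return referrals with "
                        "the results. Search from a container (e.g. cn=users or an OU) instead." % u.base_dn)
    if u.scheme == "ldap":
        warnings.append("ldap:// is cleartext: the bind password and each user's password cross the "
                        "network unencrypted; prefer ldaps://")
    return warnings
```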

-----Original Message-----
From: Ralf Glauberman [mailto:rglauberman@xxxxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, December 22, 2004 9:18 AM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: [users@httpd] OpenLDAP to Active Directory Authentication

Perhaps you want to try the following: go to a Windows box in the domain of the AD. There is a tool called ldp.exe in the Windows 2k resource kit; use this to connect to the AD via LDAP. Bind to the AD, then you can search in the AD just as Apache would do. If you continue to have problems, perhaps you could send a detailed description about your setup.
ralf

----- Original Message -----
From: "James Massara" <james.massara@xxxxxxxxxxxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>
Sent: Tuesday, December 21, 2004 8:57 PM
Subject: RE: [users@httpd] OpenLDAP to Active Directory Authentication
The bind works when I do:

AuthLDAPURL

ldap://corp.ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClass=user)

But not when I do:

AuthLDAPURL

ldap://corp.ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClass=user)

That's why the following error seems misleading:

[Wed Dec 15 11:18:10 2004] [error] [client 127.0.0.1] [mod_auth_ldap.c] - Error: Operations error
ldap_search_s: Operations error (1)
      additional info: 00000000: LdapErr: DSID-0C0905FF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

I would try what you suggested but I don't see how I can bind as user@xxxxxxxxxxx with the module.

-----Original Message-----
From: Covington, Chris [mailto:ccovington@xxxxxxxxxxx]
Sent: Tuesday, December 21, 2004 11:40 AM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: [users@httpd] OpenLDAP to Active Directory Authentication


Has anyone experienced/fixed the problem described below?
I haven't had direct experience with Apache/LDAP but have you tried binding with the UPN login? I.e. user@xxxxxxxxxxx? (or user\@company.com)

Chris


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

