Re: [users@httpd] OpenLDAP to Active Directory Authentication

As a follow-up: what's the proper way to use AuthAuthoritative directives? In particular, as a workaround for the problem outlined below.

As far as I can tell, a workaround would be to let the first AuthLDAPURL in the first container fail, and then try with the other container.

Is this possible? Or is AuthAuthoritative just for switching to a *different* authentication mechanism, and cannot be used with the same mechanism? If so, can someone supply an example?

Thanks!
.josh
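
An added example, not configuration from the thread, answering the question above for later httpd releases. The 2.0 directive being reached for is AuthLDAPAuthoritative, and it only decides whether a failed LDAP lookup may fall through to other authentication modules; it cannot make the LDAP module retry with a second AuthLDAPURL. In httpd 2.2 (mod_authn_alias) and 2.4 (mod_authn_core), AuthnProviderAlias gives each container its own named LDAP provider and AuthBasicProvider tries them in order. The hostname, the city OUs and the service account below are placeholders.

```apache
# Added example, not configuration from the thread. Assumes httpd 2.4 with
# mod_authn_core and mod_authnz_ldap loaded (httpd 2.2 needs mod_authn_alias
# instead); hostname, OUs and the service account are placeholders.

# One named provider per container the users may live in.
<AuthnProviderAlias ldap ldap-city1>
    AuthLDAPURL "ldap://ad.company.com/ou=users,ou=city1,dc=ad,dc=company,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))"
    AuthLDAPBindDN       "cn=svc-httpd,ou=service,dc=ad,dc=company,dc=com"
    # Placeholder helper that prints the password; keeps the secret out of the
    # config file (exec: form available since httpd 2.4.5).
    AuthLDAPBindPassword "exec:/etc/httpd/ldap-bind-password.sh"
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-city2>
    AuthLDAPURL "ldap://ad.company.com/ou=users,ou=city2,dc=ad,dc=company,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))"
    AuthLDAPBindDN       "cn=svc-httpd,ou=service,dc=ad,dc=company,dc=com"
    AuthLDAPBindPassword "exec:/etc/httpd/ldap-bind-password.sh"
</AuthnProviderAlias>

<Location "/aptest/">
    AuthType Basic
    AuthName "DI Admin Platform"
    # Providers are consulted left to right. One that does not find the account
    # reports "user not found" and the next is tried; once a provider finds the
    # account its verdict on the password is final, so a wrong password against
    # city1 is not retried against city2.
    AuthBasicProvider ldap-city1 ldap-city2
    Require valid-user
</Location>
```

The alias chain is for containers that are genuinely disjoint (or live on different servers). If all of them sit under one parent OU, a single sub-scope search from that parent is simpler, and if the parent is the domain root you are back at the referral problem discussed further down. Either way, put the block in the main server configuration rather than in a .htaccess file sitting in a web-served directory, since it carries the service account's bind password.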

Josh Burley wrote:

Solution #1 is not an option for us (or so says our AD admin), but solution #2 might be. How did you disable the referral chasing? We are, in fact, using Active Directory for authentication; sorry if I wasn't clear about that.

I guess I'm still a bit confused about how this works, as well. My understanding is that the binding itself is done with the bind DN and password, which includes the container, and then a search is done off of the AuthLDAPURL. Did you just mean the search results, rather than the bind, or am I getting my terminology confused?

Thanks for the info,
.josh

John wrote:

Hi,

I experienced the same problem as the one described here, and it turned
out to be the LDAP referrals being sent by Active Directory.

If you bind to cn=Users,dc=ad,dc=company,dc=com, then you are binding to
a container within Active Directory, and everything works fine.

However, if you bind to the root of your domain, i.e. just
dc=ad,dc=company,dc=com, then Active Directory, in addition to the
search results you expected, will also return referrals to the other
directory partitions.

It seems that the referrals that Active Directory returns are causing
the authentication to be rejected.

There are two possible solutions that I know of:

1. Create an organisational unit called something like "All Users" and
make sure all your user accounts are inside this container - that way
you can use ou=all users,dc=ad,dc=company,dc=com as your LDAP path.

2. Disabling referral chasing got the Netscape LDAP SDK to bind to the
root of an Active Directory domain - no idea if the same will be true of
OpenLDAP.

Hope this information helps someone.

Regards,

John
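
An added example, not configuration from the thread, showing what John's option 2 looks like in later httpd releases. The LDAPReferrals directive belongs to mod_ldap in httpd 2.4; the 2.0.52 mod_auth_ldap used in this thread has no equivalent. The hostname, DNs and service account are placeholders.

```apache
# Added example, not configuration from the thread. Assumes httpd 2.4 with
# mod_ldap and mod_authnz_ldap loaded; hostname, DNs and the service account
# are placeholders.

# Failing shape from the thread: with the domain root as search base, AD returns
# search references for its other naming contexts (Configuration, DomainDnsZones,
# ...) alongside the user entry. With referral chasing left on (the libldap
# default) httpd follows each reference on a fresh connection that carries no
# bind, and AD answers that with "Operations error ... a successful bind must be
# completed on the connection".
#
#   AuthLDAPURL "ldap://ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClass=user)"
#
# Fix: do not chase referrals. Only the user entry matters for authentication,
# and not chasing also keeps httpd from opening connections to whatever hosts
# the directory happens to name in a reference.
LDAPReferrals Off

<Location "/aptest/">
    AuthType Basic
    AuthName "DI Admin Platform"
    AuthBasicProvider ldap

    # Domain root as search base, so users may live in any OU beneath it.
    AuthLDAPURL "ldap://ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))"

    # Alternative that needs no directive: query the Global Catalog on port
    # 3268, which answers forest-wide searches on GC-replicated attributes such
    # as sAMAccountName without handing out partition references.
    # AuthLDAPURL "ldap://ad.company.com:3268/dc=ad,dc=company,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))"

    # Service account used only for the lookup bind; the user's own password is
    # verified by a second bind as the DN the search returned.
    AuthLDAPBindDN       "cn=svc-httpd,ou=service,dc=ad,dc=company,dc=com"
    AuthLDAPBindPassword "exec:/etc/httpd/ldap-bind-password.sh"

    Require valid-user
</Location>
```

To see the references from the command line, run the ldapsearch from later in this thread with the domain root as base: it lists them as "ref:" lines under "# search reference" but does not follow them unless given -C, which is why the tool succeeds where httpd fails.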


-----Original Message-----
From: James Massara
Sent: Wednesday, December 22, 2004 10:45 AM
To: 'users@xxxxxxxxxxxxxxxx'
Subject: RE: [users@httpd] OpenLDAP to Active Directory Authentication

The search works fine from the Windows ldp tool. It also works fine from the OpenLDAP ldapsearch tool:

ldapsearch -h ad.company.com -D 'cn=jmassara,ou=users,dc=ad,dc=company,dc=com' -b 'DC=ad,DC=company,DC=com' -x -W "(&(objectClass=user)(!(objectClass=computer)))" sAMAccountName

Details of my setup:

Operating System: Gentoo Linux (kernel v2.6.8)
OpenLDAP v2.1.30
Apache HTTPD v2.0.52 using the bundled mod_auth_ldap

My .htaccess file settings are:

AuthName "DI Admin Platform"
AuthType Basic
AuthLDAPURL "ldap://ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))"
AuthLDAPBindDN cn=jmassara,ou=users,ou=city,dc=ad,dc=company,dc=com
AuthLDAPBindPassword mypasswd

Using this setup generates the following error:

[Wed Dec 22 12:15:46 2004] [warn] [client 10.201.255.254] [1400968] auth_ldap authenticate: user testuser authentication failed; URI /aptest/ [ldap_search_ext_s() for user failed][Operations error]
ldap_search_ext_s: Operations error (1)
       additional info: 00000000: LdapErr: DSID-0C0905FF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

However, if I change the AuthLDAPURL to this:

AuthLDAPURL "ldap://ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))"

It works just fine. This solution doesn't work for me, though, because the MIS team is moving users out of cn=users and into ou=users,ou=city_of_office. And I can't specify multiple AuthLDAPURL variables to search the possible cities where users might reside.

The part I don't understand is why it complains about binding to the ADS _unless_ I specify cn=users in the AuthLDAPURL variable.

Thank you for the continued help, very much appreciated.
James

-----Original Message-----
From: Ralf Glauberman [mailto:rglauberman@xxxxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, December 22, 2004 9:18 AM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: [users@httpd] OpenLDAP to Active Directory Authentication

Perhaps you want to try the following:
Go to a Windows box in the domain of the AD. There is a tool called ldp.exe in the Windows 2k resource kit; use this to connect to the AD via LDAP. Bind to the AD, then you can search in the AD just as Apache would do. If you continue to have problems, perhaps you could send a detailed description of your setup.
ralf

----- Original Message -----
From: "James Massara" <james.massara@xxxxxxxxxxxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>
Sent: Tuesday, December 21, 2004 8:57 PM
Subject: RE: [users@httpd] OpenLDAP to Active Directory Authentication

The bind works when I do:

AuthLDAPURL "ldap://corp.ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClass=user)"

But not when I do:

AuthLDAPURL "ldap://corp.ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClass=user)"

That's why the following error seems misleading:

[Wed Dec 15 11:18:10 2004] [error] [client 127.0.0.1] [mod_auth_ldap.c] - Error: Operations error
ldap_search_s: Operations error (1)
      additional info: 00000000: LdapErr: DSID-0C0905FF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

I would try what you suggested but I don't see how I can bind as user@xxxxxxxxxxx with the module.

-----Original Message-----
From: Covington, Chris [mailto:ccovington@xxxxxxxxxxx]
Sent: Tuesday, December 21, 2004 11:40 AM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: [users@httpd] OpenLDAP to Active Directory Authentication


Has anyone experienced/fixed the problem described below?

I haven't had direct experience with Apache/LDAP, but have you tried binding with the UPN login, i.e. user@xxxxxxxxxxx? (or user\@company.com)

Chris



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx