[users@httpd] authentication problem with apache2 + ldap + active directory

LDAP authentication fails with the following message in the error log:

-----------------
[Sat Jun 17 21:11:19 2006] [debug] mod_auth_ldap.c(337): [client
192.168.x.x] [22698] auth_ldap authenticate: using URL
ldap://ad.host.name.com:389/DC=XYZ,DC=ABC,DC=com?sAMAccountName?sub?(objectClass=*)
[Sat Jun 17 21:11:19 2006] [warn] [client 192.168.x.x] [22698]
auth_ldap authenticate: user flastname authentication failed; URI
/test [ldap_search_ext_s() for user failed][Operations error]
[Sat Jun 17 21:11:28 2006] [debug] mod_headers.c(527): headers:
ap_headers_output_filter()
-----------------

This is the relevant config:

-----------------
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
<Location /test>
   AuthType Basic
   AuthName "LDAP test"
   AuthLDAPURL ldap://ad.host.name.com:389/DC=XYZ,DC=ABC,DC=com?sAMAccountName?sub?(objectClass=*)
   AuthLDAPBindDN "CN=BindLDAPUsername,OU=Generic IDs,DC=XYZ,DC=ABC,DC=com"
   AuthLDAPBindPassword password
   Require valid-user
</Location>
-----------------

When I capture the traffic between the AD and Apache, I can see the
bind happen, then the query, then the response with one record and
proper sAMAccountName, but no subsequent bind to the LDAP server using
the DN and the password passed by the HTTP client.

I can run the same exact query using ldapsearch and it gets back
identical results (and captured traffic looks the same):

-----------------
ldapsearch -v -W -x \
-D"CN=BindLDAPUsername,OU=Generic IDs,DC=XYZ,DC=ABC,DC=com" \
-H ldap://ad.host.name.com:389 \
-b "DC=XYZ,DC=ABC,DC=com" \
"(&(objectClass=*)(sAMAccountName=flastname))" sAMAccountName
-----------------


tcpdump capture between apache and AD:
http://rafb.net/paste/results/9Duquf89.html

software:
---------
openldap 2.3.21 from sunfreeware.com
solaris sparc 8
apache 2.0.55

thank you.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
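The search step described in this message, as an added example that is not part of the original post or of Apache's code: it splits the AuthLDAPURL into its fields and derives the combined filter and the matching ldapsearch arguments. The function names are hypothetical, the defaults (uid, sub, (objectClass=*)) follow the module's documentation, and the RFC 4515 escaping of the user name is this example's choice, not necessarily what mod_auth_ldap does internally.

```python
from urllib.parse import urlsplit, unquote

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a user-supplied value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def parse_auth_ldap_url(url):
    """Split ldap://host:port/basedn?attribute?scope?filter into its fields."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    # Missing trailing fields are padded with "" and replaced by defaults below.
    fields = (parts.query.split("?") + ["", "", ""])[:3]
    attribute, scope, flt = (unquote(f) for f in fields)
    flt = flt or "(objectClass=*)"
    if not flt.startswith("("):
        flt = "(" + flt + ")"
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": flt,
    }

def search_filter(cfg, username):
    """AND the URL filter with attribute=<escaped user name>."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"],
                             escape_filter_value(username))

def ldapsearch_argv(cfg, bind_dn, username):
    """Argument list (no shell quoting needed) reproducing the search by hand."""
    uri = "%s://%s:%d" % (cfg["scheme"], cfg["host"], cfg["port"])
    return ["ldapsearch", "-x", "-W", "-D", bind_dn, "-H", uri,
            "-b", cfg["base"], "-s", cfg["scope"],
            search_filter(cfg, username), cfg["attribute"]]

if __name__ == "__main__":
    # URL and bind DN copied from the configuration in the message above.
    cfg = parse_auth_ldap_url("ldap://ad.host.name.com:389/DC=XYZ,DC=ABC,DC=com"
                              "?sAMAccountName?sub?(objectClass=*)")
    print(search_filter(cfg, "flastname"))
    print(ldapsearch_argv(cfg, "CN=BindLDAPUsername,OU=Generic IDs,"
                               "DC=XYZ,DC=ABC,DC=com", "flastname"))
```
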