So I've set up the simplest-possible mod_authnz_ldap vs. Lotus Domino authentication configuration, and it doesn't work - which over the years I've come to expect from Domino, but I don't think it's at fault this time. I'm running Apache & Domino on the same machine, & getting the infamous "Operations Error". Setup is Apache 2.2.2, Domino 6.5, Win2K-Pro.

from httpd.conf:

    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    [...]
    Include conf/mine/httpd-directories.conf

from httpd-directories.conf:

    <Directory "E:/www/httpd/htdocs/ppp">
        Options Indexes
        Order allow,deny
        Allow from 63.195.38.230 63.195.38.226 127.0.0.1
        AuthzLDAPAuthoritative off
        AuthLDAPUrl ldap://localhost:389/o=AAF?UID,CN?sub
        AuthType Basic
        AuthName "Notes LDAP"
        AuthBasicProvider ldap
        require ldap-user LDAP
    </Directory>

(yes, I know the ",CN" bit in the attribute gets ignored)

from Softerra's most excellent LDAP Administrator, the relevant bits of the Domino directory:

    O=AAF
    |
    - CN=LDAP USER
      |
      - cn=ldap
      - uid=ldap
      - (etc...)

from Apache's log, after trying to authenticate as user "ldap":

    [debug] mod_authnz_ldap.c(840): [296] auth_ldap url parse: `ldap://localhost:389/o=AAF?UID,CN?sub'
    [debug] mod_authnz_ldap.c(849): [296] auth_ldap url parse: Host: localhost:389
    [debug] mod_authnz_ldap.c(851): [296] auth_ldap url parse: Port: 389
    [debug] mod_authnz_ldap.c(853): [296] auth_ldap url parse: DN: o=AAF
    [debug] mod_authnz_ldap.c(855): [296] auth_ldap url parse: attrib: UID
    [debug] mod_authnz_ldap.c(857): [296] auth_ldap url parse: scope: subtree
    [debug] mod_authnz_ldap.c(862): [296] auth_ldap url parse: filter: (null)
    [debug] mod_authnz_ldap.c(942): LDAP: auth_ldap not using SSL connections
    [debug] util_ldap.c(1929): LDAP merging Shared Cache conf: shm=0x480d10 rmm=0x480d38 for VHOST: notes.alyx.net
    [debug] util_ldap.c(1929): LDAP merging Shared Cache conf: shm=0x480d10 rmm=0x480d38 for VHOST: www.alyx.net
    [debug] util_ldap.c(1929): LDAP merging Shared Cache conf: shm=0x480d10 rmm=0x480d38 for VHOST: athena.alyx.net
    [info] APR LDAP: Built with Microsoft Corporation. LDAP SDK
    [...]
    [debug] mod_authnz_ldap.c(373): [client 63.195.38.230] [296] auth_ldap authenticate: using URL ldap://localhost:389/o=AAF?UID,CN?sub
    [warn] [client 63.195.38.230] [296] auth_ldap authenticate: user LDAP authentication failed; URI /ppp [ldap_search_ext_s() for user failed][Operations Error]

Now here's the interesting bit. The URL that mod_authnz_ldap is constructing looks like this:

    ldap://localhost:389/o=AAF?uid,cn?sub?(&(objectclass=*)(uid=LDAP))

When I use that URL from MSIE or Softerra, it works; but when Apache constructs it, it fails. Here's what the two situations look like from the Domino log end:

    # success, from MSIE
    User Name: Anonymous
    Server Name: CN=athena/O=AAF
    Remote IP: 127.0.0.1
    Base Object: o=AAF
    Scope: Whole subtree
    Dereference Aliases: Unknown
    Size Limit: 100 entries
    Time Limit: 60 seconds
    Types Only: False
    Filter: (&(objectclass=*)(uid=LDAP))
    Attributes: UID; CN
    Search Time: 130 ms.
    Directories Searched: names.nsf
    Entries Returned: 1
    Bytes Returned: 170
    Result Code: 0

    # failure, from Apache
    User Name: Anonymous
    Server Name: CN=athena/O=AAF
    Remote IP: 127.0.0.1
    Base Object: o=AAF
    Scope: Whole subtree
    Dereference Aliases: Unknown
    Size Limit: 4294967295 entries
    Time Limit: None
    Types Only: False
    Filter: (&(objectclass=*)(uid=LDAP))
    Attributes: UID; CN
    Search Time: 0 ms.
    Directories Searched: names.nsf
    Entries Returned: 0
    Bytes Returned: 14
    Result Code: 1

...that result code of 1 being the notorious ldap "Operations Error", which is apparently a polite way of saying "ldap fcuked up, and we don't know why..."

Any thoughts or ideas? I hate to use the B-word in my very first posting to the list, but this does look to me like mod_authnz_ldap is malforming the search request somehow. Searches have brought up a few other people w/similar problems, but no solutions,

TIA,
alex.
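
Added example (not part of the original post, and not Apache or Domino code): a Python script that parses the two Domino log records quoted above and lists the request-side fields that differ between the working and the failing search. The function names and the split into request and response fields are assumptions made for this illustration.

```python
import re

# Field labels exactly as they appear in the Domino LDAP log records in the post.
FIELDS = ["User Name", "Server Name", "Remote IP", "Base Object", "Scope",
          "Dereference Aliases", "Size Limit", "Time Limit", "Types Only",
          "Filter", "Attributes", "Search Time", "Directories Searched",
          "Entries Returned", "Bytes Returned", "Result Code"]
# Assumption: these labels describe the server's answer, the rest the request.
RESPONSE = {"Search Time", "Directories Searched", "Entries Returned",
            "Bytes Returned", "Result Code"}
_LABEL = re.compile(r"(%s):\s*" % "|".join(map(re.escape, FIELDS)))

def parse_record(text):
    """Parse one record, one field per line or flattened onto a single line."""
    parts = _LABEL.split(" ".join(text.split()))
    # re.split with a capture group yields [preamble, label, value, label, ...]
    return {k: v.strip() for k, v in zip(parts[1::2], parts[2::2])}

def request_diff(ok, bad):
    """Request-side fields whose values differ: {label: (ok_value, bad_value)}."""
    return {f: (ok.get(f), bad.get(f)) for f in FIELDS
            if f not in RESPONSE and ok.get(f) != bad.get(f)}

def as_int32(value):
    """Read the leading number of a field as a signed 32-bit integer."""
    n = int(value.split()[0])
    return n - 2**32 if n >= 2**31 else n

# The two records quoted in the post (success from MSIE, failure from Apache).
SUCCESS = """User Name: Anonymous Server Name: CN=athena/O=AAF Remote IP: 127.0.0.1
Base Object: o=AAF Scope: Whole subtree Dereference Aliases: Unknown
Size Limit: 100 entries Time Limit: 60 seconds Types Only: False
Filter: (&(objectclass=*)(uid=LDAP)) Attributes: UID; CN Search Time: 130 ms.
Directories Searched: names.nsf Entries Returned: 1 Bytes Returned: 170 Result Code: 0"""
FAILURE = """User Name: Anonymous Server Name: CN=athena/O=AAF Remote IP: 127.0.0.1
Base Object: o=AAF Scope: Whole subtree Dereference Aliases: Unknown
Size Limit: 4294967295 entries Time Limit: None Types Only: False
Filter: (&(objectclass=*)(uid=LDAP)) Attributes: UID; CN Search Time: 0 ms.
Directories Searched: names.nsf Entries Returned: 0 Bytes Returned: 14 Result Code: 1"""

if __name__ == "__main__":
    diff = request_diff(parse_record(SUCCESS), parse_record(FAILURE))
    for label, (ok, bad) in diff.items():
        print(f"{label}: works={ok!r} fails={bad!r}")
```

On the records from the post, the only request-side fields that differ are Size Limit and Time Limit; 4294967295 is -1 when read as a signed 32-bit integer.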