Binding and searching in mod_auth_ldap


Hi list,

I'd like to authenticate against an Active Directory via mod_auth_ldap. After 
reading the docs, I tried the following:

AuthType Basic
AuthName "Logon with your DOMAIN Account"
AuthBasicAuthoritative Off
AuthzLDAPAuthoritative off
AuthBasicProvider ldap
AuthLDAPURL ldap://DomainDnsZones.domain.com/DC=domain,DC=com?sAMAccountName?sub?(objectclass=*)

Unfortunately this does not work, because I have to bind to the LDAP server 
with 'domain\username', but the sAMAccountName attribute only 
contains 'username'. There is no other attribute that includes the 'domain\' 
part either. Binding as 'domain\username' and searching 
for '(&(objectclass=*)(sAMAccountName=username))' via ldapsearch on the 
command line I get the correct results. Trying to bind as only 'username' 
does not work.

You could of course bind to the LDAP server with a separate account and search 
for the sAMAccountName of the user, but then I would also have to create a new 
bindable DN that could manually verify passwords, which is not possible for 
me. Or is there another way?

Is it possible to bind to the AD via mod_auth_ldap without specifying an 
attribute to search for after binding? I would like to define something along 
the lines of:

AuthLDAPUrl ldap://ddz.domain.com/DC=domain,DC=com
AuthLDAPBindDN domain\\%{username}
AuthLDAPFilter (&(objectclass=*)(sAMAccountName=%{username}))

if that was possible. %{username} would then be substituted by the user 
supplied string. Did I miss something in the documentation or is this just 
not possible? Or am I doing something wrong? Is there some standard way of 
binding to an AD without specifying the domain before the username I do not 
know of?


Alex

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
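
Two mod_authnz_ldap configurations that relate to the question above, as an added example that is not part of the original post. The host dc.domain.com, the /app-a and /app-b paths, the svc-httpd account, the password placeholder and the assumption that each user's userPrincipalName is username@domain.com are hypothetical; AuthLDAPInitialBindAsUser and AuthLDAPInitialBindPattern exist only in httpd 2.3.6 and later.

```apache
# Added example: names, paths and the service account are placeholders.

# Option A: search-then-bind with a dedicated low-privilege account.
# The module binds as AuthLDAPBindDN only to look up the DN whose
# sAMAccountName matches the Basic-auth user name. It then re-binds as
# that DN with the password the client supplied, so the directory itself
# verifies the password and the service account only needs read access.
<Location "/app-a">
    AuthType Basic
    AuthName "Logon with your DOMAIN Account"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://dc.domain.com/DC=domain,DC=com?sAMAccountName?sub?(objectclass=*)"
    AuthLDAPBindDN "CN=svc-httpd,OU=Service Accounts,DC=domain,DC=com"
    AuthLDAPBindPassword "REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"
    Require valid-user
</Location>

# Option B (httpd 2.3.6 and later): no service account.
# The initial bind is made with the user's own credentials. The pattern
# rewrites the typed name into a bind identity; the UPN form user@domain.com
# is used here as an assumption about this directory. After that bind, the
# search for sAMAccountName and the final bind as the found DN run as usual.
<Location "/app-b">
    AuthType Basic
    AuthName "Logon with your DOMAIN Account"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://dc.domain.com/DC=domain,DC=com?sAMAccountName?sub?(objectclass=*)"
    AuthLDAPInitialBindAsUser On
    AuthLDAPInitialBindPattern (.+) $1@domain.com
    Require valid-user
</Location>

# Both options send the bind password over ldap:// in clear text unless
# the connection is protected, for example with an ldaps:// URL.
```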

