RE: Apache2 authenticating via LDAP on Active Directory

De Filippo Andrea [mailto:Andrea.DeFilippo@xxxxxxxxxxxx] said:

My question is how to authenticate apache2 via LDAP on Active Directory.

This is my configuration in /etc/apache2/sites-enabled/000-default:

# LDAP Authentication
    LDAPSharedCacheSize 200000
    LDAPCacheEntries 1024
    LDAPCacheTTL 600
    LDAPOpCacheEntries 1024
    LDAPOpCacheTTL 600
    <Location /prova>
            Options Indexes FollowSymLinks
            #AllowOverride None
            order allow,deny
            Allow from all
            AuthType Basic
            AuthName "Autenticazione utente"
            AuthBasicAuthoritative off
            AuthBasicProvider ldap
            AuthzLDAPAuthoritative off
            AuthLDAPURL ldap://gc2kwive01:389/dc=wind,dc=root,DC=it?sAMAccountName?sub?(objectClass=user)
            require valid-user
    </Location>

But I have this error in /var/log/apache2/error.log:

[Thu Jun 19 12:54:30 2008] [warn] [client 10.73.5.119] [22817] auth_ldap authenticate: user windroot\\de filippo authentication failed; URI /prova/index.html [User not found][No such object]
[Thu Jun 19 12:54:30 2008] [crit] [client 10.73.5.119] configuration error:  couldn't check user.  No user file?: /prova/index.html

I'm still fighting with some of my Active Directory authentication needs, but I did get my Subversion repository working correctly, so maybe what I have here will help.

AD needs you to bind before it lets you search.  Also, it sometimes segments the information weirdly and uses redirects weirdly, so you sometimes have to use port 3268, which is a magic merged global view of the directory.

So here's what I have currently working, with obvious secret stuff overwritten:

   AuthName "Pine River Capital Windows Logon"
   AuthType basic
   AuthLDAPEnabled on
   AuthLDAPURL "ldap://dc1.ourinternaldomain.local:3268/dc=pinerivercapital,dc=local?sAMAccountName?sub?(objectClass=user)(objectCategory=person)"
   # Suitable user with read access
   AuthLDAPBindDN "CN=accounttobindwith,OU=Service Accounts,OU=MPLS,DC=pinerivercapital,DC=local"
   AuthLDAPBindPassword "itsasecret"
   # Non-Authoritative lets it also look in .htpasswd; must config user file
   AuthLDAPAuthoritative off
   #AuthLDAPGroupAttributeIsDN on
   AuthUserFile /home/svn/access/users
   Require valid-user

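The two messages above describe the same sequence from opposite ends: mod_authnz_ldap parses the AuthLDAPURL, searches the base DN for an entry whose attribute (here sAMAccountName) equals the submitted name, and then rebinds as that entry's DN with the submitted password. Against AD the search step only works after an authenticated bind, which is why the first configuration (no AuthLDAPBindDN) logs "User not found" and the second one works. The script below is an added example, not code from either message or from the Apache project: it parses the URL format, builds the user search filter with RFC 4515 escaping so a submitted name cannot alter the filter's structure, and replays search-then-bind against a constructed in-memory stand-in for a domain controller that returns nothing to anonymous searches. The host, DNs, account names and passwords are made up, and the exact way the configured filter is ANDed with the attribute match is an assumption about mod_authnz_ldap's internals. One caveat the log line in the first message illustrates: a name submitted as `windroot\de filippo` is escaped to `windroot\5cde filippo` in the filter, so a plain sAMAccountName lookup will never match it.

```python
from urllib.parse import urlsplit

# Added example (not from the thread): AuthLDAPURL parsing and the search-then-bind
# sequence of mod_authnz_ldap, run against a constructed fake domain controller.
# Every name, DN and password below is made up.

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_auth_ldap_url(url):
    """Split ldap://host:port/basedn?attr?scope?filter into its components.
    Missing parts fall back to the documented defaults: uid, sub, (objectClass=*)."""
    parts = urlsplit(url.strip())
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attr, scope, filt = fields[:3]
    return {
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[parts.scheme],  # 3268 is the AD global catalog
        "base": parts.path.lstrip("/"),
        "attr": attr or "uid",
        "scope": scope or "sub",
        "filter": filt or "(objectClass=*)",
    }


def escape_filter_value(value):
    """RFC 4515 escaping: a user-supplied name must not change the filter's structure."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_search_filter(cfg, username):
    """AND the configured filter with attr=username. The concatenation form here is an
    assumption about mod_authnz_ldap; the escaping of the username is the point."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attr"], escape_filter_value(username))


class FakeDomainController:
    """Constructed stand-in for an AD DC: an anonymous bind is accepted, but an
    anonymous search returns no entries, which is AD's default behaviour."""

    def __init__(self, entries):
        self.entries = {dn.lower(): e for dn, e in entries.items()}
        self.dns = {dn.lower(): dn for dn in entries}  # preserve original DN spelling
        self.bound_as = None

    def bind(self, dn, password):
        if dn is None:  # anonymous bind: succeeds, but grants no search rights
            self.bound_as = None
            return True
        entry = self.entries.get(dn.lower())
        ok = entry is not None and entry["password"] == password
        self.bound_as = dn if ok else None
        return ok

    def search(self, base, attr, value):
        """Return DNs under base whose attr equals value (sAMAccountName is case-insensitive).
        A real server would parse the filter string; the fake matches attr/value directly."""
        if self.bound_as is None:
            return []  # what the first message hit: [User not found][No such object]
        hits = []
        for key, entry in self.entries.items():
            if key.endswith(base.lower()) and entry["attrs"].get(attr, "").lower() == value.lower():
                hits.append(self.dns[key])
        return hits


def authenticate(dc, cfg, username, password, bind_dn=None, bind_password=None):
    """Replay the module's sequence: bind as the service account (or anonymously when no
    AuthLDAPBindDN is set), search for the user, then rebind as the user's own DN."""
    if not dc.bind(bind_dn, bind_password):
        return (False, "bind DN rejected")
    matches = dc.search(cfg["base"], cfg["attr"], username)
    if len(matches) != 1:
        return (False, "User not found")
    user_dn = matches[0]
    if not dc.bind(user_dn, password):
        return (False, "invalid credentials")
    return (True, user_dn)


# Constructed directory content and URL; none of these values come from the thread.
DIRECTORY = {
    "CN=svc-apache,OU=Service Accounts,DC=example,DC=local":
        {"attrs": {"sAMAccountName": "svc-apache"}, "password": "bind-secret"},
    "CN=Andrea De Filippo,OU=Users,DC=example,DC=local":
        {"attrs": {"sAMAccountName": "adefilippo"}, "password": "user-secret"},
}
AUTH_LDAP_URL = "ldap://dc1.example.local:3268/dc=example,dc=local?sAMAccountName?sub?(objectClass=user)"

if __name__ == "__main__":
    cfg = parse_auth_ldap_url(AUTH_LDAP_URL)
    dc = FakeDomainController(DIRECTORY)
    print(build_search_filter(cfg, "*)(objectClass=*"))  # metacharacters neutralised
    # Without AuthLDAPBindDN the search runs anonymously and finds nobody.
    print(authenticate(dc, cfg, "adefilippo", "user-secret"))
    # With a bind DN and password the lookup and the rebind as the user succeed.
    print(authenticate(dc, cfg, "adefilippo", "user-secret",
                       "CN=svc-apache,OU=Service Accounts,DC=example,DC=local", "bind-secret"))
```

Running it shows the two outcomes side by side: the anonymous path returns `(False, 'User not found')`, matching the error in the first message, while the bound path returns the user's DN. The service account only needs read access to the user objects, and its password ends up in the Apache configuration in clear text, so that file's permissions deserve the same care as the AuthUserFile.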
