Re: mod_authnz_ldap module and Microsoft AD LDAP Server

Great! That's it!

I've tried to use a user called "admin" that exists in the LDAP server.

So, to make the test, I've created a crazy username and put it into the flat file, and it works!

Apache tries to consult the flat file only if it doesn't find the user in the LDAP server.

Now, another problem (sorry for boring you). Instead of using a flat file as a second option, I want to use a database.

So, I've installed the Apache::DBI module and tried to use Apache::AuthDBI to authenticate against a MySQL database.

Now the problem is that Apache only tries to use the Apache::AuthDBI module. It doesn't look in the LDAP server any more.

Any idea? Maybe I should try to use mod_authn_dbd instead of Apache::AuthDBI?

What do you think?

Thank you again.
Rodney.

On Tue, Oct 21, 2008 at 6:09 PM, Eric Covener <covener@xxxxxxxxx> wrote:
On Tue, Oct 21, 2008 at 1:43 PM, André Warnier <aw@xxxxxxxxxx> wrote:
> Eric Covener wrote:
>>
>> On port 389, MSAD might send you on a lengthy wild goose-chase of LDAP
>> referrals.
>>
> Eric, can you elaborate a bit on that, or direct me/us to some additional
> information ?
> This is not directly related to the OP's issue, but I'm doing a lot of AAA
> related stuff these days, and like to learn these things.


LDAP has a notion of referrals, like HTTP redirects.  When you have a
complicated AD domain, you might talk to what you think of as the
master AD server, but it may send you to go ask other servers (dept.
x, dept. y, AD servers from some remote site, recent acquisitions,
etc.).  I don't know if it is misconfiguration, but I've seen some
where conceptually none of the referrals seem to be needed based on
the user you're looking up (and they may take you across some slow links).

When you use that high port, you're talking to the "global catalog"
where all info across the "forest" is aggregated on one LDAP server
and you just get a regular/direct result if you query or try to login.
If you use unusual data for authz, I believe you have to tell it what

MS also has a tool called ADAM (AD Application Mode) that frontends AD
for traditional LDAP applications:
http://www.microsoft.com/windowsserver2003/adam/default.mspx


--
Eric Covener
covener@xxxxxxxxx

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
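The two points raised in this exchange (chaining an LDAP provider with a database provider, and querying AD's global catalog rather than port 389) both come down to httpd configuration. The fragment below is an added example, not something posted in the thread and not the httpd project's own sample; host names, DNs, the service account, the MySQL connection parameters and the table layout are all assumed. It targets Apache 2.2 with mod_authnz_ldap, mod_dbd and mod_authn_dbd loaded. The reason mod_authn_dbd fits where Apache::AuthDBI did not is that mod_authn_dbd registers itself as an AuthBasicProvider, so it is consulted in the order given and only after the earlier provider reports the user as not found, whereas Apache::AuthDBI is installed as a PerlAuthenHandler that takes over the authentication phase itself and so sits outside that chain. The global catalog listens on 3268 (3269 over TLS); a search there returns a direct result instead of the referrals you can get on 389.

```apache
# Added example (Apache 2.2). Hypothetical hosts, DNs, credentials and
# database schema throughout; adjust to your environment.
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule dbd_module         modules/mod_dbd.so
LoadModule authn_dbd_module   modules/mod_authn_dbd.so

# Connection pool for mod_authn_dbd (placeholder credentials; keep the
# real ones out of world-readable config and give the DB user SELECT only).
DBDriver  mysql
DBDParams "host=127.0.0.1,dbname=webauth,user=httpd_ro,pass=changeme"
DBDMin    1
DBDMax    4

<Location /intranet>
    AuthType Basic
    AuthName "Intranet"

    # Provider order matters. mod_auth_basic asks each provider in turn and
    # moves on ONLY when the provider says "user not found". A user that
    # exists in AD but supplies a wrong password is rejected outright and
    # never falls through to the database, which is the behaviour observed
    # above with the flat file.
    AuthBasicProvider ldap dbd

    # Global catalog port 3268 (3269 for ldaps://) instead of 389, so a
    # forest-wide lookup answers directly rather than handing out referrals.
    # sAMAccountName is the AD logon name users will type into the browser.
    AuthLDAPURL "ldap://dc.example.corp:3268/DC=example,DC=corp?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN       "CN=svc-httpd,OU=Service Accounts,DC=example,DC=corp"
    AuthLDAPBindPassword "changeme"

    # Let a user that the dbd provider authenticated pass the authorization
    # step even though mod_authnz_ldap cannot find them in AD.
    AuthzLDAPAuthoritative off

    # One string parameter (the username), one returned column: the password
    # in a format htpasswd produces (crypt, {SHA}, or MD5 APR1), never plaintext.
    AuthDBDUserPWQuery "SELECT passwd FROM users WHERE username = %s"

    Require valid-user
</Location>
```

To confirm the port choice before touching httpd, run the same base DN search from the web server with `ldapsearch` against port 389 and against port 3268 with the bind account: on 389 a forest with multiple domains typically returns `ref:` search references alongside the entries, while the global catalog returns only entries. Also note that in this setup an account that is disabled in AD but still present there will be refused at the LDAP step and never reach the database, so the database should hold only identities that do not exist in AD at all.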
