Re: Confused about LDAP authentication with Active Directory

Eric Covener <covener <at> gmail.com> writes:

>>[Fri Feb 27 13:16:30 2009] [warn] [client 192.168.186.32] [2890] auth_ldap
>>authenticate: user eda authentication failed; URI
>>/cgi-bin/test_auth/index.html
>>[ldap_search_ext_s() for user failed][Operations error]

>If it made it out onto the wire, wireshark breaks down the protocol pretty
>well.

Thanks for the suggestion.  I logged it with tethereal and got the following:

192.168.186.41 -> 192.168.186.8 DNS Standard query A wcl-dc1.wcl.local
192.168.186.8 -> 192.168.186.41 DNS Standard query response A 192.168.186.8
192.168.186.41 -> 192.168.186.8 TCP 35969 > ldap
  [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=604241179 TSER=0 WS=6
192.168.186.8 -> 192.168.186.41 TCP ldap > 35969
  [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
192.168.186.41 -> 192.168.186.8 TCP 35969 > ldap
  [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=604241179 TSER=0
192.168.186.41 -> 192.168.186.8 LDAP bindRequest(1) "<ROOT>" simple
192.168.186.8 -> 192.168.186.41 LDAP bindResponse(1) success
192.168.186.41 -> 192.168.186.8 TCP 35969 > ldap
  [ACK] Seq=15 Ack=23 Win=5888 Len=0 TSV=604241179 TSER=30684923
192.168.186.41 -> 192.168.186.8 LDAP searchRequest(2)
  "cn=users,dc=wcl,dc=local" wholeSubtree
192.168.186.8 -> 192.168.186.41 LDAP searchResDone(2) operationsError
  (00000000: LdapErr: DSID-0C090627, comment: In order to perform this
  operation a successful bind must be completed on the connection.,
  data 0, vece)
192.168.186.41 -> 192.168.186.32 HTTP HTTP/1.1 500 Internal Server Error
  (text/html)

My httpd.conf has

    <Location "/test_auth">
      AuthType Basic
      AuthName "Secure Area"
      AuthBasicProvider ldap
      AuthLDAPBindDN "WCL\\tradingsystems"
      AuthLDAPBindPassword xxx
      AuthzLDAPAuthoritative   Off
      AuthLDAPURL \
"ldap://wcl-dc1:389/ou=WCL Users,ou=WCL Logins,dc=wcl,dc=local\
?sAMAccountName?sub"
      Require valid-user
    </Location>

So I can see that it's making an LDAP connection to host wcl-dc1 as specified. 
One thing that mystifies me is the search it's running:
"cn=users,dc=wcl,dc=local".  That doesn't match the AuthLDAPURL specified in my
configuration, although it has picked up the string 'wcl' from somewhere.

Also it seems that the initial bind to the Directory server failed (or never
happened), since the server responds 'a successful bind must be completed'.  The
AuthLDAPBindDN and AuthLDAPBindPassword I put in the file do work if I use
Perl's Net::LDAP library to connect, but seemingly not here.  If I deliberately
put a wrong password in the config file then the error message is no different.

-- 
Ed Avis <eda@xxxxxxxxxxxxx>
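As an added triage aid (not code from the post, from Apache httpd or from mod_authnz_ldap), the following Python script parses the AuthLDAPURL above the way mod_authnz_ldap reads an RFC 2255 URL (host, port, base DN, attribute, scope) and then walks the LDAP lines of the capture, reporting the anonymous bind and the search base that does not match the configured one. The capture lines are constructed from the tethereal summary above with the wrapped searchRequest joined onto one line, and the URL is assumed to be what httpd sees after its backslash line continuation.

```python
import re
from urllib.parse import unquote

# Constructed sample: the AuthLDAPURL from the httpd.conf above, joined as
# httpd would after the backslash line continuation (assumption).
AUTH_LDAP_URL = ("ldap://wcl-dc1:389/ou=WCL Users,ou=WCL Logins,dc=wcl,dc=local"
                 "?sAMAccountName?sub")

# Constructed sample: the LDAP lines of the tethereal summary, one per line.
CAPTURE = """\
192.168.186.41 -> 192.168.186.8 LDAP bindRequest(1) "<ROOT>" simple
192.168.186.8 -> 192.168.186.41 LDAP bindResponse(1) success
192.168.186.41 -> 192.168.186.8 LDAP searchRequest(2) "cn=users,dc=wcl,dc=local" wholeSubtree
192.168.186.8 -> 192.168.186.41 LDAP searchResDone(2) operationsError
"""

def parse_auth_ldap_url(url):
    """Split an RFC 2255 LDAP URL into the parts mod_authnz_ldap uses.
    Defaults follow the AuthLDAPURL documentation: port 389, attribute uid, scope sub."""
    m = re.match(r'^ldaps?://([^/:]+)(?::(\d+))?/([^?]*)(?:\?([^?]*))?(?:\?([^?]*))?', url)
    if not m:
        raise ValueError("not an LDAP URL: " + url)
    host, port, base, attr, scope = m.groups()
    return {"host": host, "port": int(port) if port else 389,
            "base": unquote(base), "attr": attr or "uid", "scope": scope or "sub"}

def norm_dn(dn):
    """Case-insensitive, whitespace-tolerant DN comparison form (good enough for triage)."""
    return ",".join(part.strip().lower() for part in (dn or "").split(","))

LDAP_LINE = re.compile(r'LDAP (\w+)\((\d+)\)\s*(?:"([^"]*)")?\s*(.*)$')

def triage(capture, url):
    """Return findings: anonymous binds, base-DN mismatches, and failed searches."""
    cfg = parse_auth_ldap_url(url)
    findings, bound_as = [], None
    for line in capture.splitlines():
        m = LDAP_LINE.search(line)
        if not m:
            continue  # TCP/DNS/HTTP lines are not of interest here
        op, msgid, dn, rest = m.groups()
        if op == "bindRequest":
            bound_as = dn
            if dn in ("<ROOT>", "", None):  # empty bind DN: the connection is unauthenticated
                findings.append("anonymous bind (msg %s); configured bind DN was not sent" % msgid)
        elif op == "searchRequest" and norm_dn(dn) != norm_dn(cfg["base"]):
            findings.append("search base %r differs from AuthLDAPURL base %r" % (dn, cfg["base"]))
        elif op == "searchResDone" and "operationsError" in rest:
            findings.append("search %s failed with operationsError after bind as %r" % (msgid, bound_as))
    return findings

if __name__ == "__main__":
    for f in triage(CAPTURE, AUTH_LDAP_URL):
        print(f)
```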

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.