This is a discussion on mod_authnz_ldap not working! Help! within the Apache Web Server forums, part of the Web Server and Related Forums category.
I cannot get LDAP authorization working for the life of me. I'm using the .htaccess file to define the LDAP parameters. The Basic Authentication window appears, but I cannot get it to accept any username/password. The LDAP server is an MS Active Directory server, hence the sAMAccountName as the attribute in question. Here's the .htaccess file:

======== begin .htaccess =======
AuthName "Restricted"
AuthType Basic
AuthLDAPBindDN "cn=linux_bind,dc=domain,dc=com"
AuthLDAPBindPassword "secret"
AuthLDAPURL ldap://10.0.5.5:389/dc=domain,dc=com?sAMAccountName
require valid-user
======== end .htaccess =======

Note that my Linux machine authenticates off this LDAP server, and the following ldapsearch command works:

ldapsearch -x -b "dc=domain,dc=com" -D "cn=linux_bind,cn=Users, dc=domain,dc=com" -w "secret" sAMAccountName=username

Any suggestions?! This is driving me crazy! I don't even see that there's any way to debug the mod_authnz_ldap module...

Thanks,
-Jeff
Ah ha - I found one more problem, as indicated by the Apache docs:

When using mod_auth_basic, this module is invoked via the AuthBasicProvider directive with the ldap value.

So I need to add:

AuthBasicProvider ldap

It still doesn't work, but I'm one step closer...
> Ah ha - I found one more problem, as indicated by the Apache docs:
>
> When using mod_auth_basic, this module is invoked via the
> AuthBasicProvider directive with the ldap value. So I need to add:
>
> AuthBasicProvider ldap
>
> It still doesn't work, but I'm one step closer...

What does your error_log tell you? (If nothing, change your LogLevel directive to "debug".)

Rgds,
Kenneth Svee
Kenneth Svee wrote:
> What does your error_log tell you?
>
> (If nothing, change your Loglevel-directive to "debug").

Thanks for the tip Kenneth - I increased the error log verbosity, but unfortunately there is only 1 (non-useful) debug message from mod_authnz_ldap, aside from the warn and error messages already produced:

[Mon Nov 20 11:39:24 2006] [debug] mod_authnz_ldap.c(373): [client 127.0.0.1] [6067] auth_ldap authenticate: using URL ldap://10.0.5.5/DC=domain,DC=com?sAMAccountName?sub?(objectClass=* )
[Mon Nov 20 11:39:24 2006] [warn] [client 127.0.0.1] [6067] auth_ldap authenticate: user jward authentication failed; URI /ldap_auth_tst/ [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
[Mon Nov 20 11:39:24 2006] [error] [client 127.0.0.1] user jward: authentication failure for "/ldap_auth_tst/": Password Mismatch

I assume this means my linux_bind user is not binding, because I can purposely invalidate his password, and I get the same error messages... Should the password not contain special characters (like a period)?
> Kenneth Svee wrote:
>
>> What does your error_log tell you?
>>
>> (If nothing, change your Loglevel-directive to "debug").
>
> Thanks for the tip Kenneth - I increased the error log verbosity,
> but unfortunately there is only 1 (nonuseful) debug message from
> mod_authnz_ldap, aside from the warn and error messages already
> produced:
>
> [Mon Nov 20 11:39:24 2006] [debug] mod_authnz_ldap.c(373): [client
> 127.0.0.1] [6067] auth_ldap authenticate: using URL
> ldap://10.0.5.5/DC=domain,DC=com?sAMAccountName?sub?(objectClass=* )
> [Mon Nov 20 11:39:24 2006] [warn] [client 127.0.0.1] [6067] auth_ldap
> authenticate: user jward authentication failed; URI /ldap_auth_tst/
> [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
> [Mon Nov 20 11:39:24 2006] [error] [client 127.0.0.1] user jward:
> authentication failure for "/ldap_auth_tst/": Password Mismatch

These are important:

[LDAP: ldap_simple_bind_s() failed][Invalid credentials]

and

user jward: authentication failure for "/ldap_auth_tst/": Password Mismatch

The LDAP bind fails, seemingly because of the wrong password.

> I assume this is meaning my linux_bind user is not binding, because
> I can purposely invalidate his password, and I get the same error
> messages... Should the password not contain special characters (like
> a period)?

The LDAP modules use the functions from the LDAP libraries they are compiled against. If you've installed OpenLDAP, you should have 'ldapsearch' (default on my RHEL box is /usr/bin/ldapsearch) available. Try doing the bind with the same user using ldapsearch.

Also: make sure you are allowed to do binds to your LDAP server over a non-encrypted interface. If the LDAP server requires TLS/SSL, make sure you update your mod_ldap/mod_authnz_ldap config accordingly.

Rgds,
Kenneth Svee
I found it. Thanks for your help, Kenneth.

If you look at my post above, I had forgotten the 'cn=Users' in both my AuthLDAPBindDN and AuthLDAPURL directives. The final .htaccess file reads:

==============================================
AuthName "Restricted"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthLDAPBindDN "cn=linux_bind,cn=Users,dc=domain,dc=com"
AuthLDAPBindPassword "secret"
AuthLDAPURL ldap://server/cn=Users,dc=domain,dc=com?sAMAccountName
require valid-user
==============================================
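Kenneth's advice was to reproduce the bind with ldapsearch, and the fix turned out to be a bind DN that did not match the one ldapsearch had been using all along. The script below is an added example, not part of this thread and not Apache's own code: it takes the first .htaccess from the thread as constructed input, applies the defaults mod_authnz_ldap documents for omitted AuthLDAPURL fields (attribute uid, scope sub, filter (objectClass=*), the same expansion that appears in the debug log line), builds the filter the module sends, prints the two ldapsearch commands that reproduce the module's service-account search and the user's own bind, and compares AuthLDAPBindDN against the DN that worked in ldapsearch. It contacts no LDAP server. The function names, the finding texts and the "clear text over ldap://" check are mine; LDAPTrustedMode is a mod_ldap directive, and `-y FILE` is ldapsearch's option for reading the bind password from a file instead of the command line.

```python
"""Added example (not from the thread): rebuild mod_authnz_ldap's lookup offline for the
.htaccess posted above, apply the module's defaults for omitted AuthLDAPURL fields, emit
the equivalent ldapsearch commands, and flag the bind-DN mismatch that caused the
"Invalid credentials" error."""
import re
import shlex

# Constructed sample input: the first .htaccess from the thread and the bind DN that
# worked with ldapsearch (what Kenneth suggests comparing against).
BROKEN_HTACCESS = """\
AuthName "Restricted"
AuthType Basic
AuthLDAPBindDN "cn=linux_bind,dc=domain,dc=com"
AuthLDAPBindPassword "secret"
AuthLDAPURL ldap://10.0.5.5:389/dc=domain,dc=com?sAMAccountName
require valid-user
"""
WORKING_LDAPSEARCH_BIND_DN = "cn=linux_bind,cn=Users, dc=domain,dc=com"

def parse_directives(text):
    """Lower-cased directive name -> argument list; a repeated directive keeps the last."""
    directives = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#"):
            name, *args = shlex.split(line)
            directives[name.lower()] = args
    return directives

def parse_auth_ldap_url(url):
    """Split ldap[s]://host[:port]/basedn?attribute?scope?filter; omitted fields take the
    module's defaults (uid, sub, (objectClass=*)), as the debug log line above shows."""
    scheme, _, rest = url.partition("://")
    if scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("unsupported AuthLDAPURL scheme: %r" % scheme)
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    basedn, attribute, scope, filt = (tail.split("?") + [""] * 3)[:4]
    return {"scheme": scheme.lower(), "host": host,
            "port": int(port) if port else (636 if scheme.lower() == "ldaps" else 389),
            "basedn": basedn, "attribute": attribute or "uid",
            "scope": (scope or "sub").lower(), "filter": filt or "(objectClass=*)"}

def escape_filter_value(value):
    """RFC 4515 escaping for a value inside a filter, so a login such as
    'admin)(objectClass=*' cannot rewrite the search (LDAP filter injection)."""
    return "".join(ch if ch not in "*()\\\0" and ord(ch) < 0x80
                   else "".join("\\%02x" % b for b in ch.encode("utf-8")) for ch in value)

def module_search_filter(url_fields, username):
    """The filter the module sends: URL filter AND-ed with attribute=username."""
    return "(&%s(%s=%s))" % (url_fields["filter"], url_fields["attribute"],
                              escape_filter_value(username))

def normalize_dn(dn):
    """Comparable form of a DN: no space around unescaped RDN separators, lower case
    (cn and dc use case-insensitive matching in AD). Escaped commas are left alone."""
    rdns = [r.strip().partition("=") for r in re.split(r"(?<!\\),", dn)]
    return ",".join("%s=%s" % (a.strip().lower(), v.strip().lower()) for a, _, v in rdns)

def ldapsearch_commands(directives, username):
    """Commands reproducing the module's two steps: (1) bind as the service account and
    search for the user; (2) bind as the DN found in (1) with the user's own password,
    which is the step that actually checks the credentials."""
    url = parse_auth_ldap_url(directives["authldapurl"][0])
    uri = shlex.quote("%s://%s:%d" % (url["scheme"], url["host"], url["port"]))
    search = " ".join(["ldapsearch -x -H", uri,
                       "-D", shlex.quote(directives["authldapbinddn"][0]),
                       "-w", shlex.quote(directives["authldapbindpassword"][0]),  # or -y FILE
                       "-b", shlex.quote(url["basedn"]), "-s", url["scope"],
                       shlex.quote(module_search_filter(url, username)), "dn"])
    user_bind = ("ldapsearch -x -H %s -D '<dn from step 1>' -W -b '<dn from step 1>' "
                 "-s base '(objectClass=*)' dn" % uri)
    return search, user_bind

def check_config(text, working_bind_dn):
    """Findings a practitioner wants before pointing Apache at AD (wording is mine)."""
    d = parse_directives(text)
    url = parse_auth_ldap_url(d["authldapurl"][0])
    bind_dn = d.get("authldapbinddn", [""])[0]
    findings = []
    if "ldap" not in [p.lower() for p in d.get("authbasicprovider", [])]:
        findings.append("AuthBasicProvider ldap missing: mod_auth_basic never calls mod_authnz_ldap")
    if normalize_dn(bind_dn) != normalize_dn(working_bind_dn):
        findings.append("AuthLDAPBindDN %r differs from the DN that worked with ldapsearch, %r"
                        % (bind_dn, working_bind_dn))
    if url["scheme"] == "ldap" and "authldapbindpassword" in d:
        findings.append("passwords cross the network in clear text over ldap://; "
                        "use ldaps:// or STARTTLS (LDAPTrustedMode TLS)")
    return findings

if __name__ == "__main__":
    for finding in check_config(BROKEN_HTACCESS, WORKING_LDAPSEARCH_BIND_DN):
        print("finding:", finding)
    print(*ldapsearch_commands(parse_directives(BROKEN_HTACCESS), "jward"), sep="\n")
```

Run as-is it reports three findings for the first .htaccess (no AuthBasicProvider, the bind DN without cn=Users, and a clear-text ldap:// bind); fed the final .htaccess only the clear-text warning remains. An "Invalid credentials" from the step 1 command means the service-account DN or its password is wrong before any user is involved, which is exactly what happened here; only once step 1 returns a DN does step 2, the bind with the browser-supplied password, tell you anything about the user. Keep in mind that AuthLDAPBindPassword sits in plain text in the .htaccess, so the file's own permissions and the account's privileges on the directory matter as much as the URL scheme.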