httpd-users mailing list archives

From Josh Burley <jbur...@kuci.org>
Subject Re: [users@httpd] OpenLDAP to Active Directory Authentication
Date Tue, 03 May 2005 15:56:19 GMT
Solution #1 is not an option for us (or so says our AD admin), but 
solution #2 might be. How did you disable the referral chasing? We are, 
in fact, using an Active Directory for authentication, sorry if I wasn't 
clear about that.

I guess I'm still a bit confused about how this works, as well... my 
understanding is that the binding itself is done with the bind DN and 
password, which includes the container. And then a search is done off of 
the AuthLDAPURL. Did you just mean the search results, rather than the 
bind, or am I getting my terminology confused?

Thanks for the info,
.josh

John wrote:

>Hi,
>
>I experienced the same problem as the one described here, and it turned
>out to be the LDAP referrals being sent by Active Directory.
>
>If you bind to cn=Users,dc=ad,dc=company,dc=com, then you are binding to
>a container within Active Directory, and everything works fine.
>
>However, if you bind to the root of your domain, i.e. just
>dc=ad,dc=company,dc=com, then Active Directory, in addition to the
>search results you expected, will also return referrals to the other
>directory partitions.
>
>It seems that the referrals that Active Directory returns are causing
>the authentication to be rejected.
>
>There are two possible solutions that I know of:
>
>1. Create an organisational unit called something like "All Users" and
>make sure all your user accounts are inside this container - that way
>you can use ou=all users,dc=ad,dc=company,dc=com as your LDAP path.
>
>2. Disabling referral chasing got the Netscape LDAP SDK to bind to the
>root of an Active Directory domain - no idea if the same will be true of
>OpenLDAP.
>
>Hope this information helps someone.
>
>Regards,
>
>John
>
>>-----Original Message-----
>>From: James Massara
>>Sent: Wednesday, December 22, 2004 10:45 AM
>>To: 'users@httpd.apache.org'
>>Subject: RE: [users@httpd] OpenLDAP to Active Directory Authentication
>>
>>The search works fine from the Windows ldp tool.  It also works fine
>>from the OpenLDAP ldapsearch tool:
>>
>>ldapsearch -h ad.company.com -D
>>'cn=jmassara,ou=users,dc=ad,dc=company,dc=com' -b
>>'DC=ad,DC=company,DC=com' -x -W
>>"(&(objectClass=user)(!(objectClass=computer)))" sAMAccountName
>>
>>Details of my setup:
>>
>>Operating System: Gentoo Linux (kernel v2.6.8), OpenLDAP v2.1.30, Apache
>>HTTPD v2.0.52 using the bundled mod_auth_ldap
>>
>>My .htaccess file settings are:
>>
>>AuthName "DI Admin Platform"
>>AuthType Basic
>>AuthLDAPURL ldap://ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))
>>AuthLDAPBindDN cn=jmassara,ou=users,ou=city,dc=ad,dc=company,dc=com
>>AuthLDAPBindPassword mypasswd
>>
>>Using this setup generates the following error:
>>
>>[Wed Dec 22 12:15:46 2004] [warn] [client 10.201.255.254] [1400968]
>>auth_ldap authenticate: user testuser authentication failed; URI
>>/aptest/
>>[ldap_search_ext_s() for user failed][Operations error]
>>ldap_search_ext_s: Operations error (1)
>>        additional info: 00000000: LdapErr: DSID-0C0905FF,
>>comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
>>
>>However, if I change the AuthLDAPURL to this:
>>
>>AuthLDAPURL ldap://ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))
>>
>>It works just fine.  This solution doesn't work for me, though,
>>because the MIS team is moving users out of cn=users and into
>>ou=users,ou=city_of_office.  And I can't specify multiple AuthLDAPURL
>>variables to search the possible cities where users might reside.
>>
>>The part I don't understand is why it complains about binding to the
>>ADS _unless_ I specify cn=users in the AuthLDAPURL variable.
>>
>>Thank you for the continued help, very much appreciated.
>>James
>>
>>>-----Original Message-----
>>>From: Ralf Glauberman [mailto:rglauberman@michaeli-gymnasium.de]
>>>Sent: Wednesday, December 22, 2004 9:18 AM
>>>To: users@httpd.apache.org
>>>Subject: Re: [users@httpd] OpenLDAP to Active Directory Authentication
>>>
>>>perhaps you want to try the following:
>>>go to a windows box in the domain of the ad. there is a tool called
>>>ldp.exe in the windows 2k resource kit, use this to connect to the
>>>ad via ldap. bind to the ad, then you can search in the ad just as
>>>apache would do. if you continue to have problems, perhaps you could
>>>send a detailed description about your setup.
>>>ralf
>>>
>>>----- Original Message -----
>>>From: "James Massara" <james.massara@digitalinsight.com>
>>>To: <users@httpd.apache.org>
>>>Sent: Tuesday, December 21, 2004 8:57 PM
>>>Subject: RE: [users@httpd] OpenLDAP to Active Directory Authentication
>>>
>>>>The bind works when I do:
>>>>
>>>>AuthLDAPURL ldap://corp.ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClass=user)
>>>>
>>>>But not when I do:
>>>>
>>>>AuthLDAPURL ldap://corp.ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClass=user)
>>>>
>>>>That's why the following error seems misleading:
>>>>
>>>>[Wed Dec 15 11:18:10 2004] [error] [client 127.0.0.1]
>>>>[mod_auth_ldap.c] -
>>>>Error: Operations error
>>>>ldap_search_s: Operations error (1)
>>>>       additional info: 00000000: LdapErr: DSID-0C0905FF,
>>>>comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
>>>>
>>>>I would try what you suggested but I don't see how I can bind as
>>>>user@company.com with the module.
>>>>
>>>>>-----Original Message-----
>>>>>From: Covington, Chris [mailto:ccovington@plusone.com]
>>>>>Sent: Tuesday, December 21, 2004 11:40 AM
>>>>>To: users@httpd.apache.org
>>>>>Subject: Re: [users@httpd] OpenLDAP to Active Directory Authentication
>>>>>
>>>>>>Has anyone experienced/fixed the problem described below?
>>>>>
>>>>>I haven't had direct experience with Apache/LDAP but have you tried
>>>>>binding with the UPN login?  IE user@company.com?  (or
>>>>>user\@company.com)
>>>>>
>>>>>Chris
>>>>>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
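The shape John's solution #2 takes in a current httpd, as an added example that is not part of this thread: search from the domain root so users in any ou=users,ou=&lt;city&gt; container are found, but tell mod_ldap not to chase the referrals Active Directory returns for its other partitions. The directive names are from the httpd 2.4 mod_ldap and mod_authnz_ldap documentation (LDAPReferrals, AuthBasicProvider, the exec: form of AuthLDAPBindPassword), not from the 2.0.52 mod_auth_ldap James was running; the hostname, DNs, service-account name and script path are placeholders modelled on the ones in the thread.

```apache
# Added example for httpd 2.4 (mod_ldap + mod_authnz_ldap). Hostname, DNs,
# service account and script path are placeholders, not a real deployment.

# A subtree search from the domain root makes AD return referrals to its
# other partitions alongside the search results. The error in the thread
# ("a successful bind must be completed on the connection") is AD rejecting
# the follow-up search on a referred connection that was never bound with
# the AuthLDAPBindDN credentials. Not chasing the referrals avoids that.
LDAPReferrals Off

<Location "/aptest/">
    AuthName "DI Admin Platform"
    AuthType Basic
    AuthBasicProvider ldap

    # Base DN at the domain root, so a move from cn=users to
    # ou=users,ou=<city> needs no config change. Filter as in the thread.
    AuthLDAPURL "ldap://ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))"

    # Dedicated low-privilege search account; the user's own password is
    # verified by the second bind mod_authnz_ldap performs as the found DN.
    AuthLDAPBindDN "cn=svc-httpd-ldap,ou=service accounts,dc=ad,dc=company,dc=com"
    # Keep the password out of the config file: httpd 2.4.5+ can run a
    # program (placeholder path) that prints it on stdout.
    AuthLDAPBindPassword "exec:/etc/httpd/ldap-bind-password.sh"

    Require valid-user
</Location>
```

Before changing httpd, the same failure mode can be reproduced with the ldapsearch command James posted: with referral chasing on, a search at the domain root produces the referral-related error, and with it off it returns only the matched user entries. If the attributes you need are in the global catalog, searching the GC port (3268) is another way to query the whole forest without partition referrals, but that is a separate choice from the referral setting shown here.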

