httpd-users mailing list archives

From "Rodney Ramos" <rodne...@gmail.com>
Subject Re: [users@httpd] mod_authnz_ldap module and Microsoft AD LDAP Server
Date Tue, 21 Oct 2008 17:58:00 GMT
Hi, Eric. Thank you for your answers.
I've tried to do what you said, setting the directive AuthBasicProvider as
below:

AuthBasicProvider ldap file

But the problem is the same. Apache doesn't check the flat file, as you can
see in the log below:
=================================================================
[Tue Oct 21 15:49:38 2008] [debug] mod_authnz_ldap.c(849): [5053] auth_ldap
url parse: `ldap://ldapserver:3268/dc=domain,dc=com?cn'
[Tue Oct 21 15:49:38 2008] [debug] mod_authnz_ldap.c(858): [5053] auth_ldap
url parse: Host: ldapserver:3268
[Tue Oct 21 15:49:38 2008] [debug] mod_authnz_ldap.c(860): [5053] auth_ldap
url parse: Port: 3268
[Tue Oct 21 15:49:38 2008] [debug] mod_authnz_ldap.c(862): [5053] auth_ldap
url parse: DN: dc=domain,dc=com
[Tue Oct 21 15:49:38 2008] [debug] mod_authnz_ldap.c(864): [5053] auth_ldap
url parse: attrib: cn
[Tue Oct 21 15:49:38 2008] [debug] mod_authnz_ldap.c(866): [5053] auth_ldap
url parse: scope: base
[Tue Oct 21 15:49:38 2008] [debug] mod_authnz_ldap.c(871): [5053] auth_ldap
url parse: filter: (null)
[Tue Oct 21 15:49:38 2008] [debug] mod_authnz_ldap.c(951): LDAP: auth_ldap
not using SSL connections
[Tue Oct 21 15:49:38 2008] [debug] mod_authnz_ldap.c(373): [client
10.10.10.10] [5053] auth_ldap authenticate: using URL
ldap://ldapserver:3268/dc=domain,dc=com?cn, referer: http://webserver
[Tue Oct 21 15:49:38 2008] [warn] [client 10.10.10.10] [5053] auth_ldap
authenticate: user admin authentication failed; URI /std/cgi-bin/login.cgi
[ldap_simple_bind_s() to check user credentials failed][Invalid
credentials], referer: http://webserver
[Tue Oct 21 15:49:38 2008] [error] [client 10.10.10.10] user admin:
authentication failure for "/std/cgi-bin/login.cgi": Password Mismatch,
referer: http://webserver
=================================================================

I've forgotten to send the Apache version:

Installed Packages
Name   : httpd
Arch   : i386
Version: 2.2.3
Release: 11.el5_1.3
Size   : 2.8 M
Repo   : installed
Summary: Apache HTTP Server

It is installed in a Red Hat Linux Server release 5.2.

Thank you again.
Rodney.

On Tue, Oct 21, 2008 at 3:27 PM, Eric Covener <covener@gmail.com> wrote:

> On Tue, Oct 21, 2008 at 12:59 PM, Rodney Ramos <rodneyra@gmail.com> wrote:
> > I'm trying to use the mod_authnz_ldap module to authenticate the users in a
> > Microsoft AD LDAP Server, but I'm having a lot of problems.
> >
> > The only configuration that worked was:
> >
> > AuthName "XXXX"
> > AuthType Basic
> > AuthBasicProvider ldap
> > AuthLDAPUrl "ldap://ldapserver:3268/dc=domain,dc=com?cn"
> > AuthLDAPBindDN "ldap_bind_user"
> > AuthLDAPBindPassword "ldap_bind_psw"
> > AuthzLDAPAuthoritative off
> > Require valid-user
> >
> > Questions:
> >
> > 1) Why should we use the port 3268 instead of the default one, 389?
>
> On port 389, MSAD might send you on a lengthy wild goose-chase of LDAP
> referrals.
>
> >
> > 2) Why must we set the AuthzLDAPAuthoritative directive to off?
>
> you don't need it for 2.2.6 and later
>
> >
> > The second problem occurred when I tried to make Apache authenticate the
> > users first in an LDAP server and after, if it doesn't find the user there,
> > in a flat file. So I added the following line, before the "Require valid-user"
> > line:
> >
> > AuthUserFile /tmp/htpasswd.txt
> >
> > The problem is that Apache doesn't try to use the flat file to authenticate
> > the users. It only uses the LDAP authenticate module, even though the
> > directive AuthzLDAPAuthoritative is set to off.
>
> You need to tell basic auth to look there:
>
> AuthBasicProvider ldap file
>
>
>
>
> --
> Eric Covener
> covener@gmail.com
>
>
>
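
Added example, not part of the thread and not Apache project code: a Python triage of `auth_ldap` failure lines like the one in the log above. It assumes mod_auth_basic's rule that the next `AuthBasicProvider` is consulted only when the current one reports the user as not found, so a rejected LDAP password ends the chain; the `localonly` entry and the function names are constructed for illustration.

```python
import re

# Constructed sample. Line 1 is the auth_ldap warning from the log in the
# message above with the mail client's line wraps rejoined; line 2 is a
# constructed entry for a user that exists only in the flat file (its
# "[User not found][No such object]" text is an assumption about the format).
SAMPLE_LOG = (
    "[Tue Oct 21 15:49:38 2008] [warn] [client 10.10.10.10] [5053] auth_ldap "
    "authenticate: user admin authentication failed; URI /std/cgi-bin/login.cgi "
    "[ldap_simple_bind_s() to check user credentials failed][Invalid "
    "credentials], referer: http://webserver\n"
    "[Tue Oct 21 15:50:02 2008] [warn] [client 10.10.10.10] [5053] auth_ldap "
    "authenticate: user localonly authentication failed; URI "
    "/std/cgi-bin/login.cgi [User not found][No such object], "
    "referer: http://webserver\n"
)

LDAP_FAIL = re.compile(
    r"auth_ldap authenticate: user (?P<user>\S+) authentication failed; "
    r"URI (?P<uri>\S+) \[(?P<reason>[^\]]*)\]\[(?P<ldap_err>[^\]]*)\]"
)

def classify(line):
    """Return (user, ldap_err, falls_through) for an auth_ldap failure, else None."""
    m = LDAP_FAIL.search(line)
    if m is None:
        return None
    # Only "user not found" hands the request to the next provider (here: file).
    # "Invalid credentials" means the entry was found and the bind was rejected,
    # so the flat file is never read for that user.
    falls_through = m.group("ldap_err") == "No such object"
    return m.group("user"), m.group("ldap_err"), falls_through

def triage(log_text):
    """Classify every auth_ldap failure line in a block of error_log text."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for user, ldap_err, falls_through in triage(SAMPLE_LOG):
        verdict = "next provider is tried" if falls_through else "provider chain stops"
        print(f"{user}: LDAP said {ldap_err!r} -> {verdict}")
```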
