[Auth_ldap] Authentication lock out when one user fails to authenticate

Villanueva, Antonio Antonio.Villanueva at goodrich.com
Mon Aug 21 11:12:22 PDT 2006


We are using apache (2.0.55) and authenticating to Active Directory.
Here is a sample of our configuration:

<Location /"some location">
  AuthName "Windchill"
  AuthType Basic
  # Search base, attribute matched against the supplied username, and scope
  AuthLDAPURL ldap://<host>/OU=<node2>,DC=<node1>,DC=root,DC=local?sAMAccountName?sub
  # Service account used for the search before the user's own bind
  AuthLDAPBindDN ldauser@us.com
  AuthLDAPBindPassword xxxxxxx
  AuthLDAPGroupAttributeIsDN on
  require valid-user
</Location>

 

Excuse me if I hide the actual data.  We have two issues.

1.	It appears that recently, if a user fails to login (botches
their password) many times over, their account is locked after 3 bad
password attempts in Active Directory (that's a good thing).  But what
happens on the apache side is that all users then fail to
authenticate to Active Directory.  So one user fails, everyone is kicked
off the web app.  Restarting apache resolves the issue.  What is going on
here?  The behavior is such that you are given one attempt with an
immediate rejection.  Log looks like this:

[Mon Aug 21 12:56:05 2006] [error] [client <IP ADDRESS>] LDAP search for (&(objectclass=*)(sAMAccountName=offendingusername)) failed: LDAP error:Operations error; URI /"some location"

2.	The second issue is larger.  We have an issue when we change the
LDAP URL to start searching at Node1 above: we get an error with an
immediate rejection (no three tries).  If we drop down to search below
Node2, all is well.  The problem is that we have users in a parallel
node to Node2 that we want in as well.  What could cause the LDAP
module to fail when searching the entire tree?  What should I be looking
for in Active Directory that could cause errors in searching?
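
The error_log line quoted in issue 1 has a regular shape, so the symptom described there (search failures for one account followed, within minutes, by the same failure for unrelated accounts) can be watched for before users start reporting it. The script below is an added example, not code from the post or from auth_ldap; it parses Apache 2.0-style error_log lines, counts "Operations error" search failures per sAMAccountName, and flags a window in which several distinct accounts hit the error. The sample log lines, the user names (jsmith, mlee, rkhan), the client addresses and the /windchill URI are constructed for the example. It detects the symptom only; it says nothing about the cause, and the restart the post mentions is still what clears the condition.

```python
import re
from collections import Counter
from datetime import datetime

# Apache 2.0 error_log line for a failed auth_ldap search, in the shape quoted
# in the post. The search filter and the URI are captured so the
# sAMAccountName can be pulled out of the filter.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"LDAP search for \((?P<filter>.*)\) failed: "
    r"LDAP error:(?P<error>[^;]+); URI (?P<uri>.*)$"
)
SAM_RE = re.compile(r"\(sAMAccountName=(?P<user>[^)]+)\)")
TS_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed sample log (not taken from the original post): one account
# (jsmith) fails three times, then unrelated accounts fail the same way.
SAMPLE_LOG = [
    "[Mon Aug 21 12:56:05 2006] [error] [client 10.0.0.5] LDAP search for "
    "(&(objectclass=*)(sAMAccountName=jsmith)) failed: LDAP error:Operations error; URI /windchill",
    "[Mon Aug 21 12:56:11 2006] [error] [client 10.0.0.5] LDAP search for "
    "(&(objectclass=*)(sAMAccountName=jsmith)) failed: LDAP error:Operations error; URI /windchill",
    "[Mon Aug 21 12:56:20 2006] [error] [client 10.0.0.5] LDAP search for "
    "(&(objectclass=*)(sAMAccountName=jsmith)) failed: LDAP error:Operations error; URI /windchill",
    "[Mon Aug 21 12:57:30 2006] [error] [client 10.0.0.7] LDAP search for "
    "(&(objectclass=*)(sAMAccountName=mlee)) failed: LDAP error:Operations error; URI /windchill",
    "[Mon Aug 21 12:58:02 2006] [error] [client 10.0.0.8] LDAP search for "
    "(&(objectclass=*)(sAMAccountName=rkhan)) failed: LDAP error:Operations error; URI /windchill",
    "[Mon Aug 21 13:05:00 2006] [error] [client 10.0.0.9] File does not exist: /var/www/html/favicon.ico",
]


def parse_line(line):
    """Parse one error_log line. Returns a dict for an auth_ldap search
    failure, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sam = SAM_RE.search(m["filter"])
    return {
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "client": m["client"],
        "user": sam["user"] if sam else None,
        "error": m["error"].strip(),
        "uri": m["uri"],
    }


def parse_lines(lines):
    """All auth_ldap search-failure events in the given lines, other lines skipped."""
    return [e for e in map(parse_line, lines) if e]


def failures_by_user(lines, error="Operations error"):
    """Count failed searches per sAMAccountName for one LDAP error string."""
    return Counter(
        e["user"] for e in parse_lines(lines) if e["error"] == error and e["user"]
    )


def detect_cascade(lines, window_seconds=300, min_users=3, error="Operations error"):
    """Flag the symptom from the post: the same search error spreading from one
    account to several others within window_seconds. Returns
    (first_user, users_in_order) for the earliest window that reaches
    min_users distinct accounts, or None if no window does."""
    events = sorted(
        (e for e in parse_lines(lines) if e["error"] == error and e["user"]),
        key=lambda e: e["ts"],
    )
    for i, first in enumerate(events):
        users = []
        for e in events[i:]:
            if (e["ts"] - first["ts"]).total_seconds() > window_seconds:
                break
            if e["user"] not in users:
                users.append(e["user"])
        if len(users) >= min_users:
            return first["user"], users
    return None


if __name__ == "__main__":
    # Usage: swap SAMPLE_LOG for open("/var/log/httpd/error_log").read().splitlines()
    print(failures_by_user(SAMPLE_LOG))
    print(detect_cascade(SAMPLE_LOG))
```

The window and threshold are deliberately loose defaults; on a busy server the number of distinct accounts that normally fail a search within five minutes is the baseline to tune min_users against, and a hit is only a cue to look at the Apache process and the bind account, not a diagnosis.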
