[Auth_ldap] Ldap issue with apache and AD windows 2k3
Jeff Saxton
jeff.saxton at sensage.com
Wed Jun 7 20:36:21 PDT 2006
Just a guess, and I haven't looked at the code, but here is something to check:
1) make sure that your AuthLDAPBindDN can enumerate users in the CN=group,OU=Users,OU=AAA,DC=xxx,DC=yyy,DC=com
group:
---- cut here ----
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;

# Use exactly the DN and password that AuthLDAPBindDN/AuthLDAPBindPassword use,
# so the test reproduces what the module can and cannot see.
my $adServer    = 'ldap://DCGCwindows2003.xxx.yyy.com:389';
my $ldapVersion = 3;
my $ldapBindDN  = 'CN=user,OU=Users,OU=AAA,DC=xxx,DC=yyy,DC=com';
my $ldapBindPW  = 'therightpassword';

my $ldap = Net::LDAP->new($adServer, version => $ldapVersion)
    or die "cannot connect to $adServer: $@";

# bind() returns a Net::LDAP::Message; the result code is what tells you
# whether the simple bind succeeded.
my $result = $ldap->bind($ldapBindDN, password => $ldapBindPW);
die "bind as $ldapBindDN failed: " . $result->error if $result->code;

# Look up the group named in 'require group' and ask for its member list.
# AD stores group membership in the multi-valued 'member' attribute.
my $msg = $ldap->search(
    base      => 'OU=Users,OU=AAA,DC=xxx,DC=yyy,DC=com',
    scope     => 'sub',
    filter    => '(cn=group)',
    attrs     => ['member'],
    sizelimit => 0,
);
die "search failed: " . $msg->error if $msg->code;

if ($msg->count() > 0) {
    print $msg->count(), " entries returned.\n";
    foreach my $entry ($msg->all_entries()) {
        $entry->dump();
    }
} else {
    print "no entries returned\n";
}

$ldap->unbind();
exit;
---- cut here ----
Brady Bellinger wrote:
> This is the mailing list for the Apache 1.3 module. The 2.x versions of
> Apache have the ldap mod included...so you'd be best served by an Apache
> mailing list.
>
> As for your problem, point to the global catalog port instead of 389...I
> can't remember offhand what port it is, 3268 (?)
> Not sure if that will fix your problem, but I had trouble going through
> 389.
>
> Brady
>
>
> On 6/7/06, Lubrano di Ciccone, Christophe (DEF) <diciccone at ppg.com> wrote:
>
>>
>> Hello,
>> I have a Unix box with Apache 2.0 and the auth_ldap module. I have this
>> .conf for the LDAP request, with some directives set up according to
>> my env. and the other ones not defined, so the default values are used
>> (see below).
>>
>> It is working fine with 2000 native mode. I tested my configuration with a
>> 2003 domain and I can no longer get the user (sAMAccountName)
>> authenticated. GRR***
>>
>> I made a capture using Ethereal and I noticed that the user sAMAccountName
>> is well authenticated, but when the require group is processed, the
>> bind was a NULL one and I get "This server could not verify that you are
>> authorized to access the document requested. Either you supplied the wrong
>> credentials (e.g., bad password), or your browser doesn't understand how
>> to supply the credentials required." in the browser on the client.
>>
>> Has anybody ever faced such an issue?
>>
>> Thanks a lot for your help
>> Christophe
>>
>> <IfModule !mod_auth_ldap.c>
>> LoadModule auth_ldap_module modules/auth_ldap.so
>> </IfModule>
>>
>> <Location />
>> AuthName "ZZZZZZZZZZ"
>> AuthType Basic
>>
>> AuthLDAPURL
>> ldap://DCGCwindows2003.xxx.yyy.com:389/dc=xxx,dc=yyy,dc=com?sAMAccountName
>>
>> AuthLDAPBindDN "CN=user,OU=Users,OU=AAA,DC=xxx,DC=yyy,DC=com"
>> AuthLDAPBindPassword "therightpassword"
>>
>> require group CN=group,OU=Users,OU=AAA,DC=xxx,DC=yyy,DC=com
>>
>>
>> _______________________________________________
>> Auth_ldap mailing list
>> Auth_ldap at rudedog.org
>> http://www.rudedog.org/mailman/listinfo/auth_ldap
>>
--
Jeff Saxton
SenSage, Inc.
55 Hawthorne Street Suite 700
San Francisco, CA 94105
Phone: 415.808.5900
Fax: 415.371.1385
Direct: 415-808-5921
Cell: 650-235-0776
mailto:support at sensage.com
Enterprise Security Analytics
SenSage, the leading provider of enterprise security analytics, offers
unparalleled performance and a scalable means for organizations to centrally
aggregate, efficiently analyze, dynamically monitor and cost-effectively
store massive volumes of event log data.
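To make the check above concrete, here is an added example (it is not code from this thread or from the auth_ldap module) that replays, in Python against an in-memory stand-in for the domain, the steps mod_auth_ldap performs for the posted configuration: resolve the sAMAccountName to a DN while bound as AuthLDAPBindDN, bind as the user to check the password, then run the "require group" membership test as an LDAP compare on the group entry's member attribute. The DNs are the ones from the posted httpd.conf; the directory contents, the account name christophe and the passwords are constructed. The stand-in models one AD behaviour the capture ran into: an anonymous (NULL) bind succeeds, but the server answers no search or compare on that session, so the group check can only pass when the connection is rebound as the service DN before the compare.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample directory (not real data): DN -> attributes. Passwords
# are kept here only so the stand-in can answer simple binds.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=user,OU=Users,OU=AAA,DC=xxx,DC=yyy,DC=com": {
        "sAMAccountName": ["svc-apache"], "userPassword": ["therightpassword"]},
    "CN=Christophe,OU=Users,OU=AAA,DC=xxx,DC=yyy,DC=com": {
        "sAMAccountName": ["christophe"], "userPassword": ["hunter2"]},
    "CN=group,OU=Users,OU=AAA,DC=xxx,DC=yyy,DC=com": {
        "objectClass": ["group"],
        # AD may hand back member DNs in any case; the compare must not care.
        "member": ["cn=christophe,ou=users,ou=aaa,dc=xxx,dc=yyy,dc=com"]},
}

# Values taken from the posted httpd.conf (placeholder DNs, as in the thread).
SERVICE_DN = "CN=user,OU=Users,OU=AAA,DC=xxx,DC=yyy,DC=com"
SERVICE_PW = "therightpassword"
BASE_DN = "dc=xxx,dc=yyy,dc=com"
GROUP_DN = "CN=group,OU=Users,OU=AAA,DC=xxx,DC=yyy,DC=com"


def normalize_dn(dn: str) -> str:
    """AD DNs compare case-insensitively and may differ in whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


class FakeAD:
    """Tiny stand-in for an AD domain controller: simple bind, search, compare.
    Like AD, it accepts an anonymous bind but answers no search or compare on
    that session (a real DC returns operationsError, 'a successful bind must
    be completed on the connection')."""

    def __init__(self, directory: Dict[str, Dict[str, List[str]]]) -> None:
        self.directory = directory
        self.bound_as: Optional[str] = None

    def _entry(self, dn: str) -> Optional[Dict[str, List[str]]]:
        want = normalize_dn(dn)
        return next((a for d, a in self.directory.items() if normalize_dn(d) == want), None)

    def bind(self, dn: Optional[str], password: Optional[str]) -> bool:
        if not dn or not password:          # NULL bind: succeeds, session is anonymous
            self.bound_as = None
            return True
        entry = self._entry(dn)
        ok = entry is not None and password in entry.get("userPassword", [])
        self.bound_as = dn if ok else None
        return ok

    def search(self, base: str, attr: str, value: str) -> List[str]:
        """DNs of entries under base whose attr equals value (case-insensitive)."""
        if self.bound_as is None:
            return []
        base_n = normalize_dn(base)
        hits = []
        for dn, attrs in self.directory.items():
            dn_n = normalize_dn(dn)
            if dn_n != base_n and not dn_n.endswith("," + base_n):
                continue
            if value.lower() in (v.lower() for v in attrs.get(attr, [])):
                hits.append(dn)
        return hits

    def compare(self, dn: str, attr: str, value: str) -> bool:
        """LDAP compare, which is how 'require group' tests membership."""
        if self.bound_as is None:
            return False
        entry = self._entry(dn)
        if entry is None:
            return False
        return normalize_dn(value) in (normalize_dn(v) for v in entry.get(attr, []))


def apache_auth(ad: FakeAD, user: str, password: str,
                group_check_as: str = "service") -> Tuple[bool, bool]:
    """Replay mod_auth_ldap for one request: returns (authenticated, authorized).
    group_check_as selects the session that runs the 'require group' compare:
    'service' rebinds as AuthLDAPBindDN first; 'anonymous' does the NULL bind
    seen in the capture."""
    # 1. bind as AuthLDAPBindDN and resolve sAMAccountName -> DN
    if not ad.bind(SERVICE_DN, SERVICE_PW):
        return False, False
    hits = ad.search(BASE_DN, "sAMAccountName", user)
    if len(hits) != 1:                      # unknown or ambiguous user
        return False, False
    user_dn = hits[0]
    # 2. verify the password by binding as the user's DN
    if not ad.bind(user_dn, password):
        return False, False
    # 3. require group: compare member=<user DN> on the group entry
    if group_check_as == "service":
        ad.bind(SERVICE_DN, SERVICE_PW)
    else:
        ad.bind(None, None)
    return True, ad.compare(GROUP_DN, "member", user_dn)


if __name__ == "__main__":
    ad = FakeAD(DIRECTORY)
    print("service rebind :", apache_auth(ad, "christophe", "hunter2"))
    print("anonymous bind :", apache_auth(ad, "christophe", "hunter2", "anonymous"))
```

Run with the service rebind the request is both authenticated and authorized; with the NULL bind the password check still passes but the compare returns nothing, which is exactly the combination Christophe's capture shows: a successful user bind followed by the "could not verify that you are authorized" page. Against a real DC the same two-step check can be repeated with Jeff's Perl script by binding once as the service DN and once anonymously and watching which of the two gets the member list back.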