Apache2 LDAP (AD) authentication

[vortmax]

I'm attempting to authorize apache against an Active Directory server. I've been fighting with it all day and have it working, but not really.

Here is my conf.d entry for the site:

Code:

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
#  SSLRequireSSL
   Options ExecCGI
   AllowOverride None
   AuthName "Nagios Access"
   AuthType Basic
   AuthBasicProvider ldap
   AuthLDAPURL "ldap://adc.*******.net/OU=****** Users,dc=******,dc=net?sAMAccountName?sub?"
   AuthLDAPBindDN "helpdesk@******.net"
   AuthLDAPBindPassword *******
   Require valid-user
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
#  SSLRequireSSL
   Options ExecCGI
   AllowOverride None
   AuthName "Nagios Access"
   AuthType Basic
   AuthBasicProvider ldap
   AuthLDAPURL "ldap://adc.*****.net/OU=***** Users,dc=*****,dc=net?sAMAccountName?sub?"
   AuthLDAPBindDN "helpdesk@****.net"
   AuthLDAPBindPassword *****
   Require valid-user
</Directory>

I know my LDAPURL, user, password and binding works, as I've tried it on the command line with ldapsearch

The interesting thing is when I attempt to access the site, I get the user/pass dialog and it asks for my username and pass 3 times before exiting to the 'Authorization Required' page. However, no errors are thrown in the logs. If I enter a bad username or a bad password, then I get the expected error in the log.

So it's as if LDAP authentication is working, but apache continues to block access. Is there something I'm missing here?

[jledhead]

is anything showing up in the apache logs about the ldap errors on on the dc you are authenticating against?

I think the standard way to list the auth user is
AuthLDAPBindDN "cn=helpdesk,dn=someplace,dc=domain,dc=com"

I have to do it the same way you have but have been told that is a non-standard way to connect to AD. everything else looks good compared to my configs.

[oxo-oxo]

I have had exactly the same symptoms: bind ok no errors but 3 times logon
_Maybe_ this link mod-authnz-ldap apache directives | Your Java and Linux Experts! will help.

5 min before I left work, I did what it said and seems to work but I need to check that my result is OK.
- for example reading the links I have given her: at the present time, I believe theory backs up results

UPDATE: is working

AuthBasicProvider ldap
# authenticate only, send authorization to some other system (authz_user cos of valid-user?), as yet not fully understood
AuthzLDAPAuthoritative off
# if authenticates, then authorized
Require valid-user

http://httpd.apache.org/docs/2.2/mod...thnz_ldap.html
http://httpd.apache.org/docs/2.2/mod...uthz_user.html

(The object of using ldap is, of course, to relieve me of users and free me from audits for programs like nagios, NeDi, cati, "home made" etc etc etc)

I am using Suse 10 and IE

/mvh Owen Brotherwood, Denmark

The interesting thing is when I attempt to access the site, I get the user/pass dialog and it asks for my username and pass 3 times before exiting to the 'Authorization Required' page. However, no errors are thrown in the logs. If I enter a bad username or a bad password, then I get the expected error in the log.

So it's as if LDAP authentication is working, but apache continues to block access. Is there something I'm missing here?

[vortmax]

adding the AuthzLDAPAuthoritative off did it. I could of sworn that I tried it with that line in there before though...then again I tried so many configurations it's hard to tell.

Now... does anyone know anything about caching? I saw some stuff when I was trying to just get it to work but didn't pursue it.