Apache2 LDAP (AD) authentication

09-16-2008	#1 (permalink)
vortmax Just Joined! Join Date: Jan 2007 Posts: 7	Apache2 LDAP (AD) authentication I'm attempting to authorize apache against an Active Directory server. I've been fighting with it all day and have it working, but not really. Here is my conf.d entry for the site: Code: ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin" <Directory "/usr/local/nagios/sbin"> # SSLRequireSSL Options ExecCGI AllowOverride None AuthName "Nagios Access" AuthType Basic AuthBasicProvider ldap AuthLDAPURL "ldap://adc.*****.net/OU=** Users,dc=**,dc=net?sAMAccountName?sub?" AuthLDAPBindDN "helpdesk@**.net" AuthLDAPBindPassword *** Require valid-user </Directory> Alias /nagios "/usr/local/nagios/share" <Directory "/usr/local/nagios/share"> # SSLRequireSSL Options ExecCGI AllowOverride None AuthName "Nagios Access" AuthType Basic AuthBasicProvider ldap AuthLDAPURL "ldap://adc.*.net/OU=* Users,dc=*,dc=net?sAMAccountName?sub?" AuthLDAPBindDN "helpdesk@.net" AuthLDAPBindPassword *** Require valid-user </Directory> I know my LDAPURL, user, password and binding works, as I've tried it on the command line with ldapsearch The interesting thing is when I attempt to access the site, I get the user/pass dialog and it asks for my username and pass 3 times before exiting to the 'Authorization Required' page. However, no errors are thrown in the logs. If I enter a bad username or a bad password, then I get the expected error in the log. So it's as if LDAP authentication is working, but apache continues to block access. Is there something I'm missing here?

09-17-2008	#2 (permalink)
jledhead Linux Engineer Join Date: Oct 2004 Location: North Carolina Posts: 1,055	is anything showing up in the apache logs about the ldap errors on on the dc you are authenticating against? I think the standard way to list the auth user is AuthLDAPBindDN "cn=helpdesk,dn=someplace,dc=domain,dc=com" I have to do it the same way you have but have been told that is a non-standard way to connect to AD. everything else looks good compared to my configs.

09-17-2008

#3 (permalink)

oxo-oxo

Just Joined!

Join Date: Sep 2008

Posts: 1

I have had exactly the same symptoms: bind ok no errors but 3 times logon
_Maybe_ this link mod-authnz-ldap apache directives | Your Java and Linux Experts! will help.

5 min before I left work, I did what it said and seems to work but I need to check that my result is OK.
- for example reading the links I have given her: at the present time, I believe theory backs up results

UPDATE: is working

AuthBasicProvider ldap
# authenticate only, send authorization to some other system (authz_user cos of valid-user?), as yet not fully understood
AuthzLDAPAuthoritative off
# if authenticates, then authorized
Require valid-user

http://httpd.apache.org/docs/2.2/mod...thnz_ldap.html
http://httpd.apache.org/docs/2.2/mod...uthz_user.html

(The object of using ldap is, of course, to relieve me of users and free me from audits for programs like nagios, NeDi, cati, "home made" etc etc etc)

I am using Suse 10 and IE

/mvh Owen Brotherwood, Denmark

Quote:

Originally Posted by vortmax

The interesting thing is when I attempt to access the site, I get the user/pass dialog and it asks for my username and pass 3 times before exiting to the 'Authorization Required' page. However, no errors are thrown in the logs. If I enter a bad username or a bad password, then I get the expected error in the log.

So it's as if LDAP authentication is working, but apache continues to block access. Is there something I'm missing here?

09-18-2008	#4 (permalink)
vortmax Just Joined! Join Date: Jan 2007 Posts: 7	adding the AuthzLDAPAuthoritative off did it. I could of sworn that I tried it with that line in there before though...then again I tried so many configurations it's hard to tell. Now... does anyone know anything about caching? I saw some stuff when I was trying to just get it to work but didn't pursue it.