Find the answer to your Linux question:
Results 1 to 4 of 4
I'm attempting to authorize apache against an Active Directory server. I've been fighting with it all day and have it working, but not really. Here is my conf.d entry for ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Jan 2007
    Posts
    15

    Apache2 LDAP (AD) authentication


    I'm attempting to authorize apache against an Active Directory server. I've been fighting with it all day and have it working, but not really.

    Here is my conf.d entry for the site:

    Code:
    ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
    
    <Directory "/usr/local/nagios/sbin">
    #  SSLRequireSSL
       Options ExecCGI
       AllowOverride None
       AuthName "Nagios Access"
       AuthType Basic
       AuthBasicProvider ldap
       AuthLDAPURL "ldap://adc.*******.net/OU=****** Users,dc=******,dc=net?sAMAccountName?sub?"
       AuthLDAPBindDN "helpdesk@******.net"
       AuthLDAPBindPassword *******
       Require valid-user
    </Directory>
    
    Alias /nagios "/usr/local/nagios/share"
    
    <Directory "/usr/local/nagios/share">
    #  SSLRequireSSL
       Options ExecCGI
       AllowOverride None
       AuthName "Nagios Access"
       AuthType Basic
       AuthBasicProvider ldap
       AuthLDAPURL "ldap://adc.*****.net/OU=***** Users,dc=*****,dc=net?sAMAccountName?sub?"
       AuthLDAPBindDN "helpdesk@****.net"
       AuthLDAPBindPassword *****
       Require valid-user
    </Directory>
    I know my LDAPURL, user, password and binding works, as I've tried it on the command line with ldapsearch

    The interesting thing is when I attempt to access the site, I get the user/pass dialog and it asks for my username and pass 3 times before exiting to the 'Authorization Required' page. However, no errors are thrown in the logs. If I enter a bad username or a bad password, then I get the expected error in the log.

    So it's as if LDAP authentication is working, but apache continues to block access. Is there something I'm missing here?

  2. #2
    Linux Engineer jledhead's Avatar
    Join Date
    Oct 2004
    Location
    North Carolina
    Posts
    1,077
    is anything showing up in the apache logs about the ldap errors on on the dc you are authenticating against?

    I think the standard way to list the auth user is
    AuthLDAPBindDN "cn=helpdesk,dn=someplace,dc=domain,dc=com"

    I have to do it the same way you have but have been told that is a non-standard way to connect to AD. everything else looks good compared to my configs.

  3. #3
    Just Joined!
    Join Date
    Sep 2008
    Posts
    1
    I have had exactly the same symptoms: bind ok no errors but 3 times logon
    _Maybe_ this link mod-authnz-ldap apache directives | Your Java and Linux Experts! will help.

    5 min before I left work, I did what it said and seems to work but I need to check that my result is OK.
    - for example reading the links I have given her: at the present time, I believe theory backs up results

    UPDATE: is working

    AuthBasicProvider ldap
    # authenticate only, send authorization to some other system (authz_user cos of valid-user?), as yet not fully understood
    AuthzLDAPAuthoritative off
    # if authenticates, then authorized
    Require valid-user

    http://httpd.apache.org/docs/2.2/mod...thnz_ldap.html
    http://httpd.apache.org/docs/2.2/mod...uthz_user.html

    (The object of using ldap is, of course, to relieve me of users and free me from audits for programs like nagios, NeDi, cati, "home made" etc etc etc)

    I am using Suse 10 and IE

    /mvh Owen Brotherwood, Denmark

    Quote Originally Posted by vortmax View Post
    The interesting thing is when I attempt to access the site, I get the user/pass dialog and it asks for my username and pass 3 times before exiting to the 'Authorization Required' page. However, no errors are thrown in the logs. If I enter a bad username or a bad password, then I get the expected error in the log.

    So it's as if LDAP authentication is working, but apache continues to block access. Is there something I'm missing here?

  4. #4
    Just Joined!
    Join Date
    Jan 2007
    Posts
    15
    adding the AuthzLDAPAuthoritative off did it. I could of sworn that I tried it with that line in there before though...then again I tried so many configurations it's hard to tell.

    Now... does anyone know anything about caching? I saw some stuff when I was trying to just get it to work but didn't pursue it.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •