LDAP and Apache problem

httpd.conf
<Directory /www/>
#AllowOverride None
#Order allow,deny
#Allow from all
AuthType Basic
AuthName "Members Only"
AuthBasicProvider ldap
AuthLDAPURL ldap://***/o=*,dc=*dc=*?cn
AuthLDAPBindDN "cn=Manager,dc=*,dc=*"
AuthLDAPBindPassword {crypt}***
AuthzLDAPAuthoritative off
require valid-user
</Directory>

.htaccess

AuthName "Members Only"
AuthType Basic
AuthLDAPURL ldap://***/o=*,dc=*dc=*?cn
Require valid-user

I apache error log I receive: [Fri Mar 30 15:59:48 2007] [warn] [client 192.168.*.*] [4886] auth_ldap authenticate: user *** authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
[Fri Mar 30 15:59:48 2007] [error] [client 192.168.1.*.*] user ***: authentication failure for "/": Password Mismatch


Server version: Apache/2.2.3

@(#) $OpenLDAP: slapd 2.3.27 (Oct 1 2006 16:34:13) $
brewbuilder@ls20-bc2-14.build.redhat.com:/builddir/build/BUILD/openldap-2.3.27/openldap-2.3.27/build-servers/servers/slapd

LDIF of my user:

dn: cn=test,o=Authorization,dc=*,dc=*
uid: test
objectClass: top
objectClass: person
objectClass: inetOrgPerson
sn: test
cn: test
mail: test@test.com
userPassword: test

this is mine, and my works completly from within httpd.conf with no .htaccess

Code:

---

<Location /relativefolder/>
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative Off
        AuthName "whateveryouwant"
    AuthLDAPURL "ldap://fqdn_of_ldap_server/ou=it,ou=departments,dc=fake,dc=fake,dc=com?sAMAccountName"
    AuthLDAPBindDN "fakeuser@fake.fake.com"
    AuthLDAPBindPassword "fakepassword"
    require valid-user
</location>

---

the relative folder determines what gets restricted http://fakeurl.com/relativefolder/

one difference I see though is mine is using authnz modules and yours is not, not sure how much of a difference that makes though. Let me know if that helps or not.

I try with this configuration:

<Location /test/>
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthName "whateveryouwant"
AuthLDAPURL "ldap://ldap.*.*i/o=Authorization,dc=*,dc=*?cn"
AuthLDAPBindDN "cn=Manager,dc=*,dc=*"
AuthLDAPBindPassword "someone"
require valid-user
</location>

[Fri Apr 20 19:59:19 2007] [warn] [client *] [925] auth_ldap authenticate: user Test authentication failed; URI /test/ [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Fri Apr 20 19:59:19 2007] [error] [client *] user Test: authentication failure for "/test/": Password Mismatch

try for the bindDN to use "youruser@your.domain.com" like I have above and see if it works.

I try with this options but I always receive error 500:
[Fri Apr 20 21:45:59 2007] [warn] [client 192.*.*.*] [1295] auth_ldap authenticate: user * authentication failed; URI /test/ [LDAP: ldap_simple_bind_s() failed][Invalid DN syntax]

AuthLDAPBindDN "user@ldap.*.*"
AuthLDAPBindDN "Manager@ldap.*.*"
AuthLDAPBindDN "manager@ldap.*.*"
AuthLDAPBindDN "Manager@192.*.*.*"

did you notice at the end of my ldap url, ?sAMAccountName

that tells the ldap lookup what field to search for.

I also assume that in your ldap structure the manager account you are searching for is not outside of o=Authorization,dc=*,dc=*

Quote:

---

Originally Posted by jledhead

try for the bindDN to use "youruser@your.domain.com" like I have above and see if it works.

---

This not work

When I try with user which is not in directory
[Sat Apr 21 20:10:27 2007] [warn] [client *] [5189] auth_ldap authenticate: user * authentication failed; URI /test/ [User not found][No such object]
[Sat Apr 21 20:10:27 2007] [error] [client *] user * not found: /test/

When I try with user which is in directory
[Sat Apr 21 20:13:21 2007] [warn] [client *] [5202] auth_ldap authenticate: user * authentication failed; URI /test/ [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
[Sat Apr 21 20:13:21 2007] [error] [client *] user *: authentication failure for "/test/": Password Mismatch

Please look at the error


auth_ldap authenticate: user rk authentication failed; URI /twtest [LDAP: ldap_simple_bind_s() failed][Invalid credentials]