Hello,
I have had two problems using an MS exchange server :) to autheticate.
The first is that LDAP queries always return a DN with an extra cn component,
as below:
cn=qzlg4d,cn=Recipients,ou=EXNZ01,o=ABC
but when you try and bind with the same dn it fails unless you remove the
cn=Recipients. Now I do not know anything about Exchange or the way it is set
up but I created a patch to blank this out which I guess cannot be put in to
httpd_ldap but I include it anyway.
The second problem is that when connections to the exchange server go away (I
presume Exchange closed them after some time interval) httpd_ldap does not
detect this and close them. I include a patch that closes a connection when
server down is detected and finds another connection. In the patch for this I
have included a fix for arguments to util_ldap_cache_compare() being in the
wrong order that somebody put n a bug report for.
--
Regards
Thomas Bennett
NZ - CI Southern Unix Eng.
EDS (NZ) Ltd
Ph 64 6 348 9861
FAX 64 6 438 9880
*** util_ldap.c Tue Sep 10 12:21:37 2002
--- util_ldap.c.n Mon Sep 16 11:09:18 2002
***************
*** 60,69 ****
--- 60,70 ----
* Copyright 1999-2001 Dave Carrigan
*/
#include <apr_ldap.h>
#include <apr_strings.h>
+ #include <string.h>
#include "ap_config.h"
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
***************
*** 846,855 ****
--- 847,869 ----
entry = ldap_first_entry(ldc->ldap, res);
/* Grab the dn, copy it into the pool, and free it again */
dn = ldap_get_dn(ldc->ldap, entry);
+
+ /* To overcome MS exchange proble where DN has and extra cn (cn=Recipients) in it */
+ {
+ char *cnpos;
+ if (cnpos = strstr(dn, "cn=Recipients"))
+ {
+ while (*cnpos && *cnpos != ',')
+ *cnpos++ = ' ';
+ }
+ }
+
+
+
*binddn = apr_pstrdup(st->pool, dn);
ldap_memfree(dn);
/*
* A bind to the server with an empty password always succeeds, so
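Review bot: The strstr() rewrite at `if (cnpos = strstr(dn, "cn=Recipients"))` alters the DN the search returned before it is copied into *binddn, so the DN that gets bound (and handed back to the caller through *binddn) is no longer the entry the directory actually matched, and the blanked RDN is left in place as a run of spaces rather than removed. Because strstr() is a plain case-sensitive substring match it also fires when the user's own RDN value merely contains the text `cn=Recipients`, which would silently bind a different DN than the one found. The submitter already says this cannot go into util_ldap as-is; if it is kept locally, at least make it opt-in via module configuration, match only on an RDN boundary (`if ((cnpos = strstr(dn, "cn=Recipients")) != NULL && (cnpos == dn || cnpos[-1] == ','))`), and splice the component out instead of overwriting it with spaces. The enclosing function starts before this hunk.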
*** mod_auth_ldap.c Fri Sep 20 14:24:20 2002
--- mod_auth_ldap.c.n Fri Sep 20 14:33:32 2002
***************
*** 216,225 ****
--- 216,226 ----
* DN and the supplied password.
*
*/
int mod_auth_ldap_check_user_id(request_rec *r)
{
+ int failures = 0;
const char **vals = NULL;
char filtbuf[FILTER_LENGTH];
mod_auth_ldap_config_t *sec =
(mod_auth_ldap_config_t *)ap_get_module_config(r->per_dir_config, &auth_ldap_module);
***************
*** 241,250 ****
--- 242,259 ----
*/
if (!sec->have_ldap_url) {
return DECLINED;
}
+ /* start TAB */
+ start_over:
+ if (failures++ > 10) {
+ /* too many failures - leave */
+ return result;
+ }
+ /* end TAB */
+
/* There is a good AuthLDAPURL, right? */
if (sec->host) {
ldc = util_ldap_connection_find(r, sec->host, sec->port,
sec->binddn, sec->bindpw, sec->deref,
sec->netscapessl, sec->starttls);
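Review bot: The `return result;` under `if (failures++ > 10)` returns an LDAP result code from a handler whose other exits use HTTP statuses (`return DECLINED;` just above), so once the retries are exhausted Apache receives an integer it does not recognise as a status. The only jump to start_over is the LDAP_SERVER_DOWN branch later in the patch, so the value handed back would be LDAP_SERVER_DOWN. Log that the server stayed down across the retries and return `HTTP_INTERNAL_SERVER_ERROR` (or whatever status this function already uses for LDAP failures in the part not shown) instead, and give the retry bound a name rather than the bare `10`. mod_auth_ldap_check_user_id begins before this hunk and continues past it.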
***************
*** 273,282 ****
--- 282,299 ----
/* do the user search */
result = util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope,
sec->attributes, filtbuf, sent_pw, &dn, &vals);
util_ldap_connection_close(ldc);
+ /* start TAB */
+ if (result == LDAP_SERVER_DOWN)
+ {
+ util_ldap_connection_destroy(ldc);
+ goto start_over;
+ }
+ /* end TAB */
+
if (result != LDAP_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authenticate: "
"user %s authentication failed; URI %s [%s][%s]",
getpid(), r->user, r->uri, ldc->reason, ldap_err2string(result));
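Review bot: The LDAP_SERVER_DOWN branch calls `util_ldap_connection_destroy(ldc)`, but none of the util_ldap.c hunks in this posting add such a function, so either it already exists in the tree or the patch is incomplete as posted; please confirm before applying. The branch also calls destroy on a connection that `util_ldap_connection_close(ldc)` has just released on the line above, so any other worker that picked that connection up in between would see it torn down under it — whether that window exists depends on how close/destroy are implemented, which is not in the patch. Note too that each pass through start_over repeats the search and the bind with the user's password, so a directory that keeps answering SERVER_DOWN turns one request into up to eleven connection attempts and binds; a single retry on a fresh connection would be a safer default. The function continues past this hunk.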
***************
*** 541,552 ****
for (i = 0; i < sec->groupattr->nelts; i++) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: require group: testing for %s: %s (%s)", getpid(),
ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t);
! result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name,
! sec->group_attrib_is_dn ? req->dn : req->user);
switch(result) {
case LDAP_COMPARE_TRUE: {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: require group: "
"authorisation successful (attribute %s) [%s][%s]",
--- 558,570 ----
for (i = 0; i < sec->groupattr->nelts; i++) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: require group: testing for %s: %s (%s)", getpid(),
ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t);
! /* TAB - Should dn be fouth arg and t last */
! result = util_ldap_cache_compare(r, ldc, sec->url, sec->group_attrib_is_dn ? req->dn : req->user, ent[i].name, t);
!
switch(result) {
case LDAP_COMPARE_TRUE: {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: require group: "
"authorisation successful (attribute %s) [%s][%s]",
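Review bot: The argument swap in the `util_ldap_cache_compare` call is an authorisation decision changed on a guess — the accompanying comment `/* TAB - Should dn be fouth arg and t last */` says so — and the prototype that would settle it is not in this patch. The debug line just above describes the test as attribute `ent[i].name` of entry `t` being checked for the user's DN or name, which matches the original order if the signature is (r, ldc, url, dn, attrib, value); reversed, the compare asks the user's own entry whether it carries the group DN, which is a different test and will pass or fail for the wrong reasons. Verify against util_ldap.h, and whichever order is right, land it with a definitive comment and the two-line wrapping the original used rather than the single long line here. The enclosing loop and function start before and continue past this hunk.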