[us...@httpd] Re: Confused about LDAP authentication with Active Directory - use Apache2::AuthenMSAD

2009-03-02 Thread Ed Avis
Krist van Besien krist.vanbesien at gmail.com writes: I've been using the following module for apache AD authentication for quite some time. http://search.cpan.org/~reggers/Apache2-AuthenMSAD-0.02/AuthenMSAD.pm Thanks - that's exactly what I needed. I now have this: Location /test_auth

Re: [us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-03-02 Thread Mark H. Wood
I've forgotten whether there was some special complicating factor in the original request. This works here with 2.2.10: AuthType Basic AuthBasicProvider ldap AuthName ADS AuthBasicAuthoritative On AuthLDAPURL ldap://domain controller

Re: [us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-03-02 Thread Mark H. Wood
On Fri, Feb 27, 2009 at 05:19:18PM +, Ed Avis wrote: AuthLDAPBindDN WCL\\tradingsystems That's not a DN. A DN would look something like: sAMAccountName=tradingsystems,dc=WCL,dc=example,dc=com -- Mark H. Wood, Lead System Programmer mw...@iupui.edu Friends don't let friends

[us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-03-02 Thread Ed Avis
Mark H. Wood mwood at IUPUI.Edu writes: I've forgotten whether there was some special complicating factor in the original request. Probably not - just my inability to translate the directory structure as seen in the browser into a query string. But in the end I found that Apache2::MSAD does the

Re: [us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Marc Patermann
Ed Avis wrote: This means that to get the current code working, I must find the right LDAP search expression to locate users in the Directory. Yes. This might be complicated by the fact that they are under 'WCL users' which contains a space character. You mean the DN contains a component

Re: [us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Davide Bianchi
Ed Avis wrote: I don't know what the extra '?cn?sub' at the end of the query string is for cn means that the attribute to use to login is the CN = common name, sub means that the query will return all the SUB-entries (as opposed to 'one' that returns max 1 entry). [Fri Feb 27 11:26:09 2009]

[us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Ed Avis
Davide Bianchi davide at walterisookeensufferukker.nl writes: I don't know what the extra '?cn?sub' at the end of the query string is for cn means that the attribute to use to login is the CN = common name, Surely that's not what I want? The username is in the sAMAccountName attribute. [Fri

Re: [us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Davide Bianchi
Ed Avis wrote: Davide Bianchi davide at walterisookeensufferukker.nl writes: I don't know what the extra '?cn?sub' at the end of the query string is for cn means that the attribute to use to login is the CN = common name, Heee... sorry (not enough coffee in my bloodstream), that is the

[us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Ed Avis
Davide Bianchi davide at walterisookeensufferukker.nl writes: I don't know what the extra '?cn?sub' at the end of the query string is for Heee... sorry (not enough coffee in my bloodstream), that is the attribute that is returned Hmm, so what Apache does is first of all bind to the

[us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Ed Avis
Ed Avis eda at waniasset.com writes: Hmm, so what Apache does is first of all bind to the directory server, then do a search using the query string which returns the 'cn' (common name). Finally it constructs a distinguished name using this value of 'cn' and the password supplied by the user. I

[us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Ed Avis
Upgrading to Apache 2.2.11 fixes the segfault. Instead now I get an error_log entry: [Fri Feb 27 13:16:30 2009] [warn] [client 192.168.186.32] [2890] auth_ldap authenticate: user eda authentication failed; URI /cgi-bin/test_auth/index.html [ldap_search_ext_s() for user failed][Operations error]

Re: [us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Eric Covener
On Fri, Feb 27, 2009 at 8:21 AM, Ed Avis e...@waniasset.com wrote: Upgrading to Apache 2.2.11 fixes the segfault.  Instead now I get an error_log entry: [Fri Feb 27 13:16:30 2009] [warn] [client 192.168.186.32] [2890] auth_ldap authenticate: user eda authentication failed; URI

Re: [us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Marc Patermann
Ed Avis wrote: Marc Patermann hans.moser at ofd-sth.niedersachsen.de writes: You mean the DN contains a component with a space in it!? ou=WCL user,dc=foo,dc=bar Ah... 'ou'... I was using 'cn'. This was only an example. Actually I know nothing about the DIT in AD. :) The corrected

Re: [us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread André Warnier
Marc Patermann wrote: Ed Avis wrote: Marc Patermann hans.moser at ofd-sth.niedersachsen.de writes: [...] This spits out details of every user in the domain, with the sAMAccountName being the user's login. You were lucky. :) No, he was just using Perl, and the magical CPAN library.

Re: [us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Krist van Besien
On Fri, Feb 27, 2009 at 3:45 PM, André Warnier a...@ice-sa.com wrote: Now, to the OP : since you can do that with Perl, won't you consider writing your own Apache/mod_perl LDAP authentication module, where you can do exactly the same as you did in your test program ? There are some stubs

[us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Ed Avis
Eric Covener covener at gmail.com writes: [Fri Feb 27 13:16:30 2009] [warn] [client 192.168.186.32] [2890] auth_ldap authenticate: user eda authentication failed; URI /cgi-bin/test_auth/index.html [ldap_search_ext_s() for user failed][Operations error] If it made it out onto the wire, wireshark

[us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Ed Avis
André Warnier aw at ice-sa.com writes: Now, to the OP : since you can do that with Perl, won't you consider writing your own Apache/mod_perl LDAP authentication module, where you can do exactly the same as you did in your test program ? Yes that thought crossed my mind. There are four ways I

Re: [us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Eric Covener
On Fri, Feb 27, 2009 at 12:19 PM, Ed Avis e...@waniasset.com wrote: Eric Covener covener at gmail.com writes: [Fri Feb 27 13:16:30 2009] [warn] [client 192.168.186.32] [2890] auth_ldap authenticate: user eda authentication failed; URI /cgi-bin/test_auth/index.html [ldap_search_ext_s() for user

[us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-26 Thread Ed Avis
Davide Bianchi davide at walterisookeensufferukker.nl writes: http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html imply that Apache connects to the LDAP server using a fixed username and password, and then merely queries the existence of an object in the directory that matches the username.

Re: [us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-26 Thread Eric Covener
If so, it seems unnecessary in the case of Active Directory, since AD allows you to bind simply giving username and password (you don't have to give a full DN when binding). It is unnecessary to perform the search if your users provide something that can bind to the LDAP server directly.

[us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-26 Thread Ed Avis
Peter Schober peter.schober at univie.ac.at writes: But it seems it's currently simply not possible to configure either a. to use the provided username as is, or b. to fill in a DN-template (e.g. uid=%s,ou=users,dc=example,dc=org) so this is all rather pointless, until someone contributes code.