[us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-03-02 Thread Ed Avis
Mark H. Wood IUPUI.Edu> writes: >I've forgotten whether there was some special complicating factor in >the original request. Probably not - just my inability to translate the directory structure as seen in the browser into a query string. But in the end I found that Apache2::MSAD does the job w

Re: [us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-03-02 Thread Mark H. Wood
On Fri, Feb 27, 2009 at 05:19:18PM +, Ed Avis wrote: > AuthLDAPBindDN "WCL\\tradingsystems" That's not a DN. A DN would look something like: sAMAccountName=tradingsystems,dc=WCL,dc=example,dc=com -- Mark H. Wood, Lead System Programmer mw...@iupui.edu Friends don't let frien

Re: [us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-03-02 Thread Mark H. Wood
I've forgotten whether there was some special complicating factor in the original request. This works here with 2.2.10: AuthType Basic AuthBasicProvider ldap AuthName "ADS" AuthBasicAuthoritative On AuthLDAPURL "ldap://domain controller list/ou=

[us...@httpd] Re: Confused about LDAP authentication with Active Directory - use Apache2::AuthenMSAD

2009-03-02 Thread Ed Avis
Krist van Besien gmail.com> writes: >I've been using the following module for apache AD authentication for >quite some time. > >http://search.cpan.org/~reggers/Apache2-AuthenMSAD-0.02/AuthenMSAD.pm Thanks - that's exactly what I needed. I now have this: AuthType Basic AuthName

Re: [us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Eric Covener
On Fri, Feb 27, 2009 at 12:19 PM, Ed Avis wrote: > Eric Covener gmail.com> writes: > >>>[Fri Feb 27 13:16:30 2009] [warn] [client 192.168.186.32] [2890] auth_ldap >>>authenticate: user eda authentication failed; URI >>>/cgi-bin/test_auth/index.html >>>[ldap_search_ext_s() for user failed][Operati

[us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Ed Avis
André Warnier ice-sa.com> writes: >Now, to the OP : since you can do that with Perl, won't you consider >writing your own Apache/mod_perl LDAP authentication module, where you >can do exactly the same as you did in your test program ? Yes that thought crossed my mind. There are four ways I ca

[us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Ed Avis
Eric Covener gmail.com> writes: >>[Fri Feb 27 13:16:30 2009] [warn] [client 192.168.186.32] [2890] auth_ldap >>authenticate: user eda authentication failed; URI >>/cgi-bin/test_auth/index.html >>[ldap_search_ext_s() for user failed][Operations error] >If it made it out onto the wire, wireshark b

Re: [us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Krist van Besien
On Fri, Feb 27, 2009 at 3:45 PM, André Warnier wrote: > Now, to the OP : since you can do that with Perl, won't you consider writing > your own Apache/mod_perl LDAP authentication module, where you can do > exactly the same as you did in your test program ? > There are some stubs already availabl

Re: [us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread André Warnier
Marc Patermann wrote: Ed Avis schrieb: Marc Patermann ofd-sth.niedersachsen.de> writes: [...] This spits out details of every user in the domain, with the sAMAccountName being the user's login. You were lucky. :) No, he was just using Perl, and the magical CPAN library. Great stuff for

Re: [us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Marc Patermann
Ed Avis schrieb: Marc Patermann ofd-sth.niedersachsen.de> writes: You mean the DN contains a component with a space in it!? ou=WCL user,dc=foo,dc=bar Ah... 'ou'... I was using 'cn'. This was only an example. Actually I know nothing about the DIT in AD. :) The corrected search query works

Re: [us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Mark H. Wood
On Fri, Feb 27, 2009 at 12:18:14PM +, Ed Avis wrote: > Davide Bianchi walterisookeensufferukker.nl> writes: > >>I don't know what the extra '?cn?sub' at the end of the query string is for > > > >"cn" means that the attribute to use to login is the CN = common name, > > Surely that's not what I

Re: [us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Eric Covener
On Fri, Feb 27, 2009 at 8:21 AM, Ed Avis wrote: > Upgrading to Apache 2.2.11 fixes the segfault.  Instead now I get an error_log > entry: > > [Fri Feb 27 13:16:30 2009] [warn] [client 192.168.186.32] [2890] auth_ldap > authenticate: user eda authentication failed; URI > /cgi-bin/test_auth/index.h

[us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Ed Avis
Upgrading to Apache 2.2.11 fixes the segfault. Instead now I get an error_log entry: [Fri Feb 27 13:16:30 2009] [warn] [client 192.168.186.32] [2890] auth_ldap authenticate: user eda authentication failed; URI /cgi-bin/test_auth/index.html [ldap_search_ext_s() for user failed][Operations error]

[us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Ed Avis
Ed Avis waniasset.com> writes: >Hmm, so what Apache does is first of all bind to the directory server, then do >a >search using the query string which returns the 'cn' (common name). Finally it >constructs a distinguished name using this value of 'cn' and the password >supplied by the user. I

[us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Ed Avis
Davide Bianchi walterisookeensufferukker.nl> writes: I don't know what the extra '?cn?sub' at the end of the query string is for >Heee... sorry (not enough coffee in my bloodstream), that is the >attribute that is returned Hmm, so what Apache does is first of all bind to the directory s

Re: [us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Davide Bianchi
Ed Avis wrote: > Davide Bianchi walterisookeensufferukker.nl> writes: > >>> I don't know what the extra '?cn?sub' at the end of the query string is for >> "cn" means that the attribute to use to login is the CN = common name, Heee... sorry (not enough coffee in my bloodstream), that is the at

[us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Ed Avis
I installed debugging symbols and got a full backtrace. The top stack frame is #0 uldap_connection_init (r=0xb715d830, ldc=0xb7f086e0) at /usr/src/debug/httpd-2.2.10/modules/ldap/util_ldap.c:261 rc = ldap_option = 0 version = 3 result = (apr_ldap_err_t *) 0x0 timeOut = {

[us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Ed Avis
Davide Bianchi walterisookeensufferukker.nl> writes: >>I don't know what the extra '?cn?sub' at the end of the query string is for > >"cn" means that the attribute to use to login is the CN = common name, Surely that's not what I want? The username is in the sAMAccountName attribute. >>[Fri Feb

Re: [us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Davide Bianchi
Ed Avis wrote: > I don't know what the extra '?cn?sub' at the end of the query string is for "cn" means that the attribute to use to login is the CN = common name, "sub" means that the query will return all the SUB-entries (as opposed to 'one' that returns max 1 entry). > [Fri Feb 27 11:26:09 2009

[us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Ed Avis
Marc Patermann ofd-sth.niedersachsen.de> writes: >You mean the DN contains a component with a space in it!? >ou=WCL user,dc=foo,dc=bar Ah... 'ou'... I was using 'cn'. The corrected search query works, as demonstrated by the following perl script: #!/usr/bin/perl die "usage: $0 host dom

Re: [us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-27 Thread Marc Patermann
Ed Avis schrieb: This means that to get the current code working, I must find the right LDAP search expression to locate users in the Directory. Yes. This might be complicated by the fact that they are under 'WCL users' which contains a space character. You mean the DN contains a component

[us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-26 Thread Ed Avis
Peter Schober univie.ac.at> writes: >But it seems it's currently simply not possible to configure either >a. to use the provided username "as is", or >b. to fill in a DN-template (e.g. uid=%s,ou=users,dc=example,dc=org) >so this is all rather pointless, until someone contributes code. Thanks fo

Re: [us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-26 Thread Eric Covener
> If so, it seems unnecessary in the case of Active Directory, since AD allows > you > to bind simply giving username and password (you don't have to give a full DN > when binding). It is unnecessary to perform the search if your users provide something that can bind to the LDAP server directly.

[us...@httpd] Re: Confused about LDAP authentication with Active Directory

2009-02-26 Thread Ed Avis
Davide Bianchi walterisookeensufferukker.nl> writes: >> imply that >>Apache connects to the LDAP server using a fixed username and >>password, and then merely queries the existence of an object in the >>directory that matches the username