So I've set up the simplest-possible mod_authnz_ldap vs. Lotus Domino
authentication configuration, and it doesn't work - which over the years
I've come to expect from Domino, but I don't think it's at fault this
time. I'm running Apache & Domino on the same machine, & getting the
infamous "Operations Error". Setup is Apache 2.2.2, Domino 6.5, Win2K-Pro.
from httpd.conf:
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
[...]
Include conf/mine/httpd-directories.conf
from httpd-directories.conf:
<Directory "E:/www/httpd/htdocs/ppp">
Options Indexes
Order allow,deny
Allow from 63.195.38.230 63.195.38.226 127.0.0.1
AuthzLDAPAuthoritative off
AuthLDAPUrl ldap://localhost:389/o=AAF?UID,CN?sub
AuthType Basic
AuthName "Notes LDAP"
AuthBasicProvider ldap
require ldap-user LDAP
</Directory>
(yes, I know the ",CN" bit in the attribute gets ignored)
from Softerra's most excellent LDAP Administrator, the relevant bits of
the Domino directory:
O=AAF
|
+- CN=LDAP USER
   |
   +- cn=ldap
   +- uid=ldap
   +- (etc...)
from Apache's log, after trying to authenticate as user "ldap":
[debug] mod_authnz_ldap.c(840): [296] auth_ldap url parse: `ldap://localhost:389/o=AAF?UID,CN?sub'
[debug] mod_authnz_ldap.c(849): [296] auth_ldap url parse: Host: localhost:389
[debug] mod_authnz_ldap.c(851): [296] auth_ldap url parse: Port: 389
[debug] mod_authnz_ldap.c(853): [296] auth_ldap url parse: DN: o=AAF
[debug] mod_authnz_ldap.c(855): [296] auth_ldap url parse: attrib: UID
[debug] mod_authnz_ldap.c(857): [296] auth_ldap url parse: scope: subtree
[debug] mod_authnz_ldap.c(862): [296] auth_ldap url parse: filter: (null)
[debug] mod_authnz_ldap.c(942): LDAP: auth_ldap not using SSL connections
[debug] util_ldap.c(1929): LDAP merging Shared Cache conf: shm=0x480d10 rmm=0x480d38 for VHOST: notes.alyx.net
[debug] util_ldap.c(1929): LDAP merging Shared Cache conf: shm=0x480d10 rmm=0x480d38 for VHOST: www.alyx.net
[debug] util_ldap.c(1929): LDAP merging Shared Cache conf: shm=0x480d10 rmm=0x480d38 for VHOST: athena.alyx.net
[info] APR LDAP: Built with Microsoft Corporation. LDAP SDK
[...]
[debug] mod_authnz_ldap.c(373): [client 63.195.38.230] [296] auth_ldap authenticate: using URL ldap://localhost:389/o=AAF?UID,CN?sub
[warn] [client 63.195.38.230] [296] auth_ldap authenticate: user LDAP authentication failed; URI /ppp [ldap_search_ext_s() for user failed][Operations Error]
Now here's the interesting bit. The URL that mod_authnz_ldap is
constructing looks like this:
ldap://localhost:389/o=AAF?uid,cn?sub?(&(objectclass=*)(uid=LDAP))
When I use that URL from MSIE or Softerra, it works; but when Apache
constructs it, it fails. Here's what the two situations look like from
the Domino log end:
# success, from MSIE
User Name: Anonymous
Server Name: CN=athena/O=AAF
Remote IP: 127.0.0.1
Base Object: o=AAF
Scope: Whole subtree
Dereference Aliases: Unknown
Size Limit: 100 entries
Time Limit: 60 seconds
Types Only: False
Filter: (&(objectclass=*)(uid=LDAP))
Attributes: UID; CN
Search Time: 130 ms.
Directories Searched: names.nsf
Entries Returned: 1
Bytes Returned: 170
Result Code: 0
# failure, from Apache
User Name: Anonymous
Server Name: CN=athena/O=AAF
Remote IP: 127.0.0.1
Base Object: o=AAF
Scope: Whole subtree
Dereference Aliases: Unknown
Size Limit: 4294967295 entries
Time Limit: None
Types Only: False
Filter: (&(objectclass=*)(uid=LDAP))
Attributes: UID; CN
Search Time: 0 ms.
Directories Searched: names.nsf
Entries Returned: 0
Bytes Returned: 14
Result Code: 1
...that result code of 1 being the notorious ldap "Operations Error",
which is apparently a polite way of saying "ldap fcuked up, and we don't
know why..."
Any thoughts or ideas? I hate to use the B-word in my very first
posting to the list, but this does look to me like mod_authnz_ldap is
malforming the search request somehow. Searches have brought up a few
other people w/similar problems, but no solutions.
TIA,
alex.
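One way to narrow this down, as an added example (not code from the original post or from Apache): parse the two Domino search-log records quoted above and diff only the request-side fields, so that what the client did differently stands out from the failure itself. The two sample records are constructed from the post's own log excerpts.

```python
# resultCode names from RFC 4511; Domino's log gives only the number
RESULT_CODES = {0: "success", 1: "operationsError", 32: "noSuchObject",
                49: "invalidCredentials", 50: "insufficientAccessRights"}

# Request-side fields: a mismatch here is something the client sent differently
REQUEST_FIELDS = ("Base Object", "Scope", "Size Limit", "Time Limit", "Filter", "Attributes")

# Sample records, constructed from the two Domino log excerpts quoted in the post
SUCCESS_LOG = """\
Base Object: o=AAF
Scope: Whole subtree
Size Limit: 100 entries
Time Limit: 60 seconds
Filter: (&(objectclass=*)(uid=LDAP))
Attributes: UID; CN
Entries Returned: 1
Result Code: 0
"""
FAILURE_LOG = """\
Base Object: o=AAF
Scope: Whole subtree
Size Limit: 4294967295 entries
Time Limit: None
Filter: (&(objectclass=*)(uid=LDAP))
Attributes: UID; CN
Entries Returned: 0
Result Code: 1
"""

def parse_record(text):
    """Parse one 'Key: value' Domino search-log block into a dict."""
    rec = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip():
            rec[key.strip()] = value.strip()
    return rec

def diff_requests(good, bad):
    """Return {field: (good, bad)} for request fields whose values differ."""
    return {f: (good.get(f), bad.get(f)) for f in REQUEST_FIELDS
            if good.get(f) != bad.get(f)}

def result_name(rec):
    """Map Domino's numeric Result Code to its RFC 4511 name."""
    code = int(rec.get("Result Code", -1))
    return RESULT_CODES.get(code, "unknown(%d)" % code)
```

On these two records `diff_requests(parse_record(SUCCESS_LOG), parse_record(FAILURE_LOG))` reports only Size Limit and Time Limit (4294967295 is 0xFFFFFFFF, i.e. -1 as an unsigned 32-bit value), which is where to look next; the diff shows what differs, not that Domino objects to it.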
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.