It works!

For the record, here's my final setup. I'm using Apache 2.2.x and mod_authnz_ldap with Windows 2003 Server.

<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs">
   Options Indexes FollowSymLinks
   AllowOverride None
   Order deny,allow

   AuthType Basic
   AuthName "Testing LDAP Auth"
   AuthBasicProvider ldap
#AuthLDAPAuthoritative on - this didn't work because it should have been authz not auth, see below

   AuthzLDAPAuthoritative off
#the ldapurl started working better when i hardcoded the ip, and added ou=People to the dn
   AuthLDAPUrl "ldap://192.168.1.171:389/ou=People,dc=coopfed,dc=local?sAMAccountName"

#the bind account not auth'ing right caused me the original problems with [LDAP: ldap_simple_bind_s() failed][Invalid Credentials]
   AuthLDAPBindDN "cn=cu_apache_auth,cn=Users,dc=coopfed,dc=local"
   AuthLDAPBindPassword "********"

   Require valid-user

</Directory>

I didn't get a lot of responses on this one, but maybe this information will help somebody you know.

Tom Hart wrote:
I'm beginning to believe that the BindDN and BindPassword are incorrect, because it doesn't seem to matter what I type in there, I get the same results. I'm pretty sure I have the DN correct though.

We have an apache service account (account name is cu_apache) in the Users container under our domain coopfed.local. Does the DN seem right?

Tom Hart wrote:
Ok, I'm getting a bit closer. Here's what I have now.

<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs">
   Options Indexes FollowSymLinks
   AllowOverride None
   Order deny,allow

   AuthType Basic
   AuthName "Testing LDAP Auth"
   AuthBasicProvider ldap
   #AuthLDAPAuthoritative on - still doesn't let apache start

   AuthLDAPUrl "ldap://server/?sAMAccountName"
   AuthLDAPBindDN "cn=cu_apache,cn=Users,dc=coopfed,dc=local"
   AuthLDAPBindPassword "********"

   Require valid-user

</Directory>

Now I get a login box, but when using the admin u/p I get this in error.log

[Thu Oct 04 13:57:10 2007] [warn] [client 192.168.1.207] [6764] auth_ldap authenticate: user administrator authentication failed; URI /test.php [LDAP: ldap_simple_bind_s() failed][Invalid Credentials]
[Thu Oct 04 13:57:10 2007] [error] [client 192.168.1.207] user administrator: authentication failure for "/test.php": Password Mismatch

I know the login credentials are correct. Is there a better way to set up LDAPUrl or to see what's trying to authenticate where in the 2003 AD?

Tom Hart wrote:
As a follow-up I realized ldap-user is used to specify a certain user aka ldap-user "Joe Smith". However based on the fact that I'm not getting prompted for a u/p, and AuthLDAPAuthoritative is failing, I believe my problem lies deeper than that. I could be wrong of course, just trying to narrow down the search.

Tom Hart wrote:
Hi everybody. Thanks to the help of this list I managed to get the auth_ldap module loaded, but now I'm having a little trouble bringing this project to full fruition.

I'm not sure which part of this is failing, and unfortunately I can't seem to find where I can see any type of log info about ldap access attempts, whether they're even happening, or why apache won't start with AuthLDAPAuthoritative on.

Any ideas? Here's my main directory chunk from httpd.conf

<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs">
   Options Indexes FollowSymLinks
   AllowOverride None
   Order allow,deny

   #AuthLDAPAuthoritative on - apache won't start with this enabled

   AuthType Basic
   AuthName "Testing LDAP Auth"
   AuthBasicProvider ldap

   AuthLDAPUrl "ldap://192.168.1.171:389/ou=People,dc=coopfed,dc=local"
   AuthLDAPBindDN "cn=tomhart,ou=people,dc=coopfed,dc=local"
   AuthLDAPBindPassword ********

   Require ldap-user

</Directory>

Also, I'm not sure how important this is but I'm using windows 2003 server.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
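
Added example, not part of the original thread or of the Apache project's code: mod_authnz_ldap binds as AuthLDAPBindDN, searches for the user with a filter built from AuthLDAPUrl, then binds as the entry it found. The Python below parses the three AuthLDAPUrl values from the thread using the defaults documented for the directive (uid, sub, (objectClass=*)); the function names and the RFC 4515 escaping are this example's own.

```python
from urllib.parse import urlsplit, unquote

# URLs copied from the thread, oldest first.
THREAD_URLS = [
    "ldap://192.168.1.171:389/ou=People,dc=coopfed,dc=local",
    "ldap://server/?sAMAccountName",
    "ldap://192.168.1.171:389/ou=People,dc=coopfed,dc=local?sAMAccountName",
]
# RFC 4515 escapes, so a login name cannot change the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def parse_auth_ldap_url(url):
    """Split ldap://host:port/basedn?attribute?scope?filter and apply defaults."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    attribute, scope, flt = (parts.query.split("?") + ["", "", ""])[:3]
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": unquote(attribute).split(",")[0] or "uid",
        "attribute_defaulted": not attribute,
        "scope": scope or "sub",
        "filter": unquote(flt) or "(objectClass=*)",
    }

def search_filter(cfg, username):
    """Filter used to look the user up before the second bind as that user."""
    safe = "".join(_ESCAPES.get(ch, ch) for ch in username)
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"], safe)

def review(url):
    """Return notes on settings that commonly break or weaken the lookup."""
    cfg, notes = parse_auth_ldap_url(url), []
    if cfg["attribute_defaulted"]:
        notes.append("no attribute given: search uses uid")
    if not cfg["base_dn"]:
        notes.append("empty base DN")
    if cfg["scheme"] == "ldap":
        notes.append("ldap:// scheme: simple binds are cleartext unless TLS is configured")
    return notes

if __name__ == "__main__":
    for u in THREAD_URLS:
        print(u, parse_auth_ldap_url(u), review(u), sep="\n  ")
    print(search_filter(parse_auth_ldap_url(THREAD_URLS[2]), "administrator"))
```
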


