I seem to have a somewhat different problem than the ones I find all over forums and archives (needing an address to bind to to search for the user). I'm running Apache httpd 2.0.52 on CENTOS 4.6 (Final). The Active Directory server is on Windows 2003 Server. I'm trying to authenticate access to an internal web page (later, many pages, twiki, subversion, ...) against the active directory.
(The "*.pinerivercapital.local" names resolve to the internal IP addresses of the hosts on our internal DNS.) I can search and find users using ldapsearch (using an account with read privs), like this (password redacted): ---------- $ ldapsearch -x -D "CN=unix.ldapbind,OU=Service Accounts,OU=MPLS,DC=pinerivercapital,DC=local" -w "XXXX" -h prcdc1 -P 3 -b "dc=pinerivercapital,dc=local" "(sAMAccountName=David.dyer-bennet)" cn objectClass sAMAccountName # extended LDIF # # LDAPv3 # base <dc=pinerivercapital,dc=local> with scope sub # filter: (sAMAccountName=David.dyer-bennet) # requesting: cn objectClass sAMAccountName # # David Dyer-Bennet, PRC MN Users, MPLS, pinerivercapital.local dn: CN=David Dyer-Bennet,OU=PRC MN Users,OU=MPLS,DC=pinerivercapital,DC=local objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: David Dyer-Bennet sAMAccountName: david.dyer-bennet ---------- This is my .htaccess file for the protected directory: ---------- AuthName "Pine River Capital Windows Logon" AuthType basic AuthLDAPEnabled on AuthLDAPURL "ldap://prcdc1.pinerivercapital.local/dc=pinerivercapital,dc=local?sAMAc countName?sub?(objectClass=user)(objectCategory=person)" # Special unix ldapbind service AuthLDAPBindDN "CN=unix.ldapbind,OU=Service Accounts,OU=MPLS,DC=pinerivercapital,DC=local" AuthLDAPBindPassword "XXXX" # Non-Authoritative lets it also look in .htpasswd; must config user file AuthLDAPAuthoritative on Require valid-user ---------- When I visit that page in Firefox, I'm prompted for username and password, with the right authentication name. When I enter my username (the one I searched for above) and password, I get recycled back to the authentication dialog, and if I cancel out of that, I get a 401 page. The error_log says: [Mon May 19 16:43:43 2008] [warn] [client 192.168.1.70] [5481] auth_ldap authenticate: user David.Dyer-Bennet authentication failed; URI /ldauth [ldap_search_ext_s() for user failed][Operations error] I've tried many many variations without getting anything better. I ran a packet trace on the communication with the AD server, and what I see there is the search for the username being performed, and succeeding with exactly one record found: LDAPMessage searchResEntry(2) "CN=David Dyer-Bennet,OU=PRC MN Users,OU=MPLS,DC=pinerivercapital,DC=local" [1 result] Then I see a "simple bind request": LDAPMessage bindRequest(4) simple messageID: 4 protocolOp: bindRequest (0) bindRequest version: 3 name: authentication: simple (0) simple: <MISSING> And the AD server responds with no matchedDN, and a resultCode of "success (0)". Obviously, I think that's the first symptom of my problem, but I have no idea what the cause is. I was expecting to see the DN of the record found by the previous search in the bind request. (Not sure if the password is passed in cleartext; I kinda hope not.) Then I see *another* search for the same user record, which fails with an error saying a bind must be done first ("errorMessage: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece"). I feel like I've been right on the edge of a breakthrough for 2 days, but it doesn't seem to be happening. Lots of people with essentially similar configs are reporting success; the magic thing that makes it work for most people seems to be having an account to bind to initially, to perform the user search, and I've got that, and the user search works. I can't find cases where the failure happens later, or with the messages I'm getting. There seem to be lots of workable variants of the filter in the ldapURL, and mine exactly matches some I've seen and seems compatible with others; and the packet trace shows that it *is* finding the user correctly. Much as I'd love to blame Microsoft, the packet trace makes it look to me as though something isn't going right in mod_auth_ldap; most likely due to my config not being right, though I can't yet rule out a bug either. I'd greatly appreciate any suggestions, pointers, or what-have-you contributing to getting this figured out! Note that this system is running CENTOS 4.6, not 5.1. I just did a major upgrade to get it to 4.6, it was much further behind previously. But I need to keep it matching the production systems well enough that tests here are meaningful, so I can't yet upgrade past 4.6. (Sorry about the corporate disclaimer that's about to follow this; for some reason I couldn't get a response to my subscribe message from my personal account, and this is holding me up, so I went ahead and subscribed from the work account.) --- The contents of this message and its attachments, if any, are meant for the sole use of the intended recipient and may be confidential, privileged, or otherwise protected from disclosure. If you are not the intended recipient of this message or have received this message in error, please delete it, immediately alert the sender by reply e-mail, and do not read, disclose, distribute, or otherwise use the information contained herein. If this message was misdirected, neither Pine River nor its affiliates waives any confidentiality or privilege. Pine River retains and monitors e-mail communications sent through its network. This e-mail does not constitute or form part of any offer or invitation to sell, or the solicitation of an offer to purchase any investment and is provided for information purposes only. Pine River believes that the information it provides is accurate and complete as at the date of publication, but does not grant any warranty of such and neither Pine River nor its affiliates accepts any liability in respect of errors or omissions. Past performance is not necessarily a guide to future results. --- --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
