Apache AD / LDAP authentication issues.

Gregory Machin gdm at linuxpro.co.za
Thu Dec 1 03:42:44 UTC 2011


Hi.
Please advise if you can.

I'm trying to configure apache to authenticate to MS AD server 2008R2,
using LDAP.

I have created a user in AD that is a member of "Users" and nothing
else. I can log into my workstation using this user with the password
I set.

My Apache configuration is as follows:

# Basic authentication with LDAP against MS AD
AuthType Basic
AuthBasicProvider ldap

  # AuthLDAPURL specifies the LDAP server IP, port, base DN, scope and filter
  # using this format: ldap://host:port/basedn?attribute?scope?filter
AuthLDAPURL "ldap://xxx.xxx.32.2:389 xxx.xxx.32.10:389/DC=ad,DC=mydom,DC=com?sAMAccountName?sub?(objectClass=*)" NONE

  # The LDAP bind username and password
AuthLDAPBindDN "CN=apache.serverapp04,CN=Users,DC=ad,DC=mydom,DC=com"
AuthLDAPBindPassword passwordxyz

  # we want to allow authentication only through LDAP, no fallback
AuthzLDAPAuthoritative on
AuthUserFile /dev/null
  # make sure REMOTE_USER is set to sAMAccountName
AuthLDAPRemoteUserAttribute sAMAccountName

# The name of this authentication realm
AuthName "Restricted Dir [Domain Account]"
  # To authenticate single domain users, list them here
require ldap-user "greg.machin"
  # to authenticate a domain group, specify the full DN
  # AuthLDAPGroupAttributeIsDN on
  #require ldap-group CN=acl_secure_exchange,OU=Global Groups,OU=User,DC=frank4dd,DC=com
##### end LDAP #####

When I visit the site I get the expected login prompt, but authentication
fails with my own account.

[Thu Dec 01 15:32:03 2011] [debug] mod_authnz_ldap.c(403): [client xxx.xxx.69.196] [3471] auth_ldap authenticate: using URL ldap://xxx.xxx.32.2:389 xxx.xxx.32.10:389/DC=ad,DC=mydom,DC=com?sAMAccountName?sub?(objectClass=*)
[Thu Dec 01 15:32:03 2011] [info] [client xxx.xxx.69.196] [3471] auth_ldap authenticate: user greg authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
[Thu Dec 01 15:32:03 2011] [error] [client xxx.xxx.69.196] user greg: authentication failure for "/": Password Mismatch

This led me to suspect an issue with the binddn configuration, so I tried ldapsearch:

root at nzhmlwks0091:~# ldapsearch -h 192.168.32.2 -p 389 -D "CN=apache.serverapp04,CN=Users,DC=ad,DC=mydom,DC=com" -w "passwordxyz"
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

So the problem is with the binddn. I configured the new user the same
as another user that is known to be working, a member of User and
"Domain Admins" (I don't want this user to have admin rights if I can
avoid it).

What have I missed, and what should I change to get this working?

Thanks
G
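The `data 52e` in the ldapsearch output above is the most useful part of the failure: AD returns a Win32 error number (in hex) in that field of the bind error, which tells a bad password apart from a disabled, locked or expired account. The parser below is an added example, not code from the post or from Apache or OpenLDAP; the sub-code table is Microsoft's documented set, of which only 52e appears in the post.

```python
import re

# Microsoft's AcceptSecurityContext sub-codes as they appear in the "data NNN"
# field of an AD bind error (hex Win32 error numbers). Documented set, not taken
# from the post; only 52e occurs in the post's output.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password; AD also returns this for a bind DN it cannot resolve)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Shape of the "additional info" line OpenLDAP's ldapsearch prints when an AD
# simple bind fails, e.g. the post's line:
#   80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
AD_ERR_RE = re.compile(
    r"(?P<err>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+)"
)


def diagnose_ad_bind(output):
    """Map an AD bind failure to its sub-code, Win32 error number and meaning.

    Returns None when the text carries no AD-specific detail (a non-AD server,
    or a bare 'Invalid credentials (49)' with no 'additional info' line).
    """
    match = AD_ERR_RE.search(output)
    if not match:
        return None
    subcode = match.group("data").lower()
    return {
        "subcode": subcode,
        "win32": int(subcode, 16),          # e.g. 0x52e -> 1326 ERROR_LOGON_FAILURE
        "comment": match.group("comment"),
        "meaning": AD_BIND_SUBCODES.get(subcode, "unrecognised sub-code"),
    }


# Sample input: the ldapsearch output quoted in the post.
SAMPLE_LDAPSEARCH_OUTPUT = (
    "ldap_bind: Invalid credentials (49)\n"
    "        additional info: 80090308: LdapErr: DSID-0C0903A9, comment: "
    "AcceptSecurityContext error, data 52e, v1db1\n"
)

if __name__ == "__main__":
    result = diagnose_ad_bind(SAMPLE_LDAPSEARCH_OUTPUT)
    print(f"data {result['subcode']} (Win32 {result['win32']}): {result['meaning']}")
```

Pipe the stderr of a failing `ldapsearch` bind into `diagnose_ad_bind` to separate a password or DN problem (52e) from an account-state problem (533, 775, 532) before touching the Apache configuration.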

