mod_authnz_ldap AuthLDAPURL problem

on 18.03.2010 18:25:03 by phiroc

Hi,

when I use the following AuthLDAPURL

"ldap://adserver/ou=city1,dc=abc,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))" NONE

I can authenticate any user in "ou" city1.

If I replace the AuthLDAPURL by

"ldap://adserver/dc=abc,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))" NONE

I get an Apache 2.2 internal error and in the error log the following message:

[debug] mod_authnz_ldap.c(379): [client xxxx] [8655] auth_ldap authenticate: using URL ldap://adserver/dc=abc,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))
[info] [client xxxx] [8655] auth_ldap authenticate: user myusername authentication failed; URI /test/ [ldap_search_ext_s() for user failed][Operations error]

When I do ldapsearch ... -b 'dc=abc,dc=com' '(&(objectClass=user)(!(objectClass=computer))(samaccountname=myusername)', the Active Directory server returns data, which seems to imply that there's something wrong with the mod_authnz_ldap module, or with the way I set it up or use it.

Has anyone encountered this problem before?

Is there a solution?

Many thanks.

Best regards,

p




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: mod_authnz_ldap AuthLDAPURL problem

on 18.03.2010 18:34:18 by Eric Covener

On Thu, Mar 18, 2010 at 1:25 PM, wrote:
> Hi,
>
> when I use the following AuthLDAPURL
>
> "ldap://adserver/ou=city1,dc=abc,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))" NONE
>
> I can authenticate any user in "ou" city1.
>
> If I replace the AuthLDAPURL by
>
> "ldap://adserver/dc=abc,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))" NONE
>
> I get an Apache 2.2 internal error and in the error log the following message:
>
> [debug] mod_authnz_ldap.c(379): [client xxxx] [8655] auth_ldap authenticate: using URL ldap://adserver/dc=abc,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))
> [info] [client xxxx] [8655] auth_ldap authenticate: user myusername authentication failed; URI /test/ [ldap_search_ext_s() for user failed][Operations error]
>
> When I do ldapsearch ... -b 'dc=abc,dc=com' '(&(objectClass=user)(!(objectClass=computer))(samaccountname=myusername)', the Active Directory server returns data, which seems to imply that there's something wrong with the mod_authnz_ldap module, or with the way I set it up or use it.

Can you look at the differences on the wire via e.g. wireshark? This
should make the difference in the search pretty easy to spot.



-- 
Eric Covener
covener@gmail.com


Re: mod_authnz_ldap AuthLDAPURL problem

on 19.03.2010 10:04:47 by phiroc

Hi,

when I run ldapsearch -x -W -D 'aduser' -H 'ldap://adserver:389' -b 'dc=iht,dc=com' '(&(objectclass=user)(!(objectclass=computer))(samaccountname=myname))' samaccountname

tethereal displays the following:

LDAP MsgId=2 Search Request, Base DN=dc=abc,dc=com
LDAP MsgId=2 Search Entry, 1 result
LDAP MsgId=3 Unbind Request

When I use mod_authnz_ldap with the following line in my Apache httpd.conf file:

AuthLDAPURL "ldap://adserver:389/dc=abc,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))" NONE

tethereal displays the following:

LDAP MsgId=2 Search Request, Base DN=dc=abc,dc=com
LDAP MsgId=2 Search Entry, 1 result
DNS Standard query AAAA ForestDnsZones.ABC.com
DNS Standard query response
DNS Standard query AAAA ForestDnsZones.ABC.com.abc.com
DNS Standard query response, No such name

In the first case, AD finds a user whose sAMAccountName is "myname", whereas, in the second case, AD seems to get lost in the Root DSE (which contains the ForestDnsZones.ABC.com branch).

Has anyone run into this problem before?

p
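Eric's suggestion is to compare the two searches on the wire, which first requires knowing exactly what mod_authnz_ldap sends for a given AuthLDAPURL. The script below is an added example, not code from the thread or from the httpd project: it splits an AuthLDAPURL into host, port, base DN, attribute, scope and filter using the defaults the directive documents (attribute "uid", scope "sub", filter "(objectclass=*)"), combines the filter with the supplied username the way the module does, "(&(<filter>)(<attribute>=<user>))" with the username's filter metacharacters escaped per RFC 4515, and renders an equivalent ldapsearch command line. The sample URL is the second URL from the original post with the archive's stray line-wrap spaces removed; "adserver" and the DNs are the poster's placeholders.

```python
"""Added example: parse an AuthLDAPURL as mod_authnz_ldap reads it, build the
per-user search it sends, and print the ldapsearch equivalent for comparison.
Not code from the thread or from the httpd project."""
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample: the second URL from the original post, de-wrapped.
SAMPLE_URL = ("ldap://adserver:389/dc=abc,dc=com?sAMAccountName?sub?"
              "(&(objectClass=user)(!(objectClass=computer)))")


@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    attribute: str   # attribute compared against the supplied username
    scope: str       # "one" or "sub"
    filter: str      # filter body without its outer parentheses


def parse_authldapurl(url: str) -> LdapUrl:
    """Split scheme://host[:port]/dn?attribute?scope?filter (RFC 2255 layout)
    and apply the defaults documented for AuthLDAPURL."""
    scheme, _, rest = url.partition("://")
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {scheme!r}")
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    fields = [unquote(f) for f in tail.split("?")]
    fields += [""] * max(0, 4 - len(fields))
    base_dn, attribute, scope = fields[:3]
    filt = "?".join(fields[3:]) or "objectclass=*"
    # "base" is not supported by the module; it and a missing scope mean "sub"
    scope = "one" if scope == "one" else "sub"
    if filt.startswith("(") and filt.endswith(")"):
        filt = filt[1:-1]   # the module strips these and re-adds them later
    default_port = 636 if scheme == "ldaps" else 389
    return LdapUrl(scheme, host, int(port) if port else default_port,
                   base_dn, attribute or "uid", scope, filt)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a username must never change the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\0" else c for c in value)


def build_search_filter(url: LdapUrl, username: str) -> str:
    """Combine the configured filter with the username as the module does:
    (&(<filter>)(<attribute>=<escaped username>))."""
    return f"(&({url.filter})({url.attribute}={escape_filter_value(username)}))"


def ldapsearch_argv(url: LdapUrl, username: str) -> list:
    """Equivalent ldapsearch invocation; bind options (-D/-W) are left to the caller."""
    return ["ldapsearch", "-x", "-H", f"{url.scheme}://{url.host}:{url.port}",
            "-b", url.base_dn, "-s", url.scope,
            build_search_filter(url, username), url.attribute]


if __name__ == "__main__":
    import shlex
    parsed = parse_authldapurl(SAMPLE_URL)
    print(build_search_filter(parsed, "myusername"))
    print(shlex.join(ldapsearch_argv(parsed, "myusername")))
```

Running the script against the poster's URL shows that the module's filter is the nested "(&(&(objectClass=user)(!(objectClass=computer)))(sAMAccountName=myusername))", so the search request itself matches the manual ldapsearch apart from the extra AND level. What differs is what happens after the entry comes back: the DNS lookups for ForestDnsZones in the second capture are what an LDAP client shows when it follows the referrals Active Directory returns for a subtree search rooted at the domain, while OpenLDAP's ldapsearch does not chase referrals by default. The LDAPReferrals directive that mod_ldap gained in later httpd releases controls this behaviour in the server.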
