Hi.
Please advise if you can.
I'm trying to configure apache to authenticate to MS AD server 2008R2,
using LDAP.
I have created a user in AD that is a member of "Users" and nothing
else. I can log into my workstation using this user with the password
I set.
My Apache configuration is as follows:
# Basic authentication with LDAP against MS AD
AuthType Basic
AuthBasicProvider ldap
# AuthLDAPURL specifies the LDAP server IP, port, base DN, scope and filter
# using this format: ldap://host:port/basedn?attribute?scope?filter
AuthLDAPURL "ldap://xxx.xxx.32.2:389 xxx.xxx.32.10:389/DC=ad,DC=mydom,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
# The LDAP bind username and password
AuthLDAPBindDN "CN=apache.serverapp04,CN=Users,DC=ad,DC=mydom,DC=com"
AuthLDAPBindPassword passwordxyz
# we want to allow authentication only through LDAP, no fallback
AuthzLDAPAuthoritative on
AuthUserFile /dev/null
# make sure REMOTE_USER is set to sAMAccountName
AuthLDAPRemoteUserAttribute sAMAccountName
# The name of this authentication realm
AuthName "Restricted Dir [Domain Account]"
# To authenticate single domain users, list them here
require ldap-user "greg.machin"
# to authenticate a domain group, specify the full DN
# AuthLDAPGroupAttributeIsDN on
#require ldap-group CN=acl_secure_exchange,OU=Global Groups,OU=User,DC=frank4dd,DC=com
##### end LDAP #####
When I visit the site I get the expected login prompt, but authentication
fails with my own account.
[Thu Dec 01 15:32:03 2011] [debug] mod_authnz_ldap.c(403): [client xxx.xxx.69.196] [3471] auth_ldap authenticate: using URL ldap://xxx.xxx.32.2:389 xxx.xxx.32.10:389/DC=ad,DC=mydom,DC=com?sAMAccountName?sub?(objectClass=*)
[Thu Dec 01 15:32:03 2011] [info] [client xxx.xxx.69.196] [3471] auth_ldap authenticate: user greg authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
[Thu Dec 01 15:32:03 2011] [error] [client xxx.xxx.69.196] user greg: authentication failure for "/": Password Mismatch
This led me to an issue with the binddn configuration, so I tried ldapsearch:
root@nzhmlwks0091:~# ldapsearch -h 192.168.32.2 -p 389 -D "CN=apache.serverapp04,CN=Users,DC=ad,DC=mydom,DC=com" -w "passwordxyz"
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
So the problem is with the binddn. I configured the new user the same
as another user that is known to be working, a member of "Users" and
"Domain Admins" (I don't want this user to have admin rights if I can
avoid it).
What have I missed, and what should I change to get this working?
Thanks
G
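The bind failure above carries an AD-specific sub-code ("data 52e") next to the generic LDAP result 49, and the AuthLDAPURL packs the hosts, base DN, attribute, scope and filter into one string. As an added example (not from the original post or from Apache), here is a small Python helper that decodes that sub-code, splits an AuthLDAPURL the way mod_authnz_ldap reads it, and shows the user-lookup filter it derives; the sample error text is constructed to match the ldapsearch output above.

```python
import re

# Constructed sample: the 'additional info' text a domain controller returns
# alongside LDAP result 49 on a failed simple bind (shape taken from the post).
SAMPLE_BIND_ERROR = ("ldap_bind: Invalid credentials (49)\n"
                     "additional info: 80090308: LdapErr: DSID-0C0903A9, comment: "
                     "AcceptSecurityContext error, data 52e, v1db1")

# AD sub-codes that qualify a result-49 bind failure (hex, as printed by the DC).
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (user exists, password or credential rejected)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

def decode_ad_bind_error(text):
    """Return (sub-code, meaning) from AD bind error text, or None if absent."""
    m = _DATA_RE.search(text)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_DATA_CODES.get(code, "unknown sub-code")

# AuthLDAPURL: ldap[s]://host[:port] [host[:port] ...]/basedn?attribute?scope?filter
_URL_RE = re.compile(r"^(ldaps?)://([^/]+)/([^?]*)(?:\?([^?]*))?(?:\?([^?]*))?(?:\?(.*))?$")

def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL into its parts, applying mod_authnz_ldap's defaults."""
    m = _URL_RE.match(url)
    if not m:
        raise ValueError("not a valid AuthLDAPURL: %r" % url)
    scheme, hosts, basedn, attr, scope, filt = m.groups()
    return {"scheme": scheme, "hosts": hosts.split(), "basedn": basedn,
            "attribute": attr or "uid", "scope": scope or "sub",
            "filter": filt or "(objectclass=*)"}

def ldap_filter_escape(value):
    """Escape RFC 4515 special characters so a username cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def user_search_filter(url, username):
    """The filter mod_authnz_ldap runs to locate the user before binding as them."""
    p = parse_auth_ldap_url(url)
    return "(&%s(%s=%s))" % (p["filter"], p["attribute"], ldap_filter_escape(username))
```

Running decode_ad_bind_error on the post's output yields 52e, which is the "account exists but the password was rejected" case, as opposed to 525 (DN not found) or 533 (account disabled).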