Apache2 and windows LDAP authentication

how do i verify

the user id is ldapsub.

let me try the ldap browser

I just used that application you sent and put in the credentials and i was able to see what i think i needed to see

O.K., forgot that Windows uses a non-standard binddn, normally there is a userid object that specifies the userid.

 Is the userid in the Users group?  Or it is in another group or a sub group?

the user is in users group

Now try the same thing but use the user-id tester2 with their password.

what do you mean.

AuthLDAPBindDN "ldapsub"
AuthLDAPURL "ldap://dc4/DC=domain1,DC=net?sAMAccountName?sub?(objectClass=*)" NONE

When i used the following above, I was able to connect.

Why is that? What is that NONE mean? ldabsub didn't need a full CN= OU= listing, and the ldapurl doesn't specifiy OU=users

Why is this?

GOT IT. the none specifies the conneciton type, in my case, LDAP, no SSL.

I want to use LDAPS,

so when i changed the ldapurl to ldaps

httpd log shows server down unable to connect hm
i can telnet to port 389 no problem

I have never seen the "NONE" before.  The URL workss just like the http and https does for web servers.

The "ldap://" implies port 389 which is the port that is typically used for non-SSL connections.  

The "ldaps://" implies port 636 which is typically the SSL ldap port.

If you read:

http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html

You can see that specifing "NONE" is the same as using ldap:// or ldap:389/ and that "SSL" is  the same as ldaps:// or ldap:636.

The only odd-ball is if you are using TLS.

I have no clue why using just AuthLDAPBindDN "ldapsub" worked, it should not.

What I meant was to use the ldap browser and use tester2 instead of ldapsub as the user-id, and use the appropriate password for tester2 also.

ah yes tester2 worked no problem too

if i remove none, i cannot access the server.. strange.. hmm

If Apache is running under Windows look at the file c:\windows\system32\drivers\etc\services and see what port "ldap" is set to.

If you are running under *nix look at /etc/servers.  It is poosible that somebody could have updated the services file so that the service ldap is set to 636 instead of 398.

636

O.K. so in your services file ldap is defined as going to port 636, that is your problem.  That port is used for SSL.

If you update your services file so that ldap points to 389 and then verify that ldaps points to 363, you should be fine.

but why must i specify?

Because somebody updated your services file to say that when somebody asks to do protocols ldap use port 636, you need to use port 386.  So you need to update the services file so that ldap is defined as 389 (the normal default).

Think of the services file as a phone list and ldap as the name of the person you want to call.  You look up the "name" ldap in the phone list, it says to dial phone number 636.  The problem is their phone number is not 636 it is 389.  So you need to update the phone list with the correct number.

this wasn't updated. it's a brand new box, just build. so windows by default things 636 is ldap when it should be 389? again, not by someone changing it intentionally..

I just checked a few Windows boxes (I don't have a 2008 server) and on every single one of them ldap is 389.

So, either MS really messed up or somebody/something changed it.