DaK00L1
Ldap authentication for apache2
Fedora Core 2, openldap, apache2...
I can't seem to get my authentication to work with LDAP in apache.
I've set up my ldap server and it is being used for login and it works fine, but now I've set up my htaccess for apache and it's not authenticating me... I believe the problem is in my AuthLDAPURL string but I don't have enough experience to figure out what it is...
Here is my .htaccess:
--------------------------
Satisfy all
Order deny,allow
Deny from all
Allow from all
AuthType Basic
AuthName "GlobalFlow Authentication"
AuthLDAPEnabled on
AuthLDAPAuthoritative on
AuthLDAPURL "ldap://localhost/o=organization?uid?sub"
Require valid-user
--------------------------
Here is my log:
--------------------------
[Wed Dec 01 15:59:38 2004] [warn] [client 192.168.2.19] [9470] auth_ldap authenticate: user foo authentication failed; URI / [ldap_search_ext_s() for user failed][No such object]
--------------------------
any suggestions would be greatly appreciated...
ASKER
I have the module compiled into apache:
I'm also not getting any syntax errors so I would assume that the module is loading correctly, and is being used...
/httpd -l
Compiled in modules:
core.c
mod_access.c
mod_auth.c
util_ldap.c
mod_auth_ldap.c
mod_include.c
mod_log_config.c
mod_env.c
mod_setenvif.c
prefork.c
http_core.c
mod_mime.c
mod_status.c
mod_autoindex.c
mod_asis.c
mod_cgi.c
mod_negotiation.c
mod_dir.c
mod_imap.c
mod_actions.c
mod_userdir.c
mod_alias.c
mod_so.c
Can you do
grep -i ldap /etc/httpd/conf/httpd.conf <=== path may vary
and post output here?
Wesly
For your reference:
http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html
Or create a file .htaccess with the following contents in the directory you want to protect:
-------
AuthName "RCS Staff only"
AuthType Basic
LDAP_Server ldap.fccc.edu <== your LDAP server
LDAP_Port 389 <=== your LDAP port. port 389 by default
Base_DN "o=Fox Chase Cancer Center,c=US" <=== Your DN
UID_Attr uid
require user muquit foo bar "john doe" <===add the user here
-------
Note: In order to make .htaccess work, make sure you allow it with the AllowOverride option. By default it is OFF.
Wesly
ASKER
I don't have any ldap references in my httpd.conf file... the only place I use ldap is in the .htaccess file...
The AllowOverride is on. I am getting the username/password popup when I browse to the site....
Question is: did you correctly provide the LDAP URL?
Your URL ldap://localhost/o=organization?uid?sub means that on your LDAP server an o=organization entry should exist, and the user who wants to log on should have the attribute uid.
Second question: is anonymous login allowed on your LDAP server?
If not, use the AuthLDAPBindDN and AuthLDAPBindPassword attributes.
Also check the access and error logs of your LDAP server to see whether the connection to LDAP arrives and what type of query is performed.
ASKER
Maybe I should ask this question... do I need to use https to use ldap? I've read a couple of places that said it is needed.
My o=organization does exist, and the user is trying to log in using his uid, which also exists.
Anonymous login is not allowed on my ldap server; do I have to use AuthLDAPBindDN and AuthLDAPBindPassword?
If anonymous login is disabled then you must provide AuthLDAPBindDN and AuthLDAPBindPassword.
Because mod_ldap will use it to search for the user DN first and after that perform a login with that user DN.
But for the first search it will use AuthLDAPBindDN for login.
You don't need to use https for ldap authentication. It doesn't have any added value for mod_ldap.
ASKER
OK, I'm binding my DN and password with this...
AuthLDAPBindDN cn=Manager,dc=domain,dc=ca
AuthLDAPBindPassword secret
AuthLDAPURL "ldap://localhost/dc=domain,dc=ca,?uid?sub?(objectClass=*)"
and the result is this (apache error_log):
[Mon Dec 06 16:00:27 2004] [warn] [client 192.168.2.34] [16767] auth_ldap authenticate: user devon authentication failed; URI / [ldap_simple_bind_s() to check user credentials failed][Insufficient access]
it seems as though it is authenticating but that user devon does not have access... is this correct?
ASKER CERTIFIED SOLUTION
ASKER
The problem turned out to be in my ldap configuration (slapd.conf). I needed to add "by * auth":
access to attr=userPassword
    by self write
    by * auth
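The following is an added example (not code from the thread or from mod_auth_ldap) that models the two-step flow described above, search for the user DN as AuthLDAPBindDN and then a simple bind as that DN, together with the slapd "access to attr=userPassword" rules that decide whether the second bind is allowed. The directory entries and the ACL text are constructed for the example; the search step is assumed to run as the rootdn, which bypasses ACLs, so only the bind is checked.

```python
# Added example: in-memory model of mod_auth_ldap's search-then-bind and of
# the slapd ACL on userPassword. No LDAP server is contacted.

# slapd access levels, weakest to strongest (OpenLDAP semantics)
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# constructed sample directory: DN -> attributes
DIRECTORY = {
    "uid=devon,ou=people,dc=domain,dc=ca": {"uid": "devon", "userPassword": "pw1"},
    "uid=foo,ou=people,dc=domain,dc=ca": {"uid": "foo", "userPassword": "pw2"},
}

def parse_access(text):
    """Parse slapd.conf 'access to <target>' blocks with their 'by <who> <level>' lines."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("access to "):
            rules.append({"target": line[len("access to "):], "by": []})
        elif line.startswith("by ") and rules:
            _, who, level = line.split()
            rules[-1]["by"].append((who, level))
    return rules

def access_level(rules, target, requester_dn, entry_dn):
    """First matching 'access to' rule applies and the first matching 'by'
    clause wins; a matching rule with no matching 'by' denies (implicit 'by * none')."""
    for rule in rules:
        if rule["target"] != target:
            continue
        for who, level in rule["by"]:
            if who == "*" or (who == "self" and requester_dn == entry_dn) \
                    or (who == "anonymous" and requester_dn == ""):
                return level
        return "none"
    return "none"

def mod_auth_ldap(rules, base_dn, uid, password):
    """Step 1: search under base_dn for uid (as the bind DN, ACLs bypassed here).
    Step 2: simple bind as the found DN, which slapd evaluates as anonymous."""
    in_base = {dn: e for dn, e in DIRECTORY.items() if dn.endswith(base_dn)}
    if not in_base:
        return "ldap_search_ext_s() for user failed [No such object]"
    matches = [dn for dn, e in in_base.items() if e["uid"] == uid]
    if not matches:
        return "user not found"
    user_dn = matches[0]
    # 'by self write' alone never grants auth to the anonymous bind requester
    if LEVELS.index(access_level(rules, "attr=userPassword", "", user_dn)) < LEVELS.index("auth"):
        return "ldap_simple_bind_s() to check user credentials failed [Insufficient access]"
    if in_base[user_dn]["userPassword"] != password:
        return "ldap_simple_bind_s() to check user credentials failed [Invalid credentials]"
    return "ok"
```

Run it with the ACL from the thread with and without the "by * auth" line to see the "Insufficient access" result turn into a successful bind.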
You need auth_ldap module for Apache.
In the httpd.conf file, you need to have the following line:
---
LoadModule auth_ldap_module libexec/auth_ldap.so
---
For more details, please check the following URL:
http://www.saas.nsw.edu.au/solutions/ldap-apache-auth.html
Regards,
Wesly