LDAP authentication for apache2

Fedora Core 2, openldap, apache2...

I can't seem to get my authentication to work with LDAP in apache.

I've set up my ldap server and it is being used for login and it works fine, but now I've set up my htaccess for apache and it's not authenticating me... I believe the problem is in my AuthLDAPURL string but I don't have enough experience to figure out what it is...
 
here is my .htaccess
---------------------------------------------------------------------
Satisfy all
Order deny,allow
Deny from all
Allow from all
AuthType Basic
AuthName "GlobalFlow Authentication"
AuthLDAPEnabled on
AuthLDAPAuthoritative on
AuthLDAPURL "ldap://localhost/o=organization?uid?sub"
Require valid-user
---------------------------------------------------------------------


Here is my log
---------------------------------------------------------------------
[Wed Dec 01 15:59:38 2004] [warn] [client 192.168.2.19] [9470] auth_ldap authenticate: user foo authentication failed; URI / [ldap_search_ext_s() for user failed][No such object]
---------------------------------------------------------------------

Any suggestions would be greatly appreciated...
DaK00L1Asked:

wesly_chenCommented:
Hi,

  You need the auth_ldap module for Apache.

In the httpd.conf file, you need to have the following line:
---
LoadModule   auth_ldap_module    libexec/auth_ldap.so
---

  For more details, please check the following URL:
http://www.saas.nsw.edu.au/solutions/ldap-apache-auth.html

Regards,

Wesly
DaK00L1Author Commented:
I have the module compiled into apache:

I'm also not getting any syntax errors so I would assume that the module is loading correctly, and is being used...

/httpd -l
Compiled in modules:
  core.c
  mod_access.c
  mod_auth.c
  util_ldap.c
  mod_auth_ldap.c
  mod_include.c
  mod_log_config.c
  mod_env.c
  mod_setenvif.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_status.c
  mod_autoindex.c
  mod_asis.c
  mod_cgi.c
  mod_negotiation.c
  mod_dir.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_so.c
wesly_chenCommented:
Can you do
grep -i ldap /etc/httpd/conf/httpd.conf  <=== path may vary
and post the output here?

Wesly

wesly_chenCommented:
For your reference:
-- http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html --
Or create a file .htaccess with the following contents in the directory you want to protect:
-------
AuthName "RCS Staff only"
AuthType Basic
LDAP_Server ldap.fccc.edu   <== your LDAP server
LDAP_Port 389   <=== your LDAP port. port 389 by default
Base_DN "o=Fox Chase Cancer Center,c=US"  <=== Your DN
UID_Attr uid
require user muquit foo bar "john doe"  <===add the user here
-------
Note: In order to make .htaccess work, make sure you allow it with the AllowOverride option. By default it is OFF.

Wesly
DaK00L1Author Commented:
I don't have any ldap references in my http.conf file... the only place I use ldap is in the .htaccess file...

The allowed override is on.  I am getting the username/password popup when I browse to the site....
ramazanyichCommented:
Question is: did you provide the LDAP URL correctly?
Your URL ldap://localhost/o=organization?uid?sub means that on your LDAP server the o=organization entry should exist, and the user who wants to log on should have the attribute uid.
Second question: is anonymous login allowed on your LDAP server?
If not, use the AuthLDAPBindDN and AuthLDAPBindPassword attributes.
Also check the access and error logs of your LDAP server to see whether the connection to LDAP arrives and what type of query is performed.
DaK00L1Author Commented:
Maybe I should ask this question... do I need to use https to use ldap? I've read a couple of places that said it is needed.

My o=organization does exist, and the user is trying to log in using his uid, which also exists.

Anonymous login is not allowed on my ldap server; do I have to use AuthLDAPBindDN and AuthLDAPBindPassword?
ramazanyichCommented:
If anonymous login is disabled then you must provide AuthLDAPBindDN and AuthLDAPBindPassword,
because mod_ldap will use it to search for the user DN first and after that perform the login with that user DN.
But for the first search it will use AuthLDAPBindDN for login.
ramazanyichCommented:
You don't need to use https for ldap authentication. It doesn't have any added value for mod_ldap.
DaK00L1Author Commented:
OK, I'm binding my DN and password with this...

AuthLDAPBindDN cn=Manager,dc=domain,dc=ca
AuthLDAPBindPassword secret
AuthLDAPURL "ldap://localhost/dc=domain,dc=ca,?uid?sub?(objectClass=*)"


and the result is this (apache error_log)
[Mon Dec 06 16:00:27 2004] [warn] [client 192.168.2.34] [16767] auth_ldap authenticate: user devon authentication failed; URI / [ldap_simple_bind_s() to check user credentials failed][Insufficient access]

It seems as though it is authenticating, but that user devon does not have access... is this correct?
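As an added example (not code from this thread or from Apache), a small Python check that splits an AuthLDAPURL into the base DN, attribute, scope and filter that ramazanyich describes, flags obviously malformed base DNs such as a trailing comma, and shows the search filter mod_auth_ldap sends before it binds as the user. The defaults and filter shape follow the Apache 2.0 mod_auth_ldap documentation; the DN check is simplified and assumes no escaped commas in values.

```python
"""Parse an Apache AuthLDAPURL the way mod_auth_ldap reads it.

Added example for this thread (not code from the thread or from Apache).
Format as ramazanyich describes: ldap://host[:port]/basedn?attribute?scope?filter
Defaults (uid, sub, (objectClass=*)) are the mod_auth_ldap defaults.
The DN check is simplified: it does not handle escaped commas in values.
"""
from urllib.parse import unquote


def parse_auth_ldap_url(url: str) -> dict:
    """Split an AuthLDAPURL into host, port, base DN, attribute, scope, filter."""
    scheme, _, rest = url.partition("://")
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme {scheme!r}")
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    # Everything after the host: basedn?attribute?scope?filter (any part may be empty).
    pieces = unquote(tail).split("?")
    pieces += [""] * (4 - len(pieces))
    base_dn, attribute, scope, filt = pieces[:4]
    return {
        "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "base_dn": base_dn,
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": filt or "(objectClass=*)",
    }


def dn_problems(dn: str) -> list:
    """Report obviously malformed RDNs (empty, or missing attr=value), e.g. from a trailing comma."""
    if not dn:
        return ["empty base DN"]
    problems = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            problems.append(f"malformed RDN {rdn!r}")
    return problems


def user_search_filter(cfg: dict, username: str) -> str:
    """The filter mod_auth_ldap sends in its first (bind-DN) search to find the user's DN."""
    return f"(&{cfg['filter']}({cfg['attribute']}={username}))"


if __name__ == "__main__":
    for url in ("ldap://localhost/o=organization?uid?sub",
                "ldap://localhost/dc=domain,dc=ca,?uid?sub?(objectClass=*)"):
        cfg = parse_auth_ldap_url(url)
        print(url, "->", cfg, dn_problems(cfg["base_dn"]), user_search_filter(cfg, "devon"))
```

The second URL above is the one posted later in this thread; the check reports its trailing comma as an empty RDN, which is worth fixing before looking elsewhere.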
ramazanyichCommented:
Yes, it seems like that.
Could you try to log on using that user DN with a standard LDAP client (ldapbrowser, for example)?
DaK00L1Author Commented:
The problem turned out to be in my LDAP configuration (slapd.conf): I needed to add "by * auth".

access to attr=userPassword
        by self write
        by * auth