Ldap authentication for apache2

Posted on 2004-12-01
Last Modified: 2010-05-19
Fedora Core 2, openldap, apache2...

I can't seem to get my authentication to work with LDAP in apache.  

I've set up my ldap server and it is being used for login and it works fine, but now I've set up my htaccess for apache and it's not authenticating me... I believe the problem is in my AuthLDAPURL string but I don't have enough experience to figure out what it is...
 
here is my .htaccess
---------------------------------------------------------------------
Satisfy all
Order deny,allow
Deny from all
Allow from all
AuthType Basic
AuthName "GlobalFlow Authentication"
AuthLDAPEnabled on
AuthLDAPAuthoritative on
AuthLDAPURL "ldap://localhost/o=organization?uid?sub"
Require valid-user
---------------------------------------------------------------------


Here is my log
---------------------------------------------------------------------
[Wed Dec 01 15:59:38 2004] [warn] [client 192.168.2.19] [9470] auth_ldap authenticate: user foo authentication failed; URI / [ldap_search_ext_s() for user failed][No such object]
---------------------------------------------------------------------

any suggestions would be greatly appreciated...
Question by:DaK00L1
LVL 38

Expert Comment

by:wesly_chen
ID: 12721392
Hi,

  You need the auth_ldap module for Apache.

In the httpd.conf file, you need to have the following line:
---
LoadModule   auth_ldap_module    libexec/auth_ldap.so
--

  For more details, please check the following URL:
http://www.saas.nsw.edu.au/solutions/ldap-apache-auth.html

Regards,

Wesly
 
LVL 2

Author Comment

by:DaK00L1
ID: 12722622
I have the module compiled into apache:

I'm also not getting any syntax errors so I would assume that the module is loading correctly, and is being used...

/httpd -l
Compiled in modules:
  core.c
  mod_access.c
  mod_auth.c
  util_ldap.c
  mod_auth_ldap.c
  mod_include.c
  mod_log_config.c
  mod_env.c
  mod_setenvif.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_status.c
  mod_autoindex.c
  mod_asis.c
  mod_cgi.c
  mod_negotiation.c
  mod_dir.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_so.c
 
LVL 38

Expert Comment

by:wesly_chen
ID: 12722645
Can you do
grep -i ldap /etc/httpd/conf/httpd.conf  <=== path may vary
and post output here?

Wesly
 
LVL 38

Expert Comment

by:wesly_chen
ID: 12722691
For your reference:
-- http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html--
Or create a file .htaccess with the following contents in the directory you want to protect:
-------
AuthName "RCS Staff only"
AuthType Basic
LDAP_Server ldap.fccc.edu   <== your LDAP server
LDAP_Port 389   <=== your LDAP port. port 389 by default
Base_DN "o=Fox Chase Cancer Center,c=US"  <=== Your DN
UID_Attr uid
require user muquit foo bar "john doe"  <===add the user here
-------
Note: In order to make .htaccess work, make sure you allow it with AllowOverride option. By default it is OFF.

Wesly
 
LVL 2

Author Comment

by:DaK00L1
ID: 12723076
I don't have any ldap references in my http.conf file... the only place I use ldap is in the .htaccess file...

The allowed override is on.  I am getting the username/password popup when I browse to the site....
 
LVL 19

Expert Comment

by:ramazanyich
ID: 12725261
The question is: did you provide the LDAP URL correctly?
Your URL ldap://localhost/o=organization?uid?sub means that the o=organization entry should exist on your LDAP server, and the user who wants to log on should have the attribute uid.
Second question: is anonymous login allowed on your LDAP server?
If not, use the AuthLDAPBindDN and AuthLDAPBindPassword attributes.
Also check the access and error logs of your LDAP server to see whether the connection to LDAP arrives and what type of query is performed.
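As an added example (not code from this thread or from Apache), here is a small Python parser for the AuthLDAPURL form discussed above: it splits scheme://host[:port]/basedn?attribute?scope?filter, applies the defaults mod_auth_ldap documents, builds the user search filter, and flags base DN slips that make slapd answer "No such object". The RFC 4515 escaping is this example's own choice, not a statement about what mod_auth_ldap does.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

# Defaults mod_auth_ldap documents for URL fields that are left empty.
DEFAULT_ATTR, DEFAULT_SCOPE, DEFAULT_FILTER = "uid", "sub", "(objectClass=*)"

@dataclass
class AuthLdapUrl:
    host: str
    port: int
    base_dn: str
    attribute: str
    scope: str
    search_filter: str

def parse_auth_ldap_url(url: str) -> AuthLdapUrl:
    """Split scheme://host[:port]/basedn?attribute?scope?filter into parts."""
    u = urlsplit(url.strip('"'))              # Apache accepts the URL in quotes
    if u.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {u.scheme!r}")
    fields = u.query.split("?") if u.query else []
    fields += [""] * (3 - len(fields))        # pad missing attribute/scope/filter
    attr, scope, flt = fields[:3]
    if scope and scope not in ("one", "sub", "base"):
        raise ValueError(f"bad scope: {scope!r}")
    return AuthLdapUrl(
        host=u.hostname or "localhost",
        port=u.port or (636 if u.scheme == "ldaps" else 389),
        base_dn=unquote(u.path.lstrip("/")),
        attribute=attr or DEFAULT_ATTR,
        scope=scope or DEFAULT_SCOPE,
        search_filter=flt or DEFAULT_FILTER,
    )

def lint_base_dn(base_dn: str) -> list:
    """Flag DN slips that make slapd answer 'No such object' or reject the search."""
    problems = []
    if base_dn.endswith(","):
        problems.append("base DN ends with a stray comma")
    problems += [f"RDN {r!r} is not attr=value" for r in base_dn.split(",") if r and "=" not in r]
    return problems

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name cannot change the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def user_search_filter(url: AuthLdapUrl, username: str) -> str:
    """The search mod_auth_ldap sends: (&<filter>(<attribute>=<username>))."""
    return f"(&{url.search_filter}({url.attribute}={escape_filter_value(username)}))"
```

Running lint_base_dn over the later URL in this thread (dc=domain,dc=ca, with a trailing comma) reports the stray comma, which is the kind of slip worth ruling out before looking at the server's ACLs.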
 
LVL 2

Author Comment

by:DaK00L1
ID: 12738426
maybe I should ask this question... do I need to use https to use ldap? I've read a couple places that said it is needed.

my o=organization does exist, and the user is trying to login using his uid, which also exists

anonymous login is not allowed on my ldap server, do I have to use AuthLDAPBindDN and AuthLDAPBindPassword?
 
LVL 19

Expert Comment

by:ramazanyich
ID: 12740240
If anonymous login is disabled then you must provide AuthLDAPBindDN and AuthLDAPBindPassword,
because mod_ldap will use them to search for the user DN first and after that perform the login with that user DN.
But for the first search it will use AuthLDAPBindDN for the login.
 
LVL 19

Expert Comment

by:ramazanyich
ID: 12740242
You don't need to use https for ldap authentication. It doesn't have any added value for mod_ldap.
 
LVL 2

Author Comment

by:DaK00L1
ID: 12759096
OK, I'm binding my DN and password with this...

AuthLDAPBindDN cn=Manager,dc=domain,dc=ca
AuthLDAPBindPassword secret
AuthLDAPURL "ldap://localhost/dc=domain,dc=ca,?uid?sub?(objectClass=*)"


and the result is this (apache error_log)
[Mon Dec 06 16:00:27 2004] [warn] [client 192.168.2.34] [16767] auth_ldap authenticate: user devon authentication failed; URI / [ldap_simple_bind_s() to check user credentials failed][Insufficient access]

it seems as though it is authenticating but that user devon does not have access... is this correct?
 
LVL 19

Accepted Solution

by:
ramazanyich earned 1050 total points
ID: 12762390
Yes, it seems like that.
Could you try to log on using that user DN with a standard LDAP client (ldapbrowser, for example)?
 
LVL 2

Author Comment

by:DaK00L1
ID: 12780811
The problem turned out to be in my LDAP configuration (slapd.conf): I needed to add by * auth

access to attr=userPassword
        by self write
        by * auth
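As an added example (not code from this thread or from OpenLDAP), the following Python model shows why that fix works: it evaluates an "access to attr=userPassword" rule the way slapd does (first matching "by" clause wins, levels ordered none < disclose < auth < compare < search < read < write) and applies it to Apache's second step, the simple bind as the found user DN. The sample rules and the user DN are constructed; the poster's full slapd.conf is not in the thread.

```python
# slapd privilege levels; each level implies every level before it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
ANONYMOUS = ""   # slapd represents the anonymous identity as the empty DN

def who_matches(who: str, requester: str, target: str) -> bool:
    """Evaluate the <who> part of a 'by <who> <access>' clause."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester == ANONYMOUS
    if who == "users":
        return requester != ANONYMOUS
    if who == "self":
        return requester != ANONYMOUS and requester.lower() == target.lower()
    return who.lower() == requester.lower()   # literal dn="..." clause

def granted_level(by_clauses, requester, target) -> str:
    """The first matching 'by' clause decides; no match means no access."""
    for who, level in by_clauses:
        if who_matches(who, requester, target):
            return level
    return "none"

def allowed(by_clauses, requester, target, needed) -> bool:
    """True when the granted level is at least the level the operation needs."""
    granted = granted_level(by_clauses, requester, target)
    return LEVELS.index(granted) >= LEVELS.index(needed)

def simple_bind_ok(by_clauses, user_dn) -> bool:
    """Apache's second step: a simple bind as the user's DN. slapd checks
    userPassword before the identity is established, so the requester is
    anonymous and 'by self' cannot match; 'auth' access is what is needed."""
    return allowed(by_clauses, ANONYMOUS, user_dn, "auth")

# Constructed sample rules for 'access to attr=userPassword'; the thread
# only shows the rule after the fix, so BEFORE is an assumption.
BEFORE = [("self", "write")]                    # bind fails: Insufficient access
AFTER = [("self", "write"), ("*", "auth")]      # the fix from the last comment

if __name__ == "__main__":
    dn = "uid=devon,dc=domain,dc=ca"            # constructed user DN
    print("before:", simple_bind_ok(BEFORE, dn))   # False
    print("after: ", simple_bind_ok(AFTER, dn))    # True
    # 'by * auth' still does not let anyone read the hash: auth < read.
    print("anon read:", allowed(AFTER, ANONYMOUS, dn, "read"))   # False
```

The last check is the caveat worth keeping in mind: "by * auth" lets any client attempt a bind, but it grants no compare, search or read access to userPassword, so the hashes stay hidden.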
