David Piniella asked:

Apache2 authentication to AD LDAP

I have two websites being served from a FreeBSD/sparc box by Apache2; we have an Active Directory Domain Controller that also does LDAP. I would like to give access to these two websites by authenticating to the LDAP server. When I built apache2 from ports, I specified "-DWITH_LDAP_MODULES" during the make, so it should be there.

- how can I verify that apache has been built with LDAP support (mod_ldap_auth?). I've looked in /usr/local/include, /usr/local/lib and /usr/local/lib/apache2 and I see a lot of ldap-related files (.h and .so files) but I don't see mod_ldap_auth. Where _should_ it be?

- how can I get the websites to prompt for authentication credentials (username/password) and check against the LDAP server?

- will it require that the username be in the format DOMAIN\username ? if so, is there any way to configure it so that the user can omit the domain?

# httpd -v
Server version: Apache/2.0.50
Server built:   Nov  9 2004 23:51:31

# uname -a
FreeBSD my.server.host.name 5.3-RELEASE FreeBSD 5.3-RELEASE #0: Fri Nov  5 19:30:40 UTC 2004     root@bobbi.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  sparc64
ramazanyich:

There are two possible ways of compiling Apache: shared and static.
In the first mode the core httpd binary is small and loads the necessary modules on the fly from separate mod...so files (you use the LoadModule directive in that case).
In the second way all modules are built into the httpd binary.

To see whether you have the module in the first case, check that your mod...so file exists in the libexec or modules directory.
In the second case execute
httpd -l
which will show you the built-in modules.
David Piniella (asker):

# httpd -l
Compiled in modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c
#

In /usr/local/libexec I have:
# ls  -la | grep mod_auth_ldap.so
-rwxr-xr-x  1 root  wheel   34911 Nov 10 01:48 mod_auth_ldap.so
#
what should I place in the .htaccess file(s) in the directories I want to authenticate?
Not sure for AD's LDAP, but with OpenLDAP it's like this:

httpd.conf:
<Location "/confidential/">
        AuthName "confidential data"
        AuthType Basic
        AuthLDAPHosts "FQDN"
        AuthLDAPBindDN "cn=Manager,...,dc=xxx-xxx,dc=de"
        AuthLDAPBindPassword password
        AuthLDAPBaseDN "..,dc=xxx,dc=xxx-xxx,dc=de"
        AuthLDAPSearchScope subtree
        AuthLDAPUserKey uid
        AuthLDAPPassKey userPassword
        AuthLDAPSchemePrefix off
        <Limit GET POST>
        require valid-user
        </Limit>
</Location>
That would place the protection on the "/confidential/" dir, or is that just a label?
> protection on the "/confidential/" dir?
yes, change as you need
To make sure I have it right:
- for FQDN, I replace it with the virtualhost's FQDN

- AuthLDAPBindDN == name of the user that apache will use to authenticate itself against LDAP to do the actual lookup against the ldap server

- I'll have to add a <Location> block for each of the sites I want to protect, right? Do I place this anywhere in httpd.conf or inside the <VirtualHost> or <Directory> blocks?
> FQDN
yes

> AuthLDAPBindDN
yes (a user's dn)

> <Location> block
could be Location or Directory, which then could be in VirtualHost too
When I restarted apache I got this error message:
Syntax error on line 1136 of /usr/local/etc/apache2/httpd.conf:
Invalid command 'AuthLDAPHosts', perhaps mis-spelled or defined by a module not included in the server configuration

This is the relevant VirtualHost section from my httpd.conf:

<VirtualHost 10.67.1.252>
DocumentRoot /usr/local/www/test
ServerName myserver.full.address
<Directory "/usr/local/www/vpninstall">
allow from all
Options +Indexes
AuthName "confidential data"
AuthType Basic
AuthLDAPHosts "myserver.full.address"
AuthLDAPBindDN "cn=MyUser,dc=ad,dc=xxx,dc=xxxxx,dc=xxx"
AuthLDAPBindPassword password
AuthLDAPBaseDN "dc=ad,dc=xxx,dc=xxxxx,dc=xxx"
AuthLDAPSearchScope subtree
AuthLDAPUserKey uid
AuthLDAPPassKey userPassword
AuthLDAPSchemePrefix off
<Limit GET POST>
require valid-user
</Limit>
</Directory>
</VirtualHost>


What do I need to include in the httpd.conf to make sure that the ldap module(s) are loaded?
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
both  mod_ldap and mod_auth_ldap are included but I still get the same error
should AuthLDAPHosts have the LDAP server's IP or is there somewhere else that is defined?
Did you check http://httpd.apache.org/docs-2.0/en/mod/mod_auth_ldap.html ?
Because it seems the directives in your file are taken from another mod_auth_ldap.
For the standard Apache 2.0 mod_auth_ldap you should use other directives:
 AuthLDAPURL, AuthLDAPEnabled, etc.
First check that doc and if you can't make it work then I will try to help you.
ok, I've changed the entry to

<VirtualHost 10.67.1.252>
DocumentRoot /usr/local/www/test
ServerName hostname.of.my.server
<Directory "/usr/local/www/test">
AllowOverride None
order allow,deny
allow from all
Options +Indexes
AuthLDAPAuthoritative on
AuthType Basic
AuthName "Secured Resources"
AuthLDAPUrl ldap://ldap.at.my.domain:389/DC=ad,DC=xxx,DC=xxxxx,DC=xxx?sAMAccountName?sub?(objectclass=*)
AuthLDAPBindDN "cn=MyLDAPUser,dc=ad,dc=xxx,dc=xxxxx,dc=xxx"
AuthLDAPBindPassword MyLDAPUserPassword
require valid-user
</Directory>
</VirtualHost>

and now I get a login prompt but it won't authenticate. I've used valid account/password combinations (including the one that's in the httpd.conf and one that isn't) and it does not authenticate.
You don't need to provide the AuthType directive. For mod_auth_ldap use:
AuthLDAPEnabled on

Also check your error.log file; there you should see the reason for the mod_auth_ldap failure.
my httpd-error.log reports:

[warn] [client 10.67.1.108] [2061] auth_ldap authenticate: user dpiniella authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
[warn] [client 10.67.1.108] [2061] auth_ldap authenticate: user mydomain\\dpiniella authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Invalid credentials]

but I know the username/password are valid (I'm using the same combination to get LDAP lookups in Thunderbird). Maybe my URL string is wrong? Or could it be the BindDN?

Note that although I put in mydomain\dpiniella, the log reports it as mydomain\\dpiniella -- I'm guessing that's to escape the \ character.
For Microsoft's directory server you should probably provide a non-default filter. Try:
AuthLDAPUrl ldap://ldap.at.my.domain:389/DC=ad,DC=xxx,DC=xxxxx,DC=xxx?sAMAccountName?sub?(&(objectCategory=person)(objectClass=user))
Having changed that line, I get an error 500 message when I try to access the page, and in the logs I get this error:

[Wed Mar 02 18:01:59 2005] [notice] SIGHUP received.  Attempting to restart
[Wed Mar 02 18:01:59 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Wed Mar 02 18:01:59 2005] [notice] LDAP: SSL support unavailable
[Wed Mar 02 18:02:00 2005] [notice] Apache/2 configured -- resuming normal operations
[Wed Mar 02 18:02:03 2005] [crit] [client 10.67.1.108] configuration error:  couldn't perform authentication. AuthType not set!: /
[Wed Mar 02 18:02:04 2005] [crit] [client 10.67.1.108] configuration error:  couldn't perform authentication. AuthType not set!: /favicon.ico
[Wed Mar 02 18:02:09 2005] [crit] [client 10.67.1.108] configuration error:  couldn't perform authentication. AuthType not set!: /
[Wed Mar 02 18:02:09 2005] [crit] [client 10.67.1.108] configuration error:  couldn't perform authentication. AuthType not set!: /favicon.ico
[Wed Mar 02 18:02:10 2005] [crit] [client 10.67.1.108] configuration error:  couldn't perform authentication. AuthType not set!: /
[Wed Mar 02 18:02:11 2005] [crit] [client 10.67.1.108] configuration error:  couldn't perform authentication. AuthType not set!: /favicon.ico
OK, put
AuthType Basic
back.
OK, done; I get the prompt to log in but still no luck authenticating to the LDAP server. How else can I verify that it's working (e.g. do LDAP lookups or, alternately, confirm that the LDAPBindDN and LDAPUrl entries are correct)?
If you have compiled OpenLDAP then you should have the ldapsearch utility.
>ldapsearch -H ldap://ldap.at.my.domain:389/DC=ad,DC=xxx,DC=xxxxx,DC=xxx -D cn=MyLDAPUser,dc=ad,dc=xxx,dc=xxxxx,dc=xxx -w  MyLDAPUserPassword  -x -s sub "(objectCategory=person)(objectClass=User)"

Replace the ldap url and the parameter values for -D and -w with your real address, username and password.

At least you will see whether the connection is successful, and you will also see the result of the query.
To summarize the last postings: it turns out that my sample, filled with proper values, connects to your AD;
then the remaining problem is that it does not authenticate.

Please try to connect to AD using native ldapsearch (or whatever you have handy) and check whether the AuthLDAPBindDN with your password works at all.
I tried on my PC following configuration:
AuthLDAPAuthoritative on
AuthType Basic
AuthName "Secured Resources"
AuthLDAPUrl ldap://mir:389/cn=Users,DC=xxx,DC=xxx,DC=xx?sAMAccountName?sub?(objectclass=person)
AuthLDAPBindDN "cn=adminuser,cn=users,dc=xxx,dc=xxx,dc=xx"
AuthLDAPBindPassword passwd
require valid-user

And it worked:
AD is running on a Windows 2000 server, and Apache 2.0.52 on Windows XP.
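The working AuthLDAPUrl above and the earlier suggestion with two juxtaposed filter terms differ in one detail that mod_auth_ldap cares about: it wraps the URL's filter as (&(filter)(attr=user)), so the filter must be a single balanced expression. As an added example (not code from the thread), this script splits an AuthLDAPURL into its parts, rebuilds that effective filter, and rejects URL filters that are not one expression; host names and DNs used in it are placeholders.

```python
# Added example (not from the thread): split an Apache 2.0 mod_auth_ldap
# AuthLDAPURL (host:port/basedn?attr?scope?filter) into its parts, rebuild the
# search filter the way mod_auth_ldap does, and reject URL filters that are not
# one balanced expression. Host names and DNs in the tests are placeholders.
import re
from urllib.parse import unquote

def parse_auth_ldap_url(url):
    """Return scheme, host, port, basedn, attr, scope and filter of an AuthLDAPURL."""
    m = re.match(r'^(ldaps?)://([^/:]+)(?::(\d+))?/(.*)$', url)
    if not m:
        raise ValueError("not an ldap:// or ldaps:// URL: %r" % url)
    scheme, host, port, rest = m.groups()
    parts = rest.split('?') + [''] * 4          # pad missing fields
    basedn, attr, scope, filt = (unquote(p) for p in parts[:4])
    return {
        'scheme': scheme, 'host': host,
        'port': int(port) if port else (636 if scheme == 'ldaps' else 389),
        'basedn': basedn, 'attr': attr or 'uid',
        'scope': scope or 'sub', 'filter': filt or '(objectclass=*)',
    }

def is_single_filter(filt):
    """True only if filt is exactly one balanced, parenthesised LDAP filter."""
    if not (filt.startswith('(') and filt.endswith(')')):
        return False
    depth = 0
    for i, ch in enumerate(filt):
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            # closing the outermost paren before the end means two juxtaposed
            # filters such as (objectCategory=person)(objectClass=User)
            if depth < 0 or (depth == 0 and i != len(filt) - 1):
                return False
    return depth == 0

def effective_filter(url, username):
    """Filter sent to the directory: (&(<url filter>)(<attr>=<user>))."""
    p = parse_auth_ldap_url(url)
    if not is_single_filter(p['filter']):
        raise ValueError("wrap several terms as (&(a=b)(c=d)): %r" % p['filter'])
    # escape filter metacharacters in the user-supplied name (RFC 4515) so a
    # login name cannot change the shape of the query
    esc = ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in username)
    return '(&%s(%s=%s))' % (p['filter'], p['attr'], esc)
```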
when I do the ldapsearch as above (with my username/password combo etc.) I get this message:

Could not create LDAP session handle for URI=ldap://ldap.at.my.domain:389/DC=ad,DC=xxx,DC=xxxxx,DC=xxx -9): Bad parameter to an ldap routine
Could you please post the ldapsearch command line?
# ldapsearch -H ldap://ldap.xxx.xxxxxx.xxx:389/DC=ad,DC=xxx,DC=xxxxx,DC=xxx -D cn=dpiniella,dc=ad,dc=xxx,dc=xxxxx,dc=xxx -w password -x -s sub "(objectCategory=person)(objectClass=User)"

Could not create LDAP session handle for URI=ldap://ldap.xxx.xxxxx.xxx:389/DC=ad,DC=xxx,DC=xxxxx,DC=xxx -9): Bad parameter to an ldap routine
SOLUTION (ahoffmann)

I did a man ldapmodify but did not see a "special" option; man ldapsearch shows that you can specify the base with the -s base switch (instead of -s sub as above), so I ran

# ldapsearch -H ldap://ldap.xxx.xxxxx.xxx:389 -D cn=dpiniella,dc=ad,dc=xxx,dc=xxxxx,dc=xxx -w XXXXXXXXX -x -s base DC=ad,DC=xxx,DC=xxxxx,DC=xxx

and got this error:

ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 525, vece


Does this mean my user doesn't have rights? I'm using the same user in Thunderbird for LDAP lookups... I know it's on port 389. Does this mean that my base is wrong? I'm using that as my base as well. The only difference is that in Thunderbird, my BindDN = domain\dpiniella
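The "data 525" in that AcceptSecurityContext message is AD's own sub-code for the bind failure, and the earlier httpd-error.log lines are what mod_auth_ldap records for each failed login. As an added example (not code from the thread), this script decodes the well-known AD bind sub-codes and tallies auth_ldap failures per client and user from constructed sample log lines modelled on the ones posted above.

```python
# Added example (not from the thread): decode the "AcceptSecurityContext error,
# data NNN" sub-code AD returns on a failed bind (the thread's data 525), and
# tally the auth_ldap failures Apache 2.0 writes to error.log per client and
# user. The log lines below are constructed samples modelled on the thread.
import re
from collections import Counter

# Well-known AD bind sub-codes (hex) carried in the LDAP diagnostic message.
AD_BIND_CODES = {
    '525': 'user not found (bind DN, base DN or attribute is wrong)',
    '52e': 'invalid credentials (wrong password)',
    '530': 'logon not permitted at this time',
    '532': 'password expired',
    '533': 'account disabled',
    '701': 'account expired',
    '773': 'user must reset password',
    '775': 'account locked out',
}
AD_DATA_RE = re.compile(r'AcceptSecurityContext error, data ([0-9a-fA-F]+)')
APACHE_RE = re.compile(
    r'\[warn\] \[client (?P<client>[\d.]+)\] \[\d+\] auth_ldap authenticate: '
    r'user (?P<user>\S+) authentication failed; URI (?P<uri>\S+) '
    r'\[LDAP: (?P<reason>[^\]]+)\]\[(?P<detail>[^\]]+)\]')

SAMPLE_LOG = [  # constructed; hosts and names are placeholders
    '[warn] [client 10.67.1.108] [2061] auth_ldap authenticate: user dpiniella '
    'authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Invalid credentials]',
    '[warn] [client 10.67.1.108] [2061] auth_ldap authenticate: user mydomain\\\\dpiniella '
    'authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Invalid credentials]',
    '[Mon Mar 28 08:16:58 2005] [warn] [client 172.2.3.77] [6017] auth_ldap authenticate: '
    'user jdoe authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Invalid credentials]',
]

def decode_ad_bind_error(diag):
    """Map the 'data NNN' field of an AD bind error to a human-readable reason."""
    m = AD_DATA_RE.search(diag)
    return AD_BIND_CODES.get(m.group(1).lower(), 'unknown AD code ' + m.group(1)) if m else None

def summarize_auth_failures(lines=SAMPLE_LOG):
    """Count auth_ldap failures per (client, user) and per LDAP detail string."""
    per_principal, per_detail = Counter(), Counter()
    for line in lines:
        m = APACHE_RE.search(line)
        if m:
            # Apache escapes the backslash when logging, so DOMAIN\user shows as DOMAIN\\user
            user = m.group('user').replace('\\\\', '\\')
            per_principal[(m.group('client'), user)] += 1
            per_detail[m.group('detail')] += 1
    return per_principal, per_detail
```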
> .. ldapmodify  ..

oops, that was a typo, should be ldapsearch, sorry

> ldap_bind: Invalid credentials (49)
sounds like a wrong password

If it works with Thunderbird, it should with ldapsearch too; check basedn and binddn twice.
Also use
   ldapsearch -h ldap.xxx.xxxxx.xxx -p 389  ...
(I personally had bad experience with URIs) -:
BTW, if you have good old Netscape 4.x handy, you can use that with ldap://..... in the address bar ;-)
OK, so using


# ldapsearch -h ldap.xxx.xxxxx.xxx -p 389 -D "CN=My User,OU=Groups/Service Accounts,OU=IT-Admin,OU=xxx xxxxx,DC=ad,DC=xxx,DC=xxxxx,DC=xxx" -w xxxxxxxxxx -x -s base "OU=Departments,OU=xxx xxxxx,DC=ad,DC=xxx,DC=xxxxx,DC=xxx"

worked! looks like it's getting closer to a solution!

using -H ldap://ldap.server.at.domain:389 ...etcetc did not... how do I format this in the httpd.conf AuthLDAPUrl line?

ASKER CERTIFIED SOLUTION
Thank you both, it's now working :)
cerevante:

dpiniella,

I am working on exactly the same issue as you were earlier this month; could you please verify your httpd.conf settings and also elaborate on:

sAMAccountName?sub?(objectclass=person)

is this specific to your environment or generic?

OU=Groups/Service Accounts,OU=IT-Admin,OU=xxx

is this specific to your environment or generic?

Thanks

the first line you ask about is generic, the second line you ask about is specific. If the second line is not exactly right, you will not get it to work.
Is the user used for binding to AD created in any special way?

If I have only one group, and domain name is beta.net what will the 2nd string look like then?

With my current settings I keep on getting:
[Mon Mar 28 08:16:58 2005] [warn] [client 172.2.3.77] [6017] auth_ldap authenticate: user jdoe authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
no special method, and I do not know what your user's name/string will look like -- you'll have to check the settings in AD. It's in the AD Users & Groups mmc. More than this I can't say; I am not a windows admin primarily.
The "require valid-user" does not work and should now be "require ldap-user" or even better "require ldap-group"...