Solved

Apache2 authentication to AD LDAP

Posted on 2005-03-02
16,987 Views
Last Modified: 2011-08-18
I have two websites being served from a FreeBSD/sparc box by Apache2; we have an Active Directory Domain Controller that also does LDAP. I would like to give access to these two websites by authenticating to the LDAP server. When I built apache2 from ports, I specified "-DWITH_LDAP_MODULES" during the make, so it should be there.

- how can I verify that apache has been built with LDAP support (mod_ldap_auth?). I've looked in /usr/local/include, /usr/local/lib and /usr/local/lib/apache2 and I see a lot of ldap-related files (.h and .so files,) but I don't see mod_ldap_auth. Where _should_ it be?

- how can I get the websites to prompt for authentication credentials (username/password) and check against the LDAP server?

- will it require that the username be in the format DOMAIN\username ? if so, is there any way to configure it so that the user can omit the domain?

# httpd -v
Server version: Apache/2.0.50
Server built:   Nov  9 2004 23:51:31

# uname -a
FreeBSD my.server.host.name 5.3-RELEASE FreeBSD 5.3-RELEASE #0: Fri Nov  5 19:30:40 UTC 2004     root@bobbi.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  sparc64
Question by: David Piniella
39 Comments

Expert Comment by: ramazanyich (LVL 19)
ID: 13441530
There are two possible ways of compiling Apache: shared and static.
In the first mode the core httpd binary is small and loads the necessary modules on the fly from separate mod_*.so files (you have to use the LoadModule directive in that case).
In the second mode all modules are built into the httpd binary.

To find out whether you have the module in the first case, check that your mod_*.so file exists in the libexec or modules directory.
In the second case execute
httpd -l
It will show you the built-in modules.

Author Comment by: David Piniella (LVL 9)
ID: 13441643
# httpd -l
Compiled in modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c
#

in /usr/local/libexec i have:
# ls  -la | grep mod_auth_ldap.so
-rwxr-xr-x  1 root  wheel   34911 Nov 10 01:48 mod_auth_ldap.so
#

Author Comment by: David Piniella (LVL 9)
ID: 13441656
what should I place in the .htaccess file(s) in the directories I want to authenticate?
 
Expert Comment by: ahoffmann (LVL 51)
ID: 13442171
not sure about AD's LDAP, but with OpenLDAP it's like this:

httpd.conf:
<Location "/confidential/">
        AuthName "confidential data"
        AuthType Basic
        AuthLDAPHosts "FQDN"
        AuthLDAPBindDN "cn=Manager,...,dc=xxx-xxx,dc=de"
        AuthLDAPBindPassword password
        AuthLDAPBaseDN "..,dc=xxx,dc=xxx-xxx,dc=de"
        AuthLDAPSearchScope subtree
        AuthLDAPUserKey uid
        AuthLDAPPassKey userPassword
        AuthLDAPSchemePrefix off
        <Limit GET POST>
                require valid-user
        </Limit>
</Location>

Author Comment by: David Piniella (LVL 9)
ID: 13442199
that would place the protection on the "/confidential/" dir? or is that just a label?

Expert Comment by: ahoffmann (LVL 51)
ID: 13442361
> protection on the "/confidential/" dir?
yes, change as you need

Author Comment by: David Piniella (LVL 9)
ID: 13442473
to make sure I have it right:
- for FQDN, I replace with the virtualhost's fqdn

- AuthLDAPBindDN == name of the user that apache will use to authenticate itself against LDAP to do the actual lookup against the ldap server

- I'll have to add a <Location> block for each of the sites I want to protect, right? Do I place this anywhere in httpd.conf or inside the <VirtualHost> or <Directory> blocks?

Expert Comment by: ahoffmann (LVL 51)
ID: 13442546
> FQDN
yes

> AuthLDAPBindDN
yes (a user's dn)

> <Location> block
could be Location or Directory, which then could be in VirtualHost too

Author Comment by: David Piniella (LVL 9)
ID: 13443476
When I restarted apache I got this error message:
Syntax error on line 1136 of /usr/local/etc/apache2/httpd.conf:
Invalid command 'AuthLDAPHosts', perhaps mis-spelled or defined by a module not included in the server configuration

This is the relevant VirtualHost section from my httpd.conf:

<VirtualHost 10.67.1.252>
    DocumentRoot /usr/local/www/test
    ServerName myserver.full.address
    <Directory "/usr/local/www/vpninstall">
        allow from all
        Options +Indexes
        AuthName "confidential data"
        AuthType Basic
        AuthLDAPHosts "myserver.full.address"
        AuthLDAPBindDN "cn=MyUser,dc=ad,dc=xxx,dc=xxxxx,dc=xxx"
        AuthLDAPBindPassword password
        AuthLDAPBaseDN "dc=ad,dc=xxx,dc=xxxxx,dc=xxx"
        AuthLDAPSearchScope subtree
        AuthLDAPUserKey uid
        AuthLDAPPassKey userPassword
        AuthLDAPSchemePrefix off
        <Limit GET POST>
            require valid-user
        </Limit>
    </Directory>
</VirtualHost>



Author Comment by: David Piniella (LVL 9)
ID: 13443807
What do I need to include in the httpd.conf to make sure that the ldap module(s) are loaded?

Expert Comment by: ramazanyich (LVL 19)
ID: 13444207
LoadModule auth_ldap_module modules/mod_auth_ldap.so

Author Comment by: David Piniella (LVL 9)
ID: 13444529
both  mod_ldap and mod_auth_ldap are included but I still get the same error

Author Comment by: David Piniella (LVL 9)
ID: 13444566
should AuthLDAPHosts have the LDAP server's IP or is there somewhere else that is defined?

Expert Comment by: ramazanyich (LVL 19)
ID: 13444744
did you check http://httpd.apache.org/docs-2.0/en/mod/mod_auth_ldap.html ?
Because it seems the directives in your file are for another mod_auth_ldap.
For the standard Apache 2.0 mod_auth_ldap you should use other directives:
 AuthLDAPURL, AuthLDAPEnabled, etc.
first check that doc, and if you can't make it work then I will try to help you

Author Comment by: David Piniella (LVL 9)
ID: 13444886
ok, I've changed the entry to

<VirtualHost 10.67.1.252>
    DocumentRoot /usr/local/www/test
    ServerName hostname.of.my.server
    <Directory "/usr/local/www/test">
        AllowOverride None
        order allow,deny
        allow from all
        Options +Indexes
        AuthLDAPAuthoritative on
        AuthType Basic
        AuthName "Secured Resources"
        AuthLDAPUrl ldap://ldap.at.my.domain:389/DC=ad,DC=xxx,DC=xxxxx,DC=xxx?sAMAccountName?sub?(objectclass=*)
        AuthLDAPBindDN "cn=MyLDAPUser,dc=ad,dc=xxx,dc=xxxxx,dc=xxx"
        AuthLDAPBindPassword MyLDAPUserPassword
        require valid-user
    </Directory>
</VirtualHost>

and now I get a login prompt but it won't authenticate. I've used valid accounts/password combinations (including the one that's in the httpd.conf and one that isn't,) and it does not authenticate.

Expert Comment by: ramazanyich (LVL 19)
ID: 13444953
You don't need to provide the AuthType directive. For mod_auth_ldap use:
AuthLDAPEnabled on

Also check your error.log file; there you should see the reason for the mod_auth_ldap failure

Author Comment by: David Piniella (LVL 9)
ID: 13445018
my httpd-error.log reports:

[warn] [client 10.67.1.108] [2061] auth_ldap authenticate: user dpiniella authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
[warn] [client 10.67.1.108] [2061] auth_ldap authenticate: user mydomain\\dpiniella authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Invalid credentials]

but I know the username/password are valid (I'm using the same combination to get LDAP lookups in Thunderbird). Maybe my URL string is wrong? Or could it be the BindDN?

note that although I put in mydomain\dpiniella, the log reports it as mydomain\\dpiniella -- I'm guessing that's to escape the \ character.

Expert Comment by: ramazanyich (LVL 19)
ID: 13445097
for Microsoft's directory server you should probably provide a non-default filter. Try:
AuthLDAPUrl  ldap://ldap.at.my.domain:389/DC=ad,DC=xxx,DC=xxxxx,DC=xxx?samAccountName?sub?(objectCategory=person)(objectClass=User)

Author Comment by: David Piniella (LVL 9)
ID: 13445173
having changed that line, I get an error 500 message when I try to access the page, and in the logs I get this error:

[Wed Mar 02 18:01:59 2005] [notice] SIGHUP received.  Attempting to restart
[Wed Mar 02 18:01:59 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Wed Mar 02 18:01:59 2005] [notice] LDAP: SSL support unavailable
[Wed Mar 02 18:02:00 2005] [notice] Apache/2 configured -- resuming normal operations
[Wed Mar 02 18:02:03 2005] [crit] [client 10.67.1.108] configuration error:  couldn't perform authentication. AuthType not set!: /
[Wed Mar 02 18:02:04 2005] [crit] [client 10.67.1.108] configuration error:  couldn't perform authentication. AuthType not set!: /favicon.ico
[Wed Mar 02 18:02:09 2005] [crit] [client 10.67.1.108] configuration error:  couldn't perform authentication. AuthType not set!: /
[Wed Mar 02 18:02:09 2005] [crit] [client 10.67.1.108] configuration error:  couldn't perform authentication. AuthType not set!: /favicon.ico
[Wed Mar 02 18:02:10 2005] [crit] [client 10.67.1.108] configuration error:  couldn't perform authentication. AuthType not set!: /
[Wed Mar 02 18:02:11 2005] [crit] [client 10.67.1.108] configuration error:  couldn't perform authentication. AuthType not set!: /favicon.ico

Expert Comment by: ramazanyich (LVL 19)
ID: 13445201
OK, put
AuthType Basic
back

Author Comment by: David Piniella (LVL 9)
ID: 13447146
ok, done; I get the prompt to log in but still no luck authenticating to the LDAP server. How else can I verify that it's working (e.g. do LDAP lookups or, alternately, confirm that the LDAPBindDN and LDAPUrl entries are correct)?

Expert Comment by: ramazanyich (LVL 19)
ID: 13447348
if you have compiled OpenLDAP then you should have the ldapsearch utility.
>ldapsearch -H ldap://ldap.at.my.domain:389/DC=ad,DC=xxx,DC=xxxxx,DC=xxx -D cn=MyLDAPUser,dc=ad,dc=xxx,dc=xxxxx,dc=xxx -w  MyLDAPUserPassword  -x -s sub "(objectCategory=person)(objectClass=User)"

replace the LDAP URL and the parameter values for -D and -w with your real address, username and password.

At least you will see whether the connection is successful, and you will also see the result of the query.

Expert Comment by: ahoffmann (LVL 51)
ID: 13447406
to summarize the last postings: it turns out that my sample, filled with proper values, connects to your AD;
then the remaining problem is that it does not authenticate.

Please try to connect to AD using native ldapsearch (or whatever you have handy) and check if the AuthLDAPBindDN with your password works at all.

Expert Comment by: ramazanyich (LVL 19)
ID: 13447417
I tried the following configuration on my PC:
AuthLDAPAuthoritative on
AuthType Basic
AuthName "Secured Resources"
AuthLDAPUrl ldap://mir:389/cn=Users,DC=xxx,DC=xxx,DC=xx?sAMAccountName?sub?(objectclass=person)
AuthLDAPBindDN "cn=adminuser,cn=users,dc=xxx,dc=xxx,dc=xx"
AuthLDAPBindPassword passwd
require valid-user

And it worked:
AD is running on Windows 2000 Server, and Apache 2.0.52 on Windows XP.

Author Comment by: David Piniella (LVL 9)
ID: 13450846
when I do the ldapsearch as above (with my username/password combo etc.) I get this message:

Could not create LDAP session handle for URI=ldap://ldap.at.my.domain:389/DC=ad,DC=xxx,DC=xxxxx,DC=xxx -9): Bad parameter to an ldap routine

Expert Comment by: ahoffmann (LVL 51)
ID: 13450903
could you please post the ldapsearch command line

Author Comment by: David Piniella (LVL 9)
ID: 13452264
# ldapsearch -H ldap://ldap.xxx.xxxxxx.xxx:389/DC=ad,DC=xxx,DC=xxxxx,DC=xxx -D cn=dpiniella,dc=ad,dc=xxx,dc=xxxxx,dc=xxx -w password -x -s sub "(objectCategory=person)(objectClass=User)"

Could not create LDAP session handle for URI=ldap://ldap.xxx.xxxxx.xxx:389/DC=ad,DC=xxx,DC=xxxxx,DC=xxx -9): Bad parameter to an ldap routine

Assisted Solution by: ahoffmann (LVL 51), earned 800 total points
ID: 13452641
you need to use ldapmodify's special option; AFAIK not all implementations work with Netscape-special URIs
in particular the baseDN has to be specified
You also need to quote the URI properly if it contains spaces

Author Comment by: David Piniella (LVL 9)
ID: 13452792
I did a man ldapmodify but did not see a "special" option; man ldapsearch shows that you can specify the base with the -s base switch (instead of -s sub as above), so I ran

# ldapsearch -H ldap://ldap.xxx.xxxxx.xxx:389 -D cn=dpiniella,dc=ad,dc=xxx,dc=xxxxx,dc=xxx -w XXXXXXXXX -x -s base DC=ad,DC=xxx,DC=xxxxx,DC=xxx

and got this error:

ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 525, vece


does this mean my user doesn't have rights? I'm using the same user in Thunderbird for LDAP lookups... I know it's on port 389. Does this mean that my base is wrong? I'm using that as my base as well. The only difference is that in Thunderbird, my BindDN = domain\dpiniella
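A small decoder for the two kinds of failure message quoted in this thread, added here as an example (not part of the thread or of Apache): it maps the `data` sub-code that AD appends to an `AcceptSecurityContext error` on a failed bind to its documented meaning (525 is a bind DN that does not exist, as opposed to 52e for a wrong password) and tallies mod_auth_ldap `authentication failed` warnings per client address, which is the signal to watch for password guessing against the protected site. The sample text is taken from the messages above; the 52e line is constructed.

```python
import re
from collections import Counter

# Sub-codes AD puts in the "data NNN" field of an AcceptSecurityContext error
# when a simple bind fails with LDAP result 49 (invalidCredentials).
AD_BIND_SUBCODES = {
    "525": "user not found: the bind DN does not exist",
    "52e": "invalid credentials: DN exists, password wrong",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")
# mod_auth_ldap warning; \s* tolerates the line wrap seen in pasted logs.
_FAIL_RE = re.compile(
    r"\[client ([\d.]+)\] \[\d+\] auth_ldap authenticate: "
    r"user (\S+) authentication\s*fail\s*ed")


def decode_ad_bind_error(text):
    """Return (subcode, meaning) for an AD 'Invalid credentials' message, or None."""
    m = _DATA_RE.search(text)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "undocumented sub-code")


def failed_logins(httpd_error_log):
    """Map each client IP to a Counter of usernames that failed to authenticate."""
    per_client = {}
    for client, user in _FAIL_RE.findall(httpd_error_log):
        per_client.setdefault(client, Counter())[user] += 1
    return per_client


# Messages from the thread (first two) plus one constructed 52e case.
LDAPSEARCH_OUTPUT = (
    "ldap_bind: Invalid credentials (49)\n"
    "\tadditional info: 80090308: LdapErr: DSID-0C09030F, comment: "
    "AcceptSecurityContext error, data 525, vece\n")
HTTPD_ERROR_LOG = r"""[warn] [client 10.67.1.108] [2061] auth_ldap authenticate: user dpiniella authentication failed; URI /
 [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
[warn] [client 10.67.1.108] [2061] auth_ldap authenticate: user mydomain\\dpiniella authentication fail
ed; URI / [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
"""
CONSTRUCTED_52E = "... comment: AcceptSecurityContext error, data 52e, v1db1"

if __name__ == "__main__":
    print(decode_ad_bind_error(LDAPSEARCH_OUTPUT))
    print(failed_logins(HTTPD_ERROR_LOG))
```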

Expert Comment by: ahoffmann (LVL 51)
ID: 13452864
> .. ldapmodify  ..

oops, that was a typo, should be ldapsearch, sorry

> ldap_bind: Invalid credentials (49)
sounds like a wrong password

if it works with Thunderbird, it should with ldapsearch too; check basedn and binddn twice
Also use
   ldapsearch -h ldap.xxx.xxxxx.xxx -p 389  ...
(I personally had bad experience with URIs) -:

Expert Comment by: ahoffmann (LVL 51)
ID: 13452876
BTW, if you have good old Netscape 4.x handy, you can use that with ldap://..... in the address bar ;-)

Author Comment by: David Piniella (LVL 9)
ID: 13453657
OK, so using

# ldapsearch -h ldap.xxx.xxxxx.xxx -p 389 -D "CN=My User,OU=Groups/Service Accounts,OU=IT-Admin,OU=xxx xxxxx,DC=ad,DC=xxx,DC=xxxxx,DC=xxx" -w xxxxxxxxxx -x -s base "OU=Departments,OU=xxx xxxxx,DC=ad,DC=xxx,DC=xxxxx,DC=xxx"

worked! Looks like it's getting closer to a solution!

using -H ldap://ldap.server.at.domain:389 ...etc. etc. did not... how do I format this in the httpd.conf AuthLDAPUrl line?


Accepted Solution by: ramazanyich (LVL 19), earned 1200 total points
ID: 13453714
AuthLDAPUrl ldap://ldap.xxx.xxxxx.xxx/OU=Departments,OU=xxx xxxxx,DC=ad,DC=xxx,DC=xxxxx,DC=xxx?sAMAccountName?sub?(objectclass=person)
AuthLDAPBindDN "CN=My User,OU=Groups/Service Accounts,OU=IT-Admin,OU=xxx xxxxx,DC=ad,DC=xxx,DC=xxxxx,DC=xxx"
AuthLDAPBindPassword xxxxxxxxxx
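A helper that takes an AuthLDAPUrl of the form used in this thread and shows what mod_auth_ldap makes of it, added here as an example that is neither the thread's nor Apache's own code: it splits the URL into host, port, base DN, attribute, scope and filter (applying the module's defaults), builds the search filter the module effectively sends, `(&<filter>(<attribute>=<username>))`, with the login name escaped so it cannot alter the filter structure, and emits the equivalent ldapsearch invocation with the base DN in -b rather than inside the -H URI. Host names and DN components are the placeholders posted above; the usernames are constructed.

```python
from urllib.parse import urlsplit, unquote

# RFC 4515 escapes for a value placed inside a search filter. The backslash
# matters here because AD users habitually type DOMAIN\user at the prompt.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value so it cannot alter the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url):
    """Split ldap://host[:port]/basedn?attr?scope?filter; defaults: uid, sub, (objectClass=*)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("AuthLDAPUrl must look like ldap://host[:port]/basedn?...")
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base": unquote(parts.path.lstrip("/")),
        "attribute": fields[0] or "uid",
        "scope": fields[1] or "sub",
        "filter": fields[2] or "(objectClass=*)",
    }


def effective_filter(cfg, username):
    """Filter the module sends: (&<url filter>(<attribute>=<escaped user>))."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"], escape_filter_value(username))


def ldapsearch_command(cfg, bind_dn, username):
    """ldapsearch argv for the same lookup. Only scheme://host:port goes in -H;
    the base DN belongs to -b, and -W prompts for the password instead of -w."""
    return ["ldapsearch", "-x", "-LLL",
            "-H", "%s://%s:%d" % (cfg["scheme"], cfg["host"], cfg["port"]),
            "-D", bind_dn, "-W", "-b", cfg["base"], "-s", cfg["scope"],
            effective_filter(cfg, username), "dn", cfg["attribute"]]


if __name__ == "__main__":
    import shlex
    # AuthLDAPUrl and bind DN as posted in the thread; the username is constructed.
    cfg = parse_auth_ldap_url("ldap://ldap.at.my.domain:389/DC=ad,DC=xxx,DC=xxxxx,DC=xxx"
                              "?sAMAccountName?sub?(objectclass=*)")
    print(effective_filter(cfg, r"mydomain\dpiniella"))
    print(shlex.join(ldapsearch_command(cfg, "cn=MyLDAPUser,dc=ad,dc=xxx,dc=xxxxx,dc=xxx", "dpiniella")))
```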

Author Comment by: David Piniella (LVL 9)
ID: 13453792
Thank you both, it's now working :)

Expert Comment by: cerevante
ID: 13642075
dpiniella,

I am working on exactly the same issue as you were earlier this month; could you please verify your httpd.conf settings and also elaborate on:

sAMAccountName?sub?(objectclass=person)

is this specific to your environment or generic?

OU=Groups/Service Accounts,OU=IT-Admin,OU=xxx

is this specific to your environment or generic?

Thanks


Author Comment by: David Piniella (LVL 9)
ID: 13643202
the first line you ask about is generic, the second line you ask about is specific. If the second line is not exactly right, you will not get it to work.

Expert Comment by: cerevante
ID: 13643236
Is the user used for binding to AD created in any special way?

If I have only one group, and domain name is beta.net what will the 2nd string look like then?

With my current settings I keep on getting:
[Mon Mar 28 08:16:58 2005] [warn] [client 172.2.3.77] [6017] auth_ldap authenticate: user jdoe authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Invalid credentials]

Author Comment by: David Piniella (LVL 9)
ID: 13643306
no special method, and I do not know what your user's name/string will look like -- you'll have to check the settings in AD. It's in the AD Users & Groups mmc. More than this I can't say; I am not a windows admin primarily.

Expert Comment by: drew1978
ID: 20415305
The "require valid-user" does not work and should now be "require ldap-user" or even better "require ldap-group"...