SirParadox

Single Sign On - mod_auth_ldap Against Windows 2003 AD

Here's what I'm trying to accomplish and our current setup:

We have a Unix server running Apache, and we're trying to get one of our internal sites to authenticate users against Windows AD. I've set up mod_auth_ldap but I can't seem to get the AuthLDAPBindDN right (at least I think that's the issue), as I'm getting "Invalid credentials" (when testing using ldapsearch). Here's what I have in the config:

======
<Directory "/usr/local/www/sites/tools.nac.net/html/private/ldap-status">
       Options All ExecCGI -Indexes
       Order allow,deny
       Allow from all

       AuthType Basic
       AuthName "Domain Login"
       AuthLDAPAuthoritative on
       AuthLDAPURL ldap://sub.domain.com:389/dc=sub,dc=domain,dc=com?sAMAccountName?sub?(objectclass=*)
       AuthLDAPEnabled on
       AuthLDAPBindDN "dn=ldapuser,ou=Users_Something,dc=sub,dc=domain,dc=com"
       AuthLDAPBindPassword "password"
       Require valid-user
</Directory>
======

Using the same bind user/pass with ldapsearch, I get the following:

======
# ldapsearch -H ldap://sub.domain.com:389 -D "dn=ldapuser,ou=Users_Something,dc=sub,dc=domain,dc=com" -w "password" -v  -s sub

ldap_initialize( ldap://sub.domain.com:389 )
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
======

Here is what the AD tree looks like using ldp (snipped, of course):

======
dc=sub,dc=domain,dc=com
   |
   |
    XXXXXXX
   |
   |
    XXXXXXX
   |
   |
    -OU=Users_Something,DC=sub,DC=domain,DC=com
     |
     |
      -CN=LDAP User,OU=Users_Something,DC=sub,DC=domain,DC=com
======

I've tried numerous combinations for the bind name, but I can't get it to authenticate. Can someone provide a working example of this or point me in the right direction? I've spent hours googling and digging through forums and mail archives with no luck.

Let me know if any additional information is needed. Thanks!
ahoffmann

> .. as I'm getting "Invalid credentials" (when testing using ldapsearch).
you have to ask your AD admin for the correct baseDN, bindDN and password, if that works you can use these values for apache
Arty K
AFAIK Windows AD uses ldaps://sub.domain.com (not ldap://) as the only possible way to bind to the directory.
SirParadox (asker)

@ahoffmann

I have access to the domain controller(s); that's how I was able to view the tree using the ldp utility. The bind user/pass I have is also confirmed to work, since it's the one I've been using to bind with when using the ldp utility (on the DC), so the DC *does* allow queries with this bind user/pass.

The real issue I'm having is trying to determine what *exactly* Windows AD is looking for in the AuthLDAPBindDN. When I look at the AD tree on the DC, I see:

CN=LDAP User,OU=Users_Something,DC=sub,DC=domain,DC=com

"LDAP User" is not the *actual* username though; the username is "ldapuser", so I'm not sure what to put here. What I need is either a working example of this, or a way to determine what Windows wants to see in the AuthLDAPBindDN (keep in mind, I can view the AD directly if there's information there I need to find).

Hope this info helps clear things up a bit. Thanks again!
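Both the ldapsearch diagnostic quoted in the question and the "LDAP User" vs "ldapuser" puzzle in this follow-up can be checked offline before touching httpd.conf again. The Python below is an added example, not code from this thread or from Apache: it extracts the sub-code AD puts in the `data NNN` field of its AcceptSecurityContext message (525 is Microsoft's documented "user not found", meaning the bind identity did not resolve to an account at all, as opposed to 52e for a wrong password) and flags bind DNs whose RDNs use attribute types AD never names entries with, such as `dn=`. The sub-code table is Microsoft's documented set; the DN check is my own heuristic (it splits on unescaped commas only and knows the common naming attributes); the sample strings are taken from the thread; and the pass-through of `user@realm` and `DOMAIN\user` reflects the identity forms AD accepts for a simple bind.

```python
import re

# Sub-codes AD returns in the "data NNN" field of its AcceptSecurityContext
# diagnostic (hex, lower-case). These are Microsoft's documented values.
AD_BIND_DATA_CODES = {
    "525": "user not found: the bind identity does not resolve to an account",
    "52e": "invalid credentials: account found, but the password is wrong",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9A-Fa-f]+)")


def decode_ad_bind_error(diagnostic):
    """Pull the 'data NNN' sub-code out of an AD bind failure message.

    Returns (code, meaning), or None if the text carries no AD sub-code
    (e.g. a plain "Invalid credentials (49)" line with no additional info).
    """
    m = _DATA_RE.search(diagnostic)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_DATA_CODES.get(code, "unrecognised sub-code")


# Attribute types that actually appear in AD distinguished names.
AD_NAMING_ATTRS = {"cn", "ou", "dc", "o", "l", "st", "c"}


def check_bind_dn(identity):
    """Return a list of problems with a bind identity; empty means it looks sane.

    Besides a full DN, AD also accepts a userPrincipalName (user@realm) or an
    NT-style DOMAIN\\user for simple binds, so both pass unchanged.
    Heuristic only: RDNs are split on commas not escaped per RFC 4514.
    """
    if "=" not in identity and ("@" in identity or "\\" in identity):
        return []
    problems = []
    for rdn in re.split(r"(?<!\\),", identity):
        attr, sep, value = rdn.partition("=")
        if not sep:
            problems.append(f"RDN '{rdn.strip()}' is not attribute=value")
            continue
        attr = attr.strip().lower()
        if attr not in AD_NAMING_ATTRS:
            problems.append(
                f"'{attr}' is not a naming attribute; AD names user entries "
                f"CN=<display name>,OU=..., not by the logon name")
        if not value.strip():
            problems.append(f"RDN '{rdn.strip()}' has an empty value")
    return problems


if __name__ == "__main__":
    # Constructed from the diagnostic quoted in the question.
    LDAPSEARCH_OUTPUT = (
        "ldap_bind: Invalid credentials (49)\n"
        "        additional info: 80090308: LdapErr: DSID-0C090334, "
        "comment: AcceptSecurityContext error, data 525, vece"
    )
    print(decode_ad_bind_error(LDAPSEARCH_OUTPUT))
    for ident in ("dn=ldapuser,ou=Users_Something,dc=sub,dc=domain,dc=com",
                  "CN=LDAP User,OU=Users_Something,DC=sub,DC=domain,DC=com",
                  "ldapuser@sub.domain.com"):
        print(ident, "->", check_bind_dn(ident) or "ok")
```

Run against the strings from the thread, the decoder reports 525 (bind identity not found) and the DN check rejects the `dn=ldapuser,...` form while accepting the `CN=LDAP User,OU=...` DN that ldp displayed and the UPN form. Whichever identity form is chosen, the password in AuthLDAPBindPassword is stored in clear text in httpd.conf, so that file should be readable only by the account that starts Apache, and the bind account itself needs no rights beyond reading the user entries it searches.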

With ldapsearch you searched the subtree (-s sub), but you're missing this option in your httpd.conf; not sure if this solves your problem:

AuthLDAPSearchScope subtree
ASKER CERTIFIED SOLUTION
SirParadox