• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 555
  • Last Modified:

LDAP/APACHE Authentication

I am currently hosting an intranet web page on a linux (RHEL4.4) server. I needed to restrict access to a certain group, so I am authenticating Apache against our Active Directory. It is working perfectly for all of my 30+ users except for two. All user accounts are identical except for name. There are no messages in my /var/log/messages or /var/log/httpd/error_log that would give any hint. In fact, they appear to be authenticating properly, but receive a "You do not have permission to view..." in the browser. The site is located in /var/www/html/<site_name> and the owner of all files are Apache.Apache.

Here is the authentication from my /etc/httpd/conf/httpd.conf:

  Order allow,deny
    Allow from all
        AuthType Basic
        AuthName "INTRANET"
        AuthzLDAPMethod ldap
        AuthzLDAPServer <ldap_server_name>
        AuthzLDAPBindDN "cn=ldapuser,cn=Users,dc=<domain>,dc=<name>,dc=com"
        AuthzLDAPBindPassword "<password>"
        AuthzLDAPUserKey sAMAccountName
        AuthzLDAPUserBase "ou=<custom_OU>,dc=<domain>,dc=<name>,dc=com"
        AuthzLDAPUserScope subtree
        AuthzLDAPGroupBase "ou=<custom_group_OU>,dc=<domain>,dc=<name>,dc=com"
        AuthzLDAPGroupKey cn
        AuthzLDAPMemberKey member
        AuthzLDAPSetGroupAuth ldapdn
        require group <group_name>

As stated, the authentication works perfectly for ever user except for two and I cannot for the life of me figure out why they would be denied. Their AD accounts are exactly the same as the others.
0
powellchristopher
Asked:
powellchristopher
  • 2
1 Solution
 
giltjrCommented:
What I would suggest is to get some type of ldap browser and look at the accounts from a LDAP view.  I use Softerra LDAP Browser, v2.6 is free.  I believe that MS has a free LDAP browser also.


If ldap connection is not SSL'ed you can get wireshark (http://www.wireshark.org) and just do a packet capture of somebody that works and then one of the ids that does not work and Wireshark will show you the ldap calls and results.
0
 
giltjrCommented:
0
 
powellchristopherAuthor Commented:
No solution yet.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now