Solved

LDAP/APACHE Authentication

Posted on 2009-05-15
3
545 Views
Last Modified: 2013-12-24
I am currently hosting an intranet web page on a linux (RHEL4.4) server. I needed to restrict access to a certain group, so I am authenticating Apache against our Active Directory. It is working perfectly for all of my 30+ users except for two. All user accounts are identical except for name. There are no messages in my /var/log/messages or /var/log/httpd/error_log that would give any hint. In fact, they appear to be authenticating properly, but receive a "You do not have permission to view..." in the browser. The site is located in /var/www/html/<site_name> and the owner of all files are Apache.Apache.

Here is the authentication from my /etc/httpd/conf/httpd.conf:

  Order allow,deny
    Allow from all
        AuthType Basic
        AuthName "INTRANET"
        AuthzLDAPMethod ldap
        AuthzLDAPServer <ldap_server_name>
        AuthzLDAPBindDN "cn=ldapuser,cn=Users,dc=<domain>,dc=<name>,dc=com"
        AuthzLDAPBindPassword "<password>"
        AuthzLDAPUserKey sAMAccountName
        AuthzLDAPUserBase "ou=<custom_OU>,dc=<domain>,dc=<name>,dc=com"
        AuthzLDAPUserScope subtree
        AuthzLDAPGroupBase "ou=<custom_group_OU>,dc=<domain>,dc=<name>,dc=com"
        AuthzLDAPGroupKey cn
        AuthzLDAPMemberKey member
        AuthzLDAPSetGroupAuth ldapdn
        require group <group_name>

As stated, the authentication works perfectly for ever user except for two and I cannot for the life of me figure out why they would be denied. Their AD accounts are exactly the same as the others.
0
Comment
Question by:powellchristopher
  • 2
3 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 24402293
What I would suggest is to get some type of ldap browser and look at the accounts from a LDAP view.  I use Softerra LDAP Browser, v2.6 is free.  I believe that MS has a free LDAP browser also.


If ldap connection is not SSL'ed you can get wireshark (http://www.wireshark.org) and just do a packet capture of somebody that works and then one of the ids that does not work and Wireshark will show you the ldap calls and results.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 24402312
0
 

Accepted Solution

by:
powellchristopher earned 0 total points
ID: 24714257
No solution yet.
0

Join & Write a Comment

CCModeler offers a way to enter basic information like entities, attributes and relationships and export them as yEd or erviz diagram. It also can import existing Access or SQL Server tables with relationships.
Read about achieving the basic levels of HRIS security in the workplace.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now