Solved

LDAP/APACHE Authentication

Posted on 2009-05-15
Last Modified: 2013-12-24
I am currently hosting an intranet web page on a Linux (RHEL4.4) server. I needed to restrict access to a certain group, so I am authenticating Apache against our Active Directory. It is working perfectly for all of my 30+ users except for two. All user accounts are identical except for name. There are no messages in my /var/log/messages or /var/log/httpd/error_log that would give any hint. In fact, they appear to be authenticating properly, but receive a "You do not have permission to view..." in the browser. The site is located in /var/www/html/<site_name> and the owner of all files is Apache.Apache.

Here is the authentication from my /etc/httpd/conf/httpd.conf:

    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "INTRANET"
    AuthzLDAPMethod ldap
    AuthzLDAPServer <ldap_server_name>
    AuthzLDAPBindDN "cn=ldapuser,cn=Users,dc=<domain>,dc=<name>,dc=com"
    AuthzLDAPBindPassword "<password>"
    AuthzLDAPUserKey sAMAccountName
    AuthzLDAPUserBase "ou=<custom_OU>,dc=<domain>,dc=<name>,dc=com"
    AuthzLDAPUserScope subtree
    AuthzLDAPGroupBase "ou=<custom_group_OU>,dc=<domain>,dc=<name>,dc=com"
    AuthzLDAPGroupKey cn
    AuthzLDAPMemberKey member
    AuthzLDAPSetGroupAuth ldapdn
    require group <group_name>

As stated, the authentication works perfectly for every user except for two and I cannot for the life of me figure out why they would be denied. Their AD accounts are exactly the same as the others.
Question by:powellchristopher
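As an added diagnostic (not the asker's configuration and not code from the Apache LDAP module), the script below replays the lookup chain the AuthzLDAP* directives describe, user lookup by sAMAccountName under the user base, group lookup by cn under the group base, then a check of the group's member attribute against the user's DN, over a constructed in-memory directory, so the step at which a given user is refused becomes visible. All base DNs, account names and the group are constructed sample values, not the asker's.

```python
def norm_dn(dn):
    """Approximate AD's DN matching: case-insensitive, spaces around commas ignored."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def under_base(dn, base):
    # True if dn is base itself or lies below it (what a subtree-scoped search covers).
    ndn, nbase = norm_dn(dn), norm_dn(base)
    return ndn == nbase or ndn.endswith("," + nbase)

# Mirrors the AuthzLDAP* directives in the question; the base DNs are constructed.
CONFIG = {
    "user_base": "ou=People,dc=example,dc=com", "user_key": "sAMAccountName",
    "group_base": "ou=Groups,dc=example,dc=com", "group_key": "cn",
    "member_key": "member", "require_group": "intranet",
}

# Constructed in-memory directory: DN -> attributes (multi-valued, as LDAP returns them).
DIRECTORY = {
    "CN=Alice,OU=People,DC=example,DC=com": {"sAMAccountName": ["alice"]},
    "CN=Bob,OU=People,DC=example,DC=com": {"sAMAccountName": ["bob"]},
    "CN=Dan,OU=People,DC=example,DC=com": {"sAMAccountName": ["dan"]},
    # Carol's account sits outside the configured user base.
    "CN=Carol,OU=Contractors,DC=example,DC=com": {"sAMAccountName": ["carol"]},
    "CN=intranet,OU=Groups,DC=example,DC=com": {
        "cn": ["intranet"],
        "member": ["CN=Alice,OU=People,DC=example,DC=com",
                   "cn=bob, ou=People, dc=example, dc=com"],  # differs only in case/spacing
    },
}

def find_entry(directory, base, key, wanted):
    """Subtree search under base for an entry whose key attribute holds wanted."""
    for dn, attrs in directory.items():
        if under_base(dn, base) and wanted.lower() in (v.lower() for v in attrs.get(key, [])):
            return dn, attrs
    return None, None

def check_access(directory, cfg, username):
    """Replay user lookup -> group lookup -> member check; return (allowed, reason)."""
    user_dn, _ = find_entry(directory, cfg["user_base"], cfg["user_key"], username)
    if user_dn is None:
        return False, "user not found under AuthzLDAPUserBase (account in another OU?)"
    _, group = find_entry(directory, cfg["group_base"], cfg["group_key"], cfg["require_group"])
    if group is None:
        return False, "group not found under AuthzLDAPGroupBase"
    members = group.get(cfg["member_key"], [])
    if user_dn in members:
        return True, "exact DN match in member attribute"
    if norm_dn(user_dn) in {norm_dn(m) for m in members}:
        return True, "member DN matches only after normalisation (check how the module compares DNs)"
    return False, "user DN absent from member (nested group or primary group membership?)"
```

Against a live domain controller the same three lookups can be reproduced with ldapsearch using the bind DN from the configuration, comparing the output for a working account and a refused one.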
3 Comments

Expert Comment

by:giltjr
ID: 24402293
What I would suggest is to get some type of LDAP browser and look at the accounts from an LDAP view. I use Softerra LDAP Browser; v2.6 is free. I believe that MS has a free LDAP browser also.

If the LDAP connection is not SSL'ed, you can get Wireshark (http://www.wireshark.org) and just do a packet capture of somebody that works and then one of the IDs that does not work, and Wireshark will show you the LDAP calls and results.

Expert Comment

by:giltjr
ID: 24402312

Accepted Solution

by:powellchristopher (earned 0 total points)
ID: 24714257
No solution yet.