Solved

LDAP/APACHE Authentication

Posted on 2009-05-15
3
549 Views
Last Modified: 2013-12-24
I am currently hosting an intranet web page on a linux (RHEL4.4) server. I needed to restrict access to a certain group, so I am authenticating Apache against our Active Directory. It is working perfectly for all of my 30+ users except for two. All user accounts are identical except for name. There are no messages in my /var/log/messages or /var/log/httpd/error_log that would give any hint. In fact, they appear to be authenticating properly, but receive a "You do not have permission to view..." in the browser. The site is located in /var/www/html/<site_name> and the owner of all files are Apache.Apache.

Here is the authentication from my /etc/httpd/conf/httpd.conf:

  Order allow,deny
    Allow from all
        AuthType Basic
        AuthName "INTRANET"
        AuthzLDAPMethod ldap
        AuthzLDAPServer <ldap_server_name>
        AuthzLDAPBindDN "cn=ldapuser,cn=Users,dc=<domain>,dc=<name>,dc=com"
        AuthzLDAPBindPassword "<password>"
        AuthzLDAPUserKey sAMAccountName
        AuthzLDAPUserBase "ou=<custom_OU>,dc=<domain>,dc=<name>,dc=com"
        AuthzLDAPUserScope subtree
        AuthzLDAPGroupBase "ou=<custom_group_OU>,dc=<domain>,dc=<name>,dc=com"
        AuthzLDAPGroupKey cn
        AuthzLDAPMemberKey member
        AuthzLDAPSetGroupAuth ldapdn
        require group <group_name>

As stated, the authentication works perfectly for ever user except for two and I cannot for the life of me figure out why they would be denied. Their AD accounts are exactly the same as the others.
0
Comment
Question by:powellchristopher
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 24402293
What I would suggest is to get some type of ldap browser and look at the accounts from a LDAP view.  I use Softerra LDAP Browser, v2.6 is free.  I believe that MS has a free LDAP browser also.


If ldap connection is not SSL'ed you can get wireshark (http://www.wireshark.org) and just do a packet capture of somebody that works and then one of the ids that does not work and Wireshark will show you the ldap calls and results.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 24402312
0
 

Accepted Solution

by:
powellchristopher earned 0 total points
ID: 24714257
No solution yet.
0

Featured Post

Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question