I'm trying to restrict access to a folder using an authenticated LDAP user. This used to work with Apache on Ubuntu 14.04; however, now I'm trying to move to 16.04 and it does not work. I get AH01618 "user not found" errors. I'm sure it's something simple 🙂
The users are in this "domain": ou=Users,dc=ldap,dc=kattronics,dc=com
When accessing the webpage, I get prompted for the password, which is good; however, I get this error:
[auth_basic:error] [pid 10821] [client 10.0.5.167:58662] AH01618: user lasse.knudsen not found: /
Maybe there is a clue in the trailing slash.
Debugging is enabled for apache2:
AH01694: auth_ldap authenticate: user lasse.knudsen authentication failed; URI / [LDAP: ldap_simple_bind() failed][Can't contact LDAP server] (not authoritative)
The "Can't contact LDAP server" part puzzles me; the host does resolve.
Anyone who can point me in the right direction?
Directory entry from the Apache site configuration:
<Directory /var/www/html>
    AuthName "Restricted - Kattronics Users Only"
    AuthType Basic
    #Satisfy any
    AuthBasicProvider ldap
    AuthLDAPUrl "ldaps://dc2-ldap001:636/ou=Users,dc=ldap,dc=kattronics,dc=com?uid"
    AuthLDAPBindDN "ou=Users,dc=ldap,dc=kattronics,dc=com"
    AuthLDAPBindAuthoritative off
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    #Require valid-user
    # The following line gives error AH01618 (Apache does not allow trailing comments, so the note is on its own line)
    Require ldap-user
</Directory>
Workaround below:
<IfModule mod_authnz_external.c>
AddExternalAuth pwauth /usr/sbin/pwauth
SetExternalAuthMethod pwauth pipe
</IfModule>
<Directory /var/www/html>
AuthType Basic
AuthName "Login"
AuthBasicProvider external
AuthExternal pwauth
Require valid-user
</Directory>
Best Answer
Most LDAP servers require you to authenticate before you can request any useful directory information. In LDAP jargon, connecting is called "binding" to the directory server.
That means that Apache will need to be configured with a username and password. The username needs to be the full Distinguished Name, including the full path in the directory where it is stored, so your AuthLDAPBindDN needs to look something like:
and you probably need an AuthLDAPBindPassword (preferably one that never expires) as well:
A second issue when using a TLS/SSL-secured LDAP connection is that Apache will need to verify the authenticity of the server certificate the LDAP server uses. Typically I would expect that an LDAP server does not use a certificate issued by one of the well-known public CAs but rather one issued by an internal CA. Download the CA certificate to your web server and load it with the LDAPTrustedGlobalCert directive, i.e.:
Alternatively, as an insecure work-around, use the LDAPVerifyServerCert directive and don't verify the server certificate:
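Putting the answer's points together, here is an added example configuration (not from the question or the answer) that binds with a full service-account DN and a password and trusts the internal CA; the service-account DN, the password and the CA file path are assumed placeholders to replace with your own values.

```apache
# Added example; the bind account, password and CA path are assumed values.

# --- server config context (e.g. /etc/apache2/conf-enabled/ldap.conf) ---
# LDAPTrustedGlobalCert is only valid at server level, not inside <Directory>.
# Trust the internal CA (PEM file) that issued dc2-ldap001's certificate.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/internal-ca.pem
# Keep certificate verification on; "Off" is the insecure work-around.
LDAPVerifyServerCert On

# --- site config (e.g. /etc/apache2/sites-enabled/000-default.conf) ---
<Directory /var/www/html>
    AuthName "Restricted - Kattronics Users Only"
    AuthType Basic
    AuthBasicProvider ldap

    # Search base from the question; match the supplied login against uid.
    AuthLDAPURL "ldaps://dc2-ldap001:636/ou=Users,dc=ldap,dc=kattronics,dc=com?uid"

    # Full DN of a dedicated read-only service account (assumed name),
    # not the OU itself as in the original configuration.
    AuthLDAPBindDN "cn=apache-bind,ou=Service Accounts,dc=ldap,dc=kattronics,dc=com"
    AuthLDAPBindPassword "REPLACE_WITH_BIND_PASSWORD"

    # Let a failed LDAP authentication be final instead of falling through.
    AuthLDAPBindAuthoritative on

    # Accept any account found under the search base ...
    Require valid-user
    # ... or restrict to named accounts by listing them after ldap-user:
    # Require ldap-user lasse.knudsen
</Directory>
```

Keep the file that holds AuthLDAPBindPassword readable by root only; from Apache 2.4.5 the value can also be given as `exec:/path/to/program`, whose output is used as the password, which keeps the secret out of the site configuration.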