Ldap – Active Directory LDAP and user issues (using apache2 for svn access)

Tags: active-directory, apache-2.2, ldap

I currently have a setup where I work that lets users use their Active Directory domain logins and passwords to authenticate and authorize access to Subversion. Currently I need to allow application accounts the same access. So our IT group creates application accounts in Active Directory for us to use. But they want to be "secure", so they set the "Workstations Allowed"/userWorkstations attribute to only a limited number of workstations. So when an application account hits the apache2 server for authentication it can't log in for some reason, and I'm having a heck of a time trying to debug. The error logs only show me:

[Tue Apr 06 11:24:25 2010] [warn] [client 24.24.24.24] [3469] auth_ldap authenticate: user appuser13 authentication failed; URI /svn [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Tue Apr 06 11:24:25 2010] [error] [client 24.24.24.24] user appuser13: authentication failure for "/svn": Password Mismatch

I've checked the password numerous times and it appears to be correct but I can't seem to get the user to authenticate properly. Below is a snippet of the apache configuration for ldap:

# Auth providers
# Active Directory
<AuthnProviderAlias ldap ldap1>
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://dmain.company.com:389/dc=dmain,dc=company,dc=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=svnuser13,OU=Application Accounts,dc=dmain,dc=teradata,dc=com"
    AuthLDAPBindPassword secret3
</AuthnProviderAlias>

# Another set of users from a different group (separate LDAP server)
<AuthnProviderAlias ldap ldap2>
    AuthBasicProvider ldap
    AuthLDAPURL ldap://diffldapserver:389/dc=specialusers,dc=com?uid
</AuthnProviderAlias>

# Local users from an htpasswd file
<AuthnProviderAlias file file1>
    AuthUserFile /var/svn/auth/htpasswd
</AuthnProviderAlias>

<Location /svn>
    DAV svn
    SVNPath /var/svn

    Satisfy Any

    AuthType Basic
    AuthName "SVN Repository"
    # Providers are tried in this order until one accepts the credentials
    AuthBasicProvider ldap1 file1 ldap2
    AuthzSVNAccessFile /var/svn/auth/access
    AuthzLDAPAuthoritative on
    Require valid-user
</Location>

Any help, like tips for debugging is appreciated!

I seem to think this might be related to NetBIOS name resolution. In Windows I think it broadcasts and registers this properly, but in Linux I know it's not the default. So I'm guessing the domain server rejects all requests from this host since it doesn't know it by name. I tried the ldapsearch program in Linux and it rejected it, so I tend to think this is the issue. I'm waiting on some others to help me test this locally, but I thought I'd throw that out there in case anyone has an opinion on it.

Best Answer

When you're doing LDAP logins, the workstation being logged into is the server providing the LDAP service. To do what you want, you'll have to add dmain and diffldapserver to the 'allow logins from' tab on those users.
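As an added example (not part of the question or the answer above), the check below takes the AuthLDAPURL values from the posted config, derives the NetBIOS name AD would see as the "workstation" for a simple bind (assumed here to be the first DNS label of the LDAP server, uppercased), and reports which of them are missing from an account's userWorkstations value. It also decodes the "data NNN" subcode AD appends to a failed bind's diagnostic message, which Apache's "Invalid credentials" line hides; the userWorkstations value and the diagnostic string are constructed sample input.

```python
"""Diagnose AD 'Workstations Allowed' (userWorkstations) mismatches for
Apache mod_authnz_ldap binds. Added example; the AuthLDAPURL values are
from the page, the userWorkstations value and diagnostic string are
constructed."""
import re
from urllib.parse import urlparse

# AD reports the underlying Windows logon error in its bind diagnostic
# ("... AcceptSecurityContext error, data 531, ..."). 531 is the code the
# userWorkstations restriction produces; 52e is a plain bad password.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# The two LDAP URLs from the posted Apache configuration
AUTH_LDAP_URLS = [
    '"ldap://dmain.company.com:389/dc=dmain,dc=company,dc=com?sAMAccountName?sub?(objectClass=*)"',
    "ldap://diffldapserver:389/dc=specialusers,dc=com?uid",
]

def decode_ad_bind_error(diag_message: str) -> str:
    """Map the 'data NNN' field of an AD bind diagnostic to its meaning."""
    m = re.search(r"\bdata\s+([0-9a-f]{3})\b", diag_message, re.IGNORECASE)
    if not m:
        return "no AD data code present"
    code = m.group(1).lower()
    return AD_BIND_DATA_CODES.get(code, "unknown code " + code)

def netbios_name(auth_ldap_url: str) -> str:
    """The server performing the bind is the 'workstation' AD checks.
    Assumption: its NetBIOS name is the first DNS label, uppercased."""
    host = urlparse(auth_ldap_url.strip('"')).hostname
    return host.split(".")[0].upper()

def missing_workstations(user_workstations: str, ldap_urls) -> list:
    """Return bind servers absent from userWorkstations (a comma-separated
    list of NetBIOS names; an empty attribute means no restriction)."""
    allowed = {w.strip().upper() for w in user_workstations.split(",") if w.strip()}
    if not allowed:
        return []
    needed = {netbios_name(u) for u in ldap_urls}
    return sorted(needed - allowed)
```

If the list comes back non-empty, those names are the ones to add to the account's "Log On To" workstation list, as the answer describes.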