Ldap – Apache 2.2 LDAP Authentication Error 500 – AuthLDAPURL

active-directoryapache-2.2directoryldaprhel6

I have an Apache server on RHEL 6 that uses our active directory for authentication and when we added a new "LocationMatch"

AuthLDAPURL ldap://ad.company.com/DC=ad,DC=company,DC=com?samaccountname?sub?(memberOf=CN=RnD,CN=Users,DC=domain,DC=com)

and on this location we get error 500

on other location matches :

AuthLDAPURL ldap://ad.company.com:389/OU=MA,DC=ad,DC=company,DC=com?samaccountname

it works flawlessly.

Best Answer

I am having exact same problem today, without a "ou=", AuthLDAPURL will return a 500 error.

Finally found a url: http://clabs.org/blog/RawStuff

It mentioned: "

If you need to authenticate against different OUs, then there are two options. Ideally, simply changing the ldap url to work from the root should work:

AuthLDAPURL "ldap://eiadserver1.einstruction.com:389/DC=einstruction,DC=com?sAMAccountName?sub?(objectClass=user)"

However, against Active Directory this doesn't seem to work, because in addition to the search results, it will also return referrals to other directory partitions, and Apache can't grok these or somesuch. A bug has been filed for this, and the report includes a patch.

But, if your Active Directory has a Global Directory configured, typically on port 3268, then you might be able to get the query you need to work:

AuthLDAPURL "ldap://eiadserver1.einstruction.com:3268/DC=einstruction,DC=com?sAMAccountName?sub?(objectClass=user)"

I checked our AD server and it's listening on port 3268, so I changed it, it did fix the problem.

Related Solutions

Redhat – LDAP Authentication fails with 500 or 401 depending on bind for Apache2

I had the same problem. The identical configuration i tested on Ubuntu did not work on RHEL5. I ended up changing from port 389 to 3268 after reading this and that fixed my problem.

Svn – Subversion gives Error 500 until authenticating with a web browser

I'm using a Debian "Lenny" setup, running Apache2/SVN with LDAP being authenticated through Apache directly to AD, while also hosting a Trac site on the same machine. I'll take a stab at it, but I need some more info...

The SVN access is the built-in module through Apache, so the first question I have is - are you running this as the SVN stand-alone process, or through Apache (it appears to be Apache but I just want to be sure)? The second question is, are you using Apache2 or Apache (1.x)? The third question is, do you use LDAP authentication through PAM, or through Apache's built-in support?

Just for reference, here's a (sanitized) version of the config for Trac, along with the LDAP settings that authenticate through AD (yes, it's open to anyone because Trac has its own permissions system that on my setup defaults to read-only for authenticated users):

#Rudimentary Apache2 authentication for Active Directory (without group controls)
<Location /trac>
  SetHandler mod_python
  PythonInterpreter main_interpreter
  PythonHandler trac.web.modpython_frontend
  PythonOption TracEnvParentDir /srv/trac
  PythonDebug on
  Order deny,allow
  Deny from all
  Allow from 10.0.0.0/8
  AuthType Basic
  AuthName "Trac Projects"
  AuthBasicProvider "ldap"
  AuthLDAPURL "ldap://enterprise-dc.mycompany.com:3268/DC=localsite,DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=user)"
  AuthLDAPBindDN       apache-account@local-site.mycompany.com
  AuthLDAPBindPassword "supersecretpasswordthatnoonewillguess"
  authzldapauthoritative On
  require valid-user
  # require ldap-group "CN=Users,DC=local-site,DC=mycompany,DC=com"
</Location>

More importantly for your purposes, using that form of authentication as a template, we can get the settings for /etc/apache2/mods-enabled/dav_svn.conf, which will control your SVN access:

<Location /svn>
  DAV svn
  SVNParentPath /srv/svn
  SVNAutoversioning on
  Order deny,allow
  Deny from all
  Allow from 10.0.0.0/8
  AuthType Basic
  AuthName "Subversion Repository"
  AuthBasicProvider "ldap"
  AuthLDAPURL "ldap://enterprise-dc.mycompany.com:3268/DC=local-site,DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=user)"
  AuthLDAPBindDN apache-account@local-site.mycompany.com
  AuthLDAPBindPassword "supersecretpasswordthatnoonewillguess"
  authzldapauthoritative On
  require valid-user
</Location>

Our desktops have fairly tight controls on program installation so I'm not as concerned about someone (a) installing an SVN client (b) figuring out the exact server name to connect to (c) getting into the repo and mucky-mucking things up, which is why the security is so low. However, with a little tweaking, you should be able to re-use this arrangement by enforcing an AD group (note the commented out cruft in the first example) and get much tighter control on access.

Hope this is of help to you.

Update (based on new information)

I think the problem is that you are not authenticating against the Global Catalog. Change the port number to the one I have in my example, and be sure to point it at a Domain Controller that is at the "Enterprise" level i.e. not a member of a child domain. So instead of site.enterprise.com, point it to enterprise.com at the new port number. Note that you might not need to specify the domain name in your setup for the user name, so if it refuses to authenticate, be sure to try it without as well (see the example I posted); and use the "email-style" account name as well vs. the "domain-style" layout.

My suspicion: The Global Catalog "flattens" the search space for users; but by asking a standard LDAP query on the child DC, I think that the initial failure occurs because there is no "answer" to be had initially, until the DC in the child domain can run out and get one. On the second attempt, the answer is cached, and you succeed.

Best Answer

Related Solutions

Redhat – LDAP Authentication fails with 500 or 401 depending on bind for Apache2

Svn – Subversion gives Error 500 until authenticating with a web browser

Related Topic