Ldap – Apache and Active Directory authentication

active-directoryapache-2.2ldap

I'm having trouble with LDAP authentication in Apache 2.2. Here's the excerpt from httpd.conf

<Location /folder>
   AuthType Basic
   AuthName "Project"
   AuthBasicProvider ldap
   AuthLDAPBindDN "user@domain"
   AuthLDAPBindPassword "my_password"
   AuthLDAPURL "ldap://my_domain_controller/?samAccountName?sub?(objectClass=user)"
   Require valid-user
</Location>

I keep getting "ldap_search_ext_s() for user failed" in error.log. I tried using my quoted DN as AuthLDAPBindDN but results were the same. What could be the problem?

Best Answer

When I had this problem, it was apparently because Active Directory was returning referrals, and the openldap libraries couldn't cope. Two different solutions work for me; I prefer the second. First solution: in /etc/openldap/ldap.conf put the line

REFERRALS no

That, of course, assumes you're using the openldap libraries; I don't have recent experience with any others.

Second solution: the Active Directory Global Catalog service does not generate referrals, so point your ldap at its port instead of the normal port (of course, you'll need to be talking to a Global Catalog server; to find them look at the output of "dig -t srv _gc._tcp.domain", where "domain" is your domain). The port for the global catalog is 3268, so

AuthLDAPURL "ldap://my_domain_controller:3268/?samAccountName?sub?(objectClass=user)"

Related Solutions

Centos – WebDAV on CentOS – getting 403 error when attempt to upload

I recently struggled with the same problem on my Fedora 10 system. In my case the culprit was some odd redirection that I was doing in Apache. Specifically, I use a content management system (Drupal, to be exact) that within it's .htaccess includes the following redirection logic to redirect missing files to a PHP script:

# Rewrite URLs of the form 'x' to the form 'index.php?q=x'.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

It makes sense that the above only affects the PUT method since in that case REQUEST_FILENAME does not exist.

Not having the WebDAV area inside of the Drupal area, which seems like a reasonable constraint, fixes the problem.

Also, I think it is likely that SELinux would result in a different error, but it's not mentioned in the discussion above. Did you try disabling SELinux?

Debian – Apache + LDAP Auth: access to / failed, reason: require directives present and no Authoritative handler

Your 'Require' line reads

Require ldap-group cn=CHANGED, cn=CHANGED

That doesn't look write - I don't believe you can have have two cn's in a DN like that.

Best Answer

Related Solutions

Centos – WebDAV on CentOS – getting 403 error when attempt to upload

Debian – Apache + LDAP Auth: access to / failed, reason: require directives present and no Authoritative handler

Related Topic