Not able to authenticate Apache against OpenLDAP
- To: openldap-technical@openldap.org
- Subject: Not able to authenticate Apache against OpenLDAP
- From: Michael March <mmarch@gmail.com>
- Date: Mon, 24 Aug 2009 01:15:43 -0700
I'm using CentOS / RHEL 5.2 with the stock LDAP. I'm trying to get Apache to authenticate against my LDAP server. Using other client software I can bind as the user 'bob'.
Here is my Apache config:
<VirtualHost *:443>
    ServerName addressbook-stage.acme.com
    AllowEncodedSlashes on
    ProxyPass / http://domu-140.acme.com/
    ProxyPassReverse / http://domu-140.acme.com/
    <Proxy *>
        allow from all
    </Proxy>
    <Location />
        AuthType Basic
        AuthName "Login with your Acme ID"
        #AuthLDAPEnabled on
        AuthBasicProvider ldap
        AuthLDAPURL ldap://192.168.150.140:389/ou=People,dc=acme,dc=com
        AuthLDAPBindDN uid=root,ou=People,dc=acme,dc=com
        AuthLDAPBindPassword passwd
        #require group cn=it,ou=groups,dc=acme,dc=com
        require valid-user bob
    </Location>
</VirtualHost>
Here is my LDAP config:
access to attrs=userPassword
    by anonymous auth
    by self write
    by * none
# private LDAP Addressbook is readable and writable for the owner only
access to dn.regex="(.*,)?ou=Contacts,uid=([^,]+),ou=People,(.*)$"
    by dn.regex="uid=$2,ou=People,$3" write
    by * none
# global LDAP Addressbook is writable for all authenticated users
# This entry has to be _before_ any other entry that matches the contact
# tree eg. the * entry
access to dn.subtree="ou=Contacts,dc=acme,dc=com"
    by users write
    by users read
# The admin dn has full write access
access to *
    by users read
    by peername="IP=192\.168\.150\.5" read
Here is the error from OpenLDAP:
Aug 24 03:57:06 localhost slapd[23856]: conn=2 fd=14 ACCEPT from IP=192.168.150.5:59041 (IP=0.0.0.0:389)
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" method=128
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=0 RESULT tag=97 err=0 text=
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=1 SRCH base="ou=People,dc=acme,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=bob))"
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 BIND anonymous mech=implicit ssf=0
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" method=128
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 RESULT tag=97 err=0 text=
Aug 24 03:57:37 localhost slapd[23856]: conn=3 fd=17 ACCEPT from IP=192.168.150.5:59042 (IP=0.0.0.0:389)
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" method=128
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=0 RESULT tag=97 err=0 text=
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=1 SRCH base="ou=People,dc=acme,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=bmason))"
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=2 BIND anonymous mech=implicit ssf=0
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" method=128
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=2 RESULT tag=97 err=0 text=
--
<admiral>
Michael F. March ----- mmarch@gmail.com
Ph: (415)462-1910 ---- Fax: (602)296-0400
P.O. Box 2254 ---- Phoenix, AZ 85002-2254
"Seriously" - HSR
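The slapd log in the post above records every step of mod_authnz_ldap's sequence (bind as the AuthLDAPBindDN account, search for the user, bind as the user) with err=0, over mech=SIMPLE ssf=0, which means both the service-account password and bob's password crossed the wire in the clear over ldap://; it also shows conn=3 searching for uid=bmason and then binding as uid=bob. The script below is an added example, not code from the original post nor from the Apache or OpenLDAP projects. It parses slapd stats-level conn=/op= lines of this shape, rebuilds the sequence per connection, and reports failed operations with their RFC 4511 result code, cleartext simple binds, and a search uid that does not match the uid subsequently bound as. The conn=2 and conn=3 lines in its sample are taken from the post (trimmed); the conn=4 lines are constructed to show what a wrong-password bind looks like (err=49, invalidCredentials), since every bind in the original log succeeded. That the first bind on a connection is the service account is an assumption.

```python
"""Reconstruct mod_authnz_ldap's search-then-bind sequence from a slapd log.

Added example; not from the original post or the Apache/OpenLDAP projects.
"""
import re

# LDAP result codes (RFC 4511) that commonly appear in slapd's "err=" field.
RESULT_CODES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
                50: "insufficientAccessRights"}

# Constructed sample. conn=2 and conn=3 are from the post's log (trimmed);
# conn=4 is invented to show a failing user bind (err=49).
SAMPLE_LOG = """\
Aug 24 03:57:06 localhost slapd[23856]: conn=2 fd=14 ACCEPT from IP=192.168.150.5:59041 (IP=0.0.0.0:389)
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" method=128
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=0 RESULT tag=97 err=0 text=
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=1 SRCH base="ou=People,dc=acme,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=bob))"
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 BIND anonymous mech=implicit ssf=0
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 RESULT tag=97 err=0 text=
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=0 RESULT tag=97 err=0 text=
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=1 SRCH base="ou=People,dc=acme,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=bmason))"
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=2 RESULT tag=97 err=0 text=
Aug 24 03:58:10 localhost slapd[23856]: conn=4 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:58:10 localhost slapd[23856]: conn=4 op=0 RESULT tag=97 err=0 text=
Aug 24 03:58:10 localhost slapd[23856]: conn=4 op=1 SRCH base="ou=People,dc=acme,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=bob))"
Aug 24 03:58:10 localhost slapd[23856]: conn=4 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 24 03:58:10 localhost slapd[23856]: conn=4 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:58:10 localhost slapd[23856]: conn=4 op=2 RESULT tag=97 err=49 text=
"""

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) op=(\d+) (.*)$")
BIND_RE = re.compile(r'^BIND dn="([^"]*)" mech=(\S+) ssf=(\d+)')
SRCH_RE = re.compile(r'^SRCH base="([^"]*)" .*filter="([^"]*)"')
RESULT_RE = re.compile(r"^(?:SEARCH )?RESULT tag=\d+ err=(\d+)")
UID_RE = re.compile(r"\(uid=([^)]*)\)")


def parse_slapd_log(text):
    """Return {conn: [op, ...]}: one dict per BIND or SRCH, in op order, with
    the err code from its RESULT line filled in (None if no RESULT seen)."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:            # ACCEPT / closed lines have no op=, skip them
            continue
        conn, op, body = int(m.group(1)), int(m.group(2)), m.group(3)
        ops = conns.setdefault(conn, {})
        b = BIND_RE.match(body)   # the "method=128" and "BIND anonymous" lines
        if b:                     # carry no mech=/dn=, so they do not match
            ops[op] = {"kind": "BIND", "dn": b.group(1), "mech": b.group(2),
                       "ssf": int(b.group(3)), "err": None}
            continue
        s = SRCH_RE.match(body)
        if s:
            ops[op] = {"kind": "SRCH", "base": s.group(1),
                       "filter": s.group(2), "err": None}
            continue
        r = RESULT_RE.match(body)
        if r and op in ops:
            ops[op]["err"] = int(r.group(1))
    return {c: [ops[k] for k in sorted(ops)] for c, ops in conns.items()}


def check_connection(ops):
    """Interpret one connection as mod_authnz_ldap's sequence and return a
    list of findings; an empty list means nothing to flag."""
    findings = []
    binds = [o for o in ops if o["kind"] == "BIND"]
    searches = [o for o in ops if o["kind"] == "SRCH"]
    for o in binds + searches:
        if o["err"] not in (None, 0):
            what = o["dn"] if o["kind"] == "BIND" else o["filter"]
            findings.append("%s %s failed: err=%d (%s)" % (
                o["kind"], what, o["err"], RESULT_CODES.get(o["err"], "unknown")))
    for b in binds:
        if b["mech"] == "SIMPLE" and b["ssf"] == 0:   # password sent in the clear
            findings.append("cleartext simple bind as %s (ssf=0)" % b["dn"])
    # Assumption: the first bind is the AuthLDAPBindDN service account and
    # every later bind is a user whose uid was just searched for.
    searched = [UID_RE.search(s["filter"]).group(1)
                for s in searches if UID_RE.search(s["filter"])]
    for uid, b in zip(searched, binds[1:]):
        rdn = b["dn"].split(",")[0]
        if rdn.lower() != "uid=%s" % uid.lower():
            findings.append("searched for uid=%s but bound as %s" % (uid, b["dn"]))
    return findings


def analyse(text):
    """Run check_connection over every connection in a slapd log."""
    return {conn: check_connection(ops)
            for conn, ops in parse_slapd_log(text).items()}


if __name__ == "__main__":
    for conn, findings in sorted(analyse(SAMPLE_LOG).items()):
        print("conn=%d: %s" % (conn, "; ".join(findings) or "ok"))
```

Run it against a real slapd log with `loglevel stats` (the level the post's lines come from); the cleartext finding goes away once the AuthLDAPURL uses ldaps:// or STARTTLS, which shows up in the log as a non-zero ssf.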