[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Not able to authenticate Apache against OpenLDAP

I am using the following conf on apache and it works fine.

 

AuthName " Users Only"

                AuthBasicProvider ldap

                AuthLDAPURL "ldap://xena.research.phg.com.au/ou=People,dc=research,dc=dbc,dc=com,dc=au?uid"

     

                AuthLDAPGroupAttribute memberUid

                AuthLDAPGroupAttributeIsDN off

 

                #AuthzLDAPAuthoritative off

                #require valid-user

                require ldap-group cn=svnusers,ou=group,dc=res,dc=dbc,dc=com,dc=au

                #require ldap-user peter

 

Regards
Nazeer

From: openldap-technical-bounces+nazeerm=phg.com.au@OpenLDAP.org [mailto:openldap-technical-bounces+nazeerm=phg.com.au@OpenLDAP.org] On Behalf Of Michael March
Sent: Monday, 24 August 2009 6:16 PM
To: openldap-technical@openldap.org
Subject: Not able to authenticate Apache against OpenLDAP

 

I'm using Centos / RHEL 5.2 using the stock LDAP..  I'm trying to get Apache to authenicate with my LDAP server... Using other client software I can bind as the  user 'bob'.

Here is my Apache config:

<VirtualHost *:443>  ServerName addressbook-stage.acme.com
  AllowEncodedSlashes on  ProxyPass / http://domu-140.acme.com/
  ProxyPassReverse / http://domu-140.acme.com/
  <Proxy *>
   allow from all
   </Proxy>
  <Location />    
  AuthType Basic
     AuthName "Login with your Acme ID"    
     #AuthLDAPEnabled on
     AuthBasicProvider ldap    
     AuthLDAPURL ldap://192.168.150.140:389/ou=People,dc=acme,dc=com
     AuthLDAPBindDN uid=root,ou=People,dc=acme,dc=com    
     AuthLDAPBindPassword passwd
     #require group cn=it,ou=groups,dc=acme,dc=com
     require valid-user bob
  </Location>
</VirtualHost>

Here is my LDAP config:

access to attrs=userPassword
        by anonymous auth
        by self write
        by * none


# private LDAP Addressbook is readable and writable for the owner only
access  to dn.regex="(.*,)?ou=Contacts,uid=([^,]+),ou=People,(.*)$"
        by dn.regex="uid=$2,ou=People,$3" write
        by * none

# global LDAP Addressbook is writable for all authenticated users
# This entry has to be _before_ any other entry that matches the contact
# tree eg. the * entry
access to dn.subtree="ou=Contacts,dc=acme,dc=com"
    by users write
    by users read

# The admin dn has full write access
access to *
        by users read
        by peername="IP=192\.168\.150\.5" read


Here is the error from from OpenLDAP:


Aug 24 03:57:06 localhost slapd[23856]: conn=2 fd=14 ACCEPT from IP=192.168.150.5:59041 (IP=0.0.0.0:389)
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" method=128
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=0 RESULT tag=97 err=0 text=
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=1 SRCH base="ou=People,dc=acme,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=bob))"
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 BIND anonymous mech=implicit ssf=0
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" method=128
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 RESULT tag=97 err=0 text=
Aug 24 03:57:37 localhost slapd[23856]: conn=3 fd=17 ACCEPT from IP=192.168.150.5:59042 (IP=0.0.0.0:389)
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" method=128
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=0 RESULT tag=97 err=0 text=
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=1 SRCH base="ou=People,dc=acme,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=bmason))"
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=2 BIND anonymous mech=implicit ssf=0
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" method=128
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=2 RESULT tag=97 err=0 text=



--
<admiral>

Michael F. March ----- mmarch@gmail.com
Ph: (415)462-1910 ---- Fax: (602)296-0400
P.O. Box 2254 ---- Phoenix, AZ 85002-2254
         "Seriously" - HSR

***************************************************************************

CAUTION: This email message and accompanying data may contain information

that is confidential and/or subject to legal privilege. If you are not the

intended recipient, you are notified that any use, dissemination,

distribution or copying of this message or data is prohibited.

If you have received this email message in error, please notify us

immediately and erase all copies of this message and attachments. Thank you.

***************************************************************************