Re: LDAP query failing
- From: "Lee Flight" <lef@xxxxxxxxxxxxxxx>
- Date: Fri, 27 Jan 2006 14:01:12 -0000
Hi
you need to speak to your AD admins and find a good search base
to be using in your LDAP URL; you need to find where the user accounts
are rooted.

Also your search base format

cn=users,dc=adsdnsname

needs to be a distinguishedName so the leading part of the URL is:

ldap://myaddomain.com:389/cn=user,dc=myaddomain,dc=com

With mod_auth_ldap you will need an AD account that you can use to run
the search. You will also need some discipline on how the user accounts
are searched for: if sAMAccountName is what the user will be entering that's
fine, but if variations in the input e.g. userPrincipalName are likely you will
probably need to parse those into sAMAccountNames or vice versa; this
could be tricky in a multi-domain environment and might need a global
catalog search (your AD admins should be able to advise).

A further thing that you will want to do is to run the LDAP connection over
SSL so that the usernames and passwords that are presented for binding
do not pass over the network in cleartext. In the auth_ldap conf file you
can have a pointer to a certificate store IIRC.

If you google you should find plenty of mod_auth_ldap examples for running
against AD (and ADAM), it's quite widely used.
Lee Flight
"kevinL" <kevinL@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DE9FFEE4-C12B-4E27-8C3E-E604C854CAFC@xxxxxxxxxxxxxxxx
> My organization is really beginning to see the value of AD as an
> enterprise directory and I want to encourage that.
>
> We make good use of IIS for a variety of applications but our intranet
> runs on Apache, v 2.0.52. Users provide user names and passwords to access
> various pages on the intranet. I'd like to have Apache
> authenticate/authorize against our 2003 functional level domain ldap for
> user name and pw hash as well as group membership authorization. We already
> have our Unix servers authenticating against our AD for logins.
>
> I am attempting to use an Apache module called mod_auth_ldap for our
> intranet auth/auth.
>
> The question:
>
> An ldap query to:
>
> ldap://addnsname:389/cn=users,dc=adsdnsname,?sAMAccoutName?sub?(objectClass=user)
>
> returns:
>
> "dap_search_ext_s() for user failed"
>
> Perhaps the query is not landing at the right place in the LDAP
> structure?
> I'd like to query against their logon name, userprincipalname or
> samaccountname.
>
> 1) Any suggestions would be appreciated.
>
> 2) Does anyone know where I could find a graphical representation of the
> default LDAP structure of a 2003 AD? Trying to extrapolate from the
> detailed tools like ldp or dsquery is daunting.
>
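Added example (not code from either poster): the normalisation Lee's reply describes, turning whatever a user types (bare sAMAccountName, user@UPN-suffix, or NETBIOS\user) into a sAMAccountName, escaping it before it goes into the search filter, and assembling the LDAPS URL with a distinguishedName search base. The domain, UPN suffix, NetBIOS name and container are made-up placeholders.

```python
# Added example, not from the original thread. All domain values are assumed.
DOMAIN_DN = "dc=myaddomain,dc=com"      # assumed DN of the AD domain
USERS_BASE = "cn=users," + DOMAIN_DN    # assumed container where accounts live
UPN_SUFFIX = "myaddomain.com"           # assumed UPN suffix for this domain
NETBIOS = "MYADDOMAIN"                  # assumed NetBIOS (pre-2000) domain name


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 rules).

    Without this, a login such as "*" or "a)(objectClass=*" would change the
    meaning of the filter instead of matching one account name."""
    out = []
    for ch in value:
        if ch in "\\*()":
            out.append("\\%02x" % ord(ch))   # e.g. '*' -> '\2a'
        elif ch == "\0":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def to_sam_account_name(login: str) -> str:
    """Reduce user@suffix, NETBIOS\\user or a bare name to the sAMAccountName.

    A suffix or NetBIOS name this domain does not own is rejected rather than
    silently searched; a multi-domain forest would route that to the global
    catalog instead, as Lee's reply notes."""
    login = login.strip()
    if "@" in login:                       # userPrincipalName form
        name, _, suffix = login.partition("@")
        if suffix.lower() != UPN_SUFFIX:
            raise ValueError("unknown UPN suffix: %s" % suffix)
        return name
    if "\\" in login:                      # NETBIOS\user form
        dom, _, name = login.partition("\\")
        if dom.upper() != NETBIOS:
            raise ValueError("unknown domain: %s" % dom)
        return name
    return login


def build_user_filter(login: str) -> str:
    """Build the filter mod_auth_ldap would run for this login."""
    sam = to_sam_account_name(login)
    if not sam or len(sam) > 20 or any(c.isspace() for c in sam):
        raise ValueError("invalid account name")   # AD caps sAMAccountName at 20
    return "(&(objectClass=user)(sAMAccountName=%s))" % ldap_filter_escape(sam)


def build_auth_ldap_url(host: str = "myaddomain.com") -> str:
    """LDAPS URL in AuthLDAPURL form: base DN ? attribute ? scope ? filter."""
    return "ldaps://%s:636/%s?sAMAccountName?sub?(objectClass=user)" % (host, USERS_BASE)
```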