Re: LDAP query failing
- From: kevinL <kevinL@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 27 Jan 2006 09:01:03 -0800
Thanks, I'll try those suggestions.
All the users and groups are in the default Users container in the one domain in the forest.
Any suggestions for options other than sAMAccountName to allow users to use the one word user name they are accustomed to using to logon = "user logon name"?
KevinL
"Lee Flight" wrote:
> Hi
>
> you need to speak to your AD admins and find a good search base
> to be using in your LDAP URL; you need to find where the user accounts
> are rooted.
>
> Also your search base format
>
> cn=users,dc=adsdnsname
>
> needs to be a distinguishedName so the leading part of the URL is:
>
> ldap://myaddomain.com:389/cn=user,dc=myaddomain,dc=com
>
> With mod_auth_ldap you will need an AD account that you can use to run
> the search. You will also need some discipline on how the user accounts
> are searched for: if sAMAccountName is what the user will be entering that's
> fine, but if variations in the input e.g. userPrincipalName are likely you will
> probably need to parse those into sAMAccountNames or vice versa; this
> could be tricky in a multi-domain environment and might need a global catalog
> search (your AD admins should be able to advise).
>
> A further thing that you will want to do is to run the LDAP connection over
> SSL so that the usernames and passwords that are presented for binding
> do not pass over the network in cleartext. In the auth_ldap conf file you
> can have a pointer to certificate store IIRC.
>
> If you google you should find plenty of mod_auth_ldap examples for running against
> AD (and ADAM), it's quite widely used.
>
> Lee Flight
>
> "kevinL" <kevinL@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:DE9FFEE4-C12B-4E27-8C3E-E604C854CAFC@xxxxxxxxxxxxxxxx
> > My organization is really beginning to see the value of AD as an enterprise
> > directory and I want to encourage that.
> >
> > We make good use of IIS for a variety of applications but our intranet runs
> > on Apache, v 2.0.52. Users provide user names and passwords to access
> > various pages on the intranet. I'd like to have Apache
> > authenticate/authorize against our 2003 functional level domain ldap for user
> > name and pw hash as well as group membership authorization. We already have
> > our Unix servers authenticating against our AD for logins.
> >
> > I am attempting to use an Apache module called mod_auth_ldap for our
> > intranet auth/auth.
> >
> > The question:
> >
> > An ldap query to:
> >
> > ldap://addnsname:389/cn=users,dc=adsdnsname,?sAMAccoutName?sub?(objectClass=user)
> >
> > returns:
> >
> > "dap_search_ext_s() for user failed"
> >
> > Perhaps, the query is not landing at the right place in the LDAP
> > structure?
> > I'd like to query against their logon name, userprincipalname or
> > samaccountname.
> >
> > 1)Any suggestions would be appreciated.
> >
> > 2)Does anyone know where I could find a graphical representation of the
> > default LDAP structure of a 2003 AD? Trying to extrapolate from the detailed
> > tools like ldp or dsquery is daunting.
> >
>
>
>
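Lee's point about parsing userPrincipalName input into sAMAccountName (or vice versa) before the search, as an added example that is not part of this thread or of mod_auth_ldap: the code below accepts the bare logon name, the DOMAIN\user form and the UPN form, resolves the domain against a constructed map (the myaddomain.com name is taken from Lee's example URL), and escapes the value per RFC 4515 so a user-typed name cannot change the structure of the search filter.

```python
from typing import Tuple

# Constructed sample mapping of DNS domain -> NetBIOS name for the one forest;
# a real deployment would take this from AD rather than hard-code it.
DOMAIN_MAP = {"myaddomain.com": "MYADDOMAIN"}
DEFAULT_DOMAIN = "myaddomain.com"

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def normalize_logon(raw: str, default_domain: str = DEFAULT_DOMAIN) -> Tuple[str, str]:
    """Turn 'user', 'DOMAIN\\user' or 'user@dns.domain' into (sAMAccountName, userPrincipalName).

    Raises ValueError for an empty name or a domain that is not part of this forest.
    """
    raw = raw.strip()
    if "\\" in raw:                      # down-level logon name: NETBIOS\user
        netbios, user = raw.split("\\", 1)
        domain = next((d for d, n in DOMAIN_MAP.items() if n.lower() == netbios.lower()), None)
    elif "@" in raw:                     # UPN form: user@dns.domain
        user, domain = raw.rsplit("@", 1)
        domain = domain.lower()
    else:                                # bare logon name: assume the default domain
        user, domain = raw, default_domain
    if not user or domain not in DOMAIN_MAP:
        raise ValueError(f"unrecognised logon name: {raw!r}")
    return user, f"{user}@{domain}"


def build_user_filter(raw: str) -> str:
    """Build a search filter that matches the account by either attribute."""
    sam, upn = normalize_logon(raw)
    return ("(&(objectClass=user)(|(sAMAccountName=%s)(userPrincipalName=%s)))"
            % (escape_filter_value(sam), escape_filter_value(upn)))


if __name__ == "__main__":
    for name in ("jsmith", "MYADDOMAIN\\jsmith", "jsmith@myaddomain.com", "j*smith"):
        print(name, "->", build_user_filter(name))
```

The resulting filter is what the `?sub?` part of the mod_auth_ldap URL would need to express; the wildcard in the last sample shows why escaping matters before the value reaches the directory.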