Re: LDAP Authentication from Linux
- From: "Adrian Marsh (NNTP)" <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 03 Apr 2008 16:07:46 +0100
Hi Dana,
I think you're right about the Query privileges. What I would like is a user specifically used for the binding, so restricted in other things. I'm not sure how to set those privileges though. I know that if I change the apache config below to use a Domain Admin account, then all works well.
Heres the Apache config:
<Directory "/var/www/html/wiki">
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "test server"
AuthLDAPURL "ldap://ubiq-serv1.companyname.local:389/DC=companyname,DC=local?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "CN=ldap45457,CN=Users,DC=companyname,DC=local"
AuthLDAPBindPassword *********
require valid-user
</Directory>
heres the error when I tried to login as me, note the bind failure.
[Mon Mar 24 12:32:38 2008] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Mon Mar 24 12:32:41 2008] [warn] [client 192.168.117.1] [16839] auth_ldap authenticate: user marsh authentication failed; URI /wiki/index.php [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
[Mon Mar 24 12:32:41 2008] [error] [client 192.168.117.1] user marsh: authentication failure for "/wiki/index.php": Password Mismatch
[Mon Mar 24 12:32:43 2008] [warn] [client 192.168.117.1] [16836] auth_ldap authenticate: user marsh authentication failed; URI /wiki/index.php [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
[Mon Mar 24 12:32:43 2008] [error] [client 192.168.117.1] user marsh: authentication failure for "/wiki/index.php": Password Mismatch
Dana Epp [Security MVP] wrote:
You can start by looking in /var/log to see what the bind failure error is. On the apache side, it might be as easy as /var/log/apache/error.log..
Depending how you have LDAP set up, remember that the user you configure must have privileges to query AD. But before we try to tackle the permission problems, lets see what the error is. If you don't see it in the error.log, check /var/log/syslog and /var/log/messages. Paste what you see in reference to your LDAP query, and we can go from there.
Regards,
Dana Epp [Microsoft Security MVP]
"Adrian Marsh (NNTP)" <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:u8JguRXlIHA.3512@xxxxxxxxxxxxxxxxxxxxxxxHi All,
I'm trying to implement a secure authentication from an apache2 server across to my SBS2003 server.
I've configured LDAP in apache, and if I bind using a Domain Admin account then all is well and I can login.
However, I don't really want to use a domain admin account for this. So I setup a new user account, and have tried using that but the bind fails. I'm guessing its a permissions issue, but am not sure where to start to look.
Second, am I using the right mechanism here? Isn't LDAP for directory lookups and Kerberos for authentication??
Adrian
- Follow-Ups:
- Re: LDAP Authentication from Linux
- From: Adrian Marsh (NNTP)
- Re: LDAP Authentication from Linux
- References:
- LDAP Authentication from Linux
- From: Adrian Marsh (NNTP)
- Re: LDAP Authentication from Linux
- From: Dana Epp [Security MVP]
- LDAP Authentication from Linux
- Prev by Date: Re: Initial browse to a web site is painfully slow
- Next by Date: SSL Problems With OWA
- Previous by thread: Re: LDAP Authentication from Linux
- Next by thread: Re: LDAP Authentication from Linux
- Index(es):
Relevant Pages
|
