Re: LDAP Authentication from Linux

---

• From: "Adrian Marsh (NNTP)" <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxx>
• Date: Thu, 03 Apr 2008 16:49:30 +0100

---

I've also just tried this:

Moving the ldap45457 user into the same OU as the rest of my normal users, and then changing apache to the below, and also adding "List Contents" Read permissions to that OU, as per what I read here for anonymous access. But still failed.. :(

http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm

AuthLDAPURL "ldap://ubiq-serv1.companyname.local:389/OU=SBSUsers,OU=Users,OU=Corporate,DC=companyname,DC=local?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "CN=ldap45457,OU=SBSUsers,OU=Users,OU=Corporate,OU=MyBusiness,DC=companyname,DC=local"
AuthLDAPBindPassword ********

Adrian


Adrian Marsh (NNTP) wrote:

Hi Dana,

I think you're right about the Query privileges. What I would like is a user specifically used for the binding, so restricted in other things. I'm not sure how to set those privileges though. I know that if I change the apache config below to use a Domain Admin account, then all works well.

Heres the Apache config:

<Directory "/var/www/html/wiki">
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "test server"

AuthLDAPURL "ldap://ubiq-serv1.companyname.local:389/DC=companyname,DC=local?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "CN=ldap45457,CN=Users,DC=companyname,DC=local"
AuthLDAPBindPassword *********
require valid-user
</Directory>

heres the error when I tried to login as me, note the bind failure.

[Mon Mar 24 12:32:38 2008] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Mon Mar 24 12:32:41 2008] [warn] [client 192.168.117.1] [16839] auth_ldap authenticate: user marsh authentication failed; URI /wiki/index.php [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
[Mon Mar 24 12:32:41 2008] [error] [client 192.168.117.1] user marsh: authentication failure for "/wiki/index.php": Password Mismatch
[Mon Mar 24 12:32:43 2008] [warn] [client 192.168.117.1] [16836] auth_ldap authenticate: user marsh authentication failed; URI /wiki/index.php [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
[Mon Mar 24 12:32:43 2008] [error] [client 192.168.117.1] user marsh: authentication failure for "/wiki/index.php": Password Mismatch


Dana Epp [Security MVP] wrote:

You can start by looking in /var/log to see what the bind failure error is. On the apache side, it might be as easy as /var/log/apache/error.log.

Depending how you have LDAP set up, remember that the user you configure must have privileges to query AD. But before we try to tackle the permission problems, lets see what the error is. If you don't see it in the error.log, check /var/log/syslog and /var/log/messages. Paste what you see in reference to your LDAP query, and we can go from there.

Regards,
Dana Epp [Microsoft Security MVP]


"Adrian Marsh (NNTP)" <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:u8JguRXlIHA.3512@xxxxxxxxxxxxxxxxxxxxxxx

Hi All,

I'm trying to implement a secure authentication from an apache2 server across to my SBS2003 server.

I've configured LDAP in apache, and if I bind using a Domain Admin account then all is well and I can login.

However, I don't really want to use a domain admin account for this. So I setup a new user account, and have tried using that but the bind fails. I'm guessing its a permissions issue, but am not sure where to start to look.

Second, am I using the right mechanism here? Isn't LDAP for directory lookups and Kerberos for authentication??

Adrian

.

---

• Follow-Ups:
  • Re: LDAP Authentication from Linux
    • From: Dana Epp [Security MVP]

• References:
  • LDAP Authentication from Linux
    • From: Adrian Marsh (NNTP)
  • Re: LDAP Authentication from Linux
    • From: Dana Epp [Security MVP]
  • Re: LDAP Authentication from Linux
    • From: Adrian Marsh (NNTP)

• Prev by Date: Re: Exchange locks up after opening
• Next by Date: How to setup VPN on Win2K3 SBS behind D-Link VPN router
• Previous by thread: Re: LDAP Authentication from Linux
• Next by thread: Re: LDAP Authentication from Linux
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: LDAP Authentication from Linux ... doesn't the LDAP module in Apache require a secure connection on most recent Linux systems? ... Moving the ldap45457 user into the same OU as the rest of my normal users, and then changing apache to the below, and also adding "List Contents" Read permissions to that OU, as per what I read here for anonymous access. ... user marsh authentication failed; ... (microsoft.public.windows.server.sbs) [VulnWatch] Digital Armaments: Apache auth_ldap module Multiple Format Strings Vulnerability ... Apache auth_ldap module Multiple Format Strings Vulnerability ... popular web server. ... It also has support for LDAP over SSL, ... permissions while still using LDAP for authentication. ... (VulnWatch) Re: Use Windows 2000 User Authentication for Apache ... auth_ldap works perfectly with apache and win2000. ... With ldap, no problem at all. ... stores the queried credentials in a cache and accelerates the whole authentication ... >> worth a try), Win2K Domain Controllers run an LDAP server, Apache may be ... (comp.os.linux.security) Re: problem with AuthCookieName and Apache ... > I has a problem with my configuration of AuthCookieName and Apache, ... This is due to the stack-like module semantics in apache 1.3. ... As mod_auth_cookie fakes basic authentication information, ... Have you checked the cookie is actually available? ... (Debian-User) Re: Mod_python vs. application server like CherryPy? ... WSGI being portability it effectively ignores practically everything ... that Apache has to offer. ... WSGI auth middleware already supports more auth methods than apache2 itself. ... authentication mechanisms, both of which are in Apache by default. ... (comp.lang.python)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(10)