Apache, LDAP, ActiveDirectory
November 1, 2004 3:13 PM
Apache, LDAP, ActiveDirectory and You: I have an application running on Apache. I would like to restrict access to the folder(s) it runs in by authenticating users against our Windows ActiveDirectory server, but I'm having trouble crafting the right URL.
I have mod_auth_ldap up and running and I'm blocking access to a given folder with a block in my httpd2.conf file. I'm providing an AuthLDAPBindDN and password combo in that block and providing a URL to the AD/LDAP server. It looks something like this:
AuthLDAPURL ldap://location.company.com:389/
and I've tried any number of things after that. I don't really understand how to form the rest of the URL to tell it "search this AD server for the name the user provides inside the Users subtree." I've tried using a Windows utility called "ldp.exe" to form queries, but it's less than helpful. It provides some feedback, but doesn't let you build actual URLs, forcing you to use its form inputs. I tried connecting with Thunderbird's address book as it provides a bit more of a "raw" interface, but I couldn't even connect with that.
Best answer: First of all, congrats on getting mod_auth_ldap going. At least on Solaris, it was like ramming bamboo shoots under my nails.
OK, now this is all from a Solaris/iPlanet LDAP perspective, but it should all be more-or-less the same for you. The key thing you need to know is your search base: basically, the org unit everything is under. If you have any other apps configured to talk to LDAP, you can probably find this; they all ask for it.
My company's, for example, is "o=cdm,c=us". So, my URL is:
AuthLDAPURL ldap://location.company.com/o=cdm,c=us?uid?sub
(the 389 is assumed and not needed)
Good luck. Feel free to email me via my profile page if you have further questions... I know your pain...
posted by mkultra at 6:39 AM on November 2, 2004
Response by poster: Thanks to both of you (esp. for the sympathy since I don't feel completely stupid). I've made some advances, but still not there. Apparently I'm making a connection as the error logs now say the credentials I typed in failed for authentication ("Invalid credentials"), but I have a feeling this is due to me querying the wrong place on the tree. Here's the relevant block from my conf file:
AllowOverride None
Order deny,allow
AuthLDAPEnabled on
AuthLDAPURL ldap://192.168.1.25:389/CN=schema/CN=configuration/OU=Users,DC=location,DC=company,DC=com?sAMAccountName?sub
AuthLDAPBindDN uid=username,dc=company,dc=com
AuthLDAPBindPassword userpassword
AuthType Basic
AuthName "Mefi LDAP"
require valid-user
posted by yerfatma at 7:36 AM on November 2, 2004
Take out the "AuthLDAPBindDN" and "AuthLDAPBindPassword" attributes: you're binding as whatever the client enters, not a specified fixed user. Apache uses the result of that auth attempt to validate its own auth.
I don't think you need "Order" either. I don't in mine, and it's fine.
posted by mkultra at 8:23 AM on November 2, 2004
Response by poster: Ok, so I commented out the "AuthLDAPBindDN" and "AuthLDAPBindPassword", killed the Order directive and removed the port (just for kicks) and now I get a different error:
auth_ldap authenticate: user username authentication failed; URI /ldap/ [ldap_search_ext_s() for user failed][Operations error]
Any idea if that's better or worse? The lack of useful documentation is amazing: the Apache mod_auth_ldap stuff assumes you know all about LDAP. The MS stuff assumes you're the AD administrator and accessing it through an MMC-snapin. Everything else just doesn't apply right.
posted by yerfatma at 8:33 AM on November 2, 2004
Best answer: Sorry, I've reached about the limit of my knowledge, 'cause yeah, the documentation truly is teh suck. One thing you may want to check is if your query string is correct. Again, I'm not an AD guy, so I don't know how they create their URLs. Though, I'm pretty sure that
ldap://192.168.1.25:389/CN=schema/CN=configuration,OU=Users,DC=location,DC=company,DC=com?sAMAccountName?sub
should be
ldap://192.168.1.25:389/CN=schema,CN=configuration/OU=Users,DC=location,DC=company,DC=com?sAMAccountName?sub
if not
ldap://192.168.1.25:389/DC=location,DC=company,DC=com?sAMAccountName?sub
posted by mkultra at 9:20 AM on November 2, 2004
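An added example (not code from anyone in this thread) that makes the two points above concrete: the AuthLDAPURL is an RFC 2255-style LDAP URL whose fields are host[:port]/basedn?attribute?scope?filter, and the base DN is a comma-separated list of RDNs, so a "/" inside it (as in CN=schema/CN=configuration/OU=Users,...) means two DN fragments were glued together. The script parses a URL into those fields, flags DN problems, and builds an httpd 2.0 mod_auth_ldap block for Active Directory. Two AD facts the thread's advice does not cover: AD users are found by sAMAccountName (uid is normally empty), and AD by default refuses anonymous searches, so the lookup step that runs before the user's own bind needs an AuthLDAPBindDN (a UPN such as user@domain is accepted for a simple bind). The "Operations error" on an anonymous search is the usual symptom. Everything concrete here is assumed for illustration: the dc1.location.company.com host, the DC=location,DC=company,DC=com naming context, the default CN=Users container and the svc-apache account; the directive names are the httpd 2.0 ones used in the thread.

```python
"""Parse and sanity-check an Apache mod_auth_ldap AuthLDAPURL, and build an
httpd 2.0 auth block for Active Directory.

Added example for this thread; hostnames, the naming context
DC=location,DC=company,DC=com, the CN=Users container and the svc-apache
account are assumptions, not values from the original posts.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    attribute: str
    scope: str
    filter: str


def parse_ldap_url(url: str) -> LdapUrl:
    """Split scheme://host[:port]/basedn?attribute?scope?filter.
    Defaults are the mod_auth_ldap ones: attribute uid, scope sub,
    filter (objectClass=*); port 389 for ldap, 636 for ldaps."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("scheme must be ldap:// or ldaps://")
    hostport, slash, tail = rest.partition("/")
    if not slash:
        raise ValueError("no '/' after the host, so there is no base DN")
    host, _, port_text = hostport.partition(":")
    port = int(port_text) if port_text else (636 if scheme == "ldaps" else 389)
    fields = tail.split("?")
    if len(fields) > 4:
        raise ValueError("too many '?' separators (basedn?attribute?scope?filter)")
    fields += [""] * (4 - len(fields))
    base_dn, attribute, scope, filt = (unquote(f) for f in fields)
    return LdapUrl(scheme, host, port, base_dn,
                   attribute or "uid", scope or "sub", filt or "(objectClass=*)")


def dn_problems(dn: str) -> list[str]:
    """Problems with a base DN.  RDNs are separated by commas; a '/' means
    path-style fragments were glued together.  Escaped commas (\\,) are
    honoured, which is enough for a sanity check."""
    problems = []
    if not dn:
        return ["empty base DN: nothing below the root DSE is searched"]
    if "/" in dn:
        problems.append("'/' inside the DN: RDNs are separated by ',' not '/'")
    for rdn in re.split(r"(?<!\\),", dn):
        attr, eq, value = rdn.partition("=")
        if not eq or not attr.strip() or not value.strip():
            problems.append(f"malformed RDN {rdn!r}: expected type=value")
    return problems


def check_ad_url(url: str, has_bind_dn: bool) -> list[str]:
    """DN problems plus the checks that matter when the server is AD."""
    u = parse_ldap_url(url)
    problems = dn_problems(u.base_dn)
    if u.scope not in ("one", "sub"):
        problems.append(f"scope {u.scope!r}: mod_auth_ldap supports only one or sub")
    if u.attribute == "uid":
        problems.append("attribute uid is normally empty on AD users; use sAMAccountName")
    if not has_bind_dn:
        problems.append("no AuthLDAPBindDN: AD refuses anonymous searches by default, "
                        "so the user lookup fails before the user's own bind")
    return problems


def build_ad_auth_block(host: str, naming_context: str, bind_upn: str,
                        bind_password: str, users_container: str = "CN=Users",
                        auth_name: str = "Mefi LDAP") -> str:
    """httpd 2.0 mod_auth_ldap directives for Basic auth against AD.
    mod_auth_ldap searches the base for sAMAccountName=<login>, then binds
    as the DN it found with the browser-supplied password.  The bind
    password sits in cleartext in httpd.conf, so use a dedicated
    low-privilege account and keep the file unreadable to other users."""
    url = (f"ldap://{host}/{users_container},{naming_context}"
           "?sAMAccountName?sub?(objectClass=user)")
    return "\n".join([
        "AuthLDAPEnabled on",
        f"AuthLDAPURL {url}",
        f"AuthLDAPBindDN {bind_upn}",
        f"AuthLDAPBindPassword {bind_password}",
        "AuthType Basic",
        f'AuthName "{auth_name}"',
        "require valid-user",
    ])


if __name__ == "__main__":
    # Constructed inputs: the poster's URL and a corrected AD block.
    posted = ("ldap://192.168.1.25:389/CN=schema/CN=configuration/"
              "OU=Users,DC=location,DC=company,DC=com?sAMAccountName?sub")
    for p in check_ad_url(posted, has_bind_dn=False):
        print("problem:", p)
    print(build_ad_auth_block("dc1.location.company.com",
                              "DC=location,DC=company,DC=com",
                              "svc-apache@location.company.com", "s3cret"))
```

Run it to see the two problems the posted URL has (the "/" in the DN and the missing bind identity) and the corrected block. The bind DN in the poster's config (uid=username,dc=company,dc=com) would also need to be an object that actually exists in AD; a UPN sidesteps that.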
Response by poster: I cut it back to the barest-bones example above. It's still not working, but it's throwing the exact same error as above, so I feel more comfortable working with that. Honestly, there's a decent chance our IT has a completely screwed up AD; it's not used for anything other than saying "We have ActiveDirectory set up" at this point, so I think that's my next step.
There's nothing to apologize for here. Thanks for the help.
posted by yerfatma at 10:01 AM on November 2, 2004
posted by j.edwards at 4:51 PM on November 1, 2004