David Nalley
2007-Oct-25 19:21 UTC
[CentOS] apache mod_authnz_ldap against Active Directory
Hey guys, I am running CentOS 5 with httpd 2.2.3. I am trying to configure mod_authnz_ldap authing against Active Directory and I have it working about 50% of the time. About 50% of the time this works with no issue, the rest of the time it fails.

Sometimes it fails and notes the following in the error log:

[Mon Oct 22 15:58:03 2007] [debug] mod_authnz_ldap.c(373): [client 10.XXX.XX.XXX] [13379] auth_ldap authenticate: using URL ldap://10.XX.XX.XXX:389/DC=centos,DC=org?sAMAccountName?sub?(objectClass=*)
[Mon Oct 22 15:58:03 2007] [warn] [client 10.xxx.xx.xxx] [13379] auth_ldap authenticate: user special authentication failed; URI /logo.gif [ldap_search_ext_s() for user failed][Operations error]

Other times it prints the following, but nothing after that (and CPU usage skyrockets to 100% of a single CPU):

[Mon Oct 22 16:08:11 2007] [debug] mod_authnz_ldap.c(373): [client 10.XX.XXX.XX] [13437] auth_ldap authenticate: using URL ldap://10.XX.X.XXX:389/DC=centos,DC=org?sAMAccountName?sub?(objectClass=*)

In capturing the packets I see that it binds successfully several times and then tries to authenticate. The AD box returns:

LDAPMessage searchResDone(5) operationsError (00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece) [0 results]

None of the binds that occur in the capture failed though (all the bind responses reported success).

The appropriate (anonymized) lines from httpd.conf are:

<Location /logo.gif> # <--- change path as needed
    Order allow,deny
    Allow from all
    AuthBasicProvider ldap
    AuthType Basic
    AuthzLdapAuthoritative off
    AuthName "BackupPC login"
    AuthLDAPBindDN ldapb@centos.org
    AuthLDAPBindPassword myformerlysecretpasswordpostedtoworld
    AuthLDAPURL "ldap://10.XX.XX.XXX:389/DC=centos,DC=org?sAMAccountName?sub?(objectClass=*)" NONE
    require valid-user
</Location>

I have debug turned on.

On startup I get:

[root@backuppc httpd]# service httpd start
Starting httpd: [Mon Oct 22 15:53:31 2007] [debug] mod_authnz_ldap.c(849): [13375] auth_ldap url parse: `ldap://10.XX.X.XXX:389/DC=centos,DC=org?sAMAccountName?sub?(objectClass=*)'
[Mon Oct 22 15:53:31 2007] [debug] mod_authnz_ldap.c(858): [13375] auth_ldap url parse: Host: 10.XX.XX.XXX:389
[Mon Oct 22 15:53:31 2007] [debug] mod_authnz_ldap.c(860): [13375] auth_ldap url parse: Port: 389
[Mon Oct 22 15:53:31 2007] [debug] mod_authnz_ldap.c(862): [13375] auth_ldap url parse: DN: DC=centos,DC=org
[Mon Oct 22 15:53:31 2007] [debug] mod_authnz_ldap.c(864): [13375] auth_ldap url parse: attrib: sAMAccountName
[Mon Oct 22 15:53:31 2007] [debug] mod_authnz_ldap.c(866): [13375] auth_ldap url parse: scope: subtree
[Mon Oct 22 15:53:31 2007] [debug] mod_authnz_ldap.c(871): [13375] auth_ldap url parse: filter: (objectClass=*)
[Mon Oct 22 15:53:31 2007] [debug] mod_authnz_ldap.c(951): LDAP: auth_ldap not using SSL connections
[ OK ]
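The post describes two distinct failure modes in the same error log: a search that is rejected by AD with "Operations error", and an attempt that logs "using URL" and then nothing (the worker sitting at 100% CPU). When you are trying to work out how often each one happens, grouping the mod_authnz_ldap lines per worker pid and checking whether each "using URL" ever gets an outcome line is more reliable than reading the log by eye. The script below is an added triage example, not part of the original post or of Apache; the log lines it contains are constructed to match the format quoted above (addresses and pids made up), and the "accepting ..." debug line for the success case is assumed from mod_authnz_ldap's normal output rather than taken from the post.

```python
import re

# Constructed sample log modelled on the mod_authnz_ldap lines quoted in the post.
# Addresses and pids are made up; the "accepting" line is an assumed success case.
SAMPLE_LOG = """\
[Mon Oct 22 15:58:03 2007] [debug] mod_authnz_ldap.c(373): [client 10.0.0.1] [13379] auth_ldap authenticate: using URL ldap://10.0.0.2:389/DC=centos,DC=org?sAMAccountName?sub?(objectClass=*)
[Mon Oct 22 15:58:03 2007] [warn] [client 10.0.0.1] [13379] auth_ldap authenticate: user special authentication failed; URI /logo.gif [ldap_search_ext_s() for user failed][Operations error]
[Mon Oct 22 16:08:11 2007] [debug] mod_authnz_ldap.c(373): [client 10.0.0.1] [13437] auth_ldap authenticate: using URL ldap://10.0.0.2:389/DC=centos,DC=org?sAMAccountName?sub?(objectClass=*)
[Mon Oct 22 16:09:40 2007] [debug] mod_authnz_ldap.c(373): [client 10.0.0.1] [13440] auth_ldap authenticate: using URL ldap://10.0.0.2:389/DC=centos,DC=org?sAMAccountName?sub?(objectClass=*)
[Mon Oct 22 16:09:40 2007] [debug] mod_authnz_ldap.c(421): [client 10.0.0.1] [13440] auth_ldap authenticate: accepting special
"""

# Matches both the [debug] lines (which carry the mod_authnz_ldap.c(NNN): tag)
# and the [warn] lines (which do not). The bracketed number after the client
# address is the worker pid that mod_authnz_ldap logs on every line.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:mod_authnz_ldap\.c\(\d+\): )?"
    r"\[client (?P<client>[^\]]+)\] \[(?P<pid>\d+)\] auth_ldap authenticate: (?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict with ts/level/client/pid/msg/event for an auth_ldap line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    msg = rec["msg"]
    if msg.startswith("using URL"):
        rec["event"] = "start"          # an authentication attempt begins
    elif "authentication failed" in msg:
        rec["event"] = "failed"         # mod_authnz_ldap gave up on this attempt
    elif msg.startswith("accepting"):
        rec["event"] = "ok"             # attempt succeeded
    else:
        rec["event"] = "other"
    rec["ops_error"] = "Operations error" in msg
    return rec


def triage(log_text):
    """Group attempts per worker pid and classify how each one ended.

    Under prefork one pid serves one request at a time, so a 'using URL' line
    followed by another 'using URL' (or end of log) from the same pid with no
    outcome in between is an attempt that never finished: the hang the post
    describes. Under the worker MPM this per-pid pairing is only approximate.
    """
    open_attempts = {}   # pid -> start record of an attempt with no outcome yet
    result = {"ok": [], "operations_error": [], "other_failure": [], "unresolved": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        pid = rec["pid"]
        if rec["event"] == "start":
            if pid in open_attempts:
                result["unresolved"].append(open_attempts[pid])
            open_attempts[pid] = {"pid": pid, "ts": rec["ts"], "client": rec["client"]}
        elif rec["event"] in ("failed", "ok"):
            start = open_attempts.pop(pid, None)
            entry = {
                "pid": pid,
                "ts": rec["ts"],
                "client": rec["client"],
                "started": start["ts"] if start else None,
            }
            if rec["event"] == "ok":
                result["ok"].append(entry)
            elif rec["ops_error"]:
                result["operations_error"].append(entry)
            else:
                result["other_failure"].append(entry)
    # Anything still open when the log ends never produced an outcome line.
    result["unresolved"].extend(open_attempts.values())
    return result


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for bucket, entries in summary.items():
        print(f"{bucket:17s} {len(entries)}")
        for e in entries:
            print(f"    pid {e['pid']} client {e['client']} at {e['ts']}")
```

Run it against the real error_log instead of SAMPLE_LOG and the "unresolved" bucket gives you the pids to look at with `strace -p` or a thread dump while they are still spinning, and the ratio between "ok" and "operations_error" tells you whether the AD "successful bind must be completed" rejection tracks particular workers or is spread evenly across them.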