I am using the following conf on Apache and it works fine.
AuthName " Users Only"
AuthBasicProvider ldap
AuthLDAPURL "ldap://xena.research.phg.com.au/ou=People,dc=research,dc=dbc,dc=com,dc=au?uid"
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
#AuthzLDAPAuthoritative off
#require valid-user
require ldap-group cn=svnusers,ou=group,dc=res,dc=dbc,dc=com,dc=au
#require ldap-user peter
Regards
Nazeer

________________________________
From: openldap-technical-bounces+nazeerm=phg.com.au@OpenLDAP.org [mailto:openldap-technical-bounces+nazeerm=phg.com.au@OpenLDAP.org] On Behalf Of Michael March
Sent: Monday, 24 August 2009 6:16 PM
To: openldap-technical@openldap.org
Subject: Not able to authenticate Apache against OpenLDAP
I'm using CentOS / RHEL 5.2 with the stock LDAP. I'm trying to get Apache to authenticate against my LDAP server. Using other client software I can bind as the user 'bob'.
Here is my Apache config:
<VirtualHost *:443>
    ServerName addressbook-stage.acme.com
    AllowEncodedSlashes on
    ProxyPass / http://domu-140.acme.com/
    ProxyPassReverse / http://domu-140.acme.com/
    <Proxy *>
        allow from all
    </Proxy>
    <Location />
        AuthType Basic
        AuthName "Login with your Acme ID"
        #AuthLDAPEnabled on
        AuthBasicProvider ldap
        AuthLDAPURL ldap://192.168.150.140:389/ou=People,dc=acme,dc=com
        AuthLDAPBindDN uid=root,ou=People,dc=acme,dc=com
        AuthLDAPBindPassword passwd
        #require group cn=it,ou=groups,dc=acme,dc=com
        require valid-user bob
    </Location>
</VirtualHost>
Here is my LDAP config:
access to attrs=userPassword
    by anonymous auth
    by self write
    by * none

# private LDAP Addressbook is readable and writable for the owner only
access to dn.regex="(.*,)?ou=Contacts,uid=([^,]+),ou=People,(.*)$"
    by dn.regex="uid=$2,ou=People,$3" write
    by * none

# global LDAP Addressbook is writable for all authenticated users
# This entry has to be _before_ any other entry that matches the contact
# tree eg. the * entry
access to dn.subtree="ou=Contacts,dc=acme,dc=com"
    by users write
    by users read

# The admin dn has full write access
access to *
    by users read
    by peername="IP=192.168.150.5" read
Here is the error from OpenLDAP:
Aug 24 03:57:06 localhost slapd[23856]: conn=2 fd=14 ACCEPT from IP=192.168.150.5:59041 (IP=0.0.0.0:389)
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" method=128
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=0 RESULT tag=97 err=0 text=
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=1 SRCH base="ou=People,dc=acme,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=bob))"
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 BIND anonymous mech=implicit ssf=0
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" method=128
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 RESULT tag=97 err=0 text=
Aug 24 03:57:37 localhost slapd[23856]: conn=3 fd=17 ACCEPT from IP=192.168.150.5:59042 (IP=0.0.0.0:389)
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" method=128
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=0 RESULT tag=97 err=0 text=
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=1 SRCH base="ou=People,dc=acme,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=bmason))"
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=2 BIND anonymous mech=implicit ssf=0
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" method=128
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=2 RESULT tag=97 err=0 text=
--
<admiral>
Michael F. March ----- mmarch@gmail.com
Ph: (415)462-1910 ---- Fax: (602)296-0400
P.O. Box 2254 ---- Phoenix, AZ 85002-2254
"Seriously" - HSR
*************************************************************************** CAUTION: This email message and accompanying data may contain information that is confidential and/or subject to legal privilege. If you are not the intended recipient, you are notified that any use, dissemination, distribution or copying of this message or data is prohibited. If you have received this email message in error, please notify us immediately and erase all copies of this message and attachments. Thank you. ***************************************************************************
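A note on reading slapd logs like the ones quoted above. mod_authnz_ldap does three things per request: it binds as AuthLDAPBindDN, searches the base for the uid from the Basic-auth header, then rebinds as the DN it found using the password the browser sent. tag=97 is a BindResponse, so `RESULT tag=97 err=0` on that second bind means the directory accepted the credentials; err=49 (invalidCredentials) means it did not, and nentries=0 on the search means the uid was never found. The script below is an added example, not part of the thread and not an OpenLDAP or Apache tool; it correlates conn/op numbers in a slapd log and reports the outcome of each round-trip. The sample lines are constructed: conn=2 copies the posted round-trip for bob, while conn=4 and conn=5 are invented to show an unknown uid and a wrong password.

```python
import re

# Constructed sample log, modelled on the slapd lines quoted in the thread.
# conn=2 mirrors the posted round-trip for 'bob'; conn=4 and conn=5 are made-up
# connections that show the two failure modes (unknown uid, bad password).
SAMPLE_LOG = """\
Aug 24 03:57:06 localhost slapd[23856]: conn=2 fd=14 ACCEPT from IP=192.168.150.5:59041 (IP=0.0.0.0:389)
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" method=128
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=0 RESULT tag=97 err=0 text=
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=1 SRCH base="ou=People,dc=acme,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=bob))"
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 BIND anonymous mech=implicit ssf=0
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" method=128
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 RESULT tag=97 err=0 text=
Aug 24 03:58:10 localhost slapd[23856]: conn=4 fd=18 ACCEPT from IP=192.168.150.5:59050 (IP=0.0.0.0:389)
Aug 24 03:58:10 localhost slapd[23856]: conn=4 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" method=128
Aug 24 03:58:10 localhost slapd[23856]: conn=4 op=0 RESULT tag=97 err=0 text=
Aug 24 03:58:10 localhost slapd[23856]: conn=4 op=1 SRCH base="ou=People,dc=acme,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=mallory))"
Aug 24 03:58:10 localhost slapd[23856]: conn=4 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Aug 24 03:58:20 localhost slapd[23856]: conn=5 fd=19 ACCEPT from IP=192.168.150.5:59051 (IP=0.0.0.0:389)
Aug 24 03:58:20 localhost slapd[23856]: conn=5 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" method=128
Aug 24 03:58:20 localhost slapd[23856]: conn=5 op=0 RESULT tag=97 err=0 text=
Aug 24 03:58:20 localhost slapd[23856]: conn=5 op=1 SRCH base="ou=People,dc=acme,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=bob))"
Aug 24 03:58:20 localhost slapd[23856]: conn=5 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 24 03:58:20 localhost slapd[23856]: conn=5 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" method=128
Aug 24 03:58:20 localhost slapd[23856]: conn=5 op=2 RESULT tag=97 err=49 text=
"""

LINE_RE = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) (.*)$')
DN_RE = re.compile(r'dn="([^"]*)"')
ERR_RE = re.compile(r'\berr=(\d+)')
NENTRIES_RE = re.compile(r'\bnentries=(\d+)')
FILTER_RE = re.compile(r'filter="([^"]*)"')

# LDAP resultCode values that matter for a bind (RFC 4511 appendix A).
LDAP_RESULT_CODES = {0: "success", 32: "noSuchObject",
                     49: "invalidCredentials", 50: "insufficientAccessRights"}


def parse_ops(log_text):
    """Group log lines by connection and operation: {conn: {op: fields}}."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ACCEPT/UNBIND/closed lines carry no op number
        conn, op, rest = int(m.group(1)), int(m.group(2)), m.group(3)
        entry = conns.setdefault(conn, {}).setdefault(
            op, {"kind": None, "dn": None, "filter": None, "nentries": None, "err": None})
        if rest.startswith("BIND"):
            entry["kind"] = "BIND"
            dn = DN_RE.search(rest)  # the 'BIND anonymous mech=implicit' line has no dn
            if dn:
                entry["dn"] = dn.group(1)
        elif rest.startswith("SRCH"):
            entry["kind"] = "SRCH"
            f = FILTER_RE.search(rest)
            if f:
                entry["filter"] = f.group(1)
        elif rest.startswith("SEARCH RESULT") or rest.startswith("RESULT"):
            n = NENTRIES_RE.search(rest)
            if n:
                entry["nentries"] = int(n.group(1))
            e = ERR_RE.search(rest)
            if e:
                entry["err"] = int(e.group(1))
    return conns


def classify_connection(ops):
    """Explain one mod_authnz_ldap round-trip: service bind, uid search, user bind."""
    ordered = [ops[k] for k in sorted(ops)]
    binds = [o for o in ordered if o["kind"] == "BIND" and o["dn"]]
    searches = [o for o in ordered if o["kind"] == "SRCH"]
    if not binds:
        return {"service_dn": None, "search_filter": None, "user_dn": None, "outcome": "no bind"}
    service = binds[0]
    user = binds[1] if len(binds) > 1 else None
    result = {"service_dn": service["dn"],
              "search_filter": searches[0]["filter"] if searches else None,
              "user_dn": user["dn"] if user else None}
    if service["err"] != 0:
        result["outcome"] = "service bind failed (err=%s)" % service["err"]
    elif searches and searches[0]["nentries"] == 0:
        result["outcome"] = "user not found"
    elif user is None:
        result["outcome"] = "no user bind attempted"
    elif user["err"] == 0:
        result["outcome"] = "credentials accepted"
    else:
        result["outcome"] = "credentials rejected (err=%d %s)" % (
            user["err"], LDAP_RESULT_CODES.get(user["err"], "unknown"))
    return result


def analyze(log_text):
    """Map every connection in the log to its authentication outcome."""
    return {conn: classify_connection(ops) for conn, ops in parse_ops(log_text).items()}


if __name__ == "__main__":
    for conn, r in sorted(analyze(SAMPLE_LOG).items()):
        print("conn=%d service=%s user=%s -> %s" % (conn, r["service_dn"], r["user_dn"], r["outcome"]))
```

Run it against a real slapd log (loglevel stats) by feeding the file contents to `analyze`. When a connection ends in "credentials accepted" but the browser still gets a 401 from Apache, the authentication step has already passed and the thing to inspect is the authorization step, i.e. the `require` directives in the Location block, not the directory.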