I'm using Centos / RHEL 5.2 using the stock LDAP.. I'm trying to get Apache to authenticate with my LDAP server... Using other client software I can bind as the user 'bob'.
Here is my Apache config:
<VirtualHost *:443>
    ServerName addressbook-stage.acme.com
    AllowEncodedSlashes on
    ProxyPass / http://domu-140.acme.com/
    ProxyPassReverse / http://domu-140.acme.com/
    <Proxy *>
        allow from all
    </Proxy>
    <Location />
        AuthType Basic
        AuthName "Login with your Acme ID"
        #AuthLDAPEnabled on
        AuthBasicProvider ldap
        AuthLDAPURL ldap://192.168.150.140:389/ou=People,dc=acme,dc=com
        AuthLDAPBindDN uid=root,ou=People,dc=acme,dc=com
        AuthLDAPBindPassword passwd
        #require group cn=it,ou=groups,dc=acme,dc=com
        require valid-user bob
    </Location>
</VirtualHost>
Here is my LDAP config:
access to attrs=userPassword
    by anonymous auth
    by self write
    by * none

# private LDAP Addressbook is readable and writable for the owner only
access to dn.regex="(.*,)?ou=Contacts,uid=([^,]+),ou=People,(.*)$"
    by dn.regex="uid=$2,ou=People,$3" write
    by * none

# global LDAP Addressbook is writable for all authenticated users
# This entry has to be _before_ any other entry that matches the contact
# tree eg. the * entry
access to dn.subtree="ou=Contacts,dc=acme,dc=com"
    by users write
    by users read

# The admin dn has full write access
access to *
    by users read
    by peername="IP=192.168.150.5" read
Here is the error from OpenLDAP:
Aug 24 03:57:06 localhost slapd[23856]: conn=2 fd=14 ACCEPT from IP=192.168.150.5:59041 (IP=0.0.0.0:389)
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" method=128
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=0 RESULT tag=97 err=0 text=
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=1 SRCH base="ou=People,dc=acme,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=bob))"
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 BIND anonymous mech=implicit ssf=0
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" method=128
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 RESULT tag=97 err=0 text=
Aug 24 03:57:37 localhost slapd[23856]: conn=3 fd=17 ACCEPT from IP=192.168.150.5:59042 (IP=0.0.0.0:389)
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" method=128
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=0 RESULT tag=97 err=0 text=
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=1 SRCH base="ou=People,dc=acme,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=bmason))"
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=2 BIND anonymous mech=implicit ssf=0
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" method=128
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=2 RESULT tag=97 err=0 text=
Michael March wrote:
I'm using Centos / RHEL 5.2 using the stock LDAP.. I'm trying to get Apache to authenticate with my LDAP server... Using other client software I can bind as the user 'bob'.
Here is my Apache config:
Here is the error from OpenLDAP:
In all of these log messages the result is consistently "err=0", which means Success. So I don't see any error here; it seems to be a problem with your Apache config.
Here is my Apache error log:
[Mon Aug 24 03:56:55 2009] [warn] [client 5.5.5.5] [26803] auth_ldap authenticate: user bob authentication failed; URI / [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Mon Aug 24 03:56:55 2009] [error] [client 5.5.5.5] user bob: authentication failure for "/": Password Mismatch
On Mon, Aug 24, 2009 at 1:29 AM, Howard Chu hyc@symas.com wrote:
Michael March wrote:
I'm using Centos / RHEL 5.2 using the stock LDAP.. I'm trying to get Apache to authenticate with my LDAP server... Using other client software I can bind as the user 'bob'.
Here is my Apache config:
Here is the error from OpenLDAP:
In all of these log messages the result is consistently "err=0", which means Success. So I don't see any error here; it seems to be a problem with your Apache config.
--On Monday, August 24, 2009 01:36:40 AM -0700 Michael March mmarch@gmail.com wrote:
Here is my Apache error log:
[Mon Aug 24 03:56:55 2009] [warn] [client 5.5.5.5] [26803] auth_ldap authenticate: user bob authentication failed; URI / [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Mon Aug 24 03:56:55 2009] [error] [client 5.5.5.5] user bob: authentication failure for "/": Password Mismatch
Well, I still don't get why you think this is an OpenLDAP problem. If the bind is failing it should be in the ldap log. But it doesn't seem like you have matched up the Apache log with the ldap log, unless the clocks on your systems are off.
Bill
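Bill's point about lining the two logs up, as an added example that is not part of the thread: the script parses slapd stats-level lines in the format quoted above, pairs every BIND with the BindResponse (tag=97) for the same conn/op, and lists the binds that did not come back err=0. The sample log is constructed; it repeats two binds from the thread and adds one on an earlier connection that returned err=49 (invalidCredentials), which is what a "Password Mismatch" on the Apache side would leave behind in slapd.

```python
import re

# Matches the slapd "stats" loglevel lines quoted in the thread; only the
# fields the correlation needs are captured.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: "
                     r"conn=(?P<conn>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" mech=(?P<mech>\S+)')
RESULT_RE = re.compile(r"op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")

# Constructed sample: two successful binds as in the thread, plus one bind on
# an earlier connection that returned err=49 (invalidCredentials), which is
# what a "Password Mismatch" on the Apache side should produce in slapd.
SAMPLE_LOG = """\
Aug 24 03:56:55 localhost slapd[23856]: conn=1 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:56:55 localhost slapd[23856]: conn=1 op=2 RESULT tag=97 err=49 text=
Aug 24 03:57:06 localhost slapd[23856]: conn=2 fd=14 ACCEPT from IP=192.168.150.5:59041 (IP=0.0.0.0:389)
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" method=128
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=0 RESULT tag=97 err=0 text=
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 BIND anonymous mech=implicit ssf=0
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0
Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 RESULT tag=97 err=0 text=
"""

def bind_results(log_text):
    """Pair every BIND with the RESULT for the same (conn, op) and return the
    binds in connection/op order. err=0 is success, err=49 invalidCredentials;
    a bind with err=None never got a logged result."""
    binds = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = int(m.group("conn")), m.group("rest")
        b = BIND_RE.search(rest)          # only the "mech=" line names the DN
        if b:
            binds[(conn, int(b.group("op")))] = {
                "ts": m.group("ts"), "conn": conn, "op": int(b.group("op")),
                "dn": b.group("dn"), "mech": b.group("mech"), "err": None}
            continue
        r = RESULT_RE.search(rest)        # tag=97 is a BindResponse
        if r and (conn, int(r.group("op"))) in binds:
            binds[(conn, int(r.group("op")))]["err"] = int(r.group("err"))
    return [binds[k] for k in sorted(binds)]

def failed_binds(log_text):
    """Binds whose BindResponse was not err=0, or that have no response."""
    return [b for b in bind_results(log_text) if b["err"] != 0]

if __name__ == "__main__":
    for b in bind_results(SAMPLE_LOG):
        status = "OK" if b["err"] == 0 else "FAILED err=%s" % b["err"]
        print("%s conn=%d op=%d %s: %s" % (b["ts"], b["conn"], b["op"], b["dn"], status))
```

Run it against the real slapd log and compare the timestamps of the FAILED lines with the Apache error log; if the Apache failure has no matching err=49 bind at roughly the same second, Apache never reached this server with that password.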
Yeah.. that was the problem..
Thanks!
On Mon, Aug 24, 2009 at 3:34 AM, Jonathan Clarke jonathan@phillipoux.net wrote:
On 24/08/2009 10:15, Michael March wrote:
require valid-user bob
As indicated by others, this is more of an Apache problem than an OpenLDAP problem.
This line indicates you may be confusing "require valid-user" and "require ldap-user X"?
Jonathan
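A small checker for the mistake Jonathan points at, added here and not part of the thread: in Apache 2.2 `Require valid-user` takes no names, so the trailing `bob` is ignored and every user who can bind is let in, where `Require ldap-user bob` restricts access to that one account. The audit function below is my own; it walks a `<Location>` block (the constructed sample repeats the one from the first post) and reports the ignored name, a `require group`/`require user` used with the ldap provider, and an `AuthLDAPURL` that uses plain `ldap://`.

```python
# Constructed sample: the <Location> from the thread, with the line Jonathan
# pointed at ("require valid-user bob"), and the same block with the fix.
BROKEN = """\
<Location />
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPURL ldap://192.168.150.140:389/ou=People,dc=acme,dc=com
  AuthLDAPBindDN uid=root,ou=People,dc=acme,dc=com
  AuthLDAPBindPassword passwd
  #require group cn=it,ou=groups,dc=acme,dc=com
  require valid-user bob
</Location>
"""
FIXED = BROKEN.replace("require valid-user bob", "Require ldap-user bob")

def _directives(config_text):
    """Yield (line_no, lowercased directive, args) for non-comment lines;
    Apache directive names are case-insensitive."""
    for n, raw in enumerate(config_text.splitlines(), 1):
        tokens = raw.strip().split()
        if tokens and not tokens[0].startswith("#"):
            yield n, tokens[0].lower(), tokens[1:]

def audit_require(config_text):
    """Return [(line_no, finding)] for access-control mistakes in a block
    that authenticates with AuthBasicProvider ldap (hypothetical checker)."""
    lines = list(_directives(config_text))
    uses_ldap = any(d == "authbasicprovider" and "ldap" in [a.lower() for a in args]
                    for _, d, args in lines)
    findings = []
    for n, d, args in lines:
        if d == "require" and args:
            kind, rest = args[0].lower(), args[1:]
            if kind == "valid-user" and rest:
                findings.append((n, "valid-user takes no names; %r is ignored and "
                                    "every user who can bind is let in" % " ".join(rest)))
            elif uses_ldap and kind in ("user", "group"):
                findings.append((n, "with the ldap provider this should be ldap-%s" % kind))
            elif kind.startswith("ldap-") and not rest:
                findings.append((n, "%s needs at least one argument" % kind))
        elif d == "authldapurl" and args and args[0].strip('"').lower().startswith("ldap://"):
            findings.append((n, "ldap:// without TLS sends the bind DN password and "
                                "every user's password in clear text"))
    return findings
```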
I am using the following conf on apache and it works fine.
AuthName " Users Only"
AuthBasicProvider ldap
AuthLDAPURL "ldap://xena.research.phg.com.au/ou=People,dc=research,dc=dbc,dc=com,dc=au?uid"
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
#AuthzLDAPAuthoritative off
#require valid-user
require ldap-group cn=svnusers,ou=group,dc=res,dc=dbc,dc=com,dc=au
#require ldap-user peter
Regards
Nazeer

________________________________
From: openldap-technical-bounces+nazeerm=phg.com.au@OpenLDAP.org [mailto:openldap-technical-bounces+nazeerm=phg.com.au@OpenLDAP.org] On Behalf Of Michael March
Sent: Monday, 24 August 2009 6:16 PM
To: openldap-technical@openldap.org
Subject: Not able to authenticate Apache against OpenLDAP