
Authenticating Apache against Active Directory

  • 31-08-2009 11:58am
    Moderators, Music Moderators Posts: 23,361 Mod ✭✭✭✭

    I've been racking my brains over this for the past week or so and I still haven't managed to get it right. I'm trying to get Apache to authenticate against my AD domain and then to check if the user is a member of a group or not. If they are, allow them access.

    This is my ldap.conf file:
    <Location /private>
        AuthName "Protected Page"
        AuthType Basic
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative on
        AuthLDAPUrl "ldap://,dc=domain?sAMAccountName"
        AuthLDAPBindDN ""
        AuthLDAPBindPassword "{P@55w0rd}"
        AuthLDAPGroupAttribute memberOf
        AuthLDAPGroupAttributeIsDN on
        Require ldap-group CN=Admins,CN=Users,DC=domain,DC=com
        Allow from all
    </Location>

    It seems that it can't find the memberOf attribute in the group:
    [Mon Aug 31 11:57:11 2009] [debug] mod_authnz_ldap.c(713): [client] [21441] auth_ldap authorise: require group "CN=Admins,CN=Users,DC=domain,DC=com": authorisation failed [Comparison no such attribute (adding to cache)][No such attribute]
    [Mon Aug 31 11:57:11 2009] [debug] mod_authnz_ldap.c(826): [client] [21441] auth_ldap authorise: authorisation denied

    It's driving me up the wall. Anyone have any ideas?


  • Moderators, Music Moderators Posts: 23,361 Mod ✭✭✭✭ feylya

    Everyone as confused as I am? I think it's something to do with getting the uid for the user from AD and comparing that to memberUID in the groups but I can't get the uid for the user for some reason.

  • Registered Users Posts: 6,762 ✭✭✭ WizZard

    Have you tried using just "member" instead of "memberOf"?

    (I don't have an LDAP server handy so can't verify anything myself :()

  • Moderators, Music Moderators Posts: 23,361 Mod ✭✭✭✭ feylya

    Yup, tried member, memberof, memberuid... At the moment, I'm using an ldap filter to get a user that is a user but also a member of the group. Remove the use of ldap-group. No luck so far :(

  • Registered Users Posts: 6,762 ✭✭✭ WizZard

    Can you see/export what is stored in the LDAP record for the group and user?

    Maybe try using the GID instead?
    Require ldap-attribute gidNumber=XX

  • Moderators, Music Moderators Posts: 23,361 Mod ✭✭✭✭ feylya

    It's finding the group fine. It just can't compare attributes from the user account to its members.
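To make the "[Comparison no such attribute]" line in the first post concrete, here is an added example (not Apache's code and not posted by anyone in this thread) that models how mod_authnz_ldap evaluates Require ldap-group and Require ldap-attribute against a small, constructed in-memory directory. The DNs follow the ones quoted above; the users alice and bob, the DIRECTORY table, and every function name are made up for the demo. It shows the point behind WizZard's "member" suggestion: AuthLDAPGroupAttribute names an attribute that Apache reads from the group object, and an Active Directory group stores its members in member (as DNs), while memberOf exists only on the user entry. Asking the group for memberOf is therefore answered with noSuchAttribute, which is the failure the debug log records. The example also shows why AuthLDAPGroupAttributeIsDN has to stay on when member holds DNs, and the user-side alternative, Require ldap-attribute memberOf=<group DN>, which compares against the user entry instead.

```python
# Added example: a small model of how Apache's mod_authnz_ldap evaluates
# "Require ldap-group" and "Require ldap-attribute". It is not Apache code
# and talks to no server; the directory below is constructed for the demo.


class NoSuchObject(Exception):
    """LDAP result code 32: the entry does not exist."""


class NoSuchAttribute(Exception):
    """LDAP result code 16: the entry has no attribute of that name."""


def _normalise(entry):
    # LDAP attribute names are case-insensitive; store them lower-cased.
    return {name.lower(): values for name, values in entry.items()}


# Constructed directory modelled on the thread's DNs. In Active Directory
# the group object lists its members in "member" (as DNs) and the user
# object carries the reverse link in "memberOf"; the group has no memberOf.
DIRECTORY = {
    dn.lower(): _normalise(entry)
    for dn, entry in {
        "CN=Admins,CN=Users,DC=domain,DC=com": {
            "objectClass": ["top", "group"],
            "member": ["CN=alice,CN=Users,DC=domain,DC=com"],
        },
        "CN=alice,CN=Users,DC=domain,DC=com": {
            "objectClass": ["top", "person", "user"],
            "sAMAccountName": ["alice"],
            "memberOf": ["CN=Admins,CN=Users,DC=domain,DC=com"],
        },
        "CN=bob,CN=Users,DC=domain,DC=com": {
            "objectClass": ["top", "person", "user"],
            "sAMAccountName": ["bob"],
            # bob is in no group, so AD returns no memberOf attribute at all
        },
    }.items()
}


def ldap_compare(dn, attribute, value):
    """LDAP Compare (RFC 4511 section 4.10): True or False when the attribute
    exists, NoSuchAttribute when it does not. DNs and attribute names are
    matched case-insensitively, as AD does."""
    entry = DIRECTORY.get(dn.lower())
    if entry is None:
        raise NoSuchObject(dn)
    values = entry.get(attribute.lower())
    if values is None:
        raise NoSuchAttribute(attribute)
    return any(v.lower() == value.lower() for v in values)


def require_ldap_group(group_dn, user_dn, username,
                       group_attributes=("member", "uniqueMember"),
                       attribute_is_dn=True):
    """Model of 'Require ldap-group <group_dn>'. Apache asks the *group*
    entry, for each AuthLDAPGroupAttribute, whether it holds the user's DN
    (AuthLDAPGroupAttributeIsDN on) or the user's login name (off).
    Returns (granted, reason)."""
    needle = user_dn if attribute_is_dn else username
    reasons = []
    for attr in group_attributes:
        try:
            if ldap_compare(group_dn, attr, needle):
                return True, f"{attr} of {group_dn} contains {needle}"
            reasons.append(f"[Comparison false][{attr}]")
        except NoSuchAttribute:
            # This is the "[No such attribute]" the thread's debug log shows
            reasons.append(f"[Comparison no such attribute][{attr}]")
    return False, "authorisation failed " + " ".join(reasons)


def require_ldap_attribute(user_dn, attribute, value):
    """Model of 'Require ldap-attribute attribute=value': the compare is run
    against the *user* entry, so memberOf is the right attribute here."""
    try:
        return ldap_compare(user_dn, attribute, value)
    except NoSuchAttribute:
        return False


GROUP = "CN=Admins,CN=Users,DC=domain,DC=com"
ALICE = "CN=alice,CN=Users,DC=domain,DC=com"
BOB = "CN=bob,CN=Users,DC=domain,DC=com"

if __name__ == "__main__":
    # The thread's configuration: AuthLDAPGroupAttribute memberOf
    print(require_ldap_group(GROUP, ALICE, "alice", group_attributes=("memberOf",)))
    # WizZard's suggestion: AuthLDAPGroupAttribute member
    print(require_ldap_group(GROUP, ALICE, "alice", group_attributes=("member",)))
    # Same directive with AuthLDAPGroupAttributeIsDN off: AD stores DNs in
    # member, not login names, so the compare is simply false
    print(require_ldap_group(GROUP, ALICE, "alice", group_attributes=("member",),
                             attribute_is_dn=False))
    # Checking from the user side instead
    print(require_ldap_attribute(ALICE, "memberOf", GROUP))
    print(require_ldap_attribute(BOB, "memberOf", GROUP))
```

Run it directly to print the five outcomes. In the real module each compare goes over the wire to the domain controller, so two things the model cannot show still matter: the account in AuthLDAPBindDN must be allowed to read the group's member attribute for the group-side check to succeed, and the DN in the Require line has to name the group exactly as the directory stores it, or the compare never reaches the attribute at all.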
