Authenticating Apache against Active Directory

  • 31-08-2009 11:58am
    #1
    Moderators, Music Moderators Posts: 23,362 Mod ✭✭✭✭


    I've been racking my brains over this for the past week or so and I still haven't managed to get it right. I'm trying to get Apache to authenticate against my AD domain and then to check if the user is a member of a group or not. If they are, allow them access.

    This is my ldap.conf file:
    <Location /private>
            AuthName "Protected Page"
            AuthType Basic
            AuthBasicProvider ldap
            AuthzLDAPAuthoritative on
            AuthLDAPUrl "ldap://global-catalogue.domain.com:3268/dc=com,dc=domain?sAMAccountName"
            AuthLDAPBindDN "apache@domain.com"
            AuthLDAPBindPassword "{P@55w0rd}"
            AuthLDAPGroupAttribute memberOf
            AuthLDAPGroupAttributeIsDN on
            Require ldap-group CN=Admins,CN=Users,DC=domain,DC=com
            allow from all
    </Location>


    It seems that it can't find the memberOf attribute in the group:
    [Mon Aug 31 11:57:11 2009] [debug] mod_authnz_ldap.c(713): [client xx.xxx.xxx.xxx] [21441] auth_ldap authorise: require group "CN=Admins,CN=Users,DC=domain,DC=com": authorisation failed [Comparison no such attribute (adding to cache)][No such attribute]
    [Mon Aug 31 11:57:11 2009] [debug] mod_authnz_ldap.c(826): [client xx.xxx.xxx.xxx] [21441] auth_ldap authorise: authorisation denied
    

    It's driving me up the wall. Anyone have any ideas?


Comments

  • Moderators, Music Moderators Posts: 23,362 Mod ✭✭✭✭feylya


    Everyone as confused as I am? I think it's something to do with getting the uid for the user from AD and comparing that to memberUID in the groups but I can't get the uid for the user for some reason.


  • Registered Users, Registered Users 2 Posts: 6,762 ✭✭✭WizZard


    Have you tried using just "member" instead of "memberOf"?

    (I don't have an LDAP server handy so can't verify anything myself :()


  • Moderators, Music Moderators Posts: 23,362 Mod ✭✭✭✭feylya


    Yup, tried member, memberof, memberuid... At the moment, I'm using an ldap filter to get a user that is a user but also a member of the group. Remove the use of ldap-group. No luck so far :(


  • Registered Users, Registered Users 2 Posts: 6,762 ✭✭✭WizZard


    Can you see/export what is stored in the LDAP record for the group and user?

    Maybe try using the GID instead?
    Require ldap-attribute gidNumber=XX
    


  • Moderators, Music Moderators Posts: 23,362 Mod ✭✭✭✭feylya


    It's finding the group fine. It just can't compare attributes from the user account to its members
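    As an added illustration (not code from this thread, from Apache or from mod_authnz_ldap), the Python script below models the LDAP compare operation that mod_authnz_ldap issues for the two directives discussed here: Require ldap-group compares the user's DN against the group entry's AuthLDAPGroupAttribute, while Require ldap-attribute compares a value against the authenticated user's own entry. The directory, the user and group DNs and the sAMAccountName values are constructed for the example; the layout follows the Active Directory convention that a group object lists its members in "member" and each user carries the back-link "memberOf". DN matching is simplified to a case-insensitive string comparison.

```python
# Added illustration; a model of mod_authnz_ldap's compare calls, not its code.
from typing import Dict, List

# Constructed sample directory: DN -> {attribute: [values]}.
# Group objects hold "member"; user objects hold the back-link "memberOf".
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=Admins,CN=Users,DC=domain,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=Alice,CN=Users,DC=domain,DC=com"],
    },
    "CN=Alice,CN=Users,DC=domain,DC=com": {
        "objectClass": ["user"],
        "sAMAccountName": ["alice"],
        "memberOf": ["CN=Admins,CN=Users,DC=domain,DC=com"],
    },
    "CN=Bob,CN=Users,DC=domain,DC=com": {
        "objectClass": ["user"],
        "sAMAccountName": ["bob"],
    },
}

# LDAP compare result codes (names after RFC 4511 resultCode values).
COMPARE_TRUE = "compareTrue"
COMPARE_FALSE = "compareFalse"
NO_SUCH_ATTRIBUTE = "noSuchAttribute"   # the result the poster's log reports
NO_SUCH_OBJECT = "noSuchObject"


def ldap_compare(dn: str, attribute: str, value: str) -> str:
    """Model of the LDAP compare operation against one entry.

    Attribute names are case-insensitive in LDAP; DN values are compared
    case-insensitively here as a simplification of the real DN matching rule.
    """
    entry = DIRECTORY.get(dn)
    if entry is None:
        return NO_SUCH_OBJECT
    for attr, values in entry.items():
        if attr.lower() == attribute.lower():
            if any(v.lower() == value.lower() for v in values):
                return COMPARE_TRUE
            return COMPARE_FALSE
    # The entry exists but carries no attribute of that name.
    return NO_SUCH_ATTRIBUTE


def require_ldap_group(user_dn: str, group_dn: str, group_attribute: str) -> str:
    """Models 'Require ldap-group <group_dn>' with AuthLDAPGroupAttributeIsDN on:
    the module asks whether the GROUP entry's group_attribute holds the user's DN."""
    return ldap_compare(group_dn, group_attribute, user_dn)


def require_ldap_attribute(user_dn: str, attribute: str, value: str) -> str:
    """Models 'Require ldap-attribute <attribute>=<value>': the compare is issued
    against the authenticated USER's entry, not against any group."""
    return ldap_compare(user_dn, attribute, value)


if __name__ == "__main__":
    alice = "CN=Alice,CN=Users,DC=domain,DC=com"
    admins = "CN=Admins,CN=Users,DC=domain,DC=com"
    # memberOf is a user-side attribute; asking the group for it fails as
    # "no such attribute", which is what the thread's debug log shows.
    print("memberOf on group:", require_ldap_group(alice, admins, "memberOf"))
    # The group's own membership list is "member".
    print("member on group:  ", require_ldap_group(alice, admins, "member"))
    # The same membership question asked of the user's entry instead.
    print("memberOf on user: ", require_ldap_attribute(alice, "memberOf", admins))
```

    Running the script prints the three outcomes; the first reproduces the [No such attribute] result seen in the log, because the compare is sent to the group entry and that entry has no attribute called memberOf. The second and third show the two places the same membership fact can be read from: the group's member attribute (ldap-group) or the user's memberOf back-link (ldap-attribute).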

