Authenticating Apache against Active Directory

  • 31-08-2009 11:58AM
    #1
    Moderators, Music Moderators Posts: 23,363 Mod ✭✭✭✭


    I've been racking my brains over this for the past week or so and I still haven't managed to get it right. I'm trying to get Apache to authenticate against my AD domain and then to check if the user is a member of a group or not. If they are, allow them access.

    This is my ldap.conf file:
    <Location /private>
            AuthName "Protected Page"
            AuthType Basic
            AuthBasicProvider ldap
            AuthzLDAPAuthoritative on

            AuthLDAPUrl "ldap://global-catalogue.domain.com:3268/dc=com,dc=domain?sAMAccountName"

            AuthLDAPBindDN "apache@domain.com"
            AuthLDAPBindPassword "{P@55w0rd}"
            AuthLDAPGroupAttribute memberOf
            AuthLDAPGroupAttributeIsDN on
            Require ldap-group CN=Admins,CN=Users,DC=domain,DC=com
            allow from all
    </Location>


    It seems that it can't find the memberOf attribute in the group:
    [Mon Aug 31 11:57:11 2009] [debug] mod_authnz_ldap.c(713): [client xx.xxx.xxx.xxx] [21441] auth_ldap authorise: require group "CN=Admins,CN=Users,DC=domain,DC=com": authorisation failed [Comparison no such attribute (adding to cache)][No such attribute]
    [Mon Aug 31 11:57:11 2009] [debug] mod_authnz_ldap.c(826): [client xx.xxx.xxx.xxx] [21441] auth_ldap authorise: authorisation denied
    

    It's driving me up the wall. Anyone have any ideas?


Comments

  • Moderators, Music Moderators Posts: 23,363 Mod ✭✭✭✭feylya


    Everyone as confused as I am? I think it's something to do with getting the uid for the user from AD and comparing that to memberUID in the groups but I can't get the uid for the user for some reason.


  • Registered Users, Registered Users 2 Posts: 6,762 ✭✭✭WizZard


    Have you tried using just "member" instead of "memberOf"?

    (I don't have an LDAP server handy so can't verify anything myself :()


  • Moderators, Music Moderators Posts: 23,363 Mod ✭✭✭✭feylya


    Yup, tried member, memberof, memberuid... At the moment, I'm using an ldap filter to get a user that is a user but also a member of the group. Remove the use of ldap-group. No luck so far :(


  • Registered Users, Registered Users 2 Posts: 6,762 ✭✭✭WizZard


    Can you see/export what is stored in the LDAP record for the group and user?

    Maybe try using the GID instead?
    Require ldap-attribute gidNumber=XX
    


  • Moderators, Music Moderators Posts: 23,363 Mod ✭✭✭✭feylya


    It's finding the group fine. It just can't compare attributes from the user account to its members.
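As an added illustration (not code from any poster in this thread, nor from Apache), here is a small Python model of the two checks mod_authnz_ldap performs for a config like the one above, run against a constructed pair of AD-style entries: the AuthLDAPUrl search turns the login name into a DN, and then each AuthLDAPGroupAttribute is compared on the group entry against that DN. AuthLDAPGroupAttribute names an attribute of the group object, and an AD group object carries its membership in member, not memberOf, which is why a compare for memberOf on the group returns "no such attribute" while member matches. The jdoe account, the DNs and the DC=domain,DC=com search base are made up for the example.

```python
"""Model of how mod_authnz_ldap evaluates 'Require ldap-group' for the config
discussed in the thread.  Works on a constructed, in-memory copy of two
Active Directory entries; no LDAP server is contacted."""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed sample data, not a real directory dump.  Attribute names are the
# real AD ones; DNs and values are made up to fit the thread's example domain.
DIRECTORY: Dict[str, Entry] = {
    "CN=Jane Doe,CN=Users,DC=domain,DC=com": {
        "objectClass": ["user"],
        "sAMAccountName": ["jdoe"],
        # AD keeps the user's group list as the back-link attribute memberOf.
        "memberOf": ["CN=Admins,CN=Users,DC=domain,DC=com"],
    },
    "CN=Admins,CN=Users,DC=domain,DC=com": {
        "objectClass": ["group"],
        # The group lists its members in "member"; a top-level group carries
        # no memberOf attribute at all.
        "member": ["CN=Jane Doe,CN=Users,DC=domain,DC=com"],
    },
}

GROUP_DN = "CN=Admins,CN=Users,DC=domain,DC=com"
BASE_DN = "DC=domain,DC=com"  # assumed search base for the example


def normalise_dn(dn: str) -> str:
    """DN matching in LDAP is case-insensitive; canonicalise before comparing."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def get_entry(directory: Dict[str, Entry], dn: str) -> Optional[Entry]:
    target = normalise_dn(dn)
    for entry_dn, attrs in directory.items():
        if normalise_dn(entry_dn) == target:
            return attrs
    return None


def find_user_dn(directory: Dict[str, Entry], base_dn: str,
                 attribute: str, username: str) -> Optional[str]:
    """Step 1, the AuthLDAPUrl search: find the entry under base_dn whose
    <attribute> equals the login name and return its DN."""
    base = normalise_dn(base_dn)
    for dn, attrs in directory.items():
        if not normalise_dn(dn).endswith(base):
            continue
        if username.lower() in (v.lower() for v in attrs.get(attribute, [])):
            return dn
    return None


def ldap_compare(directory: Dict[str, Entry], entry_dn: str,
                 attribute: str, value: str) -> str:
    """An LDAP Compare operation, returning the result-code name the server
    would send: compareTrue, compareFalse, noSuchAttribute or noSuchObject."""
    entry = get_entry(directory, entry_dn)
    if entry is None:
        return "noSuchObject"
    if attribute not in entry:
        # The path behind the thread's log line
        # "[Comparison no such attribute][No such attribute]".
        return "noSuchAttribute"
    wanted = normalise_dn(value)
    if any(normalise_dn(v) == wanted for v in entry[attribute]):
        return "compareTrue"
    return "compareFalse"


def require_ldap_group(directory: Dict[str, Entry], group_dn: str,
                       user_dn: str, group_attributes: List[str]) -> dict:
    """Step 2, 'Require ldap-group <group_dn>' with AuthLDAPGroupAttributeIsDN on:
    compare each AuthLDAPGroupAttribute on the *group* entry against the
    user's DN.  Access is granted on the first compareTrue."""
    results: Dict[str, str] = {}
    for attr in group_attributes:
        results[attr] = ldap_compare(directory, group_dn, attr, user_dn)
        if results[attr] == "compareTrue":
            return {"granted": True, "results": results}
    return {"granted": False, "results": results}


def authorise(username: str, group_attributes: List[str]) -> dict:
    user_dn = find_user_dn(DIRECTORY, BASE_DN, "sAMAccountName", username)
    if user_dn is None:
        return {"granted": False, "results": {}, "reason": "user not found"}
    return require_ldap_group(DIRECTORY, GROUP_DN, user_dn, group_attributes)


def check_as_posted() -> dict:
    """AuthLDAPGroupAttribute memberOf, as in the thread's ldap.conf."""
    return authorise("jdoe", ["memberOf"])


def check_with_member() -> dict:
    """AuthLDAPGroupAttribute member: the module's default, and the attribute
    an AD group object actually carries."""
    return authorise("jdoe", ["member"])


if __name__ == "__main__":
    print("memberOf:", check_as_posted())
    print("member:  ", check_with_member())
```

Running the block prints the denied result with noSuchAttribute for the memberOf configuration and a granted result for member; the user-side memberOf attribute is never consulted by Require ldap-group, only the group entry is.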

