On Fri, 19 Jan 2007 09:19:03 -0600 "Thommes, Michael M." <[EMAIL PROTECTED]> wrote:
> We have an application that is using an Apache server to do LDAP
> authentications against our active directory. (Yeah, I know; if only I
> were king! LOL!) The application developer tells me that if he tries
> doing an auth against our root base (dc=yyy,dc=zzz), the auth fails. If
> he uses a search base of "ou=xxx,dc=yyy,dc=zzz", the auth works. The
> user account that is being tested is some OU levels below this. He is
> coding a subtree scope and he is filtering on (objectclass=user and
> objectcategory=person).
>
> It's like Apache needs to start at an OU structure. I couldn't find
> much on Google about this other than someone else was having the same
> issue last Fall and just gave up in frustration. The Apache
> documentation I could find seemed to indicate that a search of
> "dc=yyy,dc=zzz" SHOULD work.

What Apache LDAP authentication are you using? Is it one of those
ldap_authz modules or a scripted ldap_bind hack?

A network capture would tell you definitively what authentication
mechanism is being used and at which end the problem resides. If you
have tcpdump on the web server this is simply:

# tcpdump -s 0 -w mycapture.pcap 'port 389 or port 80'
<run the test>
<ctrl-c to stop>

Ldapsearch queries from the Apache machine might also help debug the
problem. For example, the following ldapsearch query gets the
CN=Users,DC=win,DC=net container (obviously you would need to adjust
things a little):

$ ldapsearch -h 192.168.2.104 -p 389 -Y digest-md5 -U mthommes \
    -w thepass -b "DC=foo,DC=net" -s one -z 100 '(CN=Users)'

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
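An added example, not part of Michael's reply and not Apache or Active Directory code: a small Python decoder for the LDAP result messages such a port-389 capture contains, so the resultCode and diagnostic text of the BindResponse and SearchResultDone can be read off directly. It also decodes SearchResultReference messages, which Active Directory returns for a subtree search rooted at the domain naming context (referrals to its other partitions); whether those play a part in the problem above is not something the thread establishes. The message bytes are constructed inside the script with a minimal BER encoder, they are not from a real capture, and the domain names and diagnostic text are placeholders.

```python
"""Decode LDAP server messages of the kind a port-389 capture shows.

Added example, not from the original reply. A minimal BER encoder builds
constructed sample messages inline (not bytes from a real capture); the
decoder reports what each BindResponse, SearchResultReference and
SearchResultDone means, following RFC 4511.
"""

# LDAPv3 result codes worth recognising when an authentication fails
RESULT_CODES = {0: "success", 1: "operationsError", 7: "authMethodNotSupported",
                8: "strongerAuthRequired", 10: "referral", 32: "noSuchObject",
                34: "invalidDNSyntax", 49: "invalidCredentials",
                50: "insufficientAccessRights"}
# protocolOp application tag numbers (RFC 4511 section 4.1.1)
OP_NAMES = {0: "BindRequest", 1: "BindResponse", 3: "SearchRequest",
            4: "SearchResultEntry", 5: "SearchResultDone", 19: "SearchResultReference"}


def ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value, tag=0x02):
    """INTEGER (0x02) or ENUMERATED (0x0A) in minimal two's-complement form."""
    return tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))


def ldap_result(app_tag, msg_id, code, matched_dn=b"", diag=b"", referral_uris=()):
    """LDAPMessage { messageID, [APPLICATION app_tag] LDAPResult }."""
    body = ber_int(code, 0x0A) + tlv(0x04, matched_dn) + tlv(0x04, diag)
    if referral_uris:                       # referral [3] SEQUENCE OF LDAPURL
        body += tlv(0xA3, b"".join(tlv(0x04, u) for u in referral_uris))
    return tlv(0x30, ber_int(msg_id) + tlv(0x60 | app_tag, body))


def search_reference(msg_id, uris):
    """LDAPMessage { messageID, [APPLICATION 19] SEQUENCE OF LDAPURL }."""
    return tlv(0x30, ber_int(msg_id) + tlv(0x73, b"".join(tlv(0x04, u) for u in uris)))


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                        # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def read_sequence(buf):
    """Split a constructed value into its child (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        items.append((tag, val))
    return items


def decode_message(raw):
    """Decode one server-to-client LDAPMessage into a plain dict."""
    tag, body, end = read_tlv(raw)
    if tag != 0x30 or end != len(raw):
        raise ValueError("not a single LDAPMessage")
    (_, id_val), (op_tag, op_val) = read_sequence(body)[:2]
    app = op_tag & 0x1F
    info = {"id": int.from_bytes(id_val, "big", signed=True),
            "op": OP_NAMES.get(app, f"APPLICATION {app}"), "referrals": []}
    if app in (1, 5):                       # BindResponse / SearchResultDone carry an LDAPResult
        fields = read_sequence(op_val)
        code = int.from_bytes(fields[0][1], "big", signed=True)
        info.update(code=code, result=RESULT_CODES.get(code, f"code {code}"),
                    matchedDN=fields[1][1].decode(), diagnostic=fields[2][1].decode())
        for t, v in fields[3:]:
            if t == 0xA3:                   # optional referral list inside the result
                info["referrals"] += [u.decode() for _, u in read_sequence(v)]
    elif app == 19:                         # SearchResultReference is just a list of URLs
        info["referrals"] = [u.decode() for _, u in read_sequence(op_val)]
    return info


def triage(messages):
    """Summarise a capture: bind outcomes, referrals seen, search completion."""
    decoded = [decode_message(m) for m in messages]
    return {"bind_results": [d["result"] for d in decoded if d["op"] == "BindResponse"],
            "referrals": [u for d in decoded for u in d["referrals"]],
            "search_done": [d["result"] for d in decoded if d["op"] == "SearchResultDone"]}


# Constructed sample exchange (not a real capture), using the thread's placeholder
# domain: a bind succeeds, a subtree search from the domain root returns one
# referral before completing, then a second bind is rejected.
SAMPLE_CAPTURE = [
    ldap_result(1, 1, 0),
    search_reference(2, [b"ldap://DomainDnsZones.yyy.zzz/DC=DomainDnsZones,DC=yyy,DC=zzz"]),
    ldap_result(5, 2, 0),
    ldap_result(1, 3, 49, diag=b"constructed diagnostic: invalid credentials"),
]

if __name__ == "__main__":
    for m in SAMPLE_CAPTURE:
        print(decode_message(m))
    print(triage(SAMPLE_CAPTURE))
```

To use it on a real capture, extract each server-to-client LDAPMessage as a byte string (for example by exporting the TCP payloads of the port-389 stream) and pass the list to triage(); the decoder expects exactly one LDAPMessage per buffer and does not reassemble messages split across TCP segments. A BindResponse of invalidCredentials points at the web server's credentials or mechanism, while a search that ends in noSuchObject or only ever yields referrals points at the base DN and scope.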