DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=26538>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=26538

windows 2003 active directory - [ldap_search_ext_s() for user failed][Referral]

Summary: windows 2003 active directory - [ldap_search_ext_s() for user failed][Referral]
Product: Apache httpd-2.0
Version: 2.0.48
Platform: PC
OS/Version: Windows NT/2K
Status: NEW
Severity: Normal
Priority: Other
Component: mod_auth_ldap
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]

I have been chatting with someone on a linux user group about this. It seems
that mod_auth_ldap doesn't like multiple references. The email thread follows:

I am not sure either. I just set up mod_auth_ldap on the Windows 2000 domain
and it works like a champ. :-) I guess mod_auth_ldap doesn't like how Windows
2003 works with returning the three references. :-/

- Andy

On Thu, 2004-01-29 at 16:11, Andrew Libby wrote:
> I'm unclear about why your directory server is sending
> references back when the entry has been located and returned
> to you. In my dealings with SunOne (iPlanet) and OpenLDAP,
> I've not seen such a thing.
>
> Andy
>
>
> Andrew Blyler wrote:
>
> >I just set up a Windows 2000 domain and found that it only returns one
> >reference. I didn't test mod_auth_ldap on Windows 2000 just yet, but
> >below are the results from my ldapsearch.
> >
> >
> >[ablyler at laptop ablyler]$ ldapsearch -h domain_controler.domain.com -vx
> >-D "ablyler at domain.com" -b DC=domain,DC=com sAMAccountName=ablyler -W
> >
> ># extended LDIF
> >#
> ># LDAPv3
> ># base <DC=domain,DC=com> with scope sub
> ># filter: sAMAccountName=ablyler
> ># requesting: ALL
> >#
> >
> ># Andrew Blyler, Users, domain.com
> >dn: CN=Andrew Blyler,CN=Users,DC=domain,DC=com
> ># there were a lot of attributes, but I removed them
> >whenCreated: 20040129194305.0Z
> >
> ># search reference
> >ref: ldap://domain.com/CN=Configuration,DC=domain,DC=com
> >
> ># search result
> >search: 2
> >result: 0 Success
> >
> ># numResponses: 3
> ># numEntries: 1
> ># numReferences: 1
> >
> >
> >On Thu, 2004-01-29 at 14:42, Andrew Blyler wrote:
> >
> >
> >>Okay, it looks like it is returning some references for the forest dns,
> >>domain dns, and configuration partitions. I am guessing that
> >>mod_auth_ldap doesn't like the fact that it is getting some references.
> >>:-(
> >>
> >>Note: in this email and previous emails I refer to the domain as
> >>domain.com and the dc/ldap server as domain_controler.
> >>
> >>ldapsearch -h domain_controler.domain.com -vx -D "CN=Andrew
> >>Blyler,OU=SI,OU=Mechanicsburg,DC=domain,DC=com" -b DC=domain,DC=com
> >>sAMAccountName=ablyler -W
> >># extended LDIF
> >>#
> >># LDAPv3
> >># base <DC=domain,DC=com> with scope sub
> >># filter: sAMAccountName=ablyler
> >># requesting: ALL
> >>#
> >>
> >># Andrew Blyler, SI, Mechanicsburg, domain.com
> >>dn: CN=Andrew Blyler,OU=SI,OU=Mechanicsburg,DC=domain,DC=com
> >># there were a lot of attributes, but I removed them
> >>msExchMailboxGuid:: z73C+rf14UWMpPR+SkVOjA==
> >>
> >># search reference
> >>ref: ldap://DomainDnsZones.domain.com/DC=DomainDnsZones,DC=domain,DC=com
> >>
> >># search reference
> >>ref: ldap://ForestDnsZones.domain.com/DC=ForestDnsZones,DC=domain,DC=com
> >>
> >># search reference
> >>ref: ldap://domain.Com/CN=Configuration,DC=domain,DC=com
> >>
> >># search result
> >>search: 2
> >>result: 0 Success
> >>
> >># numResponses: 5
> >># numEntries: 1
> >># numReferences: 3
> >>
> >>
> >>On Thu, 2004-01-29 at 13:33, Andrew Libby wrote:
> >>
> >>
> >>>While I can't say for sure, I'll put in a few cents as to what
> >>>may be happening.
> >>>
> >>>The error message in the error.log indicates that the
> >>>client (Apache) got a referral from Active Directory.
> >>>Referral responses are provided to LDAP clients when
> >>>the DSA (LDAP server) does not have the base indicated
> >>>in the search, or if the request is a modification request
> >>>and the client is a replica. If the replica case applies,
> >>>the referral will suggest the authoritative server to which
> >>>the client should issue the modification. My hunch is that
> >>>this is not what is happening here.
> >>>
> >>>The other case is when the DSA does not provide service for the
> >>>base dn specified in the search. Looking at the configuration
> >>>snippet you supplied, your LDAP server is domain_controler.domain.com.
> >>>Is this valid? It seems so since you're getting a referral back,
> >>>but I thought I'd ask since it looks a lot like a configuration example
> >>>which might be posted in documentation. The base dn you've listed
> >>>is DC=domain,DC=com. Does the DSA at domain_controler.domina.com
> >>>serve this base dn? If not, then we've got the problem.
> >>>
> >>>To try to verify what's going on you could try some command line searches
> >>>from another host (provided AD will respond to incoming LDAP search
> >>>requests from another host).
> >>>
> >>>For example try:
> >>>
> >>>ldapsearch -LLLxh domain_controler.domaiin.com -b DC=domain,DC=com
> >>>objectclass=\*
> >>>
> >>>This should give you lots of entries. Usually usernames are stored
> >>>keyed based on cn or uid attributes. You could try searching for
> >>>cn=username or uid=username in place of objectclass=\*. Replace
> >>>'username' with the username of a user you're attempting to
> >>>authenticate with.
> >>>
> >>>Depending on what vendor and version of ldapsearch you use, you may need
> >>>to drop the -x, or -LLL from the command line for it to work. Depending
> >>>on the version of the libraries which Apache is linked with, and
> >>>depending on how the auth module is implemented, it may flat out not
> >>>follow referrals. My guess is that you don't really want to follow
> >>>referrals, you want to find out why you're getting a referral and fix
> >>>the issue. The base dn is my bet.
> >>>
> >>>Andy
> >>>
> >>>Andrew Blyler wrote:
> >>>
> >>>
> >>>
> >>>>I know I am running this on Windows, but I thought someone might have
> >>>>some insight on the issue.
> >>>>
> >>>>When trying to use Apache 2.0.48 on Windows 2003 to authenticate users
> >>>>in a Windows 2003 Active Directory LDAP server I get the following:
> >>>>
> >>>>error.log
> >>>>[Thu Jan 29 12:26:24 2004] [warn] [client 10.4.2.111] [4608] auth_ldap
> >>>>authenticate: user ablyler authentication failed; URI /test/index.html
> >>>>[ldap_search_ext_s() for user failed][Referral]
> >>>>
> >>>>The following is a section of the config:
> >>>>
> >>>>httpd.conf
> >>>><Directory />
> >>>>    Options FollowSymLinks
> >>>>    AllowOverride None
> >>>>
> >>>>    # LDAP Authentication & Authorization is final; do not check other databases
> >>>>    AuthLDAPAuthoritative on
> >>>>
> >>>>    # Do basic password authentication in the clear
> >>>>    AuthType Basic
> >>>>
> >>>>    # The name of the protected area or "realm"
> >>>>    AuthName "Test Realm"
> >>>>
> >>>>    # Active Directory requires an authenticating DN to access records
> >>>>    AuthLDAPBindDN CN=service_account,DC=domain,DC=com
> >>>>
> >>>>    # This is the password for the AuthLDAPBindDN user in Active Directory
> >>>>    AuthLDAPBindPassword service_account_password
> >>>>
> >>>>    # The LDAP query URL
> >>>>    AuthLDAPURL "ldaps://domain_controler.domain.com/DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"
> >>>></Directory>
> >>>>
> >>>><Directory "C:/Program Files/Apache Group/Apache2/htdocs/test">
> >>>>    AuthName "Special User Area"
> >>>>    require valid-user
> >>>></Directory>
> >>>>
> >>>>Does anyone have any ideas of what is going on?
> >>>>
> >>>>Thanks,
> >>>>Andy Blyler
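As an added example (not from the bug report or from Apache's own code), a small Python parser for ldapsearch output in the shape quoted in the thread: it separates the entry found from the search references returned alongside it, which is what a subtree search of DC=domain,DC=com on a Windows 2003 DC produces for the DomainDnsZones, ForestDnsZones and Configuration partitions. The sample output is constructed after the second ldapsearch run above.

```python
# Added example, not from the bug report or from Apache: classify ldapsearch
# LDIF output into returned entries and search references, and decode
# which naming context each reference points at.
# Constructed sample, modelled on the second ldapsearch run quoted above.
SAMPLE_LDIF = """\
# base <DC=domain,DC=com> with scope sub

# Andrew Blyler, SI, Mechanicsburg, domain.com
dn: CN=Andrew Blyler,OU=SI,OU=Mechanicsburg,DC=domain,DC=com
sAMAccountName: ablyler
msExchMailboxGuid:: z73C+rf14UWMpPR+SkVOjA==

# search reference
ref: ldap://DomainDnsZones.domain.com/DC=DomainDnsZones,DC=domain,DC=com

# search reference
ref: ldap://ForestDnsZones.domain.com/DC=ForestDnsZones,DC=domain,DC=com

# search reference
ref: ldap://domain.Com/CN=Configuration,DC=domain,DC=com

# search result
search: 2
result: 0 Success
"""

def parse_ldapsearch(text):
    """Split LDIF records on blank lines: a record led by 'dn:' is an entry,
    one led by 'ref:' is a search reference. Returns (entry DNs, ref URLs)."""
    entries, references = [], []
    for record in text.split("\n\n"):
        lines = [ln for ln in record.splitlines() if ln and not ln.startswith("#")]
        if not lines:
            continue  # comment-only block such as the LDIF header
        key, _, value = lines[0].partition(":")
        if key == "dn":
            entries.append(value.strip())
        elif key == "ref":
            references.append(value.strip())
    return entries, references

def reference_target(url):
    """Split 'ldap://host/baseDN' into (host, baseDN)."""
    host, _, base = url.split("://", 1)[1].partition("/")
    return host.lower(), base

def referred_naming_contexts(text):
    """Base DNs that a client which does not chase references never searches;
    with the sample these are the DNS-zone and Configuration partitions."""
    return [reference_target(u)[1] for u in parse_ldapsearch(text)[1]]
```

The one entry is the user being authenticated; the three references are what a client that cannot follow them reports as a Referral failure.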
