Okay, now I understand how the LDAP module is working and I figured out how to
authenticate with LDAP.
The full final working config for LDAP authentication with Active Directory is:
> vserver!10!rule!105!auth = ldap
> vserver!10!rule!105!auth!base_dn = OU=SUPPORT,OU=USERS,DC=contoso,DC=local
> vserver!10!rule!105!auth!bind_dn = CN=ldap-connector,OU=SERVICEACCOUNTS,OU=USERS,DC=contoso,DC=local
> vserver!10!rule!105!auth!bind_pw = <password-for-user_ldap-connector>
> vserver!10!rule!105!auth!filter = (sAMAccountName=${user})
> vserver!10!rule!105!auth!methods = basic
> vserver!10!rule!105!auth!port = 389
> vserver!10!rule!105!auth!realm = contoso.local
> vserver!10!rule!105!auth!server = contoso.local
> vserver!10!rule!105!auth!tls = 0
> vserver!10!rule!105!disabled = 0
> vserver!10!rule!105!match = directory
> vserver!10!rule!105!match!directory = /
> vserver!10!rule!105!match!final = 0
However, the LDAP module lacks NTLM authentication. :-(
Stadtpirat
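The scope behaviour discussed in this thread (a one-level search from OU=USERS not finding users kept in OU=SUPPORT or OU=SALES), as an added example that is not Cherokee's code or configuration: a small Python model of LDAP search scope over a constructed contoso.local tree, together with RFC 4515 escaping for the value that replaces ${user} in the filter. The directory entries, the "bob" and "alice" accounts and the `search`/`in_scope` helper names are constructed for this example.

```python
# Added example (not Cherokee's code): model of LDAP search scope over a
# constructed contoso.local tree, showing why a non-recursive (one-level)
# search from OU=USERS misses users kept in sub-OUs such as OU=SUPPORT.

# Constructed sample entries, keyed by DN (no escaped commas, so a plain split works).
DIRECTORY = {
    "CN=ldap-connector,OU=SERVICEACCOUNTS,OU=USERS,DC=contoso,DC=local": {"sAMAccountName": "ldap-connector", "sn": "Connector"},
    "CN=Admin,OU=SUPPORT,OU=USERS,DC=contoso,DC=local": {"sAMAccountName": "Admin", "sn": "Admin"},
    "CN=Bob,OU=SUPPORT,OU=USERS,DC=contoso,DC=local": {"sAMAccountName": "bob", "sn": "Support"},
    "CN=Alice,OU=SALES,OU=USERS,DC=contoso,DC=local": {"sAMAccountName": "alice", "sn": "Sales"},
}


def rdns(dn):
    """Split a DN into its RDN components, leaf first."""
    return [part.strip() for part in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is reachable from base_dn with the given LDAP scope:
    'base' = the base entry only, 'one' = direct children, 'sub' = whole subtree."""
    entry, base = rdns(entry_dn), rdns(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False  # not under the base at all
    depth = len(entry) - len(base)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def escape_filter_value(value):
    """Escape a value for use inside a filter assertion (RFC 4515, section 3),
    so a login name cannot change the structure of the filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def build_filter(attr, user):
    """Equivalent of the '(attr=${user})' filter, with the user value escaped."""
    return "(%s=%s)" % (attr, escape_filter_value(user))


def search(base_dn, scope, attr, user):
    """Return the DNs matching an equality filter on attr within the scope.
    AD compares these attributes case-insensitively, as does this model."""
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if in_scope(dn, base_dn, scope)
                  and attrs.get(attr, "").lower() == user.lower())


if __name__ == "__main__":
    users = "OU=USERS,DC=contoso,DC=local"
    print(build_filter("sAMAccountName", "Admin"))
    print("one-level from OU=USERS:", search(users, "one", "sAMAccountName", "Admin"))
    print("subtree   from OU=USERS:", search(users, "sub", "sAMAccountName", "Admin"))
```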
________________________________
From: - - <[email protected]>
To: [email protected]
Sent: 23:07 Wednesday, 30 January 2013
Subject: Re: [Cherokee] LDAP auth bound to Microsoft Active Directory
Sent those mails to the wrong recipient, so now again to the correct one. Hope
to find help here!! :-)
------------------------------
On Tue, Jan 29, 2013 4:23 PM CET - - wrote:
>Yay! I got it working!
>
>I changed
> vserver!10!rule!105!auth!base_dn = DC=contoso,DC=local
>to
> vserver!10!rule!105!auth!base_dn = OU=SUPPORT,OU=USERS,DC=contoso,DC=local
>
>Looks like the search is not recursive, like in the AD-Snapin. So it really
>finds only all objects where (sn=${user}) _IF_ they are exactly in
>"OU=SUPPORT,OU=USERS,DC=contoso,DC=local".
>
>That's a problem for me, because we organized our user objects in different
>OUs like SUPPORT, SALES, etc. And as I just said, if base_dn is
>"OU=USERS,DC=contoso,DC=local", I get no results! If I include SUPPORT, the
>sales team won't be able to authenticate :-(
>
>Any ideas?
>
>
>
>
>----- Original Message -----
>From: - - <[email protected]>
>To: "[email protected]" <[email protected]>
>CC:
>Sent: 15:49 Tuesday, 29 January 2013
>Subject: LDAP auth bound to Microsoft Active Directory
>
>Hello,
>
>I need help configuring LDAP authentication! When I open the web page, it asks
>for my credentials. When I enter valid credentials, the same window pops up
>over and over and I cannot continue. When I leave the fields blank, or press
>escape, it correctly returns a 401. The log cherokee.error shows no error.
>
>I have an Active-Directory domain named contoso.local that I access by user
>"Admin" and password "MyPassword".
>I want that any user in the AD is able to access the web page.
>
>This is my Config:
>
> vserver!10!rule!105!auth = ldap
> vserver!10!rule!105!auth!base_dn = DC=contoso,DC=local
> vserver!10!rule!105!auth!bind_dn = CN=Admin,OU=SUPPORT,OU=USERS,DC=contoso,DC=local
> vserver!10!rule!105!auth!bind_pw = MyPassword
> vserver!10!rule!105!auth!filter = (sn=${user})
> vserver!10!rule!105!auth!methods = basic
> vserver!10!rule!105!auth!port = 389
> vserver!10!rule!105!auth!realm = contoso.local
> vserver!10!rule!105!auth!server = contoso.local
> vserver!10!rule!105!auth!tls = 0
> vserver!10!rule!105!disabled = 0
> vserver!10!rule!105!match = directory
> vserver!10!rule!105!match!directory = /
> vserver!10!rule!105!match!final = 0
>
>
>
>
>To see if the server binds to the AD, I changed bind_dn to CN=NONEXISTENT,...
>and received this error message.
>
>
> {'type': "critical", 'time': "29/01/2013 16:38:43.060", 'title': "Could not
> bind (contoso.local:389):
> CN=NONEXISTENT,OU=SUPPORT,OU=USERS,DC=contoso,DC=local:MyPassword : Invalid
> credentials", 'code': "validator_ldap.c:213", 'error': "28", 'description':
> "The issue seems to be related to your system.", 'version': "1.2.103",
> 'compilation_date': "Jan 29 2013 13:18:06", 'configure_args': "
> '--with-wwwuser=www-data' '--with-wwwgroup=www-data'
> '--with-wwwuser=www-data' '--with-wwwgroup=www-data'", 'backtrace': "}
>
>
>To see if my filter is correct, I used the Active-Directory-Snapin and did a
>custom search for "(sn=Admin)", which then returned the correct user account.
>Long: the user account with the attribute sn=admin.
>
>Help is very much appreciated.
>
>
>Stadtpirat
_______________________________________________
Cherokee mailing list
[email protected]
http://lists.octality.com/listinfo/cherokee