Hi Junaid,

this is not really a LAM issue, but I think you will need to configure the trusted certificates for Apache with the option "LDAPTrustedGlobalCert".
"Can't contact LDAP server" means that the server is not reachable or
the SSL certificate was not trusted.
Best regards
Roland
On 07.05.2014 16:33, Junaid Shah wrote:
> Hi Roland,
>
> I have managed to get the password self reset and self service working
> fine now. I am now trying to use my LDAP for Apache authentication for
> Nagios.
>
> I created a user for binding and gave it read access as well. But I am not
> able to get Apache to authenticate through my LDAP.
>
> Here's what I have in apache configuration,
> --------
> ScriptAlias /nagios/cgi-bin/ "/usr/lib64/nagios/cgi-bin/"
>
>
> <Directory "/usr/lib64/nagios/cgi-bin/">
> # SSLRequireSSL
> Options ExecCGI
> AllowOverride None
> # Order allow,deny
> # Allow from all
> # Allow from 127.0.0.1
> AuthType Basic
> AuthBasicProvider ldap
> AuthzLDAPAuthoritative off
> AuthName "LAM"
> AuthLDAPURL "ldaps://example.com:636/ou=Users,dc=example,dc=com?uid" SSL
> AuthLDAPBindDN uid=binduser,ou=Generalusers,ou=Users,dc=example,dc=com
> AuthLDAPBindPassword SECRET
> Require valid-user
> </Directory>
>
> Alias /nagios "/usr/share/nagios/html"
>
> <Directory "/usr/share/nagios/html">
> # SSLRequireSSL
> Options None
> AllowOverride None
> # Order allow,deny
> Allow from all
> # Allow from 127.0.0.1
> AuthType Basic
> AuthBasicProvider ldap
> AuthzLDAPAuthoritative off
> AuthName "LAM"
> AuthLDAPURL "ldaps://example.com:636/ou=Users,dc=example,dc=com?uid" SSL
> AuthLDAPBindDN uid=binduser,ou=Generalusers,ou=Users,dc=example,dc=com
> AuthLDAPBindPassword SECRET
> Require valid-user
> </Directory>
>
> ------------
>
> I have added this in the /etc/openldap/slapd.conf file to add the bind user,
> -------------
> #######################################################################
> # database definitions
> #######################################################################
>
> database bdb
> suffix "dc=example,dc=com"
> checkpoint 1024 15
> rootdn "cn=Manager,dc=example,dc=com"
> # Cleartext passwords, especially for the rootdn, should
> # be avoided. See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> # rootpw secret
> # rootpw {crypt}ijFYNcSNctBYg
> rootpw SECRET
>
> defaultaccess none
> access to attr=userPassword
> by dn="cn=Manager,dc=example,dc=com" write
> by self write
> by * auth
> access to *
> by dn="cn=Manager,dc=example,dc=com" write
> by dn="uid=binduser,ou=Generalusers,ou=Users,dc=example,dc=com" read
> by users read
> by self write
> by * auth
>
> --------
>
> I then created the user account binduser and restarted slapd.
>
> Here is the error I am seeing in the logs,
> ---------
> [Wed May 07 07:25:31 2014] [info] [client IPADDRESS [4158] auth_ldap
> authenticate: user tester authentication failed; URI / [LDAP:
> ldap_simple_bind_s() failed][Can't contact LDAP server]
> ---------
>
> The user tester is inside the Admins,Users,example,com directory.
>
> What do you think I'm missing? Any ideas?
>
> Thanks,
>
>
>
> On Wed, Apr 30, 2014 at 1:18 AM, Roland Gruber <[email protected]> wrote:
>
>> Hi Junaid,
>>
>> On 29.04.2014 07:24, Junaid Shah wrote:
>>> 2014-04-28 22:02:55: LDAP Account Manager (kui1ucm5i76bmmc68ohumteaj3 -
>>> 10.4.3.20) - ERROR: [uid=bhkwan,ou=Admins,ou=Users,dc=go,dc=cd] Unable to
>>> add attributes to DN: uid=student1,ou=Generalusers,ou=Users,dc=go,dc=cd
>>> (Insufficient access).
>>
>> looks like uid=bhkwan,ou=Admins,ou=Users,dc=go,dc=cd does not have the right to
>> change the student entries.
>> You can set up ACLs in slapd.d to change that.
>>
>> LAM also allows you to do all write operations with the bind user. There is an
>> option "Use for all operations":
>>
>>
>> https://www.ldap-account-manager.org/static/doc/manual/ch06s03.html#selfServiceBasicSettings
>>
>>
>> --
>>
>> Best regards
>>
>> Roland
>>
>>
>> LDAP Account Manager
>> http://www.ldap-account-manager.org/
>>
>> Want more? Get LDAP Account Manager Pro!
>> https://www.ldap-account-manager.org/lamcms/lamPro
>>
>>
>>
>> _______________________________________________
>> Lam-public mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/lam-public
>>
>>
>
>
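To tell the two causes Roland names apart (server not reachable vs. server certificate not trusted), here is an added example, not from this thread and not part of LAM or Apache, that checks an AuthLDAPURL the way mod_ldap effectively does: a TCP connect to host:port first, then a TLS handshake validated against the CA file you would hand to LDAPTrustedGlobalCert. The function names, the example hostnames and the CA path are assumptions of the example.

```python
"""Diagnose Apache's "Can't contact LDAP server" for an ldaps:// AuthLDAPURL.

Added example (not from the mailing-list thread, LAM or Apache).  It separates
the two failure modes behind the error: the host:port is unreachable, or the
TLS handshake fails because the server certificate does not chain to a CA we
trust (the CA that "LDAPTrustedGlobalCert CA_BASE64 <file>" would supply).
"""
import socket
import ssl
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_url(url):
    """Split an AuthLDAPURL into (host, port, use_tls).

    Only scheme, host and port matter for reachability; the base DN and the
    attribute after '/' are the LDAP client's business.  A missing port falls
    back to the scheme default (389 / 636).
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("no host in %r" % url)
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return parts.hostname, port, parts.scheme == "ldaps"


def classify(exc):
    """Map a connection/TLS exception to the cause Apache hides behind
    'Can't contact LDAP server'.  Order matters: SSLCertVerificationError is
    an SSLError, and SSLError / timeout are both OSError subclasses."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "certificate not trusted"
    if isinstance(exc, ssl.SSLError):
        return "tls handshake failed"
    if isinstance(exc, OSError):
        return "server not reachable"
    return "unknown"


def check_ldaps(url, cafile=None, timeout=5.0):
    """Return (ok, detail) for an AuthLDAPURL.

    cafile=None uses the system trust store, which is exactly why a server
    signed by a private CA fails; pass the PEM file you would configure with
    LDAPTrustedGlobalCert to see whether that alone fixes it.
    """
    host, port, use_tls = parse_ldap_url(url)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return False, "%s: %s" % (classify(exc), exc)
    if not use_tls:
        raw.close()
        return True, "tcp connect to %s:%d ok (plain ldap://, no TLS)" % (host, port)

    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain + hostname
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)  # handshake happens here
    except ssl.SSLError as exc:
        # wrap_socket already closed the underlying fd on handshake failure
        return False, "%s: %s" % (classify(exc), exc)
    try:
        subject = dict(rdn[0] for rdn in tls.getpeercert().get("subject", ()))
    finally:
        tls.close()
    return True, "tls ok, server certificate CN=%s" % subject.get("commonName", "?")


if __name__ == "__main__":
    # Hostname and CA path are assumptions of this example.
    URL = "ldaps://example.com:636/ou=Users,dc=example,dc=com?uid"
    print(check_ldaps(URL))                                        # system trust store
    print(check_ldaps(URL, cafile="/etc/pki/tls/certs/ldap-ca.pem"))  # private CA
```

If the first call reports "certificate not trusted" and the second succeeds, the fix is on the Apache side, outside any `<Directory>` block: `LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ldap-ca.pem` (path assumed here), followed by an Apache restart. If both calls report "server not reachable", the LDAP server, its port or a firewall is the problem and no certificate setting will help.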
