Re: [ActiveDir] OT: Apache LDAP authentication oddity
On Fri, 19 Jan 2007 09:19:03 -0600 "Thommes, Michael M." <[EMAIL PROTECTED]> wrote:

> We have an application that is using an Apache server to do LDAP
> authentications against our active directory. (Yeah, I know; if only I
> were king! LOL!) The application developer tells me that if he tries
> doing an auth against our root base (dc=yyy,dc=zzz), the auth fails. If
> he uses a search base of "ou=xxx,dc=yyy,dc=zzz", the auth works. The
> user account that is being tested is some OU levels below this. He is
> coding a subtree scope and he is filtering on (objectclass=user and
> objectcategory=person).
>
> It's like Apache needs to start at an OU structure. I couldn't find
> much on Google about this other than someone else was having the same
> issue last Fall and just gave up in frustration. The Apache
> documentation I could find seemed to indicate that a search of
> "dc=yyy,dc=zzz" SHOULD work.

What Apache LDAP authentication are you using? Is it one of those
ldap_authz modules or a scripted ldap_bind hack?

A network capture would tell you definitively what authentication
mechanism is being used and at which end the problem resides. If you
have tcpdump on the web server this is simply:

  # tcpdump -s 0 -w mycapture.pcap 'port 389 or port 80'

Ldapsearch queries from the Apache machine might also help debug the
problem. For example, the following ldapsearch query gets the
CN=Users,DC=win,DC=net container (obviously you would need to adjust
things a little):

  $ ldapsearch -h 192.168.2.104 -p 389 -Y digest-md5 -U mthommes \
      -w thepass -b "DC=foo,DC=net" -s one -z 100 '(CN=Users)'

Mike

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] OT: Apache LDAP authentication oddity
Get a network trace of the LDAP calls and responses. Possibly it is an
apache issue, possibly the developer is a knucklehead. :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, January 19, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Apache LDAP authentication oddity

We have an application that is using an Apache server to do LDAP
authentications against our active directory. (Yeah, I know; if only I
were king! LOL!) The application developer tells me that if he tries
doing an auth against our root base (dc=yyy,dc=zzz), the auth fails. If
he uses a search base of "ou=xxx,dc=yyy,dc=zzz", the auth works. The
user account that is being tested is some OU levels below this. He is
coding a subtree scope and he is filtering on (objectclass=user and
objectcategory=person).

It's like Apache needs to start at an OU structure. I couldn't find
much on Google about this other than someone else was having the same
issue last Fall and just gave up in frustration. The Apache
documentation I could find seemed to indicate that a search of
"dc=yyy,dc=zzz" SHOULD work.

Any thoughts/pointers are appreciated!

Thanks!

Mike Thommes
RE: [ActiveDir] OT: Apache LDAP authentication oddity
Also try this: on a Windows 2003 box use the dsquery command and issue
the following (as the same account you are using to do the
authentication):

  dsquery * CN=Users,DC=Your_Account_Domain,DC=Your_Parent_Domain,DC=COM

You should get a dump of the first 1000 users in the Users container. If
you get this, then you've done an authenticated LDAP query to AD and
dumped accounts. You can also use the same LDAP construct in the Custom
Searches within Windows 2003 ADUC to see if this will also give you the
information you are looking for.

Also note that your developer might need to page his queries, because AD
is only going to return the first 1000; if you get an error 4, that is
indicative of a paging issue with the query.

HTH,
Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:[EMAIL PROTECTED]
cell:401-639-3505

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, January 19, 2007 10:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Apache LDAP authentication oddity

So you're describing searching for something and talking about
authentication. Which is it?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, January 19, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Apache LDAP authentication oddity

We have an application that is using an Apache server to do LDAP
authentications against our active directory. (Yeah, I know; if only I
were king! LOL!) The application developer tells me that if he tries
doing an auth against our root base (dc=yyy,dc=zzz), the auth fails. If
he uses a search base of "ou=xxx,dc=yyy,dc=zzz", the auth works. The
user account that is being tested is some OU levels below this. He is
coding a subtree scope and he is filtering on (objectclass=user and
objectcategory=person).

It's like Apache needs to start at an OU structure. I couldn't find
much on Google about this other than someone else was having the same
issue last Fall and just gave up in frustration. The Apache
documentation I could find seemed to indicate that a search of
"dc=yyy,dc=zzz" SHOULD work.

Any thoughts/pointers are appreciated!

Thanks!

Mike Thommes
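The replies above suggest three checks: the filter and search base the developer uses (first message), a one-level ldapsearch for the CN=Users container (Michael Allen's reply), and paging because AD stops an unpaged search at 1000 entries with "error 4" (Ed Ziots' reply). The following is an added example, not code from anyone on this thread or from Apache: a small in-memory model of those searches. It shows that the filter as paraphrased in the post, `(objectclass=user and objectcategory=person)`, is not LDAP filter syntax and matches nothing, while `(&(objectClass=user)(objectCategory=person))` is the AND form; that a subtree search from the domain root reaches users nested several OUs deep exactly as a search from the OU does; what the one-level `(CN=Users)` search returns; and why an unpaged search over more than 1000 entries ends with resultCode sizeLimitExceeded(4) while a paged loop does not. The directory, DNs and user accounts are constructed sample data, and the server is modelled, not a real LDAP connection.

```python
SIZE_LIMIT = 1000  # AD's default MaxPageSize: an unpaged search is cut off at this many entries
PARAPHRASED_FILTER = "(objectclass=user and objectcategory=person)"  # as paraphrased in the post
CORRECT_FILTER = "(&(objectClass=user)(objectCategory=person))"  # LDAP syntax for that AND

class SizeLimitExceeded(Exception):
    """Stand-in for LDAP resultCode sizeLimitExceeded(4), the "error 4" in the thread."""
    result_code = 4

def normalize_dn(dn):
    """Case-fold and trim each RDN so 'CN=Users, DC=yyy' equals 'cn=users,dc=yyy'."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_filter(text):
    """Parse an RFC 4515 subset, (&..) (|..) (!..) (attr=value), into nested tuples."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos} in {text!r}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError(f"unbalanced filter: {text!r}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)  # simple item: everything up to the next ')'
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip().lower())

    tree = node()
    if pos != len(text):
        raise ValueError(f"trailing data in filter: {text[pos:]!r}")
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against one entry (attribute name -> list of values)."""
    if tree[0] == "=":
        return tree[2] in [v.lower() for v in entry.get(tree[1], [])]
    if tree[0] == "&":
        return all(matches(c, entry) for c in tree[1])
    if tree[0] == "|":
        return any(matches(c, entry) for c in tree[1])
    return not matches(tree[1][0], entry)  # '!'

def in_scope(dn, base, scope):
    """Scopes: base (base entry only), one (direct children), sub (base plus whole subtree)."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    if not dn.endswith("," + base):
        return dn == base and scope in ("base", "sub")
    return scope == "sub" or (scope == "one" and "," not in dn[: -len(base) - 1])

def search(directory, base, scope, filt, page_size=None, cookie=0):
    """One search request. Unpaged: like AD, stop with sizeLimitExceeded past SIZE_LIMIT
    (modelled as an exception). Paged (RFC 2696 style): cookie 0 means 'no more pages'."""
    tree = parse_filter(filt)
    hits = [dn for dn, attrs in directory.items() if in_scope(dn, base, scope) and matches(tree, attrs)]
    if page_size is None:
        if len(hits) > SIZE_LIMIT:
            raise SizeLimitExceeded(f"{len(hits)} matches exceed the server limit of {SIZE_LIMIT}")
        return hits, 0
    end = cookie + min(page_size, SIZE_LIMIT)
    return hits[cookie:end], (end if end < len(hits) else 0)

def paged_search(directory, base, scope, filt, page_size=500):
    """The loop a client needs against AD: keep requesting pages until the cookie comes back empty."""
    results, cookie = [], 0
    while True:
        page, cookie = search(directory, base, scope, filt, page_size, cookie)
        results.extend(page)
        if cookie == 0:
            return results

def result_code_of_unpaged(directory, base, scope, filt):
    # 0 on success, otherwise the LDAP result code an unpaged search would end with
    try:
        search(directory, base, scope, filt)
        return 0
    except SizeLimitExceeded as exc:
        return exc.result_code

def build_sample_directory(n_users=1200):
    """Constructed sample tree shaped like the DNs in the post (not a real directory)."""
    d = {
        "DC=yyy,DC=zzz": {"objectclass": ["top", "domain"]},
        "CN=Users,DC=yyy,DC=zzz": {"objectclass": ["top", "container"], "cn": ["Users"]},
        "OU=xxx,DC=yyy,DC=zzz": {"objectclass": ["top", "organizationalunit"], "ou": ["xxx"]},
        "OU=staff,OU=xxx,DC=yyy,DC=zzz": {"objectclass": ["top", "organizationalunit"], "ou": ["staff"]},
    }
    for i in range(n_users):  # users a few OU levels below the root, as in the post
        d[f"CN=user{i},OU=staff,OU=xxx,DC=yyy,DC=zzz"] = {
            "objectclass": ["top", "person", "organizationalperson", "user"],
            "objectcategory": ["person"],  # AD maps 'person' to the schema class DN; modelled flat
            "cn": [f"user{i}"], "samaccountname": [f"user{i}"]}
    return d
```

With `d = build_sample_directory()`, `search(d, "dc=yyy,dc=zzz", "sub", PARAPHRASED_FILTER)` returns no entries because the whole text after the first `=` is taken as the value, `paged_search(d, "DC=yyy,DC=zzz", "sub", CORRECT_FILTER)` returns the same 1200 users as the search from `ou=xxx,dc=yyy,dc=zzz`, `search(d, "DC=yyy,DC=zzz", "one", "(CN=Users)")` returns only the Users container, and `result_code_of_unpaged(d, "DC=yyy,DC=zzz", "sub", CORRECT_FILTER)` is 4. In other words, in a plain search the root base is not what fails; the model above does not include one behaviour of real AD that does differ between the two bases: a subtree search from the domain root also returns search continuation references (referrals) for the DNS application partitions and any child domains, and a client that tries to chase them can fail or time out, so that is worth looking for in the capture Michael suggested. With OpenLDAP's ldapsearch the paged form of the query is `-E pr=1000/noprompt`, which lets a quick test reproduce the 1000-entry cut-off without writing code.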
RE: [ActiveDir] OT: Apache LDAP authentication oddity
So you're describing searching for something and talking about
authentication. Which is it?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, January 19, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Apache LDAP authentication oddity

We have an application that is using an Apache server to do LDAP
authentications against our active directory. (Yeah, I know; if only I
were king! LOL!) The application developer tells me that if he tries
doing an auth against our root base (dc=yyy,dc=zzz), the auth fails. If
he uses a search base of "ou=xxx,dc=yyy,dc=zzz", the auth works. The
user account that is being tested is some OU levels below this. He is
coding a subtree scope and he is filtering on (objectclass=user and
objectcategory=person).

It's like Apache needs to start at an OU structure. I couldn't find
much on Google about this other than someone else was having the same
issue last Fall and just gave up in frustration. The Apache
documentation I could find seemed to indicate that a search of
"dc=yyy,dc=zzz" SHOULD work.

Any thoughts/pointers are appreciated!

Thanks!

Mike Thommes