I'm trying to configure and understand apache2 LDAP authorization.
Currently I'm running openSUSE 13.1 64 Bit as a VM; I enabled the required modules and followed these steps: http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginSiteProtection.html
My httpd-local.conf (is included in the original httpd.conf):
AuthType Basic
AuthName "Mein geschütztes Verzeichnis"
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldap_server.DOMAIN1.DOMAIN2.de/ou=Test,ou=Benutzer,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de"
AuthLDAPBindDN "cn=Firstname Lastname,ou=Test,ou=Benutzer,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de"
AuthLDAPBindPassword "MyAccountPassword"
Require valid-user
When trying to log in with user "Firstname Lastname" and password "MyAcountPassword" I'm getting:
[Mon Jul 14 11:05:38.527956 2014] [auth_basic:error] [pid 5318] [client xxx.x.x.xxx:xxxxx] AH01618: user Firstname Lastname not found: /
[Mon Jul 14 11:05:38.528605 2014] [auth_basic:error] [pid 5318] [client xxx.x.x.xxx:xxxxx] AH01618: user Firstname Lastname not found: /error/HTTP_UNAUTHORIZED.html.var
When changing my configuration:
AuthType Basic
AuthName "Mein geschütztes Verzeichnis"
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldap_server.DOMAIN1.DOMAIN2.de/ou=Test,ou=Benutzer,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de"
AuthLDAPBindDN "cn=username,ou=Test,ou=Benutzer,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de"
AuthLDAPBindPassword "MyAccountPassword"
Require valid-user
and trying to log in with user "username" and password "MyAcountPassword" I'm getting:
[Mon Jul 14 11:09:01.972015 2014] [auth_basic:error] [pid 5372] [client xxx.x.x.xxx:xxxxx] AH01617: user username: authentication failure for "/": Password Mismatch
[Mon Jul 14 11:09:01.973896 2014] [auth_basic:error] [pid 5372] [client xxx.x.x.xxx:xxxxx] AH01617: user username: authentication failure for "/error/HTTP_UNAUTHORIZED.html.var": Password Mismatch
ldapsearch "ldap://ldap_server.DOMAIN1.DOMAIN2.de/ou=Test,ou=Benutzer,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de"
returns: ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
I can't really debug this because I have a couple of unanswered questions. I have never worked with LDAP before, just so you know. Why do I need to bind with a DN at all? I want to be able to connect with every user, not only with one. When finished, I'll create a homepage which needs this LDAP authentication when logging in, and depending on the user group (which I'd like to have returned when authenticating) the users will be shown different content.
Can someone explain this to me, and try to help me out?
Thanks in advance. Best regards.
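An added example (not from the question and not Apache's own code) that models how the parts of an AuthLDAPURL ("ldap://host[:port]/basedn?attribute?scope?filter") are read and which search filter the module sends for a login name before it ever checks a password; that search is what decides between AH01618 "user not found" and a bind attempt. The defaults (uid, sub, objectClass=*) are the documented ones for mod_authnz_ldap; the "sAMAccountName" variant is a constructed illustration, and the escaping of the login name follows RFC 4515 as an assumption about Apache's exact behaviour.

```python
from urllib.parse import unquote

# Added example (not part of the question): model how mod_authnz_ldap reads
# AuthLDAPURL "ldap://host[:port]/basedn?attribute?scope?filter" and which
# search it runs before it tries the user's password. Defaults follow the
# mod_authnz_ldap documentation; the escaping mirrors RFC 4515 and is an
# assumption about Apache's exact behaviour, not copied from its source.
DEFAULTS = {"attribute": "uid", "scope": "sub", "filter": "objectClass=*"}


def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL into host, base DN, attribute, scope and filter."""
    scheme, _, rest = url.partition("://")
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %r" % scheme)
    host, _, path = rest.partition("/")          # host ends at the first "/"
    parts = path.split("?")                      # dn ? attribute ? scope ? filter
    # The DN runs up to the first "?"; %XX sequences are decoded, a bare "/" is kept.
    base_dn = unquote(parts[0])
    attribute = parts[1] if len(parts) > 1 and parts[1] else DEFAULTS["attribute"]
    scope = parts[2] if len(parts) > 2 and parts[2] else DEFAULTS["scope"]
    if scope not in ("base", "one", "sub"):
        raise ValueError("invalid scope: %r" % scope)
    flt = unquote(parts[3]) if len(parts) > 3 and parts[3] else DEFAULTS["filter"]
    if flt.startswith("(") and flt.endswith(")"):
        flt = flt[1:-1]                          # outer parentheses are re-added below
    return {"host": host, "base_dn": base_dn, "attribute": attribute,
            "scope": scope, "filter": flt}


def escape_filter_value(value):
    """Escape RFC 4515 metacharacters so a login name cannot rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def user_search_filter(url, username):
    """The filter the module searches with; no match gives AH01618 'user not found'."""
    cfg = parse_auth_ldap_url(url)
    return "(&(%s)(%s=%s))" % (cfg["filter"], cfg["attribute"],
                                escape_filter_value(username))


if __name__ == "__main__":
    # The URL from the question as written: the login name is looked up under
    # the default attribute "uid", so "Firstname Lastname" is only found if some
    # entry under the base DN really has uid=Firstname Lastname.
    url = ("ldap://ldap_server.DOMAIN1.DOMAIN2.de/ou=Test,ou=Benutzer,"
           "ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de")
    print(parse_auth_ldap_url(url))
    print(user_search_filter(url, "Firstname Lastname"))
    # Naming the attribute to search on changes the lookup (constructed variant):
    print(user_search_filter(url + "?sAMAccountName?sub", "username"))
```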
Just for reference: the original documentation (for version 2.4: https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#authldapbinddn) has only the following about AuthLDAPBindDN:
AuthLDAPBindDN distinguished-name
My experience is that it is necessary to identify the binding account exactly, either by its exact DN (e.g. CN=...,OU=...) describing this account's exact position within the LDAP tree, or simply by the account's userPrincipalName value. (Overuse of the term 'exact' is intentional.)
I've seen reports that this parameter may be case sensitive on some platforms.