De Filippo Andrea [mailto:[EMAIL PROTECTED] said:
My question is how to authenticate apache2 via LDAP on Active
Directory.
This is my configuration in
/etc/apache2/sites-enabled/000-default:
# LDAP Authentication
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
<Location /prova>
Options Indexes FollowSymLinks
#AllowOverride None
order allow,deny
Allow from all
AuthType Basic
AuthName "Autenticazione utente"
AuthBasicAuthoritative off
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL ldap://gc2kwive01:389/dc=wind,dc=root,DC=it?sAMAccountName?sub?(objectClass=user)
require valid-user
</Location>
But I have this error in /var/log/apache2/error.log:
[Thu Jun 19 12:54:30 2008] [warn] [client 10.73.5.119] [22817] auth_ldap authenticate: user windroot\\de filippo authentication failed; URI /prova/index.html [User not found][No such object]
[Thu Jun 19 12:54:30 2008] [crit] [client 10.73.5.119] configuration error: couldn't check user. No user file?: /prova/index.html
I'm still fighting with some of my Active Directory authentication
needs, but I did get my subversion repository working correctly, so
maybe what I have here will help.
AD needs you to bind before it lets you search. Also, it sometimes
segments the information weirdly and uses redirects weirdly, so you
sometimes have to use port 3268 which is a magic merged global view of
the directory.
So here's what I have currently working, with obvious secret stuff
overwritten:
AuthName "Pine River Capital Windows Logon"
AuthType basic
AuthLDAPEnabled on
AuthLDAPURL "ldap://dc1.ourinternaldomain.local:3268/dc=pinerivercapital,dc=local?sAMAccountName?sub?(objectClass=user)(objectCategory=person)"
# Suitable user with read access
AuthLDAPBindDN "CN=accounttobindwith,OU=Service Accounts,OU=MPLS,DC=pinerivercapital,DC=local"
AuthLDAPBindPassword "itsasecret"
# Non-Authoritative lets it also look in .htpasswd; must config user file
AuthLDAPAuthoritative off
#AuthLDAPGroupAttributeIsDN on
AuthUserFile /home/svn/access/users
Require valid-user
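As an added example (not part of either message above), this Python script models how mod_authnz_ldap turns an AuthLDAPURL into the per-login search filter: it explains why the `(objectClass=user)(objectCategory=person)` filter in the working config assembles into a valid AND, and why the `windroot\de filippo` login in the first message's log could never match a sAMAccountName. The parenthesis-stripping, default values and RFC 4515 escaping are reproduced from my understanding of the module's source and are assumptions here; all function names are mine.

```python
from urllib.parse import urlsplit, unquote

# Constructed inputs: the two AuthLDAPURLs from the messages above.
WIND_URL = "ldap://gc2kwive01:389/dc=wind,dc=root,DC=it?sAMAccountName?sub?(objectClass=user)"
PINE_URL = ("ldap://dc1.ourinternaldomain.local:3268/dc=pinerivercapital,dc=local"
            "?sAMAccountName?sub?(objectClass=user)(objectCategory=person)")

# RFC 4515 escaping for a value embedded in a filter; backslash must go first.
_ESCAPES = (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00"))

def escape_filter_value(value):
    for raw, esc in _ESCAPES:
        value = value.replace(raw, esc)
    return value

def parse_auth_ldap_url(url):
    """Split an RFC 4516-style AuthLDAPURL into host, port, base DN,
    attribute, scope and filter. Assumption: defaults (uid, sub,
    objectclass=*) mirror the module's own."""
    parts = urlsplit(url)
    fields = unquote(parts.query).split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    return {
        "host": parts.hostname,
        "port": parts.port or 389,
        "base": unquote(parts.path.lstrip("/")),
        "attribute": fields[0] or "uid",
        "scope": fields[1] or "sub",
        "filter": fields[2] or "objectclass=*",
    }

def build_search_filter(url, username):
    """Assemble the filter sent for one login. The module strips one outer
    pair of parentheses from the configured filter and re-adds them inside
    the AND, so '(a)(b)' becomes '(&(a)(b)(attr=user))', a valid multi-term
    AND. The username is escaped so it cannot add terms of its own."""
    spec = parse_auth_ldap_url(url)
    flt = spec["filter"]
    if flt.startswith("(") and flt.endswith(")"):
        flt = flt[1:-1]
    return "(&(%s)(%s=%s))" % (flt, spec["attribute"], escape_filter_value(username))

def filter_is_balanced(flt):
    """Sanity check on the assembled filter before deploying an AuthLDAPURL."""
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0
```

Running `build_search_filter(WIND_URL, "windroot\\de filippo")` shows the backslash escaped to `\5c`, so the directory is asked for a sAMAccountName containing a literal backslash, which is what produces the "[User not found]" line; the user has to log in with the bare account name.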