mod_authz_ldap subtree query configuration failing, searching root of LDAP tree instead
I am trying to query a strange LDAP structure, which I need to authenticate against. Our app uses the REMOTE_USER variable to determine the user. I do not have access to the LDAP directory, hence I can't see its logs.

The structure needs me to query a sub part of the tree, demonstrated by this Perl script written to test the LDAP query (which works and returns a list of users as expected):

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Entry;

# Connect to the development directory server.
my $ldap = Net::LDAP->new('ldapdevel.my.edu.au') or die "$@";

# Bind with the service account.
my $mesg = $ldap->bind('uid=binduser,o=my.edu.au', password => 'bindpass');
if ($mesg->code) { die $mesg->error; }

# Search below o=my.edu.au for the user (Net::LDAP searches the whole
# subtree by default, i.e. scope 'sub').
$mesg = $ldap->search(
    base   => "o=my.edu.au",
    filter => "cn=devraj"
);
$mesg->code && die $mesg->error;

foreach my $entry ($mesg->entries) {
    $entry->dump;
}
```

My Apache configuration has the following in the VirtualHost entry, which aims to mimic the same query as described in the Perl script:

```apache
<Location />
    AuthType Basic
    AuthName "My Application"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPBindPassword bindpass
    AuthLDAPBindDN "uid=binduser,o=my.edu.au"
    AuthLDAPUrl "ldap://ldapdevel.my.edu.au/o=my.edu.au?cn?one"
    Require valid-user
</Location>
```

I can also confirm that Apache does successfully bind to the LDAP directory.

Apache error log messages for LDAP authentication, which indicate that the URI is /, hence Apache is searching the top of the directory and not the subtree of o=my.edu.au:

```
[Tue Sep 04 16:22:01 2012] [notice] Apache/2.2.15 (Unix) DAV/2 mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
[Tue Sep 04 16:22:20 2012] [info] [client xxx.xxx.xxx.xxx] [26064] auth_ldap authenticate: user devraj authentication failed; URI / [User not found][No such object]
[Tue Sep 04 16:22:20 2012] [error] [client xxx.xxx.xxx.xxx] user devraj not found:
```

I realise that the issue is the AuthLDAPUrl; my question is, what am I doing wrong in my AuthLDAPUrl, or should I be using another directive?

I've also tried to configure each parameter to mod_authz_ldap individually as follows:

```apache
<Location />
    AuthType Basic
    AuthName "My LDAP authenticated app"
    AuthzLDAPLogLevel debug
    AuthBasicProvider ldap
    AuthBasicAuthoritative off
    AuthzLDAPAuthoritative off
    AuthzLDAPBindPassword bindpass
    AuthzLDAPBindDN "uid=binduser,o=my.edu.au"
    AuthzLDAPMethod ldap
    AuthzLDAPServer ldapdevel.my.edu.au
    AuthzLDAPUserBase o=my.edu.au
    AuthzLDAPUserKey cn
    AuthzLDAPUserScope base
    AuthLDAPRemoteUserAttribute cn
    Require valid-user
</Location>
```

This actually works! BUT... Apache tried to bind as the user that's trying to log in, which obviously fails. If I log in with the bind user credentials it passes the auth. Error log extract:

```
[Fri Sep 07 14:14:27 2012] [error] [client xxx.xxx.xxx.xxx] [15628] bind as cn=devraj,l=X,ou=Students,o=my.edu.au failed: 49
[Fri Sep 07 14:14:27 2012] [error] [client xxx.xxx.xxx.xxx] [15628] basic LDAP authentication of user 'devraj' failed
[Fri Sep 07 14:14:27 2012] [error] [client xxx.xxx.xxx.xxx] access to / failed, reason: verification of user id 'devraj' not configured
```

Thanks for your time.
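The scope segment of an AuthLDAPUrl decides which entries the user search can return at all: `one` covers only direct children of the base DN, while `sub` covers the whole subtree (the module's default when the segment is empty). The following is an added example, not code from the question or from mod_authnz_ldap itself; it parses an AuthLDAPUrl with the defaults documented for the module and checks whether the user DN that the second error log shows (cn=devraj,l=X,ou=Students,o=my.edu.au) would fall inside the search scope of the URL from the first configuration. The DN handling is a simplification that assumes plain, comma-separated RDNs.

```python
import re
from urllib.parse import unquote


def parse_auth_ldap_url(url):
    """Split an AuthLDAPUrl into the fields mod_authnz_ldap uses.

    Format (RFC 2255 subset): ldap://host[:port]/basedn?attribute?scope?filter
    Defaults follow the module documentation: attribute 'uid', scope 'sub'
    ('base' is not supported and is treated as 'sub'), filter (objectClass=*).
    """
    m = re.match(r'^(ldaps?)://([^/]*)/(.*)$', url)
    if not m:
        raise ValueError("not an ldap:// URL: %r" % url)
    scheme, hostport, rest = m.groups()
    parts = rest.split('?')
    base = unquote(parts[0])
    attribute = parts[1] if len(parts) > 1 and parts[1] else 'uid'
    scope = parts[2].lower() if len(parts) > 2 and parts[2] else 'sub'
    if scope not in ('one', 'sub'):
        scope = 'sub'
    filt = unquote(parts[3]) if len(parts) > 3 and parts[3] else '(objectClass=*)'
    return {'scheme': scheme, 'host': hostport, 'base': base,
            'attribute': attribute, 'scope': scope, 'filter': filt}


def split_dn(dn):
    """Split a DN into normalised RDN strings, honouring backslash-escaped commas."""
    rdns = re.split(r'(?<!\\),', dn)
    return [r.strip().lower() for r in rdns if r.strip()]


def dn_in_scope(user_dn, base, scope):
    """Would a search rooted at `base` with `scope` ever return `user_dn`?"""
    u, b = split_dn(user_dn), split_dn(base)
    if len(u) <= len(b) or u[-len(b):] != b:
        return False            # entry is not under the base DN at all
    depth = len(u) - len(b)     # number of levels below the base
    return depth == 1 if scope == 'one' else True


# Values taken from the question: the URL from the first VirtualHost
# configuration and the DN logged for 'devraj' by the second one.
AUTH_LDAP_URL = "ldap://ldapdevel.my.edu.au/o=my.edu.au?cn?one"
USER_DN = "cn=devraj,l=X,ou=Students,o=my.edu.au"


def check(url=AUTH_LDAP_URL, user_dn=USER_DN):
    """Return (effective scope, whether the user DN is reachable)."""
    cfg = parse_auth_ldap_url(url)
    return cfg['scope'], dn_in_scope(user_dn, cfg['base'], cfg['scope'])
```

Running `check()` on the page's own values reports that the entry sits three levels below the base, so a `one` scope never sees it, whereas the same URL with `sub` does.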