Unable to authenticate using Apache and mod_authnz_ldap in Active Directory

I have a problem with Apache2 authentication using authnz_ldap_module in order to authenticate users from Active Directory. My Apache version is 2.2.16-6+squeeze10.

Here is the configuration I am trying to use with no luck (one of many combinations, to be precise):

AuthzLDAPAuthoritative off
AuthBasicProvider ldap
AuthType Basic
AuthName "Active Directory"
AuthLDAPURL "ldap://server1.my.company.tld:3268 server2.my.company.tld:3268/dc=my,dc=company,dc=tld?sAMAccountName?sub"
AuthLDAPBindDN "uid=my_user,dc=my,dc=company,dc=tld"
AuthLDAPBindPassword "mypassword"
Require valid-user

And I get the following entries in Apache's error.log:

[debug] mod_authnz_ldap.c(379): [client some_ip_here] [12391] auth_ldap authenticate: using URL ldap://server1.my.company.tld:3268 server2.my.company.tld:3268/dc=my,dc=company,dc=tld?sAMAccountName?sub
[info] [client some_ip_here] [12391] auth_ldap authenticate: user my_user authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
[error] [client some_ip_here] user my_user: authentication failure for "/": Password Mismatch

Of course I enter the correct password each time; otherwise I would have been blocked in AD about a hundred times already, which hasn't happened a single time so far.

I cannot verify that I can connect to my AD controller, because when I try:

ldapsearch -h server1.my.company.tld -p 3268 -D "dc=my,dc=company,dc=tld"

I get the following error:

text: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1

I have absolutely no idea how to bind with ldapsearch, and the manual didn't help me so far.

What am I doing wrong with Apache2 configuration and how can I bind with ldapsearch?

I will provide additional information if it is needed.


The most problematic case was AuthLDAPBindDN, which had to be in the form "[email protected]" and not "domain\user", nor simply "user", nor "uid=my_user,dc=my,dc=company,dc=tld". Below is the proper configuration that did work for me, which I provide here as the solution for this case.

            AuthzLDAPAuthoritative off
            AuthBasicProvider ldap
            AuthType Basic
            AuthName "Active Directory"
            AuthLDAPURL "ldap://server1.my.company.tld:3268 server2.my.company.tld:3268/DC=ad,DC=upos,DC=pl?sAMAccountName?sub?(objectClass=*)"
            AuthLDAPBindDN "[email protected]"
            AuthLDAPBindPassword "some_random_password"
            Require valid-user

It has taken me a long time to provide the answer, for which I am sorry.
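As an added example (not code from the question or either answer), here is a small Python parser for the AuthLDAPURL form used in both configurations above, together with a classifier for the bind identity forms the answer contrasts. The `uid`/`sub`/`(objectClass=*)` defaults and the ldap/ldaps default ports follow mod_authnz_ldap's documentation; every input string is constructed for the example.

```python
# Added example: parse mod_authnz_ldap's AuthLDAPURL and classify AuthLDAPBindDN.
# Not part of the original question or answers; runs offline on constructed input.
from urllib.parse import unquote

# Defaults documented for mod_authnz_ldap when a URL component is omitted.
DEFAULT_ATTRIBUTE = "uid"
DEFAULT_SCOPE = "sub"
DEFAULT_FILTER = "(objectClass=*)"


def parse_auth_ldap_url(url: str) -> dict:
    """Parse 'ldap://host1[:port] host2[:port]/basedn?attr?scope?filter'.

    mod_authnz_ldap accepts several space-separated hosts before the base DN
    and tries them in order, which is what the question's URL relies on.
    """
    scheme, _, rest = url.partition("://")
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {scheme!r}")
    default_port = 636 if scheme == "ldaps" else 389
    hostpart, _, path = rest.partition("/")
    hosts = []
    for entry in hostpart.split():
        name, _, port = entry.partition(":")
        hosts.append((name, int(port) if port else default_port))
    fields = path.split("?") if path else [""]
    attribute = fields[1] if len(fields) > 1 and fields[1] else DEFAULT_ATTRIBUTE
    scope = fields[2] if len(fields) > 2 and fields[2] else DEFAULT_SCOPE
    if scope not in ("sub", "one"):
        raise ValueError(f"scope must be 'sub' or 'one', got {scope!r}")
    ldap_filter = fields[3] if len(fields) > 3 and fields[3] else DEFAULT_FILTER
    return {
        "scheme": scheme,
        "hosts": hosts,
        "base_dn": unquote(fields[0]),
        "attribute": attribute,
        "scope": scope,
        "filter": ldap_filter,
        # 3268 is the AD Global Catalog port: searches span the whole forest but
        # only return the partial attribute set that is replicated to the GC.
        "global_catalog": any(port == 3268 for _, port in hosts),
    }


def bind_identity_form(bind_dn: str) -> str:
    """Classify an AuthLDAPBindDN value into the forms the answer tried.

    A 'dn' form must be the object's real distinguished name; AD user objects
    normally use a CN-based RDN, so a 'uid=...' DN usually names no object.
    """
    if "@" in bind_dn:
        return "upn"          # user@realm, the form that worked in the answer
    if "\\" in bind_dn:
        return "down-level"   # DOMAIN\user
    if "=" in bind_dn:
        return "dn"           # attr=value,... distinguished name
    return "bare"             # plain user name, not a DN at all
```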


You have to tell ldapsearch who you are binding as, so, per ldapsearch --help, use the -U switch and give it a user name, i.e.

ldapsearch -h server1.my.company.tld -p 3268 -D "dc=my,dc=company,dc=tld" -U <username>