# Please HELP! Apache2 and mod_auth_ldap

## rinacabj

I'm trying to use Apache2 with mod_auth_ldap to authenticate against a Windows 2003 Enterprise server's Active Directory.

i've got

```
net-www/apache-2.0.49-r3  +berkdb -doc +gdbm -ipv6 +ldap +ssl -static -threads
net-nds/openldap-2.1.26  +berkdb +crypt -debug +gdbm -ipv6 +kerberos -odbc +perl +readline +samba -sasl -slp +ssl +tcpd
```

in apache2.conf

```
LoadModule ldap_module                  extramodules/mod_ldap.so
LoadModule auth_ldap_module             extramodules/mod_auth_ldap.so
```

in commonapache2.conf

```
<Directory /var/www/localhost/htdocs/downloads>
  AuthLDAPEnabled On
  <IfModule mod_access.c>
    Order allow,deny
    Allow from all
  </IfModule>
  AuthName "AD.SERVER.ADDRESS"
  AuthType Basic
  AuthLDAPUrl ldap://ad.server.address/dc=ad.server.address?uid?sub?(objectClass=*)
  require valid-user
</Directory>
```

Apache works fine and when I go to the /downloads folder it asks me for a username and password. No matter what domain/user combination I put in I always get this:

```
Authorization Required

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

Apache/2.0.49 (Gentoo/Linux) mod_ssl/2.0.49 OpenSSL/0.9.7d Server at web.server.address Port 80
```

and my error_log outputs (including the startup output for reference and the error when it tries to authenticate):

```
[Mon Jun 28 12:53:05 2004] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Mon Jun 28 12:53:05 2004] [notice] LDAP: SSL support unavailable
[Mon Jun 28 12:53:05 2004] [notice] Digest: generating secret for digest authentication ...
[Mon Jun 28 12:53:05 2004] [notice] Digest: done
[Mon Jun 28 12:53:09 2004] [notice] Apache/2.0.49 (Gentoo/Linux) mod_ssl/2.0.49 OpenSSL/0.9.7d configured -- resuming normal operations
[Mon Jun 28 12:53:13 2004] [warn] [client myipaddress] [30022] auth_ldap authenticate: user myusername authentication failed; URI /downloads [ldap_search_ext_s() for user failed][Operations error]
```

I have searched high and low for help on the forums and must say I found a lot of little tips and things that were very helpful and got me as far as I am now. But now I'm stuck here and I've been pulling my hair out on it for the past week. Please, at least could someone just tell me it's possible to make it work?

Last edited by rinacabj on Thu Jul 01, 2004 6:57 pm; edited 1 time in total

----------

## rinacabj

I thought I might add that I have set up Samba and have joined the machine to the domain. I can kinit Admin blah blah and read user lists and everything off the server.

----------

## rinacabj

I was just thinking that maybe it isn't working because only Administrator has access to verify against AD. I was wrong. I tried 'kinit myusername' and put in my password and it worked fine. Proves that authentication IS working for the system. However, I must be incorrect in setting up the auth module for apache because that still doesn't work. Not even with administrator. Any ideas anyone? Please?

----------

## rinacabj

I tried adding these to the commonapache2.conf:

```
AuthLDAPBindDN "<ad-domain>\Administrator"
AuthLDAPBindPassword <password>
```

as well as:

```
AuthLDAPBindDN Administrator@AD.DOMAIN
```

and still get the same results in the error_log.

----------

## bin-doph

well, my herodays are pretty over I guess, but maybe I'll hit the road again

I have absolutely no experience with win2k3 (and I personally prefer apache1.3x) but I would change my LDAP-url in ur case from

*rinacabj wrote:*

> AuthLDAPUrl ldap://ad.server.address/dc=ad.server.address?uid?sub?(objectClass=*)

to

```
AuthLDAPUrl ldap://ad.server.address/dc=ad,dc=server,dc=address?sAMAccountName?sub?(objectClass=user)
```

did u test ur queries with ldapsearch from openldap? maybe try that too

hth

-fe

----------

## rinacabj

Thanks for the reply! I don't have any experience with LDAP so I'm not sure what ldapsearch is all about. Do I want to enable kerberos for the search? How do I specify what to search for? I imagine I'm using ldapsearch to scan the AD for a username I'd like to be able to authenticate with. I just don't know how to feed it to the ldapsearch command. I hate asking all these questions, sorry.

When I do

```
ldapsearch -h AD.SERVER.ADDRESS -k
```

i get

```
ldapsearch: not compiled with Kerberos support
```

And when I do

```
ldapsearch -h AD.SERVER.ADDRESS
```

i get

```
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C0905FF, comment: In order to perform this ope
 ration a successful bind must be completed on the connection., data 0, vece

# numResponses: 1
```

kerberos is in my USE flags. Shouldn't this be enabled for AD authentication to work at all? Maybe that's my problem.

----------

## rinacabj

I found some more info on ldapsearch and understand it now. Still can't get it working though. Is it necessary to have anything other than "out of the box" settings in my slapd.conf?

```
ldapsearch -D "dc=ad,dc=server,dc=address" -W "uid=myusername" -h ad.server.address
```

now gives me

```
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 525, vece
```

And yes, I'm using the correct password when it prompts.

----------

## rinacabj

I'm thinking about going ahead and dropping this machine and starting again on a different one. I just wanted to get a heads up if there should be an order in installing packages, and if I should go with apache1 or apache2. I was using apache2 on an Sun Ultra5 before.

Is it necessary to set up Samba and have the machine joined to the domain?

Are there any USE flags I should set besides kerberos and ldap?

----------

## bin-doph

I do not use kerberos with my ldap but, as I said, I don't know much about win2k3 (maybe they have enhanced "security" *woooohooo*). Check the security settings for the domain container in AD usermanager and see if "Everybody" has read access on the objects. If not, u can't connect to that AD server without proper credentials (that's what error 49 is about).

If u don't want to go on with ldapsearch maybe try a little perl script with Net::LDAP. The perldoc is pretty self-explanatory and a basic search shouldn't be that hard. What your basic problem is IMHO is that u don't have the permission to read from AD. Starting all over won't solve that problem.

cheers

-fe

----------

## rinacabj

Thanks for the reply again. Sorry about my last post, I'm just getting frustrated with this. I did check the read permissions on Active Directory and everyone has permission to read. I'm gonna go snoop around on some other forums. I think Gentoo is just too good for this question so I'll try something like....Red Hat forums.

----------

## rinacabj

All I could find on other forums was people having the same problem with no solutions. This is insane because I know people have this set up all over the place.

I changed my directory config a little to

```
<Directory /var/www/localhost/htdocs/downloads>
  SetHandler ldap-status
  Order deny,allow
  Deny from all
  Allow from AD.SERVER.DOMAIN
  AuthLDAPEnabled on
  AuthLDAPAuthoritative on
  AuthName "Password Access"
  AuthType Basic
  AuthLDAPUrl ldap://ad.server.address/cn=%AUTH_NAME%?uid
  require valid-user
  AuthLDAPBindDN Administrator@AD.SERVER.DOMAIN
  AuthLDAPBindPassword mypassword
</Directory>
```

so I get a new error:

```
[Thu Jul 01 13:46:13 2004] [warn] [client myipaddress] [25775] auth_ldap authenticate: user myusername authentication failed; URI /downloads [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
```

I can't help but think its got to be a problem with my ldapurl string or something. I'm replacing ad.server.address with the active directory server's IP address and AD.DOMAIN with the domain that the active directory server is a member of.

----------

## rinacabj

LDAP is working!!

my ldapsearch command:

```
ldapsearch -W -l 10 -D "cn=Administrator,cn=Users,dc=ad,dc=server,dc=domain"
```

will return the full list of active directory info. However, I can only connect by binding to my administrator password. The Active Directory has read access to everyone so I don't see why I can't even read it with my userid (in the administrators group). 

Besides getting the Active Directory read fixed, I just need to find out why my auth_ldap mod won't read the Active Directory through ldap. Could someone PLEASE show an example of a commonapache2.conf and apache2.conf with working urls and everything?

----------

## nextgen

Oh,  I would love to see those examples too!

-nextgen

----------

## rinacabj

Does anyone else out there believe that this must not be impossible?

----------

## michip

Hi,

not that problem ...

I use a .htaccess to allow access to AD. You don't need Kerberos etc., however the password goes in cleartext, don't forget that - maybe use stunnel on the AD server and then ldaps://..

OK, here it goes:

```
AuthType Basic
AuthName "LDAP TEST"
AuthLDAPBindDN cn=anaccount,cn=Users,dc=xxx,dc=yyy,dc=zz
AuthLDAPBindPassword verysecretpassword
AuthLDAPURL ldap://the-server:389/dc=xxx,dc=yyy,dc=zz?cn?sub?(&(cn=*)(objectclass=user)(!(objectclass=computer)))
require valid-user
```

Does it solve your problem? Looks just too simple. BTW, I tried to manage groups (aka OU), but it seems impossible currently.

CU

Michael
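
As an added example for this thread (not michip's configuration and not anything shipped by the Apache project), here is the same Apache 2.0 mod_auth_ldap setup with the weak choices from the earlier posts shown beside a corrected form. The host name ad.example.com, the base DN dc=ad,dc=example,dc=com, the svc-apache lookup account, the WebDownloads group and the CA file path are all assumptions.

```apache
# Weak form, as it appeared earlier in the thread (kept commented out):
#  - Domain Administrator credentials sit in a config file every local user can read;
#  - plain ldap:// sends every web user's password across the network in clear;
#  - SetHandler ldap-status replaces the directory's content with mod_ldap's cache
#    status page, so it does not belong inside a protected directory.
#<Directory /var/www/localhost/htdocs/downloads>
#  SetHandler ldap-status
#  AuthLDAPBindDN Administrator@AD.SERVER.DOMAIN
#  AuthLDAPBindPassword mypassword
#  AuthLDAPUrl ldap://ad.server.address/cn=%AUTH_NAME%?uid
#</Directory>

# Corrected form.  Server-wide (apache2.conf): the CA that signed the domain
# controller's certificate, so ldaps:// connections are verified, not only encrypted.
LDAPTrustedCA     /etc/apache2/ssl/ad-root-ca.pem
LDAPTrustedCAType BASE64_FILE

<Directory /var/www/localhost/htdocs/downloads>
  Order allow,deny
  Allow from all

  AuthType Basic
  AuthName "AD login"
  AuthLDAPEnabled on
  AuthLDAPAuthoritative on

  # Dedicated, unprivileged account used only for the lookup search.  The module
  # re-binds as the user's own DN with the password the browser sent, so this
  # account never needs more than ordinary read access to the user objects.
  AuthLDAPBindDN "cn=svc-apache,cn=Users,dc=ad,dc=example,dc=com"
  AuthLDAPBindPassword "svc-pass"

  # ldaps on 636; base DN in DN form (dc=ad,dc=example,dc=com, not dc=ad.example.com);
  # look users up by sAMAccountName; exclude computer objects, which AD also marks
  # as objectClass user.
  AuthLDAPUrl "ldaps://ad.example.com:636/dc=ad,dc=example,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))"

  # Limit access to one AD group instead of every valid user; AD stores group
  # membership as DNs in the member attribute.
  AuthLDAPGroupAttribute member
  AuthLDAPGroupAttributeIsDN on
  require group cn=WebDownloads,cn=Users,dc=ad,dc=example,dc=com
</Directory>
```

Keep the file that carries AuthLDAPBindPassword root-owned and unreadable to other local users; Apache reads its configuration before dropping privileges. If the server is an OpenLDAP slapd rather than AD (nextgen's case), ldaps:// additionally needs TLSCertificateFile and TLSCertificateKeyFile in slapd.conf, and the CA given to LDAPTrustedCA must be the one that signed that certificate; a failed TLS handshake makes every bind fail, and the browser shows the same "Authorization Required" page for every LDAP error, so the real reason is only in error_log.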

----------

## rinacabj

Thanks, I'll give that a try. What should it expect in the login ID box?

Username@AD.DOMAIN

ADDOMAIN\Username

Username

----------

## nextgen

I've successfully done webdavs (webdav secure) with ldap authentication using this URL in my 45_mod_dav.conf file:

```
AuthLDAPURL ldap://example.com/dc=example,dc=com?cn
```

That works! All I have to do is to enter the "cn" and password corresponding to that "cn".

But when I replace "ldap" by "ldaps":

```
AuthLDAPURL ldaps://example.com/dc=example,dc=com?cn
```

the authentication will never accept my (correctly entered) password.

What am I forgetting to setup? My /etc/conf.d/slapd file shows:

```
OPTS="-h 'ldaps:// ldap://'"
```

----------

## rinacabj

Thanks a lot for your help. I got the authentication working over mod_auth_ldap using my Active Directory username. Just one more question, and it's more of a convenience thing, but can you use the username and password the user enters as the bind user?

Maybe something like this:

```
AuthLDAPBindDN "sAMAccountName=%AUTH_NAME%,dc=ad,dc=domain"

AuthLDAPBindPassword %AUTH_PASS%
```

Also, when I go to http://serverIP/folder it says the page cannot be displayed. I have to go to http://serverIP/folder/ to have it come up. That's got to be an easy fix but I don't know what it is.
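
The sequence mod_auth_ldap runs, modelled as an added example written for this thread (it is not code from the Apache project or from any poster): parse the AuthLDAPUrl, bind with the configured DN, search for the user, then bind again as the DN that was found using the password the browser sent. It reproduces the first error in the thread (an anonymous search, which AD refuses with "Operations error"), shows why bin-doph's URL change works (DN-form base, sAMAccountName instead of uid) and what michip's !computer clause excludes, escapes the login name so it cannot widen the filter, and answers the %AUTH_NAME% question above: the user's own password is always used for the second bind, so AuthLDAPBindDN only needs read access for the lookup. It also prints the ldapsearch line that reproduces the lookup. The directory is an in-memory stand-in; ad.example.com, dc=ad,dc=example,dc=com, svc-apache, jdoe, WEB01$ and every password are constructed sample data.

```python
"""Model of Apache 2.0 mod_auth_ldap's search-then-bind flow against an AD-like
directory.  Added illustration for this thread: the directory, entries and
passwords below are constructed sample data, not a real server."""
import re
from urllib.parse import urlsplit, unquote

class LdapError(Exception):
    pass                                         # message carries the result text, e.g. 'Invalid credentials (49)'

def parse_auth_ldap_url(url):
    """Split an AuthLDAPUrl (RFC 2255 form); defaults: attr uid, scope sub, (objectClass=*)."""
    u = urlsplit(url)
    q = u.query.split("?") if u.query else []
    return {"scheme": u.scheme, "host": u.hostname,
            "port": u.port or (636 if u.scheme == "ldaps" else 389),
            "base": unquote(u.path.lstrip("/")),
            "attr": q[0] if len(q) > 0 and q[0] else "uid",
            "scope": q[1].lower() if len(q) > 1 and q[1] else "sub",
            "filter": unquote(q[2]) if len(q) > 2 and q[2] else "(objectClass=*)"}

def escape_filter_value(value):
    """RFC 4515 escaping, so a login name such as 'jdoe*' cannot widen the search."""
    esc = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(esc.get(c, c) for c in value)

def user_search_filter(cfg, username):
    """The filter the module really sends: configured filter AND attr=<user>."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attr"], escape_filter_value(username))

def _parse(s, i=0):
    """Minimal filter parser: (attr=value) plus the &, | and ! combinators."""
    i += 1                                       # step over '('
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1                 # step over ')'
    j = s.index(")", i)                          # safe: ')' inside a value arrives as \29
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.lower(), value), j + 1

def _match(node, entry):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(_match(k, entry) for k in node[1])
    if node[0] == "!":
        return not _match(node[1][0], entry)
    vals = [v.lower() for v in entry.get(node[1], [])]
    if node[2] == "*":                           # presence test, e.g. (cn=*)
        return bool(vals)
    literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), node[2])
    return literal.lower() in vals               # AD compares most attributes case-insensitively

class FakeDirectory:
    """In-memory stand-in for AD: anonymous searches give operationsError, bad binds give 49."""
    def __init__(self, entries, passwords):
        self.entries, self.passwords = entries, passwords
    def simple_bind(self, dn, password):
        if dn and self.passwords.get(dn) == password:
            return dn                            # the "connection" is just the bound DN
        raise LdapError("Invalid credentials (49)")
    def search(self, bound_as, base, scope, filt):   # scope "one" treated as sub
        if bound_as is None:
            raise LdapError("Operations error (1): a successful bind must be completed")
        node, b = _parse(filt)[0], base.lower()
        return [dn for dn, e in self.entries.items() if _match(node, e) and
                (dn.lower() == b or (scope != "base" and dn.lower().endswith("," + b)))]

def authenticate(directory, url, bind_dn, bind_pw, username, password):
    """Bind as AuthLDAPBindDN (anonymously if unset), search for the user, then rebind
    as the user's own DN with the browser-supplied password.  The bind DN is only
    used for the lookup; the user's password is always what gets checked."""
    cfg = parse_auth_ldap_url(url)
    try:
        conn = directory.simple_bind(bind_dn, bind_pw) if bind_dn else None
        dns = directory.search(conn, cfg["base"], cfg["scope"], user_search_filter(cfg, username))
    except LdapError as e:
        return False, "ldap_search_ext_s() for user failed [%s]" % e
    if len(dns) != 1:
        return False, "user not found or not unique (%d matches)" % len(dns)
    try:
        directory.simple_bind(dns[0], password)
    except LdapError as e:
        return False, "ldap_simple_bind_s() failed [%s]" % e
    return True, dns[0]

def ldapsearch_command(url, bind_dn, username):
    """OpenLDAP ldapsearch line reproducing the lookup (-x: simple bind, not SASL)."""
    c = parse_auth_ldap_url(url)
    return "ldapsearch -x -H %s://%s:%d -D '%s' -W -b '%s' -s %s '%s' dn" % (
        c["scheme"], c["host"], c["port"], bind_dn, c["base"], c["scope"], user_search_filter(c, username))

# Constructed sample directory: a lookup service account, one user, and one computer
# object (in AD a computer is also objectClass user, hence michip's !computer clause).
BASE = "dc=ad,dc=example,dc=com"
USER_OC = ["top", "person", "organizationalPerson", "user"]
SVC_DN, USER_DN = "cn=svc-apache,cn=Users," + BASE, "cn=Jane Doe,cn=Users," + BASE
PC_DN = "cn=WEB01,cn=Computers," + BASE
DIRECTORY = FakeDirectory(
    {SVC_DN: {"objectclass": USER_OC, "cn": ["svc-apache"], "samaccountname": ["svc-apache"]},
     USER_DN: {"objectclass": USER_OC, "cn": ["Jane Doe"], "samaccountname": ["jdoe"]},
     PC_DN: {"objectclass": USER_OC + ["computer"], "cn": ["WEB01"], "samaccountname": ["WEB01$"]}},
    {SVC_DN: "svc-pass", USER_DN: "Jane-pass", PC_DN: "machine-secret"})
URL_AD = "ldap://ad.example.com/" + BASE + "?sAMAccountName?sub?(objectClass=user)"
```

Run `authenticate(DIRECTORY, URL_AD, None, None, "jdoe", "Jane-pass")` and the lookup fails with the Operations error from the first post, because AD will not search for an anonymous connection; with `SVC_DN` and its password as the bind it succeeds, and a wrong user password fails at the second bind with "Invalid credentials (49)". The original `?uid?sub?(objectClass=*)` URL finds nothing because AD users carry no uid attribute. `ldapsearch_command(URL_AD, SVC_DN, "jdoe")` gives the line to try by hand before touching the Apache configuration.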

----------

## michip

Hi, 

second part of your question:

*Quote:*

> http://serverIP/folder

is not a valid URL, because of the missing / at the end. Apache sends a 301 Moved Permanently to your browser, with the URL completed. That's why you have to authenticate twice.

CU

Michael

----------

## dvc5

*rinacabj wrote:*

> Also, when I go to http://serverIP/folder it says the page cannot be displayed. I have to go to http://serverIP/folder/ to have it come up. That's got to be an easy fix but I don't know what it is.

Just use a rewrite rule to append the "/" to the end. I forget, but it's in the apache documentation. "RewriteEngine" or something like that. I'm curious, are you able to extract passwords with your ldap authentication? Or are you merely doing a boolean check for a successful bind? I'm trying to figure out how to replicate the AD to an openldap server and can't extract the passwords since they don't show up in insecure ldapsearches.

----------

## michip

Hi,

I've never seen the passwords of AD - they are not part of the visible LDAP of AD, they are still kept in the registry. You can't read them; the only way I know is to boot Linux with NTFS and to copy the SAM* file to something else to hack it (well this was NT4, I've forgotten the password..ahem). Look for the L0pht utils:

http://www.evadenet.com/downloads/lophtcrack.shtml

The check in bind is boolean, I think.

CU

Michael

----------

