Reputation: 6711
Why is my LDAP authentication/url not working?
I am configuring Apache2 to require valid LDAP credentials for a specific resource. I have for example the following AuthnProviderAlias
<AuthnProviderAlias ldap users>
AuthLDAPURL "ldap://ldap.devops.ok/dc=devops,dc=ok?uid?sub?(&(objectClass=organizationalPerson)(isMemberOf=cn=users,dc=groups,dc=devops,dc=ok))"
AuthLDAPBindDN "cn=admin"
AuthLDAPBindPassword ****
</AuthnProviderAlias>
Basic authentication is configured, there is a prompt for credentials but users cannot get in. Apache reports internal server 500 response code.
When I add LogLevel debug log shows that user is not valid
[Thu Sep 01 08:57:37.878815 2016] [authz_core:debug] [pid 3501] mod_authz_core.c(809): [client 10.0.2.2:34163] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Thu Sep 01 08:57:37.878887 2016] [authz_core:debug] [pid 3501] mod_authz_core.c(809): [client 10.0.2.2:34163] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
My suspicion is that AuthLDAPURL is not correct.
How can I check if this URL is correct? The URL is simple now but it will be more complex. Is there a better way coming up with a valid URL other than trial and error, reloading Apache service? What tools can I use?
Upvotes: 0
Views: 3119
Answers (2)
Reputation: 141
I suggest using the ldapsearch utility to check to ensure you can successfully bind search using the filter.
ldapsearch -x -H ldap://ldap.devops.ok -b dc=devops,dc=ok -D "cn=Admin" -w yourpassword "(&(objectClass=organizationalPerson)(isMemberOf=cn=users,dc=groups,dc=devops,dc=ok))" uid
Also like jwilleke suggests double check your BindDN to ensure it's correct.
It's not good security practice to use your "cn=Admin" or "cn=Directory Manager" (your admin accounts for your Directory Server) to bind to a directory server. Create an unprivileged service account to perform these tasks.
Upvotes: 1
Reputation: 11046
I am guessing that cn=admin is the issue. Is that the Fully Distinguished name of the admin user?
"no authenticated user yet" implies the LDAP server implementation is not accepting the bind request.
Try the connection with a KNOW good LDAP browser. (We like APache Studio)
Upvotes: 0
Related Questions
- How to make LAMP LDAPS authentication work?
- Apache LDAP auth
- Apache 2.4 and LDAP
- Apache2.4 ldap authentication causes 500 error
- Apache 24 with openldap fail to prompt user login
- Apache mod auth_ldap won't work if ssl turned on
- LDAP Authentication not working for login page
- Apache Active Directory mod_authnz_ldap not working
- Apache LDAP Authentication Keeps Giving HTTP 500
- PHP LDAP authentication NOT WORKING