onknows

Reputation: 6711

Why is my LDAP authentication/url not working?

I am configuring Apache2 to require valid LDAP credentials for a specific resource. I have for example the following AuthnProviderAlias

<AuthnProviderAlias ldap users>
AuthLDAPURL "ldap://ldap.devops.ok/dc=devops,dc=ok?uid?sub?(&(objectClass=organizationalPerson)(isMemberOf=cn=users,dc=groups,dc=devops,dc=ok))"
AuthLDAPBindDN "cn=admin"
AuthLDAPBindPassword ****
</AuthnProviderAlias>

Basic authentication is configured and there is a prompt for credentials, but users cannot get in. Apache returns a 500 Internal Server Error response code.

When I add LogLevel debug, the log shows that the user is not valid:

[Thu Sep 01 08:57:37.878815 2016] [authz_core:debug] [pid 3501] mod_authz_core.c(809): [client 10.0.2.2:34163] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Thu Sep 01 08:57:37.878887 2016] [authz_core:debug] [pid 3501] mod_authz_core.c(809): [client 10.0.2.2:34163] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)

My suspicion is that AuthLDAPURL is not correct.

How can I check whether this URL is correct? The URL is simple now, but it will become more complex. Is there a better way of coming up with a valid URL than trial and error and reloading the Apache service? What tools can I use?

Upvotes: 0

Views: 3119

Answers (2)

ARPT

Reputation: 141

I suggest using the ldapsearch utility to check that you can successfully bind and search using the filter.

ldapsearch -x -H ldap://ldap.devops.ok -b dc=devops,dc=ok -D "cn=Admin" -w yourpassword "(&(objectClass=organizationalPerson)(isMemberOf=cn=users,dc=groups,dc=devops,dc=ok))" uid

Also, as jwilleke suggests, double-check your BindDN to ensure it's correct.

It's not good security practice to use your "cn=Admin" or "cn=Directory Manager" (your admin accounts for your Directory Server) to bind to a directory server. Create an unprivileged service account to perform these tasks.

Upvotes: 1
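The answer above hand-translates one AuthLDAPURL into an ldapsearch call; the following helper does that translation mechanically so a changed URL can be checked from a shell before Apache is reloaded. It is an added example, not code from the answer, from Apache or from the asker. It assumes the AuthLDAPURL layout scheme://host[:port]/basedn?attribute?scope?filter documented for mod_authnz_ldap, and that mod_authnz_ldap strips the filter's outer parentheses and searches for (&(filter)(attribute=username)) with the username escaped as an LDAP filter value; the function names, the DRY_RUN switch and the sample usernames are assumptions made for the example. It uses ldapsearch -W (prompt for the bind password) rather than -w, so the password does not end up in the process list or shell history.

```shell
#!/bin/sh
# Added helper (not part of Apache or of the answer above): rebuild the LDAP
# search that mod_authnz_ldap performs for a given AuthLDAPURL and username,
# so the URL can be checked with ldapsearch without reloading Apache.
#
# AuthLDAPURL layout:  scheme://host[:port]/basedn?attribute?scope?filter
# Empty parts default to attribute=uid, scope=sub, filter=(objectClass=*).
# Apache drops the outer parentheses of the URL filter and searches for
#   (&(filter)(attribute=<username>))
# with the username escaped as a filter value, so a login name such as
# "a*)(uid=*" cannot rewrite the filter. Filters that themselves contain
# a '?' are not handled by this helper.

# Escape the characters that are special inside an LDAP filter value.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                             -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# Print the combined filter Apache would send for USERNAME under URL.
# Usage: apache_ldap_filter URL USERNAME
apache_ldap_filter() (
    url=$1; user=$2
    rest=${url#*://}; rest=${rest#*/}            # drop scheme and host[:port]
    IFS='?'; set -f; set -- $rest; set +f; unset IFS
    attr=${2:-uid}; filter=${4:-'(objectClass=*)'}
    filter=${filter#"("}; filter=${filter%")"}   # Apache drops the outer parens
    printf '(&(%s)(%s=%s))\n' "$filter" "$attr" "$(ldap_filter_escape "$user")"
)

# Run (or, with DRY_RUN=1, print) the ldapsearch equivalent of Apache's lookup.
# -W prompts for the bind password instead of taking it on the command line.
# Usage: check_authldapurl URL BINDDN USERNAME
check_authldapurl() (
    url=$1; binddn=$2; user=$3
    scheme=${url%%://*}; rest=${url#*://}
    hostport=${rest%%/*}; rest=${rest#*/}
    IFS='?'; set -f; set -- $rest; set +f; unset IFS
    basedn=$1; attr=${2:-uid}; scope=${3:-sub}
    case $scope in
        base|one|sub) ;;
        *) echo "unsupported scope '$scope' in AuthLDAPURL" >&2; exit 1 ;;
    esac
    set -- -x -H "$scheme://$hostport" -b "$basedn" -s "$scope" -D "$binddn" -W \
           "$(apache_ldap_filter "$url" "$user")" "$attr"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "ldapsearch $*"
    else
        ldapsearch "$@"
    fi
)

# Example with the URL from the question and an assumed username "alice":
# DRY_RUN=1 check_authldapurl \
#   'ldap://ldap.devops.ok/dc=devops,dc=ok?uid?sub?(&(objectClass=organizationalPerson)(isMemberOf=cn=users,dc=groups,dc=devops,dc=ok))' \
#   'cn=admin' alice
```

If the printed search returns exactly one entry for a real username, the URL's base DN, scope, attribute and filter are sound and the remaining suspects are the bind DN and password; if it returns nothing, narrow the filter one clause at a time. Once a bind DN works here, the same DN (ideally an unprivileged service account, as the answer says) goes into AuthLDAPBindDN.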

jwilleke

Reputation: 11046

I am guessing that cn=admin is the issue. Is that the fully distinguished name of the admin user?

"no authenticated user yet" implies the LDAP server implementation is not accepting the bind request.

Try the connection with a known-good LDAP browser. (We like Apache Studio.)

Upvotes: 0
