LDAP Authentication fails with 500 or 401 depending on bind for Apache2
Solution 1
Turns out I was nearly there. I simply missed the AuthzLDAPAuthoritative off directive which is specific to my instance.
As a further note we also wanted to limit the repo to only identified users so we chained the authentication with a file as well. Example below:
RedirectMatch ^(/repos)$ $1/
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
<Location /repos/>
DAV svn
SVNParentPath /var/svn/repos
SVNListParentPath On
SVNAutoversioning On
AuthType Basic
AuthName "Subversion Repository"
AuthBasicProvider file ldap
AuthzLDAPAuthoritative off
AuthLDAPBindDN "OU=Service Accounts,OU=User Accounts,DC=example,DC=com"
AuthLDAPBindPassword xXxXxXx
AuthLDAPUrl "ldap://ldap.example.com:389/OU=User Accounts,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
AuthzSVNAccessFile /etc/svn-authn
SVNIndexXSLT "/styles/svnindexICore.xsl"
AuthUserFile /etc/svn-auth-file
#AuthBasicProvider file ldap
Require valid-user
</Location>
Solution 2
I had the same problem. The identical configuration I tested on Ubuntu did not work on RHEL5. I ended up changing from port 389 to 3268 after reading this and that fixed my problem.
Solution 3
Comparing your configuration to a working configuration with Active Directory on Apache 2.2.3, the only differences I'm seeing are:
- I am using the "DOMAIN\sAMAccountName" style username for my AuthLDAPBindDN
- I do not have NONE after my AuthLDAPURL
Aside from those suggestions, I'd recommend running tcpdump on the conversation between Apache and Active Directory to see what might be transpiring there, too.
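Before reaching for tcpdump, it helps to reproduce exactly the search Apache issues. The following helper is an added example (not code from any of the answers above): it parses an AuthLDAPUrl the way mod_authnz_ldap reads it (RFC 2255 form, with the module's defaults for attribute, scope and filter), builds the filter the module sends for a given login name, and prints the equivalent ldapsearch command. The URL and bind DN are taken from Solution 1's config; "myuser" is the login name from the question.

```python
import shlex
from dataclasses import dataclass

@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    attribute: str
    scope: str
    filter: str

def parse_auth_ldap_url(url: str) -> LdapUrl:
    """Parse an AuthLDAPUrl: scheme://host[:port]/basedn?attribute?scope?filter."""
    scheme, _, rest = url.partition("://")
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {scheme!r}")
    hostport, _, rest = rest.partition("/")
    host, _, port = hostport.partition(":")
    base_dn, attribute, scope, filt = (rest.split("?", 3) + [""] * 3)[:4]
    if filt and not filt.startswith("("):
        filt = f"({filt})"
    # mod_authnz_ldap defaults: attribute uid, scope sub, filter (objectClass=*)
    return LdapUrl(scheme, host, int(port) if port else (636 if scheme == "ldaps" else 389),
                   base_dn, attribute or "uid", scope or "sub", filt or "(objectClass=*)")

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name cannot change the structure of the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def apache_search_filter(url: LdapUrl, username: str) -> str:
    """The filter the module sends: the URL filter ANDed with attribute=<login name>."""
    return f"(&{url.filter}({url.attribute}={escape_filter_value(username)}))"

def ldapsearch_command(url: LdapUrl, bind_dn: str, username: str) -> str:
    """Equivalent OpenLDAP ldapsearch call (-x simple bind, -W prompts for the password)."""
    argv = ["ldapsearch", "-x", "-H", f"{url.scheme}://{url.host}:{url.port}",
            "-D", bind_dn, "-W", "-b", url.base_dn, "-s", url.scope,
            apache_search_filter(url, username), url.attribute]
    return " ".join(shlex.quote(a) for a in argv)

if __name__ == "__main__":
    url = parse_auth_ldap_url("ldap://ldap.example.com:389/OU=User Accounts,DC=example,DC=com"
                              "?sAMAccountName?sub?(objectClass=user)")
    print(ldapsearch_command(url, "OU=Service Accounts,OU=User Accounts,DC=example,DC=com", "myuser"))
    if url.port == 389:
        # Solution 2 resolved the same symptom against AD by moving to the Global Catalog port 3268.
        print("note: port 389 in use; try 3268 if the search fails against Active Directory")
```

Note that the question's own ldapsearch filtered on cn=myuser, while the module searches on the attribute named in the URL (sAMAccountName), so the printed command is the closer reproduction.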
Comments
-
Erik almost 2 years
I'm setting up LDAP authentication for our Subversion repository hosted through Apache on a RHEL 5 system. I run into two different issues when I try to authenticate against Active Directory.
<Location /svn/>
Dav svn
SvnParentPath /srv/subversion
SVNListParentPath On
AuthType Basic
AuthName "Subversion Repository"
AuthBasicProvider ldap
AuthLDAPBindDN "cn=userfoo,ou=Service Accounts,ou=User Accounts,dc=my,dc=example,dc=com"
AuthLDAPBindPassword "mypass"
AuthLDAPUrl "ldap://my.example.com:389/ou=User Accounts,dc=my,dc=example,dc=com?sAMAccountName?sub?(objectClass=user)" NONE
Require valid-user
</Location>
If I use the above configuration it continually prompts me with the Basic prompt and I have to eventually select Cancel, which returns a 401 (Authorization Required). If I comment out the bind parts it returns 500 (Internal Server Error), griping that authentication failed:
[Mon Nov 02 12:00:00 2009] [warn] [client x.x.x.x] [10744] auth_ldap authenticate: user myuser authentication failed; URI /svn [ldap_search_ext_s() for user failed][Operations error]
When I perform the bind using ldapsearch and filter for a simple attribute it returns correctly:
ldapsearch -h my.example.com -p 389 -D "cn=userfoo,ou=Service Accounts,ou=User Accounts,dc=my,dc=example,dc=com" -b "ou=User Accounts,dc=my,dc=example,dc=com" -w - "&(objectClass=user)(cn=myuser)" sAMAccountName
Unfortunately I have no control or insight into the AD part of the system, only the RHEL server. Does anyone know what the hang up is here?
-
Rilindo over 12 years
What does apache error_log say?
-
Erik over 12 years
It's the code block just after the "griping that authentication failed:" statement.
-
Erik over 14 years
cn or sAMAccountName are both available, and in the case of our network interchangeable.
-
silk over 14 years
Can you access the AD logs? It would be good to confront what apache asks the AD. I have a similar configuration with OpenLDAP and it is working fine. So the problem must lie somewhere else. Maybe some SE extensions or sth? Maybe the apache process is not able to open sockets? No other ideas.
-
Erik about 14 years
I found these docs as well. Unfortunately they didn't provide any insight as to the underlying issue.
-
Erik about 14 years
I spoke with the LDAP admin and they couldn't identify anything in the logs. Also problematic is the LDAP instance deals with logins from nearly 13,000 accounts daily. A proverbial needle.
-
silk about 14 years
Couldn't identify anything? This seems strange :) At least he should be able to tell you if the apache at least connects, and later what queries it issues.
-
voretaq7 over 12 years
Hi Kieren, can you please include some of the salient details of that discussion (like what specific steps you took to resolve the problem) in your answer? This makes your answer useful if that forum post ever goes away (see here for more info).