
I am configuring Apache2 to require valid LDAP credentials for a specific resource. I have, for example, the following AuthnProviderAlias:

<AuthnProviderAlias ldap users>
AuthLDAPURL "ldap://ldap.devops.ok/dc=devops,dc=ok?uid?sub?(&(objectClass=organizationalPerson)(isMemberOf=cn=users,dc=groups,dc=devops,dc=ok))"
AuthLDAPBindDN "cn=admin"
AuthLDAPBindPassword ****
</AuthnProviderAlias>

Basic authentication is configured; there is a prompt for credentials, but users cannot get in. Apache reports a 500 Internal Server Error response code.

When I add LogLevel debug, the log shows that the user is not valid:

[Thu Sep 01 08:57:37.878815 2016] [authz_core:debug] [pid 3501] mod_authz_core.c(809): [client 10.0.2.2:34163] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Thu Sep 01 08:57:37.878887 2016] [authz_core:debug] [pid 3501] mod_authz_core.c(809): [client 10.0.2.2:34163] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)

My suspicion is that AuthLDAPURL is not correct.

How can I check if this URL is correct? The URL is simple now, but it will be more complex. Is there a better way of coming up with a valid URL than trial and error and reloading the Apache service? What tools can I use?

2 Answers


I suggest using the ldapsearch utility to ensure you can successfully bind and search using the filter.

ldapsearch -x -H ldap://ldap.devops.ok -b dc=devops,dc=ok -D "cn=Admin" -w yourpassword "(&(objectClass=organizationalPerson)(isMemberOf=cn=users,dc=groups,dc=devops,dc=ok))" uid

Also, as jwilleke suggests, double-check your BindDN to ensure it's correct.

It's not good security practice to use your "cn=Admin" or "cn=Directory Manager" (your admin accounts for your Directory Server) to bind to a directory server. Create an unprivileged service account to perform these tasks.
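As an added example (not code from the question, from either answer, or from Apache itself), the following POSIX shell script takes an AuthLDAPURL apart into base DN, attribute, scope and filter, lints the static parts, and prints the ldapsearch command that performs the same lookup mod_authnz_ldap would run for one user. This is a way to exercise the URL from a shell before it goes into the Apache config, and it extends the ldapsearch suggestion above to URLs that leave fields at their defaults. The helper names (`field`, `parse_authldapurl`, `lint_authldapurl`, `build_ldapsearch`), the bind DN and the test username are assumptions of the example; the bind password is requested by `ldapsearch -W` rather than placed on the command line.

```shell
#!/bin/sh
# Added example; not code from the question, either answer, or Apache itself.
# Splits an Apache AuthLDAPURL (mod_authnz_ldap form:
#   scheme://host[:port]/basedn?attribute?scope?filter)
# into its parts, lints the static parts, and prints the ldapsearch command
# that runs the same lookup mod_authnz_ldap performs for one user.
# Assumptions: the bind DN and test username are supplied by the caller; the
# bind password is requested by ldapsearch -W instead of being passed with -w,
# where it would show up in process listings and shell history.

# field KEY TEXT -> the value of the "KEY=value" line in TEXT
field() { printf '%s\n' "$2" | sed -n "s/^$1=//p"; }

# parse_authldapurl URL -> key=value lines: uri, basedn, attribute, scope, filter
parse_authldapurl() {
    url=$1
    scheme=${url%%://*}
    rest=${url#*://}
    hostport=${rest%%/*}
    case $rest in
        */*) path=${rest#*/} ;;
        *)   path='' ;;
    esac
    # path is basedn?attribute?scope?filter; any field may be left empty
    basedn=${path%%\?*}
    remainder=${path#"$basedn"}; remainder=${remainder#\?}
    attribute=${remainder%%\?*}
    remainder=${remainder#"$attribute"}; remainder=${remainder#\?}
    scope=${remainder%%\?*}
    filter=${remainder#"$scope"}; filter=${filter#\?}
    # defaults mod_authnz_ldap documents for omitted fields
    [ -n "$attribute" ] || attribute=uid
    [ -n "$scope" ]     || scope=sub
    [ -n "$filter" ]    || filter='(objectclass=*)'
    printf 'uri=%s://%s\n'  "$scheme" "$hostport"
    printf 'basedn=%s\n'    "$basedn"
    printf 'attribute=%s\n' "$attribute"
    printf 'scope=%s\n'     "$scope"
    printf 'filter=%s\n'    "$filter"
}

# lint_authldapurl URL -> exit 0 if the static parts are well-formed, 1 otherwise;
# catches the mistakes that otherwise only surface as a 500 after a reload
lint_authldapurl() {
    parsed=$(parse_authldapurl "$1")
    rc=0
    case $(field uri "$parsed") in
        ldap://*|ldaps://*) ;;
        *) echo 'scheme must be ldap:// or ldaps://' >&2; rc=1 ;;
    esac
    [ -n "$(field basedn "$parsed")" ] || { echo 'base DN is empty' >&2; rc=1; }
    case $(field scope "$parsed") in
        one|sub) ;;   # the only scopes mod_authnz_ldap documents
        *) echo 'scope must be one or sub' >&2; rc=1 ;;
    esac
    case $(field filter "$parsed") in
        \(*\)) ;;
        *) echo 'filter must be enclosed in parentheses' >&2; rc=1 ;;
    esac
    return $rc
}

# build_ldapsearch URL BINDDN USER -> the ldapsearch command line for USER;
# mod_authnz_ldap ANDs the attribute match with the URL filter, so do the same
build_ldapsearch() {
    parsed=$(parse_authldapurl "$1")
    printf "ldapsearch -x -H '%s' -b '%s' -s %s -D '%s' -W '(&%s(%s=%s))' %s\n" \
        "$(field uri "$parsed")" "$(field basedn "$parsed")" \
        "$(field scope "$parsed")" "$2" "$(field filter "$parsed")" \
        "$(field attribute "$parsed")" "$3" "$(field attribute "$parsed")"
}

# Usage with the URL from the question (bind DN and test user are constructed):
EXAMPLE_URL='ldap://ldap.devops.ok/dc=devops,dc=ok?uid?sub?(&(objectClass=organizationalPerson)(isMemberOf=cn=users,dc=groups,dc=devops,dc=ok))'
lint_authldapurl "$EXAMPLE_URL" && build_ldapsearch "$EXAMPLE_URL" 'cn=admin' 'alice'
```

Run the printed ldapsearch line by hand: if it returns the expected entry for the test user, the URL's base, scope and filter are right and the remaining suspects are the bind DN and password; if the bind itself fails, ldapsearch says so directly instead of Apache answering 500.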



I am guessing that cn=admin is the issue. Is that the Fully Distinguished name of the admin user?

"no authenticated user yet" implies the LDAP server implementation is not accepting the bind request.

Try the connection with a known-good LDAP browser. (We like Apache Studio.)

1 Comment

I used the LDAP browser feature in Eclipse, which I think is more or less the same as Apache Studio. This allows me to build the LDAP URL easily using the filter editor.
