htaccess with ldap authentication problem

Problems with the Windows version of XAMPP, questions, comments, and anything related.

htaccess with ldap authentication problem

Postby browolf » 02. July 2010 11:36

Trying to secure a wordpress install with active directory authentication using htaccess. I only want certain groups to even see the site.
it's not working and apache log files are no help.

htaccess file:
Code: Select all
# Authentication realm and method:
AuthType Basic
AuthName "LDAP Auth"
AuthBasicProvider ldap
AuthUserFile /dev/null
AuthBasicAuthoritative Off

# DN of Active Directory server
AuthLDAPUrl ldap://server.domain.lancs.sch.uk:389/DC=domain,DC=lancs,DC=sch,DC=uk??base?(objectClass=*)

# An account in the AD that has enough permissions to perform an LDAP search
AuthLDAPBindDN "CN=domainadminaccount,ou=admins,DC=domain,DC=lancs,DC=sch,DC=uk"
AuthLDAPBindPassword password

# When checking for group membership, use the DN of the user, not the HTTP entry
AuthLDAPGroupAttributeIsDN on

# Require groups, specifying the DN of the security group
require group CN=teachergroup,OU=teacherou,DC=domain,DC=lancs,DC=sch,DC=uk
require group CN=Domain Admins,OU=Adminsou,DC=domain,DC=lancs,DC=sch,DC=uk


apache log:
[Fri Jul 02 10:58:42 2010] [warn] [client 192.168.0.8] [6848] auth_ldap authenticate: user sophos@domain.lancs.sch.uk authentication failed; URI /wordpress/ [ldap_search_ext_s() for user failed][Operations Error]
[Fri Jul 02 10:58:42 2010] [error] [client 192.168.0.8] access to /wordpress/ failed, reason: verification of user id 'sophos@domain.lancs.sch.uk' not configured


looking at the ldap requests in wireshark

bindrequest(187) "<root>" simple
bindresponse(187) success
searchrequest (6710905) dc=domaindnszones, dc=domain, dc=lancs, dc=sch,dc=uk" wholesubtree filter: (&(objectclass=*)(uid=username@domain.etc))
searchresdone(67109056) operations error ldaperr: DSID-0c090627 in orderr to perform this op a successful bind must be completed

bindrequest(188) "<root" simple
bindresponse(188) success
searchrequest (100663488) dc=configuration, dc=domain, dc=lancs, dc=sch,dc=uk" wholesubtree filter: (&(objectclass=*)(uid=username@domain.etc))
searchresdone(100663488) operations error ldaperr: DSID-0c090627 in orderr to perform this op a successful bind must be completed

I think the problem is its not binding with the account details in the htaccess file. i have no idea why tho.
browolf
 
Posts: 3
Joined: 02. July 2010 10:41

Re: htaccess with ldap authentication problem

Postby JonB » 02. July 2010 11:53

my guess is that your problem is centered on this item: "client 192.168.0.8"

That is likley the IP that the LDAP response is being routed to. You may need port forwarding. I also think you may need to set your server up so it has a fixed IP visible on the internet (or better a real hostname), and use that IP or hostname to run the server. The best way would likely be to run in a DMZ.

Just my geek guess.

Its also possible that the LDAP server has restrictions on its use (where requests originate from), you would need to enquire on that, but I don't think that is the problem in this case.

Good Luck
User avatar
JonB
AF Moderator
 
Posts: 3210
Joined: 12. April 2010 16:41
Location: Land of the Blazing Sun
Operating System: Windows XP/7 - Fedora 15 1.7.7

Re: htaccess with ldap authentication problem

Postby browolf » 02. July 2010 12:19

JonB wrote:my guess is that your problem is centered on this item: "client 192.168.0.8"

That is likley the IP that the LDAP response is being routed to. You may need port forwarding. I also think you may need to set your server up so it has a fixed IP visible on the internet (or better a real hostname), and use that IP or hostname to run the server. The best way would likely be to run in a DMZ.

Just my geek guess.

Its also possible that the LDAP server has restrictions on its use (where requests originate from), you would need to enquire on that, but I don't think that is the problem in this case.

Good Luck


thanks but that's the ip of my computer which is opening the website that the ldap authentication is occurring. all the computers concerned (my pc, the domain controller, the server 2003 hosting xampp) are all present on internally on the same domain on the 192.168 subnet
browolf
 
Posts: 3
Joined: 02. July 2010 10:41

Re: htaccess with ldap authentication problem

Postby browolf » 02. July 2010 14:22

I've discovered I need

Require valid-user

in htaccess to force it to use specific credentials when binding

however now everything succeeds with no errors, it comes back with 0 results and apache logs say [User not found][No Such Object]
browolf
 
Posts: 3
Joined: 02. July 2010 10:41

Re: htaccess with ldap authentication problem

Postby JonB » 02. July 2010 15:32

is this domain on your local loop "domain.lancs.sch.uk" and resolvable as a local address through DNS (or a hosts file)?

:?:
User avatar
JonB
AF Moderator
 
Posts: 3210
Joined: 12. April 2010 16:41
Location: Land of the Blazing Sun
Operating System: Windows XP/7 - Fedora 15 1.7.7


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 117 guests