
Thread: Problem with mod_auth_ldap

  1. #1
    tcauduro (Junior Member, Ontario, Canada)

    Problem with mod_auth_ldap

    Hello,

    I am currently testing out Zimbra for use as our potential mail server. The mail features work great; I'm very impressed. The feature that I would like to take advantage of is the LDAP component. We currently do not have a centralized user store, but rather a few servers with duplicate accounts on each (File Server, Mail Server, Intranet, etc.). I am really looking to establish a central point to manage account info, and Zimbra's OpenLDAP implementation seems like a good place to start.

    I'm able to access the LDAP info from our web programming fine (the PHP LDAP libraries work great), but where my problem lies is using a .htaccess file with mod_auth_ldap for our intranet authentication. We are currently set up on an FC4 web server with Apache 2.0.54, and mod_auth_ldap and mod_ldap are both loaded from the modules directory via the LoadModule directive in the httpd.conf file.

    My .htaccess file reads as follows:
    Code:
    AuthName Zimbra
    AuthType Basic
    AuthLDAPURL "ldap://servername/ou=people,dc=servername,dc=com?uid?sub?(objectClass=organizationalPerson)"
    require valid-user

    When I access the directory this is applied to I do not get a login prompt and anyone can access the page.

    I have tried modifying it to bind to a dn as shown:

    Code:
    AuthName Zimbra
    AuthType Basic
    AuthLDAPURL "ldap://servername/ou=people,dc=servername,dc=com?uid?sub?(objectClass=organizationalPerson)"
    AuthLDAPBindDN "uid=admin, ou=people,dc=server,dc=com"
    AuthLDAPBindPassword "password"
    require valid-user

    Still nothing.

    I have tried putting the configuration into the httpd.conf file itself.

    Code:
    <Directory /test>
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthName "Zimbra"
    AuthType Basic
    AuthLDAPURL "ldap://servername/ou=people,dc=servername,dc=com?uid?sub?(objectClass=organizationalPerson)"
    AuthLDAPBindDN "uid=admin, ou=people, dc=server, dc=com"
    AuthLDAPBindPassword "password"
    require valid-user
    </Directory>

    This does not seem to work either.

    If anyone can give me any insight on what I'm doing wrong I would greatly appreciate it.

  2. #2
    jdell (Project Contributor, Reno, NV, USA)

    This worked for me.

    Hi,

    I spent a lot of time playing around (banging my head) trying to get this to work and finally figured it out. Actually, I think you had it except for the 'AuthzLDAPAuthoritative off'. You need that in there or it will try to do more than just authenticate. Read the Apache docs for a better description of that.

    Zimbra allows anonymous bind, so you don't need the binding stuff.

    Here is my working .htaccess for an intranet site that authenticates against zimbra (note the 'TLS' at the end of the AuthLDAPURL line - this forces SSL):

    Edit: I'm using Apache 2.2, YMMV with Apache 2.0 (I believe there is a mod_LDAP change between 2.0 and 2.2).

    Code:
    AuthName "Staff Only"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL ldap://zimbra.mydomain.com:389/ou=people,dc=mydomain,dc=com?uid?sub?(objectClass=organizationalPerson) TLS
    AuthzLDAPAuthoritative off
    Require valid-user

    If you are using a self-signed certificate but still want SSL, you will need to add 'TLS_REQCERT never' to your /etc/openldap/ldap.conf. This causes ldap to not try and verify the certificate chain, but it will still communicate via SSL.

    Hope that helps!

    John
    Last edited by jdell; 09-19-2007 at 07:32 AM.

  3. #3
    tcauduro (Junior Member, Ontario, Canada)

    I have tried what you said; unfortunately I do not believe Apache 2.0.54 supports AuthBasicProvider, as it threw a server error. The log states it's an unrecognized directive. Also the TLS parameter doesn't seem to be supported either in the 2.0.54 version, as that also threw an error.

    I tried the AuthLDAPAuthoritative off, but that didn't seem to make any difference.

    Is there some kind of global directive I'm missing to turn this on?

  4. #4
    jdell (Project Contributor, Reno, NV, USA)

    Quote Originally Posted by tcauduro:
        I have tried what you said; unfortunately I do not believe Apache 2.0.54 supports AuthBasicProvider, as it threw a server error. The log states it's an unrecognized directive. Also the TLS parameter doesn't seem to be supported either in the 2.0.54 version, as that also threw an error.

        I tried the AuthLDAPAuthoritative off, but that didn't seem to make any difference.

        Is there some kind of global directive I'm missing to turn this on?

    Ok, yea I see now. Apache 2.0 uses mod_auth_ldap, Apache 2.2 uses mod_authnz_ldap, which is a bit different. Here are the relevant Apache docs.

    mod_auth_ldap - Apache HTTP Server
    mod_authnz_ldap - Apache HTTP Server

    I can't recall if I ever tried LDAP auth with Apache 2.0, but it definitely works with Apache 2.2, so if you can upgrade Apache, that may be your best option.

    regards,
    John

  5. #5
    pillerk (Member)

    This .htaccess content is working perfectly for me on Debian with Mailman:
    mail server: mail.domain.com

    .htaccess content:
    Code:
    AuthName "Zimbra login (without domain name)"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://mail.domain.com:389/ou=people,dc=domain,dc=com?uid?sub?(objectClass=organizationalPerson)"
    AuthLDAPBindDN "uid=zimbra,cn=admins,cn=zimbra"
    AuthLDAPBindPassword "ldappassword"
    require valid-user

    Required packages on Debian:
    libapache2-webauth
    a2enmod mod_rewrite
    a2enmod mod_ldap
    and successfully integrated Mailman with Zimbra (Mailman on an external server).
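Added here as an editor's example, not code from the thread, from Apache or from Zimbra: a small Python audit that parses the AuthLDAPURL format used in posts #1, #2 and #5 and reports the points this thread turns on, namely 2.2-only directives (AuthBasicProvider, AuthzLDAPAuthoritative, the TLS suffix) on an Apache 2.0 server, a plain ldap:// URL without the TLS option, a bind password kept in .htaccess where anonymous bind suffices, and a 'TLS_REQCERT never' in ldap.conf. Hostnames, DNs and passwords in the tests are the posters' own placeholders; the Apache version is passed in as an argument.

```python
from urllib.parse import urlsplit

# Added example (not Apache or Zimbra code): a static audit of the directive
# fragments in this thread. Apache 2.0's mod_auth_ldap rejects these 2.2 names.
APACHE22_ONLY = {"authbasicprovider", "authzldapauthoritative"}
TRANSPORT_FLAGS = {"TLS", "SSL", "STARTTLS", "NONE"}

def parse_ldap_url(value):
    """Split 'ldap://host:port/basedn?attr?scope?filter [TLS]' into its parts."""
    value, flag = value.strip().strip('"'), None
    head, _, tail = value.rpartition(" ")
    if head and tail.upper() in TRANSPORT_FLAGS:      # trailing TLS/SSL option (2.2 only)
        value, flag = head, tail.upper()
    u = urlsplit(value)
    attr, scope, filt = (u.query.split("?") + ["", ""])[:3]
    return {"scheme": u.scheme, "host": u.hostname,
            "port": u.port or (636 if u.scheme == "ldaps" else 389),
            "base": u.path.lstrip("/"), "attr": attr or "uid",
            "scope": scope or "sub", "filter": filt or "(objectClass=*)", "flag": flag}

def audit(fragment, apache="2.2", in_htaccess=True, ldap_conf=""):
    """Return findings for an .htaccess/httpd.conf LDAP-auth fragment."""
    directives = {}
    for raw in fragment.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":               # skip comments and <Directory> tags
            continue
        name, _, value = line.partition(" ")
        directives[name.lower()] = value.strip()     # directive names are case-insensitive
    if "authldapurl" not in directives:
        return ["no AuthLDAPURL: nothing to authenticate against"]
    url = parse_ldap_url(directives["authldapurl"])
    findings = []
    if apache.startswith("2.0"):
        for name in sorted(APACHE22_ONLY & set(directives)):
            findings.append(f"{name} is unknown to Apache {apache} (mod_auth_ldap)")
        if url["flag"]:
            findings.append("TLS/SSL suffix on AuthLDAPURL is not understood by Apache 2.0")
    if url["scheme"] == "ldap" and url["flag"] not in ("TLS", "SSL", "STARTTLS"):
        findings.append(f"passwords travel in cleartext to {url['host']}:{url['port']}; "
                        "add the TLS option or use ldaps://")
    if in_htaccess and "authldapbindpassword" in directives:
        findings.append("bind password stored in .htaccess; the thread reports anonymous "
                        "bind works against Zimbra, so BindDN/BindPassword can be dropped")
    if "require" not in directives:
        findings.append("no Require directive: access is not restricted")
    if "tls_reqcert never" in ldap_conf.lower():
        findings.append("TLS_REQCERT never disables LDAP server certificate verification")
    return findings
```

Running audit() over jdell's fragment with apache="2.0.54" reproduces the two unrecognized directives and the TLS suffix that tcauduro hit, while pillerk's fragment is flagged for cleartext LDAP and for carrying a bind password.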
