11-20-2008, 09:14 AM
[SOLVED] Can I (really) authenticate .htaccess with ldap?
I am using mod_authnz_ldap on an Apache web server, trying to authenticate with Zimbra's LDAP. I have read all the posts and wikis; what am I doing wrong? When I enter my credentials in the prompt I get the error below: user id not configured. I turned LDAP logging on and it doesn't log anything (like no attempt is being made).
AuthType Basic
AuthName Internal
AuthBasicProvider ldap
AuthLDAPURL ldap://75.XXX.XXX.XXX/ou=people,dc=midchurch,dc=com
require valid-user
error_log
[Wed Nov 19 11:07:35 2008] [error] [client 12.196.129.66] access to /members failed, reason: verification of user id 'goldie113' not configured
11-20-2008, 11:39 AM
Zimbra Employee
Posts: 580
What does the LDAP log show? You don't really give much detail in the way of configuration, so there's really not much feedback I can give, except that it probably should work if configured correctly.
__________________
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
11-20-2008, 12:37 PM
Quote:
Originally Posted by quanah: What does the LDAP log show? You don't really give much detail in the way of configuration, so there's really not much feedback I can give, except that it probably should work if configured correctly.
The LDAP log doesn't show anything; that's the problem. It seems there is no attempt to authenticate to the LDAP. I can access the LDAP with LDAP admin, so what is keeping me from getting to it? It is not a firewall issue, for they (web and mail server) are on the private side of any firewall. What configuration info will you need?
Should there be entries made in the httpd.conf file pertaining to allow/deny/override, things along those lines?
Last edited by goldie113; 11-20-2008 at 12:45 PM..
11-20-2008, 12:47 PM
Zimbra Employee
Posts: 580
Quote:
Originally Posted by goldie113: AuthLDAPURL ldap://75.XXX.XXX.XXX/ou=people,dc=midchurch,dc=com
This doesn't look quite right, actually. Have you read the page on how this is formed? authldapurl doc
I would guess it should be something more like:
Code:
AuthLDAPURL ldap://75.XXX.XXX.XXX:389/ou=people,dc=midchurch,dc=com?uid?sub?(objectClass=zimbraAccount)
__________________
Quanah Gibson-Mount
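The AuthLDAPURL layout referred to in the reply above (basedn?attribute?scope?filter) can be checked offline before touching the server. The sketch below is an added example, not code from this thread or from Apache: it models the defaults stated in the mod_authnz_ldap documentation, uses RFC 4515 escaping for the typed username, and its function names are hypothetical.

```python
# Added example: models how the AuthLDAPURL fields discussed in this thread are
# interpreted. Defaults follow the mod_authnz_ldap documentation.
DEFAULTS = ("uid", "sub", "(objectClass=*)")   # attribute, scope, filter
PORTS = {"ldap": 389, "ldaps": 636}
SCOPES = ("one", "sub")                        # "base" is not supported by the module

def parse_authldapurl(url):
    """Split scheme://host[:port]/basedn?attribute?scope?filter into a dict."""
    scheme, sep, rest = url.strip('"').partition("://")
    if not sep or scheme not in PORTS:
        raise ValueError("expected ldap:// or ldaps://")
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    fields = tail.split("?", 3)                # maxsplit keeps '?' inside the filter
    fields += [""] * (4 - len(fields))
    basedn, attribute, scope, flt = (f.strip() for f in fields)
    attribute = attribute.split(",")[0] or DEFAULTS[0]  # only the first attribute is used
    scope = scope or DEFAULTS[1]
    if scope not in SCOPES:
        raise ValueError("scope must be 'one' or 'sub'")
    return {"scheme": scheme, "host": host, "port": int(port or PORTS[scheme]),
            "basedn": basedn, "attribute": attribute, "scope": scope,
            "filter": flt or DEFAULTS[2]}

def escape_filter_value(value):
    """RFC 4515 escaping so a typed username cannot alter the search filter."""
    return "".join("\\%02x" % ord(ch) if ch in '\\*()\x00' else ch for ch in value)

def effective_filter(cfg, username):
    """Combine the URL filter with attribute=username into one search filter."""
    inner = cfg["filter"]
    if inner.startswith("(") and inner.endswith(")"):
        inner = inner[1:-1]                    # avoid doubled parentheses
    return "(&(%s)(%s=%s))" % (inner, cfg["attribute"], escape_filter_value(username))

if __name__ == "__main__":
    # The two URLs quoted in the thread, host left masked as posted.
    for url in ("ldap://75.XXX.XXX.XXX/ou=people,dc=midchurch,dc=com",
                "ldap://75.XXX.XXX.XXX:389/ou=people,dc=midchurch,dc=com"
                "?uid?sub?(objectClass=zimbraAccount)"):
        cfg = parse_authldapurl(url)
        print(cfg, effective_filter(cfg, "goldie113"))
```

Run against the first URL, it shows that the omitted fields fall back to uid, sub and (objectClass=*), so both forms search the same subtree on the same attribute and differ only in the object class filter.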
11-21-2008, 08:36 AM
I have tried that line and just about every different form with every different attribute on that line. It acts as though it doesn't know to access that LDAP.
11-21-2008, 08:56 AM
Advanced Member
Posts: 213
Here is what seems to work for me.... you will have to test whether you need an actual account to login/bind with, or if anonymous bind is ok... I disremember, it has been awhile since I did this
AuthType Basic
Authname "Trac Login"
AuthBasicProvider "ldap"
AuthLDAPURL "ldap://10.0.0.5/ou=people,dc=OUR_DOMAIN,dc=com?uid?sub?(objectClass=organizationalPerson)"
AuthLDAPBindDN uid=USERNAME,ou=people,dc=OUR_DOMAIN,dc=com
AuthLDAPBindPassword PASSWORDHERE
authzldapauthoritative Off
require valid-user
</Location>
Last edited by gnyce; 11-21-2008 at 09:01 AM..
Reason: fixed typo, missing ( and a space in the last s of objectClass
11-21-2008, 09:01 AM
Advanced Member
Posts: 213
Not sure why, but it is displaying a space in objectClas s... should be objectClass
11-24-2008, 06:17 AM
gnyce, thanks so much, your .htaccess also works for me! You have taken such a monkey off my back!
11-24-2008, 09:06 AM
Trained Alumni
Posts: 108
Quote:
Originally Posted by gnyce: Here is what seems to work for me.... you will have to test whether you need an actual account to login/bind with, or if anonymous bind is ok... I disremember, it has been awhile since I did this
</Location>
Is there any way to also filter the approved users via LDAP?
Maybe something like "and is also a member of staff@example.org distribution list"?
I played with this awhile ago using the ldapsearch tool but couldn't figure it out. Here's what I had, but it's not correct:
Code:
ldapsearch -LLL -x -h zldap.example.org -D cn=config -w password -b '' '(&(zimbraMailForwardingAddress=$USERNAME@$DOMAIN)(zimbraMailAlias=staff@example.org)(objectClass=zimbraDistributionList)(zimbraMailStatus=enabled))'