Searching Active Directory root with Apache’s mod_authnz_ldap

While setting up an Apache server for authenticating users accessing a Subversion repository using mod_authnz_ldap, I came across a problem previously reported by phiroc on the users@httpd mailing list:

Hi,

when I use the following AuthLDAPURL

"ldap://adserver/ou=city1,dc=abc,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))" NONE

I can authenticate any user in “ou” city1.

If I replace the AuthLDAPURL by

"ldap://adserver/dc=abc,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))" NONE

I get an Apache 2.2 internal error and in the error log the following message:

[debug] mod_authnz_ldap.c(379): [client xxxx] [8655] auth_ldap authenticate: using URL ldap://adserver/dc=abc,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))
[info] [client xxxx] [8655] auth_ldap authenticate: user myusername authentication failed; URI /test/ [ldap_search_ext_s() for user failed][Operations error]

When I do ldapsearch … -b 'dc=abc,dc=com' '(&(objectClass=user)(!(objectClass=computer))(samaccountname=myusername)', the Active Directory server returns data, which seems to imply that there's something wrong with the mod_authnz_ldap module, or with the way I set it up or use it.

Has anyone encountered this problem before?

Is there a solution?

Many thanks.

Best regards,

p

It turns out that this problem can occur when Active Directory has been partitioned among several domain controllers in a so-called forest. The solution appears to be to query the Global Catalog instead of the domain controller: connect to it on TCP port 3268 instead of the standard LDAP port 389. Continuing the example given by phiroc, the AuthLDAPURL should be changed to:

"ldap://adserver:3268/dc=abc,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))" NONE
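Because the only visible difference between the failing and the working directive is the port, this pitfall is easy to reintroduce when a config is later edited. The following Python script is an added example, not code from the original post or from the httpd project: it parses AuthLDAPURL values the way mod_authnz_ldap reads them (RFC 4516 components, with the module's documented defaults of attribute uid and scope one) and warns about a sub-tree search rooted at a domain (a base DN made only of dc= components) that is sent to the domain controller's LDAP port instead of the Global Catalog port 3268 (or 3269 for LDAPS). The httpd.conf excerpt embedded in it is constructed for the example; only the two URLs come from the post, and the function and directive names around them are mine.

```python
"""Lint Apache AuthLDAPURL directives for the Active Directory root-search pitfall.

Added example (not part of the original post): parses LDAP URLs as
mod_authnz_ldap reads them and flags a sub-tree search rooted at the domain
(dc=... only) that goes to the LDAP port instead of the Global Catalog port.
"""
import re
from urllib.parse import unquote

# Constructed httpd.conf excerpt: the failing URL from the post beside the fix.
SAMPLE_CONF = """
<Location /svn>
    AuthType Basic
    AuthName "Subversion repository"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://adserver/dc=abc,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))" NONE
    Require valid-user
</Location>
<Location /svn-gc>
    AuthType Basic
    AuthName "Subversion repository"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://adserver:3268/dc=abc,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))" NONE
    Require valid-user
</Location>
"""

GLOBAL_CATALOG_PORTS = {3268, 3269}        # Global Catalog, plain / over TLS
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}  # ports used when the URL names none

AUTHLDAPURL_RE = re.compile(r'^\s*AuthLDAPURL\s+"?([^"\s]+)"?', re.IGNORECASE | re.MULTILINE)


def parse_ldap_url(url):
    """Split an LDAP URL into its components.

    Form: scheme://host[:port]/basedn[?attrs[?scope[?filter[?extensions]]]]
    Defaults follow the mod_authnz_ldap documentation: attribute uid when
    none is given, scope one when omitted (a 'base' scope is treated as one),
    filter (objectClass=*) when omitted.
    """
    m = re.match(r"^(ldaps?)://([^/]*)/?(.*)$", url, re.IGNORECASE)
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    scheme, netloc, rest = m.group(1).lower(), m.group(2), m.group(3)
    host, _, port = netloc.partition(":")   # bracketed IPv6 hosts are not handled here
    port = int(port) if port else DEFAULT_PORTS[scheme]
    parts = rest.split("?", 4) + [""] * 5   # pad so every component exists
    basedn, attrs, scope, filt = (unquote(p) for p in parts[:4])
    scope = scope.lower() or "one"
    if scope == "base":
        scope = "one"
    return {
        "scheme": scheme,
        "host": host,
        "port": port,
        "basedn": basedn,
        "attrs": [a for a in attrs.split(",") if a] or ["uid"],
        "scope": scope,
        "filter": filt or "(objectClass=*)",
    }


def is_domain_root(basedn):
    """True when every RDN of the base DN is a dc= component, e.g. dc=abc,dc=com."""
    rdns = [r.strip() for r in basedn.split(",") if r.strip()]
    return bool(rdns) and all(r.lower().startswith("dc=") for r in rdns)


def check_ad_root_search(url):
    """Return a warning string, or None when the URL does not match the pitfall.

    The pattern from the post: a sub-tree search from the domain root sent to
    the domain controller's LDAP port. In a forest split across several
    domain controllers that fails with 'ldap_search_ext_s() for user failed'
    / 'Operations error'; the same search against the Global Catalog works.
    """
    u = parse_ldap_url(url)
    if u["scope"] == "sub" and is_domain_root(u["basedn"]) \
            and u["port"] not in GLOBAL_CATALOG_PORTS:
        return ("sub-tree search rooted at %s on port %d; use the Global Catalog "
                "(ldap://%s:3268/ or ldaps://%s:3269/) for forest-wide lookups"
                % (u["basedn"], u["port"], u["host"], u["host"]))
    return None


def lint_conf(conf_text):
    """Return [(url, warning)] for every AuthLDAPURL directive that trips the check."""
    findings = []
    for m in AUTHLDAPURL_RE.finditer(conf_text):
        warning = check_ad_root_search(m.group(1))
        if warning:
            findings.append((m.group(1), warning))
    return findings


if __name__ == "__main__":
    for url, warning in lint_conf(SAMPLE_CONF):
        print("WARN %s\n     %s" % (url, warning))
```

Run against the embedded excerpt, the script reports the first Location (port 389 implied) and stays silent on the second, which differs only by `:3268`. The OU-scoped URL from phiroc's first message is also left alone, since a search rooted below the domain root is answered by the domain controller itself.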


3 Responses to Searching Active Directory root with Apache’s mod_authnz_ldap

  1. Daniel Jarboe says:

    Thank you for this post. I was just burned by this Global Catalog distinction when trying to change my AuthLDAPURL from one that specified an OU to now one that will search any OU in the domain. What a difference a port makes… your post (and Google) saved me a lot of time.

  2. Aaron C says:

    This absolutely made my day. Too bad it took me 5 hours of troubleshooting before I found it!

  3. ilya golikov says:

    Thank you so much
