
stadtpirat11 at ymail
Jan 31, 2013, 5:12 AM
Re: LDAP auth bound to Microsoft Active Directory
Okay, now I understand how the LDAP module is working and I figured out how to authenticate with LDAP. The full final working config for LDAP authentication with Active Directory is:

> vserver!10!rule!105!auth = ldap
> vserver!10!rule!105!auth!base_dn = OU=SUPPORT,OU=USERS,DC=contoso,DC=local
> vserver!10!rule!105!auth!bind_dn = CN=ldap-connector,OU=SERVICEACCOUNTS,OU=USERS,DC=contoso,DC=local
> vserver!10!rule!105!auth!bind_pw = <password-for-user_ldap-connector>
> vserver!10!rule!105!auth!filter = (sAMAccountName=${user})
> vserver!10!rule!105!auth!methods = basic
> vserver!10!rule!105!auth!port = 389
> vserver!10!rule!105!auth!realm = contoso.local
> vserver!10!rule!105!auth!server = contoso.local
> vserver!10!rule!105!auth!tls = 0
> vserver!10!rule!105!disabled = 0
> vserver!10!rule!105!match = directory
> vserver!10!rule!105!match!directory = /
> vserver!10!rule!105!match!final = 0

However, the LDAP module lacks NTLM authentication. :-(

Stadtpirat

________________________________
From: - - <stadtpirat11 [at] ymail>
To: cherokee [at] lists
Sent: 23:07 Wednesday, 30 January 2013
Subject: Re: [Cherokee] LDAP auth bound to Microsoft Active Directory

Sent those mails to the wrong recipient, so now again to the correct one. Hope to find help here!! :-)

------------------------------
On Tue, Jan 29, 2013 4:23 PM CET - - wrote:

>Yay! I got it working!
>
>I changed
> vserver!10!rule!105!auth!base_dn = DC=contoso,DC=local
>to
> vserver!10!rule!105!auth!base_dn = OU=SUPPORT,OU=USERS,DC=contoso,DC=local
>
>Looks like the search is not recursive, like in the AD snap-in. So it really finds only all objects where (sn=${user}) _IF_ they are exactly in "OU=SUPPORT,OU=USERS,DC=contoso,DC=local".
>
>That's a problem for me, because we organized our user objects in different OUs like SUPPORT, SALES, etc. And as I just said, if base_dn is "OU=USERS,DC=contoso,DC=local", I get no results! If I include SUPPORT, the sales team won't be able to authenticate :-(
>
>Any ideas?
>
>
>
>----- Original Message -----
>From: - - <stadtpirat11 [at] ymail>
>To: "cherokee-owner [at] lists" <cherokee-owner [at] lists>
>CC:
>Sent: 15:49 Tuesday, 29 January 2013
>Subject: LDAP auth bound to Microsoft Active Directory
>
>Hello,
>
>I need help configuring LDAP authentication! When I open the web page, it asks for my credentials. When I enter valid credentials, the same window pops up over and over and I cannot continue. When I leave the fields blank, or press escape, it correctly returns a 401. The log cherokee.error shows no error.
>
>I have an Active Directory domain named contoso.local that I access by user "Admin" and password "MyPassword".
>I want any user in the AD to be able to access the web page.
>
>This is my config:
>
> vserver!10!rule!105!auth = ldap
> vserver!10!rule!105!auth!base_dn = DC=contoso,DC=local
> vserver!10!rule!105!auth!bind_dn = CN=Admin,OU=SUPPORT,OU=USERS,DC=contoso,DC=local
> vserver!10!rule!105!auth!bind_pw = MyPassword
> vserver!10!rule!105!auth!filter = (sn=${user})
> vserver!10!rule!105!auth!methods = basic
> vserver!10!rule!105!auth!port = 389
> vserver!10!rule!105!auth!realm = contoso.local
> vserver!10!rule!105!auth!server = contoso.local
> vserver!10!rule!105!auth!tls = 0
> vserver!10!rule!105!disabled = 0
> vserver!10!rule!105!match = directory
> vserver!10!rule!105!match!directory = /
> vserver!10!rule!105!match!final = 0
>
>
>
>To see if the server binds to the AD, I changed bind_dn to CN=NONEXISTENT,... and received this error message.
>
>
> {'type': "critical", 'time': "29/01/2013 16:38:43.060", 'title': "Could not bind (contoso.local:389): CN=NONEXISTENT,OU=SUPPORT,OU=USERS,DC=contoso,DC=local:MyPassword : Invalid credentials", 'code': "validator_ldap.c:213", 'error': "28", 'description': "The issue seems to be related to your system.", 'version': "1.2.103", 'compilation_date': "Jan 29 2013 13:18:06", 'configure_args': " '--with-wwwuser=www-data' '--with-wwwgroup=www-data' '--with-wwwuser=www-data' '--with-wwwgroup=www-data'", 'backtrace': "}
>
>
>To see if my filter is correct, I used the Active Directory snap-in and did a custom search for "(sn=Admin)", which then returned the correct user account. Long: the user account with the attribute sn=admin.
>
>Help is very much appreciated.
>
>
>Stadtpirat

_______________________________________________
Cherokee mailing list
Cherokee [at] lists
http://lists.octality.com/listinfo/cherokee
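The following script is an added example for readers of this thread and is not Cherokee's code. It parses the `vserver!…!auth!*` rule format shown above, flags the settings a reviewer would question in the final config (tls = 0 on port 389, HTTP Basic, and the earlier `(sn=${user})` filter), applies RFC 4515 escaping to the `${user}` value before it is substituted into the filter, and models the one-level versus subtree search behaviour the poster observed so the base_dn effect can be reasoned about offline. The sample config is the thread's final rule with the password redacted; the warning rules, the escaping helper and the `in_scope` model are this script's own assumptions, not a description of how validator_ldap.c is implemented.

```python
"""Lint a Cherokee LDAP validator rule and build its search filter safely.

Added example for this thread; it is not Cherokee's code. The key!path
config format, the ${user} placeholder and the auth!* keys come from the
messages above. The escaping, the scope model and the warning rules are
this script's own assumptions about what a reviewer would check.
"""

# Constructed sample: the thread's final working rule, password redacted.
SAMPLE_CONFIG = """\
vserver!10!rule!105!auth = ldap
vserver!10!rule!105!auth!base_dn = OU=SUPPORT,OU=USERS,DC=contoso,DC=local
vserver!10!rule!105!auth!bind_dn = CN=ldap-connector,OU=SERVICEACCOUNTS,OU=USERS,DC=contoso,DC=local
vserver!10!rule!105!auth!bind_pw = REDACTED
vserver!10!rule!105!auth!filter = (sAMAccountName=${user})
vserver!10!rule!105!auth!methods = basic
vserver!10!rule!105!auth!port = 389
vserver!10!rule!105!auth!realm = contoso.local
vserver!10!rule!105!auth!server = contoso.local
vserver!10!rule!105!auth!tls = 0
"""


def parse_config(text):
    """Map each 'a!b!c = value' line to {'a!b!c': 'value'}; other lines are skipped."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def auth_settings(conf, rule="vserver!10!rule!105"):
    """Collect the auth!* keys of one rule, stripped of the rule prefix."""
    prefix = rule + "!auth!"
    return {k[len(prefix):]: v for k, v in conf.items() if k.startswith(prefix)}


def escape_filter_value(value):
    """Escape an assertion value as RFC 4515 requires, so a username containing
    filter metacharacters is matched literally instead of rewriting the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_filter(template, user):
    """Substitute ${user} into the configured filter with escaping applied."""
    return template.replace("${user}", escape_filter_value(user))


def lint(settings):
    """Return reviewer warnings for the weak settings visible in the thread
    (warning rules are this script's assumptions, not Cherokee defaults)."""
    warnings = []
    if settings.get("tls") == "0":
        warnings.append("tls=0: the bind_pw and every user's password cross the "
                        "network in cleartext on port %s" % settings.get("port", "?"))
    if settings.get("methods") == "basic":
        warnings.append("methods=basic: HTTP Basic only protects the password "
                        "when the site itself is served over HTTPS")
    if settings.get("filter", "").startswith("(sn="):
        warnings.append("filter on sn: surnames are not unique, so two accounts "
                        "can match one login; sAMAccountName is unique per domain")
    return warnings


def in_scope(entry_dn, base_dn, scope):
    """Would a search rooted at base_dn return entry_dn under 'onelevel' or
    'subtree' scope? Simplified model: splits on commas, so DNs containing
    escaped commas are not handled."""
    entry = [c.strip().lower() for c in entry_dn.split(",")]
    base = [c.strip().lower() for c in base_dn.split(",")]
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    if scope == "subtree":
        return True
    if scope == "onelevel":
        return depth == 1
    raise ValueError("unknown scope: " + scope)


if __name__ == "__main__":
    settings = auth_settings(parse_config(SAMPLE_CONFIG))
    for w in lint(settings):
        print("WARN", w)
    print(build_filter(settings["filter"], "o'neil*"))
    admin = "CN=Admin,OU=SUPPORT,OU=USERS,DC=contoso,DC=local"
    for base in ("OU=USERS,DC=contoso,DC=local", settings["base_dn"]):
        print(base, "onelevel:", in_scope(admin, base, "onelevel"),
              "subtree:", in_scope(admin, base, "subtree"))
```

Running it prints the three warnings for the final config and shows that `CN=Admin,OU=SUPPORT,OU=USERS,...` is only reached from `OU=USERS,DC=contoso,DC=local` under subtree scope, which matches the symptom described in the quoted message: a one-level search from the parent OU returns nothing, while a search rooted directly at OU=SUPPORT finds the account.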