
Apache - Active Directory LDAP authorization


I'm running Apache 2.4 on Fedora 34.
I've configured user authorization based on Active Directory usernames and passwords with "ldap_module" and "authnz_ldap_module" and this entry is working:

AuthLDAPBindDN "CN=ldap_bind,CN=Users,DC=domain,DC=com,DC=pl"

When I move "ldap_bind" user to another OU in AD and change the configuration like this:

AuthLDAPBindDN "CN=ldap_bind,OU=Tech users,OU=MyOU,DC=domain,DC=com,DC=pl"

then I get "password mismatch" or 500 errors in the Apache log and users can't log in.
The new path is correct because I copied it from the AD "distinguishedName" field after moving the user.
What's wrong with the new user location or the modified entry?
This is the whole configuration:

<Location />
    AuthType Basic
    AuthName "Active Directory login"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://host.domain.com.pl/dc=domain,dc=com,dc=pl?sAMAccountname" TLS
    AuthLDAPBindDN "CN=ldap_bind,CN=Users,DC=domain,DC=com,DC=pl"
    AuthLDAPBindPassword password
    AuthLDAPMaxSubGroupDepth 10
    <RequireAny>
        Require ldap-group CN=ro_group,OU=Access groups,OU=MyOU,DC=domain,DC=com,DC=pl
        Require ldap-group CN=rw_group,OU=Access groups,OU=MyOU,DC=domain,DC=com,DC=pl
    </RequireAny>
</Location>

If the "wrong password" message was what AD returned, then it was a wrong password. There is absolutely no reason for a change of DN to cause a password error.

Marek: @strongline My username and password are saved in the browser, so there's no way they're incorrect. Besides, the errors occur only after moving the "ldap_user" in the AD structure. Updating the DN in the Apache configuration is necessary because this user's DN is changed after changing its location in AD.

Of course you can change the DN; what I meant was that changing the DN will not cause an authentication error such as AD reporting a password error.


I've figured it out.
There was nothing wrong with this user's new location or DN.
It was a web application error because I forgot to set the new DN in the application configuration.
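The root cause above is a common one: a service account gets moved in AD, its distinguishedName changes, and only some of the clients that bind with it get updated. The following Python script is an added example (not code from the question or from Apache) that checks every place the bind DN is configured against the distinguishedName AD now reports. It splits DNs on unescaped commas per RFC 4514 and compares attribute types and values case-insensitively, so cosmetic differences (spaces after commas, "cn" vs "CN") are not reported as stale, while a genuinely different path such as CN=Users versus OU=Tech users,OU=MyOU is. The Apache block is taken from the question; the web-application settings format (ldap.bind_dn = ...) is a constructed, hypothetical example of a second client that binds as the same account.

```python
"""Report which client configurations still carry a stale AD bind DN.

Added example: compares the AuthLDAPBindDN in an Apache config and the bind DN
in a (hypothetical) web-application settings file against the distinguishedName
that AD reports after the account was moved.
"""
import re

# distinguishedName AD reports after the move (value from the question).
AD_DN = "CN=ldap_bind,OU=Tech users,OU=MyOU,DC=domain,DC=com,DC=pl"

# Constructed sample: the Apache <Location> block from the question, still on the old DN.
APACHE_CONF = '''
<Location />
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://host.domain.com.pl/dc=domain,dc=com,dc=pl?sAMAccountname" TLS
    AuthLDAPBindDN "CN=ldap_bind,CN=Users,DC=domain,DC=com,DC=pl"
    AuthLDAPBindPassword password
</Location>
'''

# Constructed sample: hypothetical settings file of a web application that binds as the same account.
APP_CONF = '''
ldap.url = ldap://host.domain.com.pl
ldap.bind_dn = CN=ldap_bind,CN=Users,DC=domain,DC=com,DC=pl
'''


def split_dn(dn):
    """Split a DN into its RDN strings on commas that are not backslash-escaped (RFC 4514)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape sequence intact, e.g. "\,"
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def normalize_dn(dn):
    """Canonical form for comparison: (type, value) pairs, both lower-cased.

    Attribute types are case-insensitive by definition; AD also matches DN values
    case-insensitively. Unescaped leading/trailing spaces are insignificant.
    """
    rdns = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)


def apache_bind_dn(conf):
    """Extract the AuthLDAPBindDN value (quoted or bare) from an Apache config text."""
    m = re.search(r'^\s*AuthLDAPBindDN\s+"?([^"\n]+?)"?\s*$', conf, re.M)
    return m.group(1) if m else None


def app_bind_dn(conf):
    """Extract the bind DN from the hypothetical 'ldap.bind_dn = ...' settings format."""
    m = re.search(r"^\s*ldap\.bind_dn\s*=\s*(.+?)\s*$", conf, re.M)
    return m.group(1) if m else None


def stale_bind_dns(ad_dn, configured):
    """Return the names of config sources whose bind DN does not match AD's current DN."""
    want = normalize_dn(ad_dn)
    return sorted(name for name, dn in configured.items()
                  if dn is None or normalize_dn(dn) != want)


def check(ad_dn=AD_DN, apache=APACHE_CONF, app=APP_CONF):
    """Compare all known clients of the bind account against AD."""
    return stale_bind_dns(ad_dn, {"apache": apache_bind_dn(apache),
                                  "webapp": app_bind_dn(app)})


if __name__ == "__main__":
    for name in check():
        print(f"{name}: configured bind DN differs from AD distinguishedName")
```

Once every client agrees on the DN, confirm the bind itself with a standard LDAP client rather than through Apache, for example ldapwhoami from ldap-utils with -H for the server URL, -ZZ to require STARTTLS (matching the TLS keyword on AuthLDAPURL), -D for the new bind DN and -W to prompt for the password; a clean "dn:" reply rules out the DN and credentials and leaves only the client configurations to inspect.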
