Join Log in
Score:0
Marek avatar Server

Apache - Active Directory LDAP authorization

th flag
Marek

I'm running Apache 2.4 on Fedora 34.
I've configured user authorization based on Active Directory usernames and passwords with "ldap_module" and "authnz_ldap_module" and this entry is working:

AuthLDAPBindDN "CN=ldap_bind,CN=Users,DC=domain,DC=com,DC=pl"

When I move "ldap_bind" user to another OU in AD and change the configuration like this:

AuthLDAPBindDN "CN=ldap_bind,OU=Tech users,OU=MyOU,DC=domain,DC=com,DC=pl"

then I get "password mismatch" or 500 errors in Apache log and users can't log in.
The new path is correct because I've copied it from the AD "distinguishedName" field after moving the user.
What's wrong with the new user location or the modified entry?
This is the whole configuration:

<Location />
    AuthType Basic
    AuthName "Active Directory login"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://host.domain.com.pl/dc=domain,dc=com,dc=pl?sAMAccountname" TLS
    AuthLDAPBindDN "CN=ldap_bind,CN=Users,DC=domain,DC=com,DC=pl"
    AuthLDAPBindPassword password
    AuthLDAPMaxSubGroupDepth 10
    <RequireAny>
        Require ldap-group CN=ro_group,OU=Access groups,OU=MyOU,DC=domain,DC=com,DC=pl
        Require ldap-group CN=rw_group,OU=Access groups,OU=MyOU,DC=domain,DC=com,DC=pl
    </RequireAny>
</Location>
40
0 + 0
mx flag
strongline
If pwd wrong msg was what AD returned, then it was wrong pwd. Absolutely no reason for change of DN to cause pwd error.
0
Reply
Marek avatar
th flag
Marek
@strongline My username and password are saved in the browser, so there's no way they're incorrect. Besides the errors occur only after moving the "ldap_user" in AD structure. Updating DN in Apache configuration is necessary because this users' DN is being changed after changing it's location in AD.
0
Reply
mx flag
strongline
Of course you can change DN, what I meant was that changing DN will not cause authentication error such as for AD to report pwd error
0
Reply
Score:0
Marek avatar Server
th flag
Marek

I've figured it out.
There was nothing wrong with this users' new location or DN.
It was the web application error because I forgot to set the new DN in the application configuration.

0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.