http://qs321.pair.com?node_id=11115401

vinoth.ree has asked for the wisdom of the Perl Monks concerning the following question:

Hi,

Sorry if it is off topic, forgive me! I am implementing a web-based service using PerlCGI + Apache + LDAP authentication. I successfully implemented the service with PerlCGI and Apache and am able to access the web page; to allow access only for authenticated users, I am trying to integrate Apache with the LDAP server.

    <Directory "/home/xxxxx/apache2/cgi-bin">
        AllowOverride None
        Options +ExecCGI
        AddHandler cgi-script .cgi .py .pl
        order allow,deny
        allow from all
        AuthName "DOMAIN Active Directory"
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://xxx.xx.xxx.xx:389/DC=DOMAIN,dc=com?sAMAccountName?sub?(objectClass=Person)"
        AuthLDAPBindDN "CN=user_id,DC=DOMAIN,DC=com"
        AuthLDAPBindPassword "XXXXXXXXXXXXXXXXXX"
        Require valid-user
    </Directory>

When I hit the URL it prompts for username and password, but it is not authenticating successfully.

In error.log I see the error below:

    [Sun Apr 12 17:06:25.112467 2020] [authnz_ldap:debug] [pid 26287:tid 27] mod_authnz_ldap.c(522): [client xx.xx.xx.xx:53875] AH01691: auth_ldap authenticate: using URL ldap://xx.xx.xx.xx:389/DC=DOMAIN,dc=com?sAMAccountName?sub?(objectClass=Person)
    [Sun Apr 12 17:06:25.593392 2020] [authnz_ldap:info] [pid 26287:tid 27] [client xx.xx.xx.xx:53875] AH01695: auth_ldap authenticate: user user_id authentication failed; URI / [LDAP: ldap_simple_bind() failed][Invalid credentials]
    [Sun Apr 12 17:06:25.593410 2020] [auth_basic:error] [pid 26287:tid 27] [client xx.xx.xx.xx:53875] AH01617: user user_id: authentication failure for "/": Password Mismatch

It seems the authentication password is wrong, but when I use the same password with ldapsearch it successfully fetches the account details from the LDAP server.

    ldapsearch -H ldap://xx.xx.xx.xx:389 -x -D "DOMAIN\user_id" -W -b "dc=DOMAIN,dc=com" -s sub "(&(sAMAccountName=user_id)(objectClass=Person))"

Could somebody help me out here? Thanks in advance.


All is well. I learn by answering your questions...
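A tightened version of the <Directory> block from the question, added here as an example (it is not the poster's configuration and not taken from any reply). The hostname dc01.domain.com, the service account svc-apache, its UPN, the CA file path and the helper program path are assumptions; the poster's real values are redacted in the thread. Each changed directive is preceded by a comment quoting what the posted config had.

```apache
# Added example: hardened variant of the posted <Directory> block.
# dc01.domain.com, svc-apache and the file paths below are placeholders.

# Server (global) scope, mod_ldap: trust the DC's issuing CA so the TLS
# connection used below is actually verified (LDAPVerifyServerCert is On
# by default; stated here so nobody turns it off "to make it work").
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ad-root-ca.pem
LDAPVerifyServerCert On

<Directory "/home/xxxxx/apache2/cgi-bin">
    AllowOverride None
    Options +ExecCGI
    AddHandler cgi-script .cgi .py .pl

    AuthName "DOMAIN Active Directory"
    AuthType Basic
    AuthBasicProvider ldap

    # was: "ldap://xxx.xx.xxx.xx:389/..." (cleartext). With Basic auth
    # Apache re-binds with every user's password on each request, so the
    # service-account password and every user password crossed the wire
    # unencrypted. ldaps:// on 636 fixes that; if only 389 is open, keep
    # ldap:// and add "LDAPTrustedMode TLS" for STARTTLS instead.
    AuthLDAPURL "ldaps://dc01.domain.com:636/DC=DOMAIN,DC=com?sAMAccountName?sub?(objectClass=Person)"

    # was: "CN=user_id,DC=DOMAIN,DC=com". A bind DN only works if an object
    # really exists at that location; in AD the CN is the display name, not
    # the logon name, and user objects normally live under CN=Users or an
    # OU. AD also accepts the down-level (DOMAIN\user) and UPN forms here,
    # which is what the working ldapsearch -D "DOMAIN\user_id" relies on.
    AuthLDAPBindDN "svc-apache@domain.com"

    # was: a literal password in httpd.conf. On 2.4.5+ "exec:" runs a
    # program (keep it root-owned, mode 0700) and uses the first line it
    # prints, so the secret is not in a world-readable config file.
    AuthLDAPBindPassword "exec:/usr/local/sbin/ldap-bind-password"

    # "order allow,deny" / "allow from all" are 2.2-era directives (served
    # by mod_access_compat on 2.4) and add nothing once Require is used.
    Require valid-user
</Directory>
```

The global directives sit outside the <Directory> block because mod_ldap's TLS settings are server-wide. After changing AuthLDAPURL, check error.log for the AH01691 line again: it echoes the URL Apache actually parsed, so a typo in the scheme or base DN shows up there before any bind is attempted.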

Replies are listed 'Best First'.
Re: PerlCGI + Apache ldap authentication configuration
by haukex (Archbishop) on Apr 12, 2020 at 18:48 UTC

    I'm not an expert on LDAP so I don't know if the differences between the Apache config and your command-line version are relevant? (In particular, -D "DOMAIN\user_id" -W vs. AuthLDAPBindDN "CN=user_id,DC=DOMAIN,DC=com".) mod_authnz_ldap also has a whole bunch more configuration options. Anyway, since you don't appear to be using an encrypted LDAP connection (?), could you try just sniffing it using Wireshark or tcpdump and compare what Apache is doing with what ldapsearch is doing.

Re: PerlCGI + Apache ldap authentication configuration
by soonix (Canon) on Apr 12, 2020 at 18:56 UTC
    • The user to be authenticated and the user to bind are usually different, and so are the password that you enter on the webpage and the AuthLDAPBindPassword.
    • also note the AuthLDAPBindPassword example in the docs doesn't have quotes, so probably your server thinks the quotes in your AuthLDAPBindPassword directive are part of the bind user's password
      Hi soonix,

      1. Yes, I have configured my credentials to bind with the LDAP server and am trying to authenticate with my colleague's credentials, and I am getting the same password mismatch error.

      2. I already tried AuthLDAPBindPassword without the double quotes. Quoting does not seem to matter.


        Hmmm. In this case, my next step would be to look in the DC's event log. (Ours is configured to log failed authentication attempts, I suppose yours does this, too)

        And, although the last message says "Password Mismatch", theoretically it could be a misspelt username as well, or even a wrong domain.
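The sequence soonix describes (bind as the configured service account, search for the browser user, then bind again as the DN that search returned) is what mod_authnz_ldap does for every request, and it is why "Password Mismatch" can come from three different places. The script below replays those three steps against a small in-memory directory. It is an added example, not code from the thread or from Apache: the DIRECTORY tree, the accounts svc-apache and alice, and their passwords are constructed, and the mini "server" does exact DN matching without RFC 4514 escaping, which is enough to show the point.

```python
"""Search-then-bind as mod_authnz_ldap performs it, replayed offline.

Added example, not code from the PerlMonks thread. The directory, the
accounts and the passwords are constructed; nothing here talks to a real
LDAP server.
"""

# Constructed stand-in for the AD tree. The service account and the browser
# user are different objects with different passwords, and neither sits
# directly under the domain root (the shape the question's bind DN assumed).
DIRECTORY = {
    "CN=svc-apache,CN=Users,DC=DOMAIN,DC=com": {
        "objectClass": ["top", "person"],
        "sAMAccountName": ["svc-apache"],
        "userPassword": ["service-secret"],
    },
    "CN=Alice Example,OU=Staff,DC=DOMAIN,DC=com": {
        "objectClass": ["top", "person"],
        "sAMAccountName": ["alice"],
        "userPassword": ["alice-pw"],
    },
}


def _norm_dn(dn):
    """Case-insensitive DN comparison (CN=/DC= types and values match
    regardless of case, so the mixed-case DC=DOMAIN,dc=com is fine).
    Escaped commas inside values are deliberately not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def simple_bind(dn, password):
    """Server side of an LDAP simple bind. Returns the LDAP result name."""
    for entry_dn, attrs in DIRECTORY.items():
        if _norm_dn(entry_dn) == _norm_dn(dn):
            if password and password in attrs.get("userPassword", []):
                return "success"
            return "invalidCredentials"
    # A DN that does not exist yields the same result as a wrong password:
    # the client cannot tell a misspelt bind DN from a bad bind password.
    return "invalidCredentials"


def search(base, attr, value, object_class="person"):
    """Subtree search for (&(objectClass=<object_class>)(<attr>=<value>)),
    the filter mod_authnz_ldap builds from AuthLDAPURL plus the username."""
    base_n = _norm_dn(base)
    hits = []
    for dn, attrs in DIRECTORY.items():
        dn_n = _norm_dn(dn)
        in_scope = dn_n == base_n or dn_n.endswith("," + base_n)
        classes = [c.lower() for c in attrs.get("objectClass", [])]
        names = [v.lower() for v in attrs.get(attr, [])]
        if in_scope and object_class.lower() in classes and value.lower() in names:
            hits.append(dn)
    return hits


def authenticate(bind_dn, bind_password, base, attr, username, password):
    """Return which stage failed, in the order Apache runs them."""
    # 1. Bind as the service account (AuthLDAPBindDN / AuthLDAPBindPassword).
    if simple_bind(bind_dn, bind_password) != "success":
        return "service bind failed"
    # 2. Look the browser user up by sAMAccountName to learn their real DN.
    hits = search(base, attr, username)
    if len(hits) != 1:
        return "user not found" if not hits else "user not unique"
    # 3. Bind as that DN with the password typed into the browser prompt.
    if simple_bind(hits[0], password) != "success":
        return "password mismatch"
    return "ok"


if __name__ == "__main__":
    base = "DC=DOMAIN,dc=com"
    good_svc = ("CN=svc-apache,CN=Users,DC=DOMAIN,DC=com", "service-secret")
    # Bind DN shaped like the question's: no object exists under the root.
    root_svc = ("CN=svc-apache,DC=DOMAIN,DC=com", "service-secret")
    cases = [
        (good_svc, "alice", "alice-pw"),
        (root_svc, "alice", "alice-pw"),
        (good_svc, "alice", "wrong"),
        (good_svc, "DOMAIN\\alice", "alice-pw"),
    ]
    for (svc_dn, svc_pw), who, pw in cases:
        print(f"{svc_dn} / {who}: {authenticate(svc_dn, svc_pw, base, 'sAMAccountName', who, pw)}")
```

The second case is the one worth internalising: the browser user's password is correct, yet the request fails at step 1 because the service bind DN does not name an existing object, and the server's answer to a non-existent DN is the same invalidCredentials it gives for a wrong password. The fourth case shows that DOMAIN\alice, which AD accepts as a bind name, is not a value of sAMAccountName and so never matches the search filter.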