Tom's FreeBSD blog

July 15, 2010

mod_auth_kerb + AD and LDAP authorization

Filed under: Active Directory,Apache — tmclaugh @ 12:34 pm

It’s not enough to authenticate a user.

11 Comments

  1. Thanks for the great post. I set my own system up like you did, but I don't get it to work.

    The apache log file says:

    [Fri Jul 23 16:35:48 2010] [info] [client 10.49.14.116] Applying pattern '^(.*)@(.*)$' to user '[email protected]', mech:'Any'
    [Fri Jul 23 16:35:48 2010] [info] [client 10.49.14.116] Pattern matched
    [Fri Jul 23 16:35:48 2010] [notice] [client 10.49.14.116] User name '[email protected]' rewritten to 'schul2'
    [Fri Jul 23 16:35:48 2010] [debug] mod_authnz_ldap.c(582): [client 10.49.14.116] ldap authorize: Creating LDAP req structure
    [Fri Jul 23 16:35:48 2010] [debug] mod_authnz_ldap.c(594): [client 10.49.14.116] auth_ldap authorise: User DN not found, LDAP: ldap_simple_bind_s() failed

    I guess the entry "User DN not found, LDAP: ldap_simple_bind_s() failed" is the cause of the issue.

    Here's the directive for the directory which should be secured:

    # Kerberos Auth
    AuthType Kerberos
    KrbAuthRealms FOO.COM
    KrbServiceName HTTP
    Krb5Keytab /etc/apache2/dokuwiki.HTTP.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    MapUsernameRule (.*)@(.*) "$1"
    AuthLDAPURL ldap://arsv0048.foo.com/cn=Users,dc=foo,dc=com?sAMAccountName
    AuthLDAPBindDN cn=wiki-sso-auth,ou=Administration,dc=foo,dc=com
    AuthLDAPBindPassword wiki-sso-auth
    Require ldap-group cn=g_edv,ou=Gruppen,ou=Users,dc=foo,dc=com

    Do you have any suggestions where the error could be or some hints for further investigations?

    Thanks in advance.

    (The Kerberos authentication is working. If I comment out the LDAP authorization, the browser does SSO.)

    Comment by ms — July 23, 2010 @ 10:49 am

  2. The problem is with your AuthLDAPBindDN/AuthLDAPBindPassword. The user/pass combo is failing to bind to the directory.

    Try this:

    $ ldapsearch -H ldap://arsv0048.foo.com -x -D cn=wiki-sso-auth,ou=Administration,dc=foo,dc=com -W -b dc=foo,dc=com sAMAccountName=wiki-sso-auth

    That should prompt you for a password. Enter your pass and see if it works.

    By the way, I found out about the userPrincipalName attribute in AD. If you use that instead of sAMAccountName in AuthLDAPURL you won't need the MapUsernameRule. The caveat is that not all users may have it populated. If the domain was an NT4 to AD conversion, then users created in the NT4 period will not have this attribute. If that's not the situation then you're good. I'm going to update this post with a new one after I get some other questions answered and write a PowerShell script to sanitize my users at work.

    Comment by tmclaugh — July 23, 2010 @ 12:21 pm

  3. Thanks for the quick reply.

    I tried your ldapsearch and I get the error that the credentials are wrong (as you said already).

    The password must be correct (I reset it in the AD console). Does the same error occur if the LDAP path (e.g. the cn name) is wrong?

    Comment by ms — July 24, 2010 @ 4:50 am

  4. Got it. You have to take care with the cn value in the LDAP search path. I set every account property to "wiki-sso-auth" (e.g. display name) in AD "Users and Groups", and now ldapsearch accepts the password.

    Comment by ms — July 24, 2010 @ 4:55 am

  5. I had problems with MapUsernameRule: sometimes it rewrote random symbols, one or many, like + at the end of the sAMAccountName.
    So here is the solution that worked better for me:

    1. comment out MapUsernameRule
    2. search for the line that begins with AuthLDAPURL and replace sAMAccountName with userPrincipalName.
    3. reload apache

    PS: big thanks to the author

    Comment by c4406319 — January 28, 2011 @ 3:40 am

  6. Have you also managed to set up AuthLDAP using Kerberos/gssapi, instead of binddn?

    Greets
    Marcus

    Comment by Marcus — August 4, 2011 @ 11:51 am

  7. Btw. recent versions of mod_auth_kerb support the option:

    KrbLocalUserMapping on

    to map user names, so mod_map_user (or using userPrincipalName) is not necessary anymore.

    Comment by Marcus — August 5, 2011 @ 4:30 am

  8. Unfortunately I haven't set it up to use GSSAPI instead of a bind DN, though that would be kind of cool. Unfortunately I don't administer SVN where I'm at now, so I haven't tried or looked at newer options in the module.

    Comment by tmclaugh — August 23, 2011 @ 2:59 pm

  11. Great guide, helped me a lot, but:
    I got a problem with this

    MapUsernameRule (.*)@(.*) "$1"

    If you implement this in your conf, then afterwards you have a problem with your username containing dots like ".Klaus."

    In order to get this right, delete the quotation marks.

    MapUsernameRule (.*)@(.*) $1

    That way, you don't have these nasty dots around your sAMAccountName.

    Comment by KLaus — February 27, 2012 @ 5:59 am
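The thread above mixes three distinct failure points that all surface in Apache as some variant of "User DN not found": the service-account bind (comments 1 to 4), the MapUsernameRule rewrite with stray quote characters (comment 11) and the sAMAccountName-versus-userPrincipalName choice with its NT4-era caveat (comments 2 and 5). The following Python is an added example written for this page, not code from the post and not the code of mod_auth_kerb or mod_authnz_ldap. It models the mod_authnz_ldap authorization chain (bind, optional username mapping, user search on the AuthLDAPURL attribute, then `Require ldap-group` checked against the group's `member` attribute) over a small constructed in-memory directory. The DNs, the bind password, and every account other than schul2, wiki-sso-auth and g_edv from the thread are assumptions.

```python
import re

# --- Constructed sample directory (hypothetical data, not taken from the page) ---
# Entries are keyed by DN. User entries carry sAMAccountName and, where set,
# userPrincipalName; the group entry carries its 'member' DNs, which is what
# mod_authnz_ldap compares the user's DN against for 'Require ldap-group'
# (AuthLDAPGroupAttribute defaults to member/uniqueMember, AuthLDAPGroupAttributeIsDN to on).
DIRECTORY = {
    "cn=wiki-sso-auth,ou=Administration,dc=foo,dc=com": {
        "sAMAccountName": "wiki-sso-auth",
        "userPrincipalName": "wiki-sso-auth@foo.com",
        "password": "s3cret-bind-pw",   # assumed; used only by the bind step below
    },
    "cn=schul2,cn=Users,dc=foo,dc=com": {
        "sAMAccountName": "schul2",
        "userPrincipalName": "schul2@foo.com",
    },
    "cn=Klaus Mustermann,cn=Users,dc=foo,dc=com": {   # hypothetical account
        "sAMAccountName": "klaus.mustermann",
        "userPrincipalName": "klaus.mustermann@foo.com",
    },
    "cn=nt4user,cn=Users,dc=foo,dc=com": {            # hypothetical NT4-era account
        "sAMAccountName": "nt4user",
        # no userPrincipalName: created before an NT4 -> AD migration
    },
    "cn=guest,cn=Users,dc=foo,dc=com": {              # hypothetical non-member
        "sAMAccountName": "guest",
        "userPrincipalName": "guest@foo.com",
    },
    "cn=g_edv,ou=Gruppen,ou=Users,dc=foo,dc=com": {
        "member": [
            "cn=schul2,cn=Users,dc=foo,dc=com",
            "cn=Klaus Mustermann,cn=Users,dc=foo,dc=com",
            "cn=nt4user,cn=Users,dc=foo,dc=com",
        ],
    },
}

GROUP_DN = "cn=g_edv,ou=Gruppen,ou=Users,dc=foo,dc=com"


def simple_bind(bind_dn, password):
    """Model of the AuthLDAPBindDN/AuthLDAPBindPassword bind. The directory refuses
    the bind both for a wrong password and for a DN that does not exist, which is
    why a mistyped cn in the bind DN looks exactly like a bad password (comment 4)."""
    entry = DIRECTORY.get(bind_dn)
    return entry is not None and entry.get("password") == password


def map_username(principal, pattern, replacement):
    """Apply a mod_map_user style MapUsernameRule. The module anchors the pattern
    (the log above shows '^(.*)@(.*)$') and substitutes $1..$9 literally, so quote
    characters written into the replacement become part of the user name."""
    m = re.fullmatch(pattern, principal)
    if m is None:
        return principal
    for i, group in enumerate(m.groups(), start=1):
        replacement = replacement.replace("$%d" % i, group)
    return replacement


def find_user_dn(attribute, value):
    """The search step from AuthLDAPURL ...?<attribute>: exactly one entry must match
    <attribute>=<value>; otherwise mod_authnz_ldap reports 'User DN not found'."""
    hits = [dn for dn, e in DIRECTORY.items()
            if e.get(attribute, "").lower() == value.lower()]
    return hits[0] if len(hits) == 1 else None


def authorize(principal, attribute, bind_dn, bind_pw, rule=None, group_dn=GROUP_DN):
    """Run the whole chain and return a status string mirroring the Apache log:
    bind, optional MapUsernameRule, user search, then 'Require ldap-group'."""
    if not simple_bind(bind_dn, bind_pw):
        return "User DN not found, LDAP: ldap_simple_bind_s() failed"
    name = map_username(principal, *rule) if rule else principal
    user_dn = find_user_dn(attribute, name)
    if user_dn is None:
        return "User DN not found (searched %s=%s)" % (attribute, name)
    members = [m.lower() for m in DIRECTORY.get(group_dn, {}).get("member", [])]
    return "authorized" if user_dn.lower() in members else "denied: not a member of %s" % group_dn


def users_missing_upn():
    """Accounts a userPrincipalName-based AuthLDAPURL can never match: the NT4-era
    accounts the author warns about, the ones his cleanup script would have to fix."""
    return sorted(e["sAMAccountName"] for e in DIRECTORY.values()
                  if "sAMAccountName" in e and "userPrincipalName" not in e)


if __name__ == "__main__":
    bind = ("cn=wiki-sso-auth,ou=Administration,dc=foo,dc=com", "s3cret-bind-pw")
    quoted_rule = (r"(.*)@(.*)", '"$1"')   # the rule as posted, quotes included
    plain_rule = (r"(.*)@(.*)", "$1")      # the rule with the quotes removed
    print(authorize("schul2@foo.com", "sAMAccountName", *bind, rule=quoted_rule))
    print(authorize("schul2@foo.com", "sAMAccountName", *bind, rule=plain_rule))
    print(authorize("nt4user@foo.com", "userPrincipalName", *bind))
    print(users_missing_upn())
```

Run it and the first line reproduces comment 11: the quoted rule turns `schul2@foo.com` into `"schul2"` (quotes included), so the sAMAccountName search finds nothing; the second line authorizes once the quotes are gone. The third line shows the caveat from comment 2: switching to userPrincipalName fails for an account that never had one, which `users_missing_upn()` lists so such accounts can be found before the switch.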
