
Thread: apache 2.2 mod_authnz_ldap to zimbra help?

  1. #1

    apache 2.2 mod_authnz_ldap to zimbra help?

    Hi,

    I have an apache 2.2 webserver with some private content that I want to use LDAP auth of my zimbra users to authenticate. No reason for another external ldap synced to zimbra ldap for basic authentication which is all I'm after here. However, apache 2.2 keeps giving authorise denied.

    Server is zimbra.mydomain.com, default domain for user accounts in mydomain.com

    .htaccess for directory is very basic :
    Code:
    AuthName "Staff Only"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL ldap://zimbra.mydomain.com:389/ou=people,dc=mydomain,dc=com?uid?sub?(objectClass=organizationalPerson)
    require valid-user

    Trying to authenticate this way produces the following on the zimbra server (slapd.conf: loglevel 256):
    Note: IPs and domains sanitized.
    Code:
    Jan 22 22:26:32 zimbra slapd[7931]: conn=16378 fd=46 ACCEPT from IP=xxx.yyy.zzz.aaa:39788 (IP=aaa.bbb.ccc.ddd:389) 
    Jan 22 22:26:32 zimbra slapd[7931]: conn=16378 op=0 BIND dn="" method=128 
    Jan 22 22:26:32 zimbra slapd[7931]: conn=16378 op=0 RESULT tag=97 err=0 text= 
    Jan 22 22:26:32 zimbra slapd[7931]: conn=16378 op=1 SRCH base="ou=people,dc=mydomain,dc=com" scope=2 deref=3 filter="(&(objectClass=organizationalPerson)(uid=jdell))" 
    Jan 22 22:26:32 zimbra slapd[7931]: conn=16378 op=1 SRCH attr=uid 
    Jan 22 22:26:32 zimbra slapd[7931]: conn=16378 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= 
    Jan 22 22:26:32 zimbra slapd[7931]: conn=16378 op=2 BIND dn="uid=jdell,ou=people,dc=mydomain,dc=com" method=128 
    Jan 22 22:26:32 zimbra slapd[7931]: conn=16378 op=2 BIND dn="uid=jdell,ou=people,dc=mydomain,dc=com" mech=SIMPLE ssf=0 
    Jan 22 22:26:32 zimbra slapd[7931]: conn=16378 op=2 RESULT tag=97 err=0 text=

    From my reading of http://www.redhat.com/docs/manuals/d...i/6.01/log.htm, it seems that tag=97 is a result from a client bind, and err=0 means success, yet it isn't working.

    Apache 2.2 logs show the following (LogLevel=debug):
    Code:
    [Mon Jan 22 22:51:00 2007] [debug] mod_authnz_ldap.c(849): [2525] auth_ldap url parse: `ldap://zimbra.mydomain.com:389/ou=people,dc=mydomain,dc=com?uid?sub?(objectClass=organizationalPerson)'
    [Mon Jan 22 22:26:32 2007] [debug] mod_authnz_ldap.c(858): [2525] auth_ldap url parse: Host: zimbra.mydomain.com:389
    [Mon Jan 22 22:26:32 2007] [debug] mod_authnz_ldap.c(860): [2525] auth_ldap url parse: Port: 389
    [Mon Jan 22 22:26:32 2007] [debug] mod_authnz_ldap.c(862): [2525] auth_ldap url parse: DN: ou=people,dc=mydomain,dc=com
    [Mon Jan 22 22:26:32 2007] [debug] mod_authnz_ldap.c(864): [2525] auth_ldap url parse: attrib: uid
    [Mon Jan 22 22:26:32 2007] [debug] mod_authnz_ldap.c(866): [2525] auth_ldap url parse: scope: subtree
    [Mon Jan 22 22:26:32 2007] [debug] mod_authnz_ldap.c(871): [2525] auth_ldap url parse: filter: (objectClass=organizationalPerson)
    [Mon Jan 22 22:26:32 2007] [debug] mod_authnz_ldap.c(951): LDAP: auth_ldap not using SSL connections
    [Mon Jan 22 22:26:32 2007] [debug] mod_authnz_ldap.c(373): [client 69.239.134.73] [2525] auth_ldap authenticate: using URL ldap://zimbra.mydomain.com:389/ou=people,dc=mydomain,dc=com?uid?sub?(objectClass=organizationalPerson)
    [Mon Jan 22 22:26:32 2007] [debug] mod_authnz_ldap.c(454): [client 69.239.134.73] [2525] auth_ldap authenticate: accepting jdell
    [Mon Jan 22 22:26:32 2007] [debug] mod_authnz_ldap.c(826): [client 69.239.134.73] [2525] auth_ldap authorise: authorisation denied

    So, I can't see anything wrong except that apache 2.2 mod_authnz_ldap doesn't like it. Any ideas?

  2. #2

    amazing really....

    I banged my head on this for more hours than I care to admit, I finally post here describing my efforts, and then like a thunderbolt, it hits me that I'm missing the difference between authentication and authorization.

    Re-reading the mod_authnz_ldap docs explains that for authentication only, I just need to specify 'AuthzLDAPAuthoritative off'.

    Well, at least I have it working now...yay!....argh!....yay!....argh!....yay!

    Hopefully this saves somebody some grief in the future...

    For the sake of thoroughness, here is the whole .htaccess file:

    Code:
    AuthName "Staff Only"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL ldap://zimbra.mydomain.com:389/ou=people,dc=mydomain,dc=com?uid?sub?(objectClass=organizationalPerson)
    AuthzLDAPAuthoritative off
    require valid-user
    Last edited by jdell; 01-23-2007 at 12:15 AM. Reason: added htaccess code
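    The two posts above show the pattern that makes this problem confusing: the slapd log records a successful user bind (tag=97 is the LDAP bindResponse, err=0 is success), while Apache logs "accepting jdell" and then "authorisation denied". The script below is an added example, not code from the thread or from Apache; it parses constructed copies of those log lines (IPs are placeholders) and classifies the outcome so that an admin can tell "user not found", "bad password" and "authenticated but authorisation failed" apart before touching the .htaccess. The message for the last case repeats the fix from post #2 (AuthzLDAPAuthoritative off, so the Require check falls through to mod_authz_user); the regexes and log samples are the example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines modelled on the thread's slapd (loglevel 256) excerpt.
# Hosts and IPs are placeholders; "jdell" is the uid used in the thread.
SLAPD_LOG = """\
Jan 22 22:26:32 zimbra slapd[7931]: conn=16378 fd=46 ACCEPT from IP=192.0.2.10:39788 (IP=192.0.2.20:389)
Jan 22 22:26:32 zimbra slapd[7931]: conn=16378 op=0 BIND dn="" method=128
Jan 22 22:26:32 zimbra slapd[7931]: conn=16378 op=0 RESULT tag=97 err=0 text=
Jan 22 22:26:32 zimbra slapd[7931]: conn=16378 op=1 SRCH base="ou=people,dc=mydomain,dc=com" scope=2 deref=3 filter="(&(objectClass=organizationalPerson)(uid=jdell))"
Jan 22 22:26:32 zimbra slapd[7931]: conn=16378 op=1 SRCH attr=uid
Jan 22 22:26:32 zimbra slapd[7931]: conn=16378 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 22 22:26:32 zimbra slapd[7931]: conn=16378 op=2 BIND dn="uid=jdell,ou=people,dc=mydomain,dc=com" method=128
Jan 22 22:26:32 zimbra slapd[7931]: conn=16378 op=2 BIND dn="uid=jdell,ou=people,dc=mydomain,dc=com" mech=SIMPLE ssf=0
Jan 22 22:26:32 zimbra slapd[7931]: conn=16378 op=2 RESULT tag=97 err=0 text=
"""

# Constructed Apache 2.2 LogLevel debug lines, modelled on the thread's excerpt.
APACHE_LOG = """\
[Mon Jan 22 22:26:32 2007] [debug] mod_authnz_ldap.c(454): [client 192.0.2.10] [2525] auth_ldap authenticate: accepting jdell
[Mon Jan 22 22:26:32 2007] [debug] mod_authnz_ldap.c(826): [client 192.0.2.10] [2525] auth_ldap authorise: authorisation denied
"""

# Two constructed variants for the other failure modes.
BAD_PASSWORD_LOG = SLAPD_LOG.replace("op=2 RESULT tag=97 err=0", "op=2 RESULT tag=97 err=49")  # 49 = invalidCredentials
NOT_FOUND_LOG = SLAPD_LOG.replace("nentries=1", "nentries=0")

# A BIND request line carries method=; the follow-up "mech=SIMPLE" line is skipped on purpose.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=')
BIND_RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')   # tag 97 = bindResponse
SEARCH_DONE_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=101 err=(\d+) nentries=(\d+)')
APACHE_ACCEPT_RE = re.compile(r'auth_ldap authenticate: accepting (\S+)')
APACHE_DENY_RE = re.compile(r'auth_ldap authorise: authorisation denied')


def parse_slapd_binds(log: str) -> List[dict]:
    """Pair each BIND request with the bindResponse on the same conn/op and keep its err code."""
    pending: Dict[Tuple[str, str], str] = {}
    binds: List[dict] = []
    for line in log.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = BIND_RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            key = (m.group(1), m.group(2))
            binds.append({"conn": key[0], "op": key[1], "dn": pending.pop(key), "err": int(m.group(3))})
    return binds


def parse_slapd_searches(log: str) -> List[dict]:
    """Collect searchResultDone entries; nentries tells whether the uid lookup matched anything."""
    return [
        {"conn": m.group(1), "op": m.group(2), "err": int(m.group(3)), "nentries": int(m.group(4))}
        for m in (SEARCH_DONE_RE.search(line) for line in log.splitlines()) if m
    ]


def parse_apache_authnz(log: str) -> dict:
    """Record which user the authenticate step accepted and whether the authorise step denied."""
    state = {"accepted_user": None, "authz_denied": False}
    for line in log.splitlines():
        m = APACHE_ACCEPT_RE.search(line)
        if m:
            state["accepted_user"] = m.group(1)
        elif APACHE_DENY_RE.search(line):
            state["authz_denied"] = True
    return state


def diagnose(slapd_log: str, apache_log: str) -> Tuple[str, str]:
    """Return (code, explanation) for one authentication attempt seen from both sides."""
    searches = parse_slapd_searches(slapd_log)
    user_binds = [b for b in parse_slapd_binds(slapd_log) if b["dn"]]  # drop the anonymous search bind
    apache = parse_apache_authnz(apache_log)
    if any(s["nentries"] == 0 for s in searches):
        return "user_not_found", "the uid search matched no entry; check the base DN, attribute and filter in AuthLDAPURL"
    if not user_binds:
        return "no_user_bind", "Apache never bound as the user; check the search result and the connection to the directory"
    failed = [b for b in user_binds if b["err"] != 0]
    if failed:
        return "bind_failed", "the directory rejected the user bind (err=%d); credentials or DN are wrong" % failed[0]["err"]
    if apache["accepted_user"] and apache["authz_denied"]:
        return "authn_ok_authz_denied", ("the directory verified the password and Apache accepted %s, but mod_authnz_ldap's "
                                         "authorise step denied; for authentication only, set AuthzLDAPAuthoritative off "
                                         "so Require valid-user falls through to mod_authz_user" % apache["accepted_user"])
    return "ok", "bind succeeded and no authorisation denial was logged"


if __name__ == "__main__":
    for name, log in (("thread", SLAPD_LOG), ("bad password", BAD_PASSWORD_LOG), ("not found", NOT_FOUND_LOG)):
        code, why = diagnose(log, APACHE_LOG)
        print("%-13s %-22s %s" % (name, code, why))
```

Run it against real logs by replacing the constructed strings with the contents of the slapd log and the Apache error log for one request; the classifier only looks at the conn/op pairs and the two mod_authnz_ldap debug lines, so other traffic in the files is ignored.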

  3. #3

    Thank You!

    I join you in banging my head against the wall and yelling "ARGH!" Such a simple command caused hours of headaches.

    The lesson, as always: RTFM. :-)

    Appreciate you posting your solution!
    Chris
