Problem with mod_auth_ldap

tcauduro
Posts: 9
Joined: Fri Sep 12, 2014 10:45 pm


Postby tcauduro » Wed Sep 19, 2007 8:55 am

Hello,
I am currently testing out Zimbra for use as our potential mail server. The mail features work great, I'm very impressed. The feature that I would like to take advantage of is the LDAP component. We currently do not have a centralized user store, but rather a few servers with duplicate accounts on each (File Server, Mail Server, Intranet, etc.). I am really looking to establish a central point to manage account info, and Zimbra's OpenLDAP implementation seems like a good place to start.
I'm able to access the LDAP info from our web programming fine (PHP LDAP libraries work great), but where my problem lies is using a .htaccess file with mod_auth_ldap for our intranet authentication. We are currently set up on an FC4 web server with Apache 2.0.54, and mod_auth_ldap and mod_ldap are both loaded from the modules directory via the LoadModule directive in the httpd.conf file.
My .htaccess file reads as follows:

AuthName Zimbra
AuthType Basic
AuthLDAPUrl "ldap://servername/ou=people,dc=servername,dc=com?uid?sub?(objectClass=organizationalPerson)"
require valid-user

When I access the directory this is applied to I do not get a login prompt and anyone can access the page.
I have tried modifying it to bind to a dn as shown:

AuthName Zimbra
AuthType Basic
AuthLDAPUrl "ldap://servername/ou=people,dc=servername,dc=com?uid?sub?(objectClass=organizationalPerson)"
AuthLDAPBindDN "uid=admin, ou=people,dc=server,dc=com"
AuthLDAPBindPassword "password"
require valid-user

Still nothing.
I have tried putting the configuration into the httpd.conf file itself.

AllowOverride None
Order allow,deny
Allow from all
AuthName "Zimbra"
AuthType Basic
AuthLDAPURL "ldap://servername/ou=people,dc=servername,dc=com?uid?sub?(objectClass=organizationalPerson)"
AuthLDAPBindDn "uid=admin, ou=people, dc=server, dc=com"
AuthLDAPBindPassword "password"
require valid-user

This does not seem to work either.
If anyone can give me any insight on what I'm doing wrong I would greatly appreciate it.


jdell
Outstanding Member
Posts: 201
Joined: Fri Sep 12, 2014 10:13 pm


Postby jdell » Wed Sep 19, 2007 9:27 am

Hi,
I spent a lot of time playing around (banging head) trying to get this to work and finally figured it out. Actually, I think you had it except the 'AuthzLDAPAuthoritative off'. You need that in there or it will try to do more than just authenticate. Read the Apache docs for a better description of that.
Zimbra allows anonymous bind, so you don't need the binding stuff.
Here is my working .htaccess for an intranet site that authenticates against Zimbra (note the 'TLS' at the end of the AuthLDAPURL line; this forces SSL):
Edit: I'm using Apache 2.2, YMMV with Apache 2.0 (I believe there is a mod_ldap change between 2.0 and 2.2).

AuthName "Staff Only"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL ldap://zimbra.mydomain.com:389/ou=people,dc=mydomain,dc=com?uid?sub?(objectClass=organizationalPerson) TLS
AuthzLDAPAuthoritative off
Require valid-user

If you are using a self-signed certificate but still want SSL, you will need to add 'TLS_REQCERT never' to your /etc/openldap/ldap.conf. This causes LDAP not to try to verify the certificate chain, but it will still communicate via SSL.
Hope that helps!
John
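The AuthLDAPURL line that every configuration in this thread revolves around has the shape scheme://host[:port]/basedn?attribute?scope?filter, optionally followed (in Apache 2.2's mod_authnz_ldap) by a NONE/SSL/TLS/STARTTLS word, and for each login the module searches for (&(filter)(attribute=username)). The following is an added example, not code from the thread, Apache or Zimbra: it parses such a line, flags the two settings a defender most wants to see (an encrypted connection and a real filter) and produces the ldapsearch a practitioner can run by hand to confirm the search finds the user. Host and domain names in it are constructed.

```python
"""Parse and check an Apache AuthLDAPURL line (mod_auth_ldap / mod_authnz_ldap).
Added example for this thread, not Apache or Zimbra code; names used are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class AuthLdapUrl:
    scheme: str     # ldap or ldaps
    host: str
    port: int
    basedn: str     # subtree searched for the user's entry
    attribute: str  # attribute matched against the Basic-auth username (default uid)
    scope: str      # one or sub
    filter: str     # extra filter ANDed with (attribute=username) by the module
    mode: str       # trailing NONE/SSL/TLS/STARTTLS word (mod_authnz_ldap, Apache 2.2+)


def parse_auth_ldap_url(line: str) -> AuthLdapUrl:
    # Accept the whole directive line or just its value; the mode word is optional.
    words = line.split()
    if words and words[0].lower() == "authldapurl":
        words = words[1:]
    url = words[0].strip('"')
    mode = words[1].upper() if len(words) > 1 else "NONE"
    if mode not in ("NONE", "SSL", "TLS", "STARTTLS"):
        raise ValueError(f"unknown connection mode: {mode}")
    u = urlsplit(url)
    if u.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {u.scheme}")
    # After '?' comes attribute?scope?filter; missing fields take Apache's defaults.
    attr, scope, filt = (u.query.split("?", 2) + ["", "", ""])[:3]
    port = u.port or (636 if u.scheme == "ldaps" else 389)
    return AuthLdapUrl(u.scheme, u.hostname or "", port, u.path.lstrip("/"),
                       attr or "uid", scope or "sub", filt or "(objectClass=*)", mode)

def check(url: AuthLdapUrl) -> list:
    """Warnings a defender would want before enabling the directive."""
    warnings = []
    if url.scheme == "ldap" and url.mode == "NONE":
        warnings.append("plaintext LDAP: the user's password is bound over the wire unencrypted")
    if url.filter == "(objectClass=*)":
        warnings.append("no filter: any entry under the base DN with the attribute can log in")
    return warnings

def ldapsearch_command(url: AuthLdapUrl, username: str) -> str:
    """The search Apache issues for a login, as an ldapsearch line to test by hand."""
    # Apache escapes the username before building its filter; here it is inserted
    # verbatim, so pass a plain test account name.
    uri = f"{url.scheme}://{url.host}:{url.port}"
    return (f"ldapsearch -x -H {uri} -b '{url.basedn}' -s {url.scope} "
            f"'(&{url.filter}({url.attribute}={username}))' dn")
```

With the bind directives from the first post, the same ldapsearch needs `-D binddn -w password` added; without them it runs as an anonymous bind, which is what the answer above relies on.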
tcauduro
Posts: 9
Joined: Fri Sep 12, 2014 10:45 pm


Postby tcauduro » Wed Sep 19, 2007 11:51 am

I have tried what you said; unfortunately I do not believe Apache 2.0.54 supports AuthBasicProvider, as it threw a server error. The log states it's an unrecognized directive. Also, the TLS parameter doesn't seem to be supported either in the 2.0.54 version, as that also threw an error.
I tried 'AuthLDAPAuthoritative off', but that didn't seem to make any difference.
Is there some kind of global directive I'm missing to turn this on?
jdell
Outstanding Member
Posts: 201
Joined: Fri Sep 12, 2014 10:13 pm


Postby jdell » Wed Sep 19, 2007 12:11 pm

[quote user="tcauduro"]I have tried what you said; unfortunately I do not believe Apache 2.0.54 supports AuthBasicProvider, as it threw a server error. The log states it's an unrecognized directive. Also, the TLS parameter doesn't seem to be supported either in the 2.0.54 version, as that also threw an error.
I tried 'AuthLDAPAuthoritative off', but that didn't seem to make any difference.
Is there some kind of global directive I'm missing to turn this on?[/quote]
Ok, yea I see now: Apache 2.0 uses mod_auth_ldap, Apache 2.2 uses mod_authnz_ldap, which is a bit different. Here are the relevant Apache docs:
mod_auth_ldap - Apache HTTP Server
mod_authnz_ldap - Apache HTTP Server
I can't recall if I ever tried LDAP auth with Apache 2.0, but it definitely works with Apache 2.2, so if you can upgrade Apache, that may be your best option.
regards,

John
pillerk
Posts: 9
Joined: Fri Sep 12, 2014 11:16 pm


Postby pillerk » Fri Sep 17, 2010 3:33 am

This .htaccess content is working perfectly for me on Debian with Mailman:

mailserver: mail.domain.com
.htaccess content:

AuthName "Zimbra login (without domain name)"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldap://mail.domain.com:389/ou=people,dc=domain,dc=com?uid?sub?(objectClass=organizationalPerson)"
AuthLDAPBindDn "uid=zimbra,cn=admins,cn=zimbra"
AuthLDAPBindPassword "ldappassword"
require valid-user

Required packages on Debian:

libapache2-webauth
a2enmod mod_rewrite
a2enmod mod_ldap

and successfully integrated Mailman with Zimbra (Mailman on an external server).
