May 162013

I recently ran into an issue configuring HTTP Basic authentication against Active Directory using Apache httpd.  What was happening was that I’d get a 500 Internal Server Error page every time I hit a location that required Basic authentication.  There wasn’t anything useful in the logs, and I started playing around with the configuration (which, I must point out, was correct in a way).  After about two hours of trial I finally figured out the problem — there appears to be some sort of bug either in the OpenLDAP libraries, Apache httpd, or Active Directory itself, when Apache was trying to connect to AD via LDAP.  I found this only appeared when I had my search base configured to be the top-level DN of my Active Directory.  Changing the search base to an OU lower also resolved the problem, but I couldn’t do that because I have users across several OU’s off the top of the DIT.  The solution I came up with was to connect to port 3268, the Global Catalog, rather than the normal port of 389.

Here’s my mod_authnz_ldap configuration settings:

Hope that helps!

Feb 022013

A new version of AuthLDAP has been released and is ready for consumption.  I’ve put in some more error checking and tried to fix some of the bugs around the group membership checking for users.  I’ve also done some major reworking of the configuration options in order to hopefully allow for better interoperability between directories and to add options that can help with search optimization in some cases.

This has been tested against Active Directory, OpenLDAP, and SunOne Directory Server.  You can download the new library from it’s project page.  I hope you find it useful!

Aug 302012

Lately I’ve been spending a lot of time trying to get a useful combination of LDAP + SSL + Kerberos working on various Unix systems (Linux, Solaris, and AIX specifically).  I’ve had excellent results with Kerberos + LDAP and SSL + LDAP, but combining all three on my CentOS and RHEL systems had me running repeatedly into this error:

I first saw this when I configured my systems to authenticate against Active Directory with SSSD and then I started noticing it with the OpenLDAP clients (ldapadd, ldapmodify, et al) when I began doing more and more work using SASL/GSSAPI authentication. Continue reading »

Jul 032011

Over the past couple years, I’ve written several little php-based application that rely on LDAP for authentication.  More recently, I’ve been using CodeIgniter to write more apps.  I thought it was about time to handle LDAP authentication a little more elegantly.  To handle this, I’ve written a library for CodeIgniter called Ldap_Auth.

Continue reading »