12 June 2007
Apache 2.2 – authnz_ldap – Active Directory
Posted by Michele Baldessari under: en; tech.
The other day I had to authenticate web clients on Apache 2.2 (Debian Etch) against our corporate Active Directory (Windows 2003 R2), and I kept getting an error like the following:
[Wed Jun 06 19:08:56 2007] [warn] [client 10.10.1.2] [3574] auth_ldap authenticate: user foo authentication failed; URI /secret [ldap_search_ext_s() for user failed][Operations error]
Only after a couple of Google searches, a couple of network sniffs (which all seemed to go well: bind and then search both successful) and a bit of trial and error did I find out that I had to turn off referrals in /etc/ldap/ldap.conf. The reason is that a subtree search of the domain root makes AD answer with referrals to its other naming contexts; libldap chases them on a new connection that it does not re-bind with the AuthLDAPBindDN credentials, and AD rejects the resulting anonymous search with the Operations error above. That is also why the first bind and search in the capture look fine. Telling libldap not to chase referrals is the fix:
REFERRALS off
For the record, this is the configuration snippet in Apache:
<Directory /var/www/secret>
    AuthBasicProvider ldap
    AuthType Basic
    AuthName "Ldap Test Area"
    AuthLDAPURL "ldap://pdc.domain.msft:389/DC=DOMAIN,DC=MSFT?sAMAccountName?sub?(objectClass=user)" NONE
    AuthLDAPBindDN "LDAPROUser@DOMAIN"
    AuthLDAPBindPassword "foo"
    require ldap-attribute objectClass=user
</Directory>
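As an added example (my own code, not Michele's and not part of Apache), here is a small Python linter for the situation in this post: it parses an AuthLDAPURL the way mod_authnz_ldap reads it, checks whether the OpenLDAP ldap.conf turns referrals off, and reports the domain-root-plus-referrals trap, the cleartext-password point Timo raises in the comments, and the Global Catalog (port 3268) alternative several commenters use instead of REFERRALS off. The finding codes, the sample ldap.conf text and the single-host assumption are mine.

```python
"""Lint an Apache 2.2 mod_authnz_ldap setup for the Active Directory referral
trap. Constructed example, not code from the post. Assumes a single host in
the AuthLDAPURL without IPv6 brackets; finding codes are our own."""
import re

# AuthLDAPURL layout:  scheme://host[:port]/basedn[?attribute[?scope[?filter]]]
# Defaults as in the mod_authnz_ldap docs: attribute uid, scope sub,
# filter (objectClass=*).
URL_RE = re.compile(r'^(?P<scheme>ldaps?)://(?P<hostport>[^/]*)/(?P<rest>.*)$',
                    re.IGNORECASE)
DEFAULT_PORTS = {'ldap': 389, 'ldaps': 636}
GC_PORTS = {3268, 3269}            # Global Catalog, plain and SSL


def parse_authldapurl(url):
    """Split an AuthLDAPURL into its parts; ValueError on anything else."""
    m = URL_RE.match(url.strip())
    if not m:
        raise ValueError('not an ldap:// or ldaps:// URL: %r' % url)
    scheme = m.group('scheme').lower()
    hostport = m.group('hostport').strip()
    if ':' in hostport:
        host, port = hostport.rsplit(':', 1)
        port = int(port)
    else:
        host, port = hostport, DEFAULT_PORTS[scheme]
    if not host:
        raise ValueError('no host in AuthLDAPURL')
    parts = m.group('rest').split('?')
    return {
        'scheme': scheme, 'host': host, 'port': port,
        'basedn': parts[0],
        'attribute': parts[1] if len(parts) > 1 and parts[1] else 'uid',
        'scope': (parts[2] if len(parts) > 2 and parts[2] else 'sub').lower(),
        'filter': parts[3] if len(parts) > 3 and parts[3] else '(objectClass=*)',
    }


def is_domain_root(basedn):
    """True when every RDN is DC=..., i.e. the base is the domain naming
    context itself (DC=DOMAIN,DC=MSFT) rather than an OU inside it."""
    rdns = [r.strip() for r in basedn.split(',') if r.strip()]
    return bool(rdns) and all(r.split('=', 1)[0].strip().upper() == 'DC'
                              for r in rdns)


def referrals_setting(ldap_conf_text):
    """Return False for 'REFERRALS off', True for 'REFERRALS on', None when
    the OpenLDAP ldap.conf never sets it (libldap then chases referrals)."""
    setting = None
    for line in ldap_conf_text.splitlines():
        line = line.split('#', 1)[0].strip()        # strip comments
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[0].upper() == 'REFERRALS':
            setting = fields[1].strip().lower() in ('on', 'yes', 'true')
    return setting


def lint(url, conn_type, ldap_conf_text):
    """Return [(code, message), ...] for one AuthLDAPURL plus the connection
    type keyword that follows it in the config (NONE, SSL, TLS, STARTTLS)."""
    u = parse_authldapurl(url)
    referrals = referrals_setting(ldap_conf_text)
    findings = []
    if (u['scope'] == 'sub' and is_domain_root(u['basedn'])
            and u['port'] not in GC_PORTS and referrals is not False):
        findings.append(('REFERRALS',
            'subtree search of %s on port %d: AD answers with referrals to '
            'its other naming contexts, libldap chases them on a new, '
            'unauthenticated connection and AD rejects that with "Operations '
            'error". Put "REFERRALS off" in the OpenLDAP ldap.conf, search a '
            'specific OU, or use the Global Catalog on port 3268.'
            % (u['basedn'], u['port'])))
    if u['scheme'] == 'ldap' and conn_type.upper() == 'NONE':
        findings.append(('CLEARTEXT',
            'ldap:// with connection type NONE: the AuthLDAPBindPassword and '
            'every user password cross the wire in clear; use ldaps:// with '
            'SSL (port 636) or keep ldap:// with STARTTLS.'))
    if u['port'] in GC_PORTS:
        findings.append(('GC',
            'Global Catalog search: only the partial attribute set replicated '
            'to the GC is searchable, so check that every attribute you '
            'filter or require on (sAMAccountName is there) is part of it.'))
    return findings


# Constructed inputs (not from the post): the post's AuthLDAPURL next to an
# ldap.conf that leaves referrals at the default, and the same file fixed.
POST_URL = ('ldap://pdc.domain.msft:389/DC=DOMAIN,DC=MSFT'
            '?sAMAccountName?sub?(objectClass=user)')
LDAP_CONF_DEFAULT = '# /etc/ldap/ldap.conf\nBASE dc=domain,dc=msft\n#REFERRALS off\n'
LDAP_CONF_FIXED = LDAP_CONF_DEFAULT + 'REFERRALS off\n'

if __name__ == '__main__':
    for label, conf in (('default ldap.conf', LDAP_CONF_DEFAULT),
                        ('with REFERRALS off', LDAP_CONF_FIXED)):
        print(label)
        for code, msg in lint(POST_URL, 'NONE', conf):
            print('  %-9s %s' % (code, msg))
```

Run as is, the post's URL is flagged for referrals and cleartext with the stock ldap.conf and only for cleartext once REFERRALS off is added. The check is worth keeping in a config-review script because the Apache log line ("Operations error") never says that referral chasing is the cause.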
49 Comments so far...
kai Says:
4 July 2007 at 7:02 pm.
thank you very much for that piece of code !
It was the last brick in the wall to get Apache (win32) working and authenticating against Active Directory.
It’s very time consuming to find a really working solution.
Greetings from Germany
Steve Says:
16 January 2008 at 4:46 pm.
Interesting, running into the exact same error, but this didn't fix it for me. Using FC7, which didn't have a /etc/ldap/ldap.conf, but did have a /etc/ldap.conf.
Doug Says:
17 March 2008 at 2:58 pm.
Thank you Michele, this change worked for me as well.
In case someone runs into this issue on FC7 or RHEL5, the file to change is /etc/openldap/ldap.conf. The /etc/ldap.conf file is for nsswitch and pam_ldap and is not used by mod_authnz_ldap.
Eric Says:
31 March 2008 at 2:44 pm.
Thanks a lot ! I had an headache due to this LDAP configuration, and now it is solved, thanks to you.
Now next step for me, succeed in linking Apache/AD & SVN… where are my drugs ?
João Sena Ribeiro Says:
7 April 2008 at 5:00 pm.
Aha!! Thank you… This post has been the culmination of a couple of hours hitting my head against a wall…
Finally working…
Thanks.
Timo Says:
17 April 2008 at 8:51 am.
Just noticed this config uses basic LDAP, not LDAP over SSL, so passwords are sent to AD in clear text. Also, the pre-bind password doesn't appear to be hashed in the conf.
Michele’s blog » Apache 2.2 - authnz_ldap - Active Directory (follow-up) Says:
28 April 2008 at 9:05 pm.
[...] that I’ve had quite a few comments about my last post on authnz_ldap and Active Directory, I thought I’d summarize the issues involved a little. [...]
Michele Baldessari Says:
28 April 2008 at 9:07 pm.
Hi Timo,
I’ve done a small follow-up on that post with an SSL example. I haven’t had the need yet to do other “fancier” authentications so there is still the “cleartext password in a conf file” problem. HTH.
Hugh Fraser Says:
20 May 2008 at 9:45 pm.
I’m having a problem with authnz_ldap against AD when AuthLDAPURL starts with DC=DOMAIN, rather than something like OU=xxxx,DC=DOMAIN. I cannot identify users unless I specify the OU they belong in, but our users are scattered among many OU’s. This problem’s been mentioned on other web sites, and the solution generally seems to be to add the OU, but it’s not always possible.
Your example shows a configuration that’s similar, except that I use require ldap-group. Any suggestions?
Chester McLaughlin Says:
10 June 2008 at 11:10 am.
I can finally go to sleep! Thank you for this info. I’m running Cent OS and Apache 2.2. Adding REFERRALS off to /etc/openldap/ldap.conf did the trick perfectly. (thanks doug)
Christian’s blog » subversion on WebDAV with Actice Directory authorization on SUSE Linux Enterprise Says:
29 June 2008 at 7:49 pm.
[...] Now, that itself does tell you what is happening, but not why. So again, I ended up googling till I found this: [...]
Dapo Olatunbosun Says:
4 July 2008 at 7:36 pm.
Good lawd, thank you very much! That single line fixed my issue. I needed to specify the OU that users were in, in order for the search to work. That didn't quite work for us as we've got different branches and users are sorted per branch. I didn't have to touch the /etc/ldap.conf but rather the /etc/openldap/ldap.conf file. This is using Apache 2.2 on FC8.
Hugh Fraser, you should be able to use this fix and then just turn authzldapauthoritative on and use the appropriate require ldap-group.
Thanks everyone for this fix!
Paul McDowell Says:
11 September 2008 at 4:22 am.
Thanks so much for posting this solution!
Robert Says:
6 November 2008 at 9:25 am.
I can find the prayer I want. I thank God for this website.
Jiggie Says:
14 November 2008 at 12:22 am.
My hair will grow back now. Thanks for this post. I can't believe that there is no official documentation on how to do this process; even the one I got from Red Hat didn't work. We need more documentation like yours in the Linux world. BTW I figured it out before I found your page, but if I had found it earlier it would have saved me 2 days of work.
Mike Says:
19 November 2008 at 10:44 pm.
Thanks so much for posting this. I never would have figured this out.
Mauricio Mejia Says:
12 December 2008 at 9:54 pm.
Hey man! Thank you so much, it really works... it is so simple... jejejeje
JR Says:
19 December 2008 at 10:12 pm.
This was the first place I found when searching for a solution to this problem. However, my ldap.conf file was entirely commented out so I assumed this fix didn’t apply. After a few more hours of searching and attempts I finally added this line to my ldap.conf and it worked like a charm.
Also, it may be useful to know that our LDAP authentication was working fine until I ran adprep /forestprep and adprep /domainprep on the Windows 2000 domain, which modifies the AD schema for compatibility with 2003 R2 domain controllers. So along with the other amazing features of Windows 2003 R2 Active Directory domains comes the LDAP requirement of a 'REFERRALS off' line added to the /etc/ldap/ldap.conf.
Jarranz Says:
3 February 2009 at 2:30 pm.
Thanks a lot!!!!
Cullin Wible Says:
5 March 2009 at 3:51 am.
Interesting. This worked – thanks. A few more notes.
1. A number of people have suggested connecting to the GCS Port (3268) instead of 389. This DID NOT HELP.
2. We tried to use “require valid-user” instead of “require ldap-attribute …”. This does NOT WORK.
3. We found that the value of “REFERRALS OFF” in /etc/ldap/ldap.conf does not matter.
Yranac Says:
5 March 2009 at 11:44 am.
Thank’u so much, just a week looking for this, many solutions in many webs, no one working, your works yust in a minute
Thank you and congratulations.
Greynier Fuentes Says:
12 April 2009 at 7:12 am.
Everything works fine for me without using the REFERRALS off provided that I specify an OU in the url. When I just use DC it won’t work at all.
Any ideas?
thank you very much
Michele Baldessari Says:
13 April 2009 at 10:50 pm.
Hi Greyner,
the problem with referrals is that nowhere in the LDAP drafts is it defined how the client chasing the referrals should re-authenticate itself. I guess that when specifying the OU, the AD LDAP simply does not refer the client to other DCs in the domain/forest.
hth,
Michele
Greynier Fuentes Says:
14 April 2009 at 1:33 am.
Michele,
Thank you for the prompt reply. I finally got it working by pointing the LDAP URL to the following port 3268 which is the Global Catalog in a Windows Domain and it doesn’t return any referrals.
Hope it helps others… and thank you again.
Greynier,
Andrew Says:
2 June 2009 at 10:21 pm.
Thanks! You are awesome.
Aaron Says:
29 July 2009 at 12:48 am.
Oh, for the love of god!
This is the second time I’ve had this issue and found this exact web page via Google. Apparently I didn’t learn my lesson the first time.
I won’t be fooled again.
niall Says:
26 August 2009 at 4:43 pm.
Thanks for the post. I spent most of the day finding this one line. Would still be climbing the walls if you hadn’t posted this.
Anonymous Says:
14 September 2009 at 6:51 am.
U save my day!!!! Thanks
Luis Says:
14 September 2009 at 6:51 am.
U Saved my day. Thanks
Sbali Says:
23 September 2009 at 5:49 pm.
A thousand thanks!!
This was what messed me up!
REFERRALS off
alex dekker Says:
28 September 2009 at 12:03 am.
It would be nice if at least a few of the millions of hits you get when searching for "apache ldap ad" mentioned the whole referrals thing. Or if the ldap.conf that ships with various distros could have "REFERRALS off" commented out in it, with some explanation that it might be necessary if you're unfortunate enough to need to auth against AD. Or if the error message generated by Apache mentioned that the problem it's experiencing is due to referrals rather than the pathologically vague "[Operations error]".
OK, rant over, thanks for your help Michele, this was a massive noodle-scratcher until I found your page!
Bruno Galindro Says:
5 November 2009 at 9:25 pm.
Thankyou very much!!!!!!!!
Mindsurfer Says:
21 November 2009 at 4:23 am.
Thank you!!! 7 hours of looking for the right config, only yours worked!!!! Thank you very very much!
Shivashankar Says:
15 December 2009 at 12:37 pm.
Thanks a lot Michele, I spent 2 days for the same problem
eiya Says:
28 January 2010 at 12:24 pm.
Nice! Thanks a lot.
Vijji Says:
15 February 2010 at 4:09 pm.
Thanks a lot for this suggestion. I would have never thought this could have been the issue.
JC Says:
5 March 2010 at 12:23 am.
no idea why this works, don't really care anymore, but referrals off did the trick
thanks so much
Jimmy Says:
26 March 2010 at 12:23 am.
I have the same error but my Apache is in Windows…
Any thoughts?
Chandler Says:
22 April 2010 at 7:24 am.
It’s very very very helpful
Michele Baldessari Says:
26 April 2010 at 10:50 pm.
Hi Jimmy,
I don’t have direct experience with apache on windows. I’d look exactly at what ldap libraries are used (if any) when apache is compiled on the windows platform
Ciao,
Michele
Kerberized SSO from Windows to Apache on CentOS | Ben Chapman Says:
17 June 2010 at 2:25 am.
[...] Apache 2.2 – authnz_ldap – Active Directory [...]
ckpinguin Says:
24 June 2010 at 1:30 pm.
I bow before you, as you found a solution which I didn't even though I was searching Google for HOURS... Thanks a lot!
Sylvain Rousseau Says:
9 August 2010 at 11:06 am.
Many thanks for this solution !
In addition, a safer solution exists, which is to connect to the Global Catalog of your Active Directory LDAP, using port 3268. It lets you avoid referrals when connecting to the LDAP server.
Refer to http://technet.microsoft.com/fr-fr/library/cc978012(en-us).aspx for more details.
It worked fine in my environment.
Kevin Says:
16 August 2010 at 3:52 pm.
This will be bookmarked!
3 days wasted; I knew I was getting closer, but the REFERRALS off trick finally made it work. This was on Fedora Core 13 and the change was made inside /etc/openldap/ldap.conf
Thanks!
