In my configuration, the “search_bind_rdn” includes the full DN path of the
user account for binding to work. For example:
‘search_bind_rdn =>
‘cn=racktables-user,OU=ServiceAccounts,OU=Users,DC=Redacted,DC=Local’,
Some code performs a search to find the DN, but I think the RackTables bind
needs it up front. It might be worth checking the tails of your
/var/log/httpd/error_log (assuming apache on linux) - the errors there are what
led me to the fix for my problem.
--
Anthony Pereira
Systems Administrator
Wellesley Public Schools
On May 3, 2017, at 14:15, CLSA Mcmaster <clsamcmaster@xxxxxxxxx> wrote:
Try this link:
http://www.gavinwill.me.uk/2012/03/active-directory-authentication-with-racktables/
<http://www.gavinwill.me.uk/2012/03/active-directory-authentication-with-racktables/>
With AD it has been my experience you want to prepend CN=Users to your search
base DN. So in your case it would look like this:
'search_dn' => 'CN=Users,DC=redacted,DC=local',
I got it working on my site, just now, with the following:
$user_auth_src = 'ldap';
$require_local_account = FALSE;
$LDAP_options = array
(
'server' => 'ad.sub.directory.com <http://ad.sub.directory.com/>',
'domain' => 'AD',
'search_attr' => 'sAMAccountName',
'search_dn' => 'cn=Users,dc=ad,dc=sub,dc=directory,dc=com',
// The following credentials will be used when searching for the user's DN:
'search_bind_rdn' => NULL,
'search_bind_password' => NULL,
'displayname_attrs' => 'displayName',
'options' => array (LDAP_OPT_PROTOCOL_VERSION => 3),
'use_tls' => 0, // 0 == don't attempt, 1 == attempt, 2 ==
require
);
Good luck.
--
Sean Hurley
On Wed, May 3, 2017 at 1:19 PM, King, Mike <Mike.King@xxxxxxxxxxx
<mailto:Mike.King@xxxxxxxxxxx>> wrote:
So I’m another Active Directory LDAP authentication problem child.
I followed along Anthony’s thread from a few a few days ago, but I’m still
being stumped.
Using the checklist he’s provided:
- php_ldap is installed,
- I can’t tell if mod_ldap is installed. (how do I check this?)
- ldap.so is enabled as a module via /etc/php.d/ldap.ini
- selinux is not installed.
- PHP has no trouble reading LDAP information or binding, based on testing
using the code from
https://www.exchangecore.com/blog/how-use-ldap-active-directory-authentication-php/
<https://www.exchangecore.com/blog/how-use-ldap-active-directory-authentication-php/>
(This is complete success here as well)
- I have filled out all of the relevant details in my secret.php file to
point to my ldap server.
I’ve even removed all the TLS stuff just in case I was having the same issue.
$user_auth_src = 'ldap';
$require_local_account = FALSE;
# Default setting is to authenticate users locally, but it is possible to
# employ existing LDAP or Apache user accounts. Check RackTables wiki for
# more information, in particular, this page for LDAP configuration details:
# http://wiki.racktables.org/index.php?title=LDAP ;
<http://wiki.racktables.org/index.php?title=LDAP>
$LDAP_options = array
(
'server' => 'ldap://ad1.redacted.local',
'domain' => 'redacted.local',
'search_attr' => 'sAMAccountName',
'search_dn' => 'DC=redacted,DC=local',
// The following credentials will be used when searching for the user's DN:
'search_bind_rdn' => 'racktables-user',
'search_bind_password' => 'redactedpassword',
'displayname_attrs' => 'givenname sn',
'options' => array (LDAP_OPT_PROTOCOL_VERSION => 3),
'use_tls' => 0, // 0 == don't attempt, 1 == attempt, 2 ==
require
);
In Configuration -> Permissions, I’ve created the following entry:
allow {$lgcn_racktables-users}
where the group membership I want to allow is racktables-user (Per email
https://www.freelists.org/post/racktables-users/how-to-enable-ad-ldap,4 ;
<https://www.freelists.org/post/racktables-users/how-to-enable-ad-ldap,4>)
Anyplace I can see what the error is? Syslog/apache logs have nothing.
I had initially started with the server as ldaps://, and use_tls =>2 . Which
according to a googling LDAP and racktables, points out this is an
incompatible setting. Switching to ldap://, and use_tls=>1 and 0 have not
helped me.
Current behavior is the “Authentication Required” box pops up, I enter the
username / password, and it takes a very long time (30-60 seconds) and I get
the dialog box again.
Thanks,
Mike
The information contained in this message may be confidential and legally
protected under applicable law. The message is intended solely for the
addressee(s). If you are not the intended recipient, you are hereby notified
that any use, forwarding, dissemination, or reproduction of this message is
strictly prohibited and may be unlawful. If you are not the intended
recipient, please contact the sender by return e-mail and destroy all copies
of the original message.
