Mailing List Archive

OpenLDAP to Active Directory Authentication
Hello,

I'm trying to get OpenLDAP based Apache2 modules to authenticate against an
Windows 2000 Active Directory Server. Software used:

Operating System Gentoo Linux (kernel v2.6.8)
OpenLDAP v2.1.30
Apache HTTPD v2.0.52
Apache Module ModAuthLDAP from muquit.com v2.12
I've also tried the bundled version of mod_auth_ldap that comes with apache2
with the exact same results (described below).

Here is my .htaccess file settings for authenticating a user:

LDAP_Server ad.company.com
LDAP_Port 389
Bind_DN "cn=jmassara,ou=users,dc=ad,dc=company,dc=com"
Bind_Pass "mypasswd"
Base_DN "dc=corp,dc=ad,dc=company,dc=com"
UID_Attr sAMAccountName

When trying to authenticate I get the following error message:

[Wed Dec 15 11:18:10 2004] [error] [client 127.0.0.1] [mod_auth_ldap.c] -
Error: Operations error
ldap_search_s: Operations error (1)
additional info: 00000000: LdapErr: DSID-0C0905FF, comment: In order
to perform this operation a successful bind must be completed on the
connection., data 0, vece

Also, the jmassara user in the Bind_DN setting has full read access
throughout the AD tree. If I change the Base_DN setting to
"cn=users,dc=corp,dc=ad,dc=company,dc=com", it works fine. However, our
user accounts are being move out of "cn=users" to something like
"ou=users,ou=city,dc=corp,dc=ad,dc=company,dc=com" so this isn't a viable
solution for me.

The function the muquit.com apache2 module is using is "ldap_search_s".
When I run the same query that the apache2 module uses via ldapsearch it
works fine. I see that the ldapsearch binary uses "ldap_search_ext" to do
its searching. The filter being used is "(sAMAccountName=userid)" -- where
userid is the person trying to authenticate.

Why does one ldap_search function work fine but the other fail (unless
explicitly defining the path to the user accounts)?

Any help is greatly appreciated. Thanks for your time,
-James

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: OpenLDAP to Active Directory Authentication [ In reply to ]
Hi!

If you use the bundled LDAP authentication module you specify in AuthLDAPURL to
explictly search recursive.

Example:
AuthLDAPURL
ldap://ad.company.com:389/dc=corp,dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClass=user)
require valid-user

It's the "sub" keyword that specifies the scope of the search. Please see:
http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html for more examples and
further documentation.

//Dri

Quoting James Massara <james.massara@digitalinsight.com>:

> Hello,
>
> I'm trying to get OpenLDAP based Apache2 modules to authenticate against an
> Windows 2000 Active Directory Server. Software used:
>
> Operating System Gentoo Linux (kernel v2.6.8)
> OpenLDAP v2.1.30
> Apache HTTPD v2.0.52
> Apache Module ModAuthLDAP from muquit.com v2.12
> I've also tried the bundled version of mod_auth_ldap that comes with apache2
> with the exact same results (described below).
>
> Here is my .htaccess file settings for authenticating a user:
>
> LDAP_Server ad.company.com
> LDAP_Port 389
> Bind_DN "cn=jmassara,ou=users,dc=ad,dc=company,dc=com"
> Bind_Pass "mypasswd"
> Base_DN "dc=corp,dc=ad,dc=company,dc=com"
> UID_Attr sAMAccountName
>
> When trying to authenticate I get the following error message:
>
> [Wed Dec 15 11:18:10 2004] [error] [client 127.0.0.1] [mod_auth_ldap.c] -
> Error: Operations error
> ldap_search_s: Operations error (1)
> additional info: 00000000: LdapErr: DSID-0C0905FF, comment: In order
> to perform this operation a successful bind must be completed on the
> connection., data 0, vece
>
> Also, the jmassara user in the Bind_DN setting has full read access
> throughout the AD tree. If I change the Base_DN setting to
> "cn=users,dc=corp,dc=ad,dc=company,dc=com", it works fine. However, our
> user accounts are being move out of "cn=users" to something like
> "ou=users,ou=city,dc=corp,dc=ad,dc=company,dc=com" so this isn't a viable
> solution for me.
>
> The function the muquit.com apache2 module is using is "ldap_search_s".
> When I run the same query that the apache2 module uses via ldapsearch it
> works fine. I see that the ldapsearch binary uses "ldap_search_ext" to do
> its searching. The filter being used is "(sAMAccountName=userid)" -- where
> userid is the person trying to authenticate.
>
> Why does one ldap_search function work fine but the other fail (unless
> explicitly defining the path to the user accounts)?
>
> Any help is greatly appreciated. Thanks for your time,
> -James
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: OpenLDAP to Active Directory Authentication [ In reply to ]
Hi Michael, thanks for the response. I've tried it with the bundled
software and here's my .htaccess file settings:

AuthName "DI Admin Platform"
AuthType Basic
AuthLDAPURL
ldap://ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?(objectClas
s=user)
AuthLDAPBindDN cn=jmassara,ou=users,dc=ad,dc=company,dc=com
AuthLDAPBindPassword mypasswd
require valid-user

I get the same results as described in my original email.

-----Original Message-----
From: Michael Mattsson [mailto:apache-list@phrenetic.to]
Sent: Monday, December 20, 2004 10:42 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] OpenLDAP to Active Directory Authentication


Hi!

If you use the bundled LDAP authentication module you specify in AuthLDAPURL
to explictly search recursive.

Example:
AuthLDAPURL
ldap://ad.company.com:389/dc=corp,dc=ad,dc=company,dc=com?sAMAccountName?sub
?(objectClass=user)
require valid-user

It's the "sub" keyword that specifies the scope of the search. Please see:
http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html for more examples
and further documentation.

//Dri

Quoting James Massara <james.massara@digitalinsight.com>:

> Hello,
>
> I'm trying to get OpenLDAP based Apache2 modules to authenticate
> against an Windows 2000 Active Directory Server. Software used:
>
> Operating System Gentoo Linux (kernel v2.6.8)
> OpenLDAP v2.1.30
> Apache HTTPD v2.0.52
> Apache Module ModAuthLDAP from muquit.com v2.12
> I've also tried the bundled version of mod_auth_ldap that comes with
> apache2 with the exact same results (described below).
>
> Here is my .htaccess file settings for authenticating a user:
>
> LDAP_Server ad.company.com
> LDAP_Port 389
> Bind_DN "cn=jmassara,ou=users,dc=ad,dc=company,dc=com"
> Bind_Pass "mypasswd"
> Base_DN "dc=corp,dc=ad,dc=company,dc=com"
> UID_Attr sAMAccountName
>
> When trying to authenticate I get the following error message:
>
> [Wed Dec 15 11:18:10 2004] [error] [client 127.0.0.1]
> [mod_auth_ldap.c] -
> Error: Operations error
> ldap_search_s: Operations error (1)
> additional info: 00000000: LdapErr: DSID-0C0905FF, comment: In
order
> to perform this operation a successful bind must be completed on the
> connection., data 0, vece
>
> Also, the jmassara user in the Bind_DN setting has full read access
> throughout the AD tree. If I change the Base_DN setting to
> "cn=users,dc=corp,dc=ad,dc=company,dc=com", it works fine. However,
> our user accounts are being move out of "cn=users" to something like
> "ou=users,ou=city,dc=corp,dc=ad,dc=company,dc=com" so this isn't a
> viable solution for me.
>
> The function the muquit.com apache2 module is using is
> "ldap_search_s". When I run the same query that the apache2 module
> uses via ldapsearch it works fine. I see that the ldapsearch binary
> uses "ldap_search_ext" to do its searching. The filter being used is
> "(sAMAccountName=userid)" -- where userid is the person trying to
> authenticate.
>
> Why does one ldap_search function work fine but the other fail (unless
> explicitly defining the path to the user accounts)?
>
> Any help is greatly appreciated. Thanks for your time, -James
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project. See <URL:http://httpd.apache.org/userslist.html> for more
> info. To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info. To
unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: OpenLDAP to Active Directory Authentication [ In reply to ]
Has anyone experienced/fixed the problem described below?

> -----Original Message-----
> From: James Massara
> Sent: Monday, December 20, 2004 1:31 PM
> To: 'users@httpd.apache.org'
> Subject: RE: [users@httpd] OpenLDAP to Active Directory Authentication
>
>
> Hi Michael, thanks for the response. I've tried it with the
> bundled software and here's my .htaccess file settings:
>
> AuthName "DI Admin Platform"
> AuthType Basic
> AuthLDAPURL
> ldap://ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?s
> ub?(objectClas
> s=user)
> AuthLDAPBindDN cn=jmassara,ou=users,dc=ad,dc=company,dc=com
> AuthLDAPBindPassword mypasswd
> require valid-user
>
> I get the same results as described in my original email.
>
> -----Original Message-----
> From: Michael Mattsson [mailto:apache-list@phrenetic.to]
> Sent: Monday, December 20, 2004 10:42 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] OpenLDAP to Active Directory Authentication
>
>
> Hi!
>
> If you use the bundled LDAP authentication module you specify
> in AuthLDAPURL to explictly search recursive.
>
> Example:
> AuthLDAPURL
> ldap://ad.company.com:389/dc=corp,dc=ad,dc=company,dc=com?sAMA
> ccountName?sub
> ?(objectClass=user)
> require valid-user
>
> It's the "sub" keyword that specifies the scope of the
> search. Please see:
> http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html for
> more examples and further documentation.
>
> //Dri
>
> Quoting James Massara <james.massara@digitalinsight.com>:
>
> > Hello,
> >
> > I'm trying to get OpenLDAP based Apache2 modules to authenticate
> > against an Windows 2000 Active Directory Server. Software used:
> >
> > Operating System Gentoo Linux (kernel v2.6.8)
> > OpenLDAP v2.1.30
> > Apache HTTPD v2.0.52
> > Apache Module ModAuthLDAP from muquit.com v2.12
> > I've also tried the bundled version of mod_auth_ldap that comes with
> > apache2 with the exact same results (described below).
> >
> > Here is my .htaccess file settings for authenticating a user:
> >
> > LDAP_Server ad.company.com
> > LDAP_Port 389
> > Bind_DN "cn=jmassara,ou=users,dc=ad,dc=company,dc=com"
> > Bind_Pass "mypasswd"
> > Base_DN "dc=corp,dc=ad,dc=company,dc=com"
> > UID_Attr sAMAccountName
> >
> > When trying to authenticate I get the following error message:
> >
> > [Wed Dec 15 11:18:10 2004] [error] [client 127.0.0.1]
> > [mod_auth_ldap.c] -
> > Error: Operations error
> > ldap_search_s: Operations error (1)
> > additional info: 00000000: LdapErr: DSID-0C0905FF,
> comment: In
> order
> > to perform this operation a successful bind must be
> completed on the
> > connection., data 0, vece
> >
> > Also, the jmassara user in the Bind_DN setting has full read access
> > throughout the AD tree. If I change the Base_DN setting to
> > "cn=users,dc=corp,dc=ad,dc=company,dc=com", it works fine.
> However,
> > our user accounts are being move out of "cn=users" to
> something like
> > "ou=users,ou=city,dc=corp,dc=ad,dc=company,dc=com" so this isn't a
> > viable solution for me.
> >
> > The function the muquit.com apache2 module is using is
> > "ldap_search_s". When I run the same query that the apache2 module
> > uses via ldapsearch it works fine. I see that the
> ldapsearch binary
> > uses "ldap_search_ext" to do its searching. The filter
> being used is
> > "(sAMAccountName=userid)" -- where userid is the person trying to
> > authenticate.
> >
> > Why does one ldap_search function work fine but the other
> fail (unless
> > explicitly defining the path to the user accounts)?
> >
> > Any help is greatly appreciated. Thanks for your time, -James
> >
> >


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: OpenLDAP to Active Directory Authentication [ In reply to ]
> Has anyone experienced/fixed the problem described below?

I haven't had direct experience with Apache/LDAP but have you tried
binding with the UPN login? IE user@company.com? (or
user\@company.com)

Chris

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: OpenLDAP to Active Directory Authentication [ In reply to ]
The bind works when I do:

AuthLDAPURL
ldap://corp.ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAccountName?s
ub?(objectClass=user)

But not when I do:

AuthLDAPURL
ldap://corp.ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?(objec
tClass=user)

That's why the following error seems misleading:

[Wed Dec 15 11:18:10 2004] [error] [client 127.0.0.1] [mod_auth_ldap.c] -
Error: Operations error
ldap_search_s: Operations error (1)
additional info: 00000000: LdapErr: DSID-0C0905FF, comment: In order
to perform this operation a successful bind must be completed on the
connection., data 0, vece

I would try what you suggested but I don't see how I can bind as
user@company.com with the module.

> -----Original Message-----
> From: Covington, Chris [mailto:ccovington@plusone.com]
> Sent: Tuesday, December 21, 2004 11:40 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] OpenLDAP to Active Directory Authentication
>
>
> > Has anyone experienced/fixed the problem described below?
>
> I haven't had direct experience with Apache/LDAP but have you
> tried binding with the UPN login? IE user@company.com? (or
> user\@company.com)
>
> Chris
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP
> Server Project. See
> <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: OpenLDAP to Active Directory Authentication [ In reply to ]
perhaps you want to try the following:
go to a windows box in the domain of the ad. there is a tool called ldp.exe
in the windows 2k resource kit, use this to connect to the ad via ldap. bind
to the ad, then you can search in the ad just as apache would do. if you
continue to have problems, perhaps you could send a detailed description
about your setup.
ralf

----- Original Message -----
From: "James Massara" <james.massara@digitalinsight.com>
To: <users@httpd.apache.org>
Sent: Tuesday, December 21, 2004 8:57 PM
Subject: RE: [users@httpd] OpenLDAP to Active Directory Authentication


> The bind works when I do:
>
> AuthLDAPURL
> ldap://corp.ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAccountName?s
> ub?(objectClass=user)
>
> But not when I do:
>
> AuthLDAPURL
> ldap://corp.ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?(objec
> tClass=user)
>
> That's why the following error seems misleading:
>
> [Wed Dec 15 11:18:10 2004] [error] [client 127.0.0.1] [mod_auth_ldap.c] -
> Error: Operations error
> ldap_search_s: Operations error (1)
> additional info: 00000000: LdapErr: DSID-0C0905FF, comment: In
> order
> to perform this operation a successful bind must be completed on the
> connection., data 0, vece
>
> I would try what you suggested but I don't see how I can bind as
> user@company.com with the module.
>
>> -----Original Message-----
>> From: Covington, Chris [mailto:ccovington@plusone.com]
>> Sent: Tuesday, December 21, 2004 11:40 AM
>> To: users@httpd.apache.org
>> Subject: Re: [users@httpd] OpenLDAP to Active Directory Authentication
>>
>>
>> > Has anyone experienced/fixed the problem described below?
>>
>> I haven't had direct experience with Apache/LDAP but have you
>> tried binding with the UPN login? IE user@company.com? (or
>> user\@company.com)
>>
>> Chris
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP
>> Server Project. See
>> <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: OpenLDAP to Active Directory Authentication [ In reply to ]
The search works fine from the Windows ldp tool. It also works fine from
the OpenLDAP ldapsearch tool:

ldapsearch -h ad.company.com -D
'cn=jmassara,ou=users,dc=ad,dc=company,dc=com' -b 'DC=ad,DC=company,DC=com'
-x -W "(&(objectClass=user)(!(objectClass=computer)))" sAMAccountName

Details of my setup:

Operating System Gentoo Linux (kernel v2.6.8)
OpenLDAP v2.1.30
Apache HTTPD v2.0.52 using the bundled mod_auth_ldap

My .htaccess file settings are:

AuthName "DI Admin Platform"
AuthType Basic
AuthLDAPURL
ldap://ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?(&(objectCl
ass=user)(!(objectClass=computer)))
AuthLDAPBindDN cn=jmassara,ou=users,ou=city,dc=ad,dc=company,dc=com
AuthLDAPBindPassword mypasswd

This using this setup generates the following error:

[Wed Dec 22 12:15:46 2004] [warn] [client 10.201.255.254] [1400968]
auth_ldap authenticate: user testuser authentication failed; URI /aptest/
[ldap_search_ext_s() for user failed][Operations error]
ldap_search_ext_s: Operations error (1)
additional info: 00000000: LdapErr: DSID-0C0905FF, comment: In order
to perform this operation a successful bind must be completed on the
connection., data 0, vece

However, if I change the AuthLDAPURL to this:

AuthLDAPURL
ldap://ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAccountName?sub?(&
(objectClass=user)(!(objectClass=computer)))

It works just fine. This solution doesn't work for me, though, because the
MIS team is moving users out of cn=users and into
ou=users,ou=city_of_office. And I can't specify multiply AuthLDAPURL
variables to search the possible cities where users might reside.

The part I don't understand is why it complains about binding to the ADS
_unless_ I specify cn=users in the AuthLDAPURL variable.

Thank you for the continued help, very much appreciated.
James

> -----Original Message-----
> From: Ralf Glauberman [mailto:rglauberman@michaeli-gymnasium.de]
> Sent: Wednesday, December 22, 2004 9:18 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] OpenLDAP to Active Directory Authentication
>
>
> perhaps you want to try the following:
> go to a windows box in the domain of the ad. there is a tool
> called ldp.exe
> in the windows 2k resource kit, use this to connect to the ad
> via ldap. bind
> to the ad, then you can search in the ad just as apache would
> do. if you
> continue to have problems, perhaps you could send a detailed
> description
> about your setup.
> ralf
>
> ----- Original Message -----
> From: "James Massara" <james.massara@digitalinsight.com>
> To: <users@httpd.apache.org>
> Sent: Tuesday, December 21, 2004 8:57 PM
> Subject: RE: [users@httpd] OpenLDAP to Active Directory Authentication
>
>
> > The bind works when I do:
> >
> > AuthLDAPURL
> >
> ldap://corp.ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAccount
> > Name?s
> > ub?(objectClass=user)
> >
> > But not when I do:
> >
> > AuthLDAPURL
> >
> ldap://corp.ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?
> > (objec
> > tClass=user)
> >
> > That's why the following error seems misleading:
> >
> > [Wed Dec 15 11:18:10 2004] [error] [client 127.0.0.1]
> > [mod_auth_ldap.c] -
> > Error: Operations error
> > ldap_search_s: Operations error (1)
> > additional info: 00000000: LdapErr: DSID-0C0905FF,
> comment: In
> > order
> > to perform this operation a successful bind must be completed on the
> > connection., data 0, vece
> >
> > I would try what you suggested but I don't see how I can bind as
> > user@company.com with the module.
> >
> >> -----Original Message-----
> >> From: Covington, Chris [mailto:ccovington@plusone.com]
> >> Sent: Tuesday, December 21, 2004 11:40 AM
> >> To: users@httpd.apache.org
> >> Subject: Re: [users@httpd] OpenLDAP to Active Directory
> >> Authentication
> >>
> >>
> >> > Has anyone experienced/fixed the problem described below?
> >>
> >> I haven't had direct experience with Apache/LDAP but have
> you tried
> >> binding with the UPN login? IE user@company.com? (or
> >> user\@company.com)
> >>
> >> Chris
> >>
> >>
> ---------------------------------------------------------------------
> >> The official User-To-User support forum of the Apache HTTP Server
> >> Project. See <URL:http://httpd.apache.org/userslist.html> for more
> >> info. To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >> " from the digest: users-digest-unsubscribe@httpd.apache.org
> >> For additional commands, e-mail: users-help@httpd.apache.org
> >>
> >
> >
> ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server
> > Project. See <URL:http://httpd.apache.org/userslist.html> for more
> > info. To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > " from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP
> Server Project. See
> <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: OpenLDAP to Active Directory Authentication [ In reply to ]
Does anyone have any insight into this problem?

Thanks,
James

> -----Original Message-----
> From: James Massara
> Sent: Wednesday, December 22, 2004 10:45 AM
> To: 'users@httpd.apache.org'
> Subject: RE: [users@httpd] OpenLDAP to Active Directory Authentication
>
>
> The search works fine from the Windows ldp tool. It also
> works fine from the OpenLDAP ldapsearch tool:
>
> ldapsearch -h ad.company.com -D
> 'cn=jmassara,ou=users,dc=ad,dc=company,dc=com' -b
> 'DC=ad,DC=company,DC=com' -x -W
> "(&(objectClass=user)(!(objectClass=computer)))" sAMAccountName
>
> Details of my setup:
>
> Operating System Gentoo Linux (kernel v2.6.8)
> OpenLDAP v2.1.30
> Apache HTTPD v2.0.52 using the bundled mod_auth_ldap
>
> My .htaccess file settings are:
>
> AuthName "DI Admin Platform"
> AuthType Basic
> AuthLDAPURL
> ldap://ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?s
> ub?(&(objectCl
> ass=user)(!(objectClass=computer)))
> AuthLDAPBindDN cn=jmassara,ou=users,ou=city,dc=ad,dc=company,dc=com
> AuthLDAPBindPassword mypasswd
>
> This using this setup generates the following error:
>
> [Wed Dec 22 12:15:46 2004] [warn] [client 10.201.255.254]
> [1400968] auth_ldap authenticate: user testuser
> authentication failed; URI /aptest/
> [ldap_search_ext_s() for user failed][Operations error]
> ldap_search_ext_s: Operations error (1)
> additional info: 00000000: LdapErr: DSID-0C0905FF,
> comment: In order to perform this operation a successful bind
> must be completed on the connection., data 0, vece
>
> However, if I change the AuthLDAPURL to this:
>
> AuthLDAPURL
> ldap://ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAcco
> untName?sub?(&
> (objectClass=user)(!(objectClass=computer)))
>
> It works just fine. This solution doesn't work for me,
> though, because the MIS team is moving users out of cn=users
> and into ou=users,ou=city_of_office. And I can't specify
> multiply AuthLDAPURL variables to search the possible cities
> where users might reside.
>
> The part I don't understand is why it complains about binding
> to the ADS _unless_ I specify cn=users in the AuthLDAPURL variable.
>
> Thank you for the continued help, very much appreciated.
> James
>
> > -----Original Message-----
> > From: Ralf Glauberman [mailto:rglauberman@michaeli-gymnasium.de]
> > Sent: Wednesday, December 22, 2004 9:18 AM
> > To: users@httpd.apache.org
> > Subject: Re: [users@httpd] OpenLDAP to Active Directory
> Authentication
> >
> >
> > perhaps you want to try the following:
> > go to a windows box in the domain of the ad. there is a tool
> > called ldp.exe
> > in the windows 2k resource kit, use this to connect to the ad
> > via ldap. bind
> > to the ad, then you can search in the ad just as apache would
> > do. if you
> > continue to have problems, perhaps you could send a detailed
> > description
> > about your setup.
> > ralf
> >
> > ----- Original Message -----
> > From: "James Massara" <james.massara@digitalinsight.com>
> > To: <users@httpd.apache.org>
> > Sent: Tuesday, December 21, 2004 8:57 PM
> > Subject: RE: [users@httpd] OpenLDAP to Active Directory
> Authentication
> >
> >
> > > The bind works when I do:
> > >
> > > AuthLDAPURL
> > >
> >
> ldap://corp.ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAccount
> > > Name?s
> > > ub?(objectClass=user)
> > >
> > > But not when I do:
> > >
> > > AuthLDAPURL
> > >
> >
> ldap://corp.ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?
> > > (objec
> > > tClass=user)
> > >
> > > That's why the following error seems misleading:
> > >
> > > [Wed Dec 15 11:18:10 2004] [error] [client 127.0.0.1]
> > > [mod_auth_ldap.c] -
> > > Error: Operations error
> > > ldap_search_s: Operations error (1)
> > > additional info: 00000000: LdapErr: DSID-0C0905FF,
> > comment: In
> > > order
> > > to perform this operation a successful bind must be
> completed on the
> > > connection., data 0, vece
> > >
> > > I would try what you suggested but I don't see how I can bind as
> > > user@company.com with the module.
> > >
> > >> -----Original Message-----
> > >> From: Covington, Chris [mailto:ccovington@plusone.com]
> > >> Sent: Tuesday, December 21, 2004 11:40 AM
> > >> To: users@httpd.apache.org
> > >> Subject: Re: [users@httpd] OpenLDAP to Active Directory
> > >> Authentication
> > >>
> > >>
> > >> > Has anyone experienced/fixed the problem described below?
> > >>
> > >> I haven't had direct experience with Apache/LDAP but have
> > you tried
> > >> binding with the UPN login? IE user@company.com? (or
> > >> user\@company.com)
> > >>
> > >> Chris
> > >>
> > >>
> >
> ---------------------------------------------------------------------
> > >> The official User-To-User support forum of the Apache HTTP Server
> > >> Project. See
> <URL:http://httpd.apache.org/userslist.html> for more
> > >> info. To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > >> " from the digest: users-digest-unsubscribe@httpd.apache.org
> > >> For additional commands, e-mail: users-help@httpd.apache.org
> > >>
> > >
> > >
> >
> ---------------------------------------------------------------------
> > > The official User-To-User support forum of the Apache HTTP Server
> > > Project. See <URL:http://httpd.apache.org/userslist.html>
> for more
> > > info. To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > > " from the digest: users-digest-unsubscribe@httpd.apache.org
> > > For additional commands, e-mail: users-help@httpd.apache.org
> > >
> >
> >
> >
> ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP
> > Server Project. See
> > <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > " from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
AW: OpenLDAP to Active Directory Authentication [ In reply to ]
I think that I have found the solution to my problem :-D

> When I give the following:
> AuthLDAPURL
ldap://servername.com/dc=bk,dc=evdad,dc=admin,dc=ch?name?sub?(objectClass=us
er)
>
> I receive the following error in apache error log:
> [warn] [client 131.102.223.000] [24779] auth_ldap authenticate: user
> isceco-eruf authentication failed; URI /svn/pspmgmt
[LDAP:ldap_simple_bind_s() failed][Can't contact LDAP server]

In this case, ADS returns me a referrals to another "domain controller". The
client tries to connect anonymously to the "domain controller" and it gives
me this error.

A solution is to set LDAP_OPT_REFERRALS to LDAP_OPT_OFF before to perform
the bind. But it means a modification of the code of the module
mod_auth_ldap.

The second solution, which is better in my case, is to connect to the
"global catalog" of ADS, which is a read-only partial replica of the
directory. We can access the global catalog at the port 3268. When I give
the following parameter: AuthLDAPURL
ldap://servername.com:3268/dc=bk,dc=evdad,dc=admin,dc=ch?name?sub?(objectCla
ss=user) I can perform my search without error.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: OpenLDAP to Active Directory Authentication [ In reply to ]
I'm having the exact same problem that was described on December
22nd (and described below).

Has anyone else seen this problem? Is there a workaround, or a
solution? I also turned on LogLevel debug. The AuthLDAPURL is being parsed
correctly... Is there any debugging info I can offer?

.josh

> Does anyone have any insight into this problem?
>
> Thanks,
> James
>
> -----Original Message-----
> From: James Massara
> Sent: Wednesday, December 22, 2004 10:45 AM
> To: 'users@httpd.apache.org'
> Subject: RE: [users@httpd] OpenLDAP to Active Directory Authentication
>
>
> The search works fine from the Windows ldp tool. It also
> works fine from the OpenLDAP ldapsearch tool:
>
> ldapsearch -h ad.company.com -D
> 'cn=jmassara,ou=users,dc=ad,dc=company,dc=com' -b
> 'DC=ad,DC=company,DC=com' -x -W
> "(&(objectClass=user)(!(objectClass=computer)))" sAMAccountName
>
> Details of my setup:
>
> Operating System Gentoo Linux (kernel v2.6.8)
> OpenLDAP v2.1.30
> Apache HTTPD v2.0.52 using the bundled mod_auth_ldap
>
> My .htaccess file settings are:
>
> AuthName "DI Admin Platform"
> AuthType Basic
> AuthLDAPURL
> ldap://ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?s
> ub?(&(objectCl
> ass=user)(!(objectClass=computer)))
> AuthLDAPBindDN cn=jmassara,ou=users,ou=city,dc=ad,dc=company,dc=com
> AuthLDAPBindPassword mypasswd
>
> This using this setup generates the following error:
>
> [Wed Dec 22 12:15:46 2004] [warn] [client 10.201.255.254]
> [1400968] auth_ldap authenticate: user testuser
> authentication failed; URI /aptest/
> [ldap_search_ext_s() for user failed][Operations error]
> ldap_search_ext_s: Operations error (1)
> additional info: 00000000: LdapErr: DSID-0C0905FF,
> comment: In order to perform this operation a successful bind
> must be completed on the connection., data 0, vece
>
> However, if I change the AuthLDAPURL to this:
>
> AuthLDAPURL
> ldap://ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAcco
> untName?sub?(&
> (objectClass=user)(!(objectClass=computer)))
>
> It works just fine. This solution doesn't work for me,
> though, because the MIS team is moving users out of cn=users
> and into ou=users,ou=city_of_office. And I can't specify
> multiply AuthLDAPURL variables to search the possible cities
> where users might reside.
>
> The part I don't understand is why it complains about binding
> to the ADS _unless_ I specify cn=users in the AuthLDAPURL variable.
>
> Thank you for the continued help, very much appreciated.
> James
>
> > -----Original Message-----
> > From: Ralf Glauberman [mailto:rglauberman@michaeli-gymnasium.de]
> > Sent: Wednesday, December 22, 2004 9:18 AM
> > To: users@httpd.apache.org
> > Subject: Re: [users@httpd] OpenLDAP to Active Directory
> Authentication
> >
> >
> > perhaps you want to try the following:
> > go to a windows box in the domain of the ad. there is a tool
> > called ldp.exe
> > in the windows 2k resource kit, use this to connect to the ad
> > via ldap. bind
> > to the ad, then you can search in the ad just as apache would
> > do. if you
> > continue to have problems, perhaps you could send a detailed
> > description
> > about your setup.
> > ralf
> >
> > ----- Original Message -----
> > From: "James Massara" <james.massara@digitalinsight.com>
> > To: <users@httpd.apache.org>
> > Sent: Tuesday, December 21, 2004 8:57 PM
> > Subject: RE: [users@httpd] OpenLDAP to Active Directory
> Authentication
> >
> >
> > > The bind works when I do:
> > >
> > > AuthLDAPURL
> > >
> >
> ldap://corp.ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAccount
> > > Name?s
> > > ub?(objectClass=user)
> > >
> > > But not when I do:
> > >
> > > AuthLDAPURL
> > >
> >
> ldap://corp.ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?
> > > (objec
> > > tClass=user)
> > >
> > > That's why the following error seems misleading:
> > >
> > > [Wed Dec 15 11:18:10 2004] [error] [client 127.0.0.1]
> > > [mod_auth_ldap.c] -
> > > Error: Operations error
> > > ldap_search_s: Operations error (1)
> > > additional info: 00000000: LdapErr: DSID-0C0905FF,
> > comment: In
> > > order
> > > to perform this operation a successful bind must be
> completed on the
> > > connection., data 0, vece
> > >
> > > I would try what you suggested but I don't see how I can bind as
> > > user@company.com with the module.
> > >
> > >> -----Original Message-----
> > >> From: Covington, Chris [mailto:ccovington@plusone.com]
> > >> Sent: Tuesday, December 21, 2004 11:40 AM
> > >> To: users@httpd.apache.org
> > >> Subject: Re: [users@httpd] OpenLDAP to Active Directory
> > >> Authentication
> > >>
> > >>
> > >> > Has anyone experienced/fixed the problem described below?
> > >>
> > >> I haven't had direct experience with Apache/LDAP but have
> > you tried
> > >> binding with the UPN login? IE user@company.com? (or
> > >> user\@company.com)
> > >>
> > >> Chris
> > >>
> > >>
> >
> ---------------------------------------------------------------------
> > >> The official User-To-User support forum of the Apache HTTP Server
> > >> Project. See
> <URL:http://httpd.apache.org/userslist.html> for more
> > >> info. To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > >> " from the digest: users-digest-unsubscribe@httpd.apache.org
> > >> For additional commands, e-mail: users-help@httpd.apache.org
> > >>
> > >
> > >
> >
> ---------------------------------------------------------------------
> > > The official User-To-User support forum of the Apache HTTP Server
> > > Project. See <URL:http://httpd.apache.org/userslist.html>
> for more
> > > info. To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > > " from the digest: users-digest-unsubscribe@httpd.apache.org
> > > For additional commands, e-mail: users-help@httpd.apache.org
> > >
> >
> >
> >
> ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP
> > Server Project. See
> > <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > " from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: OpenLDAP to Active Directory Authentication [ In reply to ]
Hi,

I experienced the same problem as the one described here, and it turned
out to be the LDAP referrals being sent by Active Directory.

If you bind to cn=Users,dc=ad,dc=company,dc=com, then you are binding to
a container within Active Directory, and everything works fine.

However, if you bind to the root of your domain, i.e. just
dc=ad,dc=company,dc=com, then Active Directory, in addition to the
search results you expected, will also return referrals to the other
directory partitions.

It seems that the referrals that Active Directory returns are causing
the authentication to be rejected.

There are two possible solutions that I know of:

1. Create an organisational unit called something like "All Users" and
make sure all your user accounts are inside this container - that way
you can use ou=all users,dc=ad,dc=company,dc=com as your LDAP path.

2. Disabling referral chasing got the Netscape LDAP SDK to bind to the
root of an Active Directory domain - no idea if the same will be true of
OpenLDAP.

Hope this information helps someone.

Regards,

John


> > -----Original Message-----
> > From: James Massara
> > Sent: Wednesday, December 22, 2004 10:45 AM
> > To: 'users@httpd.apache.org'
> > Subject: RE: [users@httpd] OpenLDAP to Active Directory
> Authentication
> >
> >
> > The search works fine from the Windows ldp tool. It also
> works fine
> > from the OpenLDAP ldapsearch tool:
> >
> > ldapsearch -h ad.company.com -D
> > 'cn=jmassara,ou=users,dc=ad,dc=company,dc=com' -b
> > 'DC=ad,DC=company,DC=com' -x -W
> > "(&(objectClass=user)(!(objectClass=computer)))" sAMAccountName
> >
> > Details of my setup:
> >
> > Operating System Gentoo Linux (kernel v2.6.8) OpenLDAP
> v2.1.30 Apache
> > HTTPD v2.0.52 using the bundled mod_auth_ldap
> >
> > My .htaccess file settings are:
> >
> > AuthName "DI Admin Platform"
> > AuthType Basic
> > AuthLDAPURL
> > ldap://ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?s
> > ub?(&(objectCl
> > ass=user)(!(objectClass=computer)))
> > AuthLDAPBindDN cn=jmassara,ou=users,ou=city,dc=ad,dc=company,dc=com
> > AuthLDAPBindPassword mypasswd
> >
> > This using this setup generates the following error:
> >
> > [Wed Dec 22 12:15:46 2004] [warn] [client 10.201.255.254] [1400968]
> > auth_ldap authenticate: user testuser authentication failed; URI
> > /aptest/
> > [ldap_search_ext_s() for user failed][Operations error]
> > ldap_search_ext_s: Operations error (1)
> > additional info: 00000000: LdapErr: DSID-0C0905FF,
> > comment: In order to perform this operation a successful
> bind must be
> > completed on the connection., data 0, vece
> >
> > However, if I change the AuthLDAPURL to this:
> >
> > AuthLDAPURL
> > ldap://ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAcco
> > untName?sub?(&
> > (objectClass=user)(!(objectClass=computer)))
> >
> > It works just fine. This solution doesn't work for me, though,
> > because the MIS team is moving users out of cn=users and into
> > ou=users,ou=city_of_office. And I can't specify multiply
> AuthLDAPURL
> > variables to search the possible cities where users might reside.
> >
> > The part I don't understand is why it complains about
> binding to the
> > ADS _unless_ I specify cn=users in the AuthLDAPURL variable.
> >
> > Thank you for the continued help, very much appreciated.
> > James
> >
> > > -----Original Message-----
> > > From: Ralf Glauberman [mailto:rglauberman@michaeli-gymnasium.de]
> > > Sent: Wednesday, December 22, 2004 9:18 AM
> > > To: users@httpd.apache.org
> > > Subject: Re: [users@httpd] OpenLDAP to Active Directory
> > Authentication
> > >
> > >
> > > perhaps you want to try the following:
> > > go to a windows box in the domain of the ad. there is a
> tool called
> > > ldp.exe in the windows 2k resource kit, use this to
> connect to the
> > > ad via ldap. bind to the ad, then you can search in the
> ad just as
> > > apache would do. if you continue to have problems,
> perhaps you could
> > > send a detailed description about your setup.
> > > ralf
> > >
> > > ----- Original Message -----
> > > From: "James Massara" <james.massara@digitalinsight.com>
> > > To: <users@httpd.apache.org>
> > > Sent: Tuesday, December 21, 2004 8:57 PM
> > > Subject: RE: [users@httpd] OpenLDAP to Active Directory
> > Authentication
> > >
> > >
> > > > The bind works when I do:
> > > >
> > > > AuthLDAPURL
> > > >
> > >
> >
> ldap://corp.ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAccount
> > > > Name?s
> > > > ub?(objectClass=user)
> > > >
> > > > But not when I do:
> > > >
> > > > AuthLDAPURL
> > > >
> > >
> >
> ldap://corp.ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?
> > > > (objec
> > > > tClass=user)
> > > >
> > > > That's why the following error seems misleading:
> > > >
> > > > [Wed Dec 15 11:18:10 2004] [error] [client 127.0.0.1]
> > > > [mod_auth_ldap.c] -
> > > > Error: Operations error
> > > > ldap_search_s: Operations error (1)
> > > > additional info: 00000000: LdapErr: DSID-0C0905FF,
> > > comment: In
> > > > order
> > > > to perform this operation a successful bind must be
> > completed on the
> > > > connection., data 0, vece
> > > >
> > > > I would try what you suggested but I don't see how I
> can bind as
> > > > user@company.com with the module.
> > > >
> > > >> -----Original Message-----
> > > >> From: Covington, Chris [mailto:ccovington@plusone.com]
> > > >> Sent: Tuesday, December 21, 2004 11:40 AM
> > > >> To: users@httpd.apache.org
> > > >> Subject: Re: [users@httpd] OpenLDAP to Active Directory
> > > >> Authentication
> > > >>
> > > >>
> > > >> > Has anyone experienced/fixed the problem described below?
> > > >>
> > > >> I haven't had direct experience with Apache/LDAP but have
> > > you tried
> > > >> binding with the UPN login? IE user@company.com? (or
> > > >> user\@company.com)
> > > >>
> > > >> Chris
> > > >>
> > > >>
> > >
> >
> ---------------------------------------------------------------------
> > > >> The official User-To-User support forum of the Apache
> HTTP Server
> > > >> Project. See
> > <URL:http://httpd.apache.org/userslist.html> for more
> > > >> info. To unsubscribe, e-mail:
> users-unsubscribe@httpd.apache.org
> > > >> " from the digest:
> users-digest-unsubscribe@httpd.apache.org
> > > >> For additional commands, e-mail: users-help@httpd.apache.org
> > > >>
> > > >
> > > >
> > >
> >
> ---------------------------------------------------------------------
> > > > The official User-To-User support forum of the Apache
> HTTP Server
> > > > Project. See <URL:http://httpd.apache.org/userslist.html>
> > for more
> > > > info. To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > > > " from the digest: users-digest-unsubscribe@httpd.apache.org
> > > > For additional commands, e-mail: users-help@httpd.apache.org
> > > >
> > >
> > >
> > >
> >
> ---------------------------------------------------------------------
> > > The official User-To-User support forum of the Apache HTTP Server
> > > Project. See <URL:http://httpd.apache.org/userslist.html>
> for more
> > > info.
> > > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > > " from the digest: users-digest-unsubscribe@httpd.apache.org
> > > For additional commands, e-mail: users-help@httpd.apache.org
> > >
> >
> >
> ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server
> > Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > " from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: OpenLDAP to Active Directory Authentication [ In reply to ]
Solution #1 is not an option for us (or so says our AD admin), but
solution #2 might be. How did you disable the referral chasing? We are,
in fact, using an Active Directory for authentication, sorry if I wasn't
clear about that.

I guess I'm still a bit confused about how this works, as well... my
understanding is that the binding itself is done with the bind DN and
password, which includes the container. And then a search is done off of
the AuthLDAPURL. Did you just mean the search results, rather than the
bind, or am I getting my terminology confused.

Thanks for the info,
.josh

John wrote:

>Hi,
>
>I experienced the same problem as the one described here, and it turned
>out to be the LDAP referrals being sent by Active Directory.
>
>If you bind to cn=Users,dc=ad,dc=company,dc=com, then you are binding to
>a container within Active Directory, and everything works fine.
>
>However, if you bind to the root of your domain, i.e. just
>dc=ad,dc=company,dc=com, then Active Directory, in addition to the
>search results you expected, will also return referrals to the other
>directory partitions.
>
>It seems that the referrals that Active Directory returns are causing
>the authentication to be rejected.
>
>There are two possible solutions that I know of:
>
>1. Create an organisational unit called something like "All Users" and
>make sure all your user accounts are inside this container - that way
>you can use ou=all users,dc=ad,dc=company,dc=com as your LDAP path.
>
>2. Disabling referral chasing got the Netscape LDAP SDK to bind to the
>root of an Active Directory domain - no idea if the same will be true of
>OpenLDAP.
>
>Hope this information helps someone.
>
>Regards,
>
>John
>
>
>
>
>>>-----Original Message-----
>>>From: James Massara
>>>Sent: Wednesday, December 22, 2004 10:45 AM
>>>To: 'users@httpd.apache.org'
>>>Subject: RE: [users@httpd] OpenLDAP to Active Directory
>>>
>>>
>>Authentication
>>
>>
>>>The search works fine from the Windows ldp tool. It also
>>>
>>>
>>works fine
>>
>>
>>>from the OpenLDAP ldapsearch tool:
>>>
>>>ldapsearch -h ad.company.com -D
>>>'cn=jmassara,ou=users,dc=ad,dc=company,dc=com' -b
>>>'DC=ad,DC=company,DC=com' -x -W
>>>"(&(objectClass=user)(!(objectClass=computer)))" sAMAccountName
>>>
>>>Details of my setup:
>>>
>>>Operating System Gentoo Linux (kernel v2.6.8) OpenLDAP
>>>
>>>
>>v2.1.30 Apache
>>
>>
>>>HTTPD v2.0.52 using the bundled mod_auth_ldap
>>>
>>>My .htaccess file settings are:
>>>
>>>AuthName "DI Admin Platform"
>>>AuthType Basic
>>>AuthLDAPURL
>>>ldap://ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?s
>>>ub?(&(objectCl
>>>ass=user)(!(objectClass=computer)))
>>>AuthLDAPBindDN cn=jmassara,ou=users,ou=city,dc=ad,dc=company,dc=com
>>>AuthLDAPBindPassword mypasswd
>>>
>>>This using this setup generates the following error:
>>>
>>>[Wed Dec 22 12:15:46 2004] [warn] [client 10.201.255.254] [1400968]
>>>auth_ldap authenticate: user testuser authentication failed; URI
>>>/aptest/
>>>[ldap_search_ext_s() for user failed][Operations error]
>>>ldap_search_ext_s: Operations error (1)
>>> additional info: 00000000: LdapErr: DSID-0C0905FF,
>>>comment: In order to perform this operation a successful
>>>
>>>
>>bind must be
>>
>>
>>>completed on the connection., data 0, vece
>>>
>>>However, if I change the AuthLDAPURL to this:
>>>
>>>AuthLDAPURL
>>>ldap://ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAcco
>>>untName?sub?(&
>>>(objectClass=user)(!(objectClass=computer)))
>>>
>>>It works just fine. This solution doesn't work for me, though,
>>>because the MIS team is moving users out of cn=users and into
>>>ou=users,ou=city_of_office. And I can't specify multiply
>>>
>>>
>>AuthLDAPURL
>>
>>
>>>variables to search the possible cities where users might reside.
>>>
>>>The part I don't understand is why it complains about
>>>
>>>
>>binding to the
>>
>>
>>>ADS _unless_ I specify cn=users in the AuthLDAPURL variable.
>>>
>>>Thank you for the continued help, very much appreciated.
>>>James
>>>
>>>
>>>
>>>>-----Original Message-----
>>>>From: Ralf Glauberman [mailto:rglauberman@michaeli-gymnasium.de]
>>>>Sent: Wednesday, December 22, 2004 9:18 AM
>>>>To: users@httpd.apache.org
>>>>Subject: Re: [users@httpd] OpenLDAP to Active Directory
>>>>
>>>>
>>>Authentication
>>>
>>>
>>>>perhaps you want to try the following:
>>>>go to a windows box in the domain of the ad. there is a
>>>>
>>>>
>>tool called
>>
>>
>>>>ldp.exe in the windows 2k resource kit, use this to
>>>>
>>>>
>>connect to the
>>
>>
>>>>ad via ldap. bind to the ad, then you can search in the
>>>>
>>>>
>>ad just as
>>
>>
>>>>apache would do. if you continue to have problems,
>>>>
>>>>
>>perhaps you could
>>
>>
>>>>send a detailed description about your setup.
>>>>ralf
>>>>
>>>>----- Original Message -----
>>>>From: "James Massara" <james.massara@digitalinsight.com>
>>>>To: <users@httpd.apache.org>
>>>>Sent: Tuesday, December 21, 2004 8:57 PM
>>>>Subject: RE: [users@httpd] OpenLDAP to Active Directory
>>>>
>>>>
>>>Authentication
>>>
>>>
>>>>
>>>>
>>>>>The bind works when I do:
>>>>>
>>>>>AuthLDAPURL
>>>>>
>>>>>
>>>>>
>>ldap://corp.ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAccount
>>
>>
>>>>>Name?s
>>>>>ub?(objectClass=user)
>>>>>
>>>>>But not when I do:
>>>>>
>>>>>AuthLDAPURL
>>>>>
>>>>>
>>>>>
>>ldap://corp.ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?
>>
>>
>>>>>(objec
>>>>>tClass=user)
>>>>>
>>>>>That's why the following error seems misleading:
>>>>>
>>>>>[Wed Dec 15 11:18:10 2004] [error] [client 127.0.0.1]
>>>>>[mod_auth_ldap.c] -
>>>>>Error: Operations error
>>>>>ldap_search_s: Operations error (1)
>>>>> additional info: 00000000: LdapErr: DSID-0C0905FF,
>>>>>
>>>>>
>>>>comment: In
>>>>
>>>>
>>>>>order
>>>>>to perform this operation a successful bind must be
>>>>>
>>>>>
>>>completed on the
>>>
>>>
>>>>>connection., data 0, vece
>>>>>
>>>>>I would try what you suggested but I don't see how I
>>>>>
>>>>>
>>can bind as
>>
>>
>>>>>user@company.com with the module.
>>>>>
>>>>>
>>>>>
>>>>>>-----Original Message-----
>>>>>>From: Covington, Chris [mailto:ccovington@plusone.com]
>>>>>>Sent: Tuesday, December 21, 2004 11:40 AM
>>>>>>To: users@httpd.apache.org
>>>>>>Subject: Re: [users@httpd] OpenLDAP to Active Directory
>>>>>>Authentication
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>Has anyone experienced/fixed the problem described below?
>>>>>>>
>>>>>>>
>>>>>>I haven't had direct experience with Apache/LDAP but have
>>>>>>
>>>>>>
>>>>you tried
>>>>
>>>>
>>>>>>binding with the UPN login? IE user@company.com? (or
>>>>>>user\@company.com)
>>>>>>
>>>>>>Chris
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>---------------------------------------------------------------------
>>
>>
>>>>>>The official User-To-User support forum of the Apache
>>>>>>
>>>>>>
>>HTTP Server
>>
>>
>>>>>>Project. See
>>>>>>
>>>>>>
>>><URL:http://httpd.apache.org/userslist.html> for more
>>>
>>>
>>>>>>info. To unsubscribe, e-mail:
>>>>>>
>>>>>>
>>users-unsubscribe@httpd.apache.org
>>
>>
>>>>>> " from the digest:
>>>>>>
>>>>>>
>>users-digest-unsubscribe@httpd.apache.org
>>
>>
>>>>>>For additional commands, e-mail: users-help@httpd.apache.org
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>---------------------------------------------------------------------
>>
>>
>>>>>The official User-To-User support forum of the Apache
>>>>>
>>>>>
>>HTTP Server
>>
>>
>>>>>Project. See <URL:http://httpd.apache.org/userslist.html>
>>>>>
>>>>>
>>>for more
>>>
>>>
>>>>>info. To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>>>>>For additional commands, e-mail: users-help@httpd.apache.org
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>---------------------------------------------------------------------
>>
>>
>>>>The official User-To-User support forum of the Apache HTTP Server
>>>>Project. See <URL:http://httpd.apache.org/userslist.html>
>>>>
>>>>
>>for more
>>
>>
>>>>info.
>>>>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>>>>For additional commands, e-mail: users-help@httpd.apache.org
>>>>
>>>>
>>>>
>>>
>>>
>>---------------------------------------------------------------------
>>
>>
>>>The official User-To-User support forum of the Apache HTTP Server
>>>Project.
>>>See <URL:http://httpd.apache.org/userslist.html> for more info.
>>>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>>>For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>>
>>>
>>---------------------------------------------------------------------
>>The official User-To-User support forum of the Apache HTTP
>>Server Project.
>>See <URL:http://httpd.apache.org/userslist.html> for more info.
>>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>>For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>>---------------------------------------------------------------------
>>The official User-To-User support forum of the Apache HTTP
>>Server Project.
>>See <URL:http://httpd.apache.org/userslist.html> for more info.
>>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>>For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>>
>>
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP Server Project.
>See <URL:http://httpd.apache.org/userslist.html> for more info.
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org
>
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: OpenLDAP to Active Directory Authentication [ In reply to ]
As a followup... what's the proper way to do AuthAthoritative
directives? In particular as a workaround for the problem outlined below.

As far as I can tell, a work around would be to let the first
AuthLDAPURL in the first container fail, and then try with the other
container.

Is this possible? Or, is AuthAthoritative just for switching to a
*different* authentication mechanism, and cannot be used with the same
mechanism? If so, can someone supply an example?

Thanks!
.josh

Josh Burley wrote:

> Solution #1 is not an option for us (or so says our AD admin), but
> solution #2 might be. How did you disable the referral chasing? We
> are, in fact, using an Active Directory for authentication, sorry if I
> wasn't clear about that.
>
> I guess I'm still a bit confused about how this works, as well... my
> understanding is that the binding itself is done with the bind DN and
> password, which includes the container. And then a search is done off
> of the AuthLDAPURL. Did you just mean the search results, rather than
> the bind, or am I getting my terminology confused.
>
> Thanks for the info,
> .josh
>
> John wrote:
>
>> Hi,
>>
>> I experienced the same problem as the one described here, and it turned
>> out to be the LDAP referrals being sent by Active Directory.
>>
>> If you bind to cn=Users,dc=ad,dc=company,dc=com, then you are binding to
>> a container within Active Directory, and everything works fine.
>>
>> However, if you bind to the root of your domain, i.e. just
>> dc=ad,dc=company,dc=com, then Active Directory, in addition to the
>> search results you expected, will also return referrals to the other
>> directory partitions.
>>
>> It seems that the referrals that Active Directory returns are causing
>> the authentication to be rejected.
>>
>> There are two possible solutions that I know of:
>>
>> 1. Create an organisational unit called something like "All Users" and
>> make sure all your user accounts are inside this container - that way
>> you can use ou=all users,dc=ad,dc=company,dc=com as your LDAP path.
>>
>> 2. Disabling referral chasing got the Netscape LDAP SDK to bind to the
>> root of an Active Directory domain - no idea if the same will be true of
>> OpenLDAP.
>>
>> Hope this information helps someone.
>>
>> Regards,
>>
>> John
>>
>>
>>
>>
>>>> -----Original Message-----
>>>> From: James Massara
>>>> Sent: Wednesday, December 22, 2004 10:45 AM
>>>> To: 'users@httpd.apache.org'
>>>> Subject: RE: [users@httpd] OpenLDAP to Active Directory
>>>
>>> Authentication
>>>
>>>
>>>> The search works fine from the Windows ldp tool. It also
>>>
>>> works fine
>>>
>>>> from the OpenLDAP ldapsearch tool:
>>>>
>>>> ldapsearch -h ad.company.com -D
>>>> 'cn=jmassara,ou=users,dc=ad,dc=company,dc=com' -b
>>>> 'DC=ad,DC=company,DC=com' -x -W
>>>> "(&(objectClass=user)(!(objectClass=computer)))" sAMAccountName
>>>>
>>>> Details of my setup:
>>>>
>>>> Operating System Gentoo Linux (kernel v2.6.8) OpenLDAP
>>>
>>> v2.1.30 Apache
>>>
>>>> HTTPD v2.0.52 using the bundled mod_auth_ldap
>>>>
>>>> My .htaccess file settings are:
>>>>
>>>> AuthName "DI Admin Platform"
>>>> AuthType Basic
>>>> AuthLDAPURL
>>>> ldap://ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?s
>>>> ub?(&(objectCl
>>>> ass=user)(!(objectClass=computer)))
>>>> AuthLDAPBindDN cn=jmassara,ou=users,ou=city,dc=ad,dc=company,dc=com
>>>> AuthLDAPBindPassword mypasswd
>>>>
>>>> This using this setup generates the following error:
>>>>
>>>> [Wed Dec 22 12:15:46 2004] [warn] [client 10.201.255.254] [1400968]
>>>> auth_ldap authenticate: user testuser authentication failed; URI
>>>> /aptest/
>>>> [ldap_search_ext_s() for user failed][Operations error]
>>>> ldap_search_ext_s: Operations error (1)
>>>> additional info: 00000000: LdapErr: DSID-0C0905FF,
>>>> comment: In order to perform this operation a successful
>>>
>>> bind must be
>>>
>>>> completed on the connection., data 0, vece
>>>>
>>>> However, if I change the AuthLDAPURL to this:
>>>>
>>>> AuthLDAPURL
>>>> ldap://ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAcco
>>>> untName?sub?(&
>>>> (objectClass=user)(!(objectClass=computer)))
>>>>
>>>> It works just fine. This solution doesn't work for me, though,
>>>> because the MIS team is moving users out of cn=users and into
>>>> ou=users,ou=city_of_office. And I can't specify multiply
>>>
>>> AuthLDAPURL
>>>
>>>> variables to search the possible cities where users might reside.
>>>>
>>>> The part I don't understand is why it complains about
>>>
>>> binding to the
>>>
>>>> ADS _unless_ I specify cn=users in the AuthLDAPURL variable.
>>>>
>>>> Thank you for the continued help, very much appreciated.
>>>> James
>>>>
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: Ralf Glauberman [mailto:rglauberman@michaeli-gymnasium.de]
>>>>> Sent: Wednesday, December 22, 2004 9:18 AM
>>>>> To: users@httpd.apache.org
>>>>> Subject: Re: [users@httpd] OpenLDAP to Active Directory
>>>>>
>>>>
>>>> Authentication
>>>>
>>>>
>>>>> perhaps you want to try the following:
>>>>> go to a windows box in the domain of the ad. there is a
>>>>
>>> tool called
>>>
>>>>> ldp.exe in the windows 2k resource kit, use this to
>>>>
>>> connect to the
>>>
>>>>> ad via ldap. bind to the ad, then you can search in the
>>>>
>>> ad just as
>>>
>>>>> apache would do. if you continue to have problems,
>>>>
>>> perhaps you could
>>>
>>>>> send a detailed description about your setup.
>>>>> ralf
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "James Massara" <james.massara@digitalinsight.com>
>>>>> To: <users@httpd.apache.org>
>>>>> Sent: Tuesday, December 21, 2004 8:57 PM
>>>>> Subject: RE: [users@httpd] OpenLDAP to Active Directory
>>>>>
>>>>
>>>> Authentication
>>>>
>>>>
>>>>>
>>>>>
>>>>>> The bind works when I do:
>>>>>>
>>>>>> AuthLDAPURL
>>>>>>
>>>>>>
>>>>>
>>> ldap://corp.ad.company.com/cn=users,dc=ad,dc=company,dc=com?sAMAccount
>>>
>>>
>>>>>> Name?s
>>>>>> ub?(objectClass=user)
>>>>>>
>>>>>> But not when I do:
>>>>>>
>>>>>> AuthLDAPURL
>>>>>>
>>>>>>
>>>>>
>>> ldap://corp.ad.company.com/dc=ad,dc=company,dc=com?sAMAccountName?sub?
>>>
>>>
>>>>>> (objec
>>>>>> tClass=user)
>>>>>>
>>>>>> That's why the following error seems misleading:
>>>>>>
>>>>>> [Wed Dec 15 11:18:10 2004] [error] [client 127.0.0.1]
>>>>>> [mod_auth_ldap.c] -
>>>>>> Error: Operations error
>>>>>> ldap_search_s: Operations error (1)
>>>>>> additional info: 00000000: LdapErr: DSID-0C0905FF,
>>>>>>
>>>>>
>>>>> comment: In
>>>>>
>>>>>
>>>>>> order
>>>>>> to perform this operation a successful bind must be
>>>>>>
>>>>>
>>>> completed on the
>>>>
>>>>
>>>>>> connection., data 0, vece
>>>>>>
>>>>>> I would try what you suggested but I don't see how I
>>>>>
>>> can bind as
>>>
>>>>>> user@company.com with the module.
>>>>>>
>>>>>>
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Covington, Chris [mailto:ccovington@plusone.com]
>>>>>>> Sent: Tuesday, December 21, 2004 11:40 AM
>>>>>>> To: users@httpd.apache.org
>>>>>>> Subject: Re: [users@httpd] OpenLDAP to Active Directory
>>>>>>> Authentication
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Has anyone experienced/fixed the problem described below?
>>>>>>>>
>>>>>>>
>>>>>>> I haven't had direct experience with Apache/LDAP but have
>>>>>>>
>>>>>>
>>>>> you tried
>>>>>
>>>>>
>>>>>>> binding with the UPN login? IE user@company.com? (or
>>>>>>> user\@company.com)
>>>>>>>
>>>>>>> Chris
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>> ---------------------------------------------------------------------
>>>
>>>
>>>>>>> The official User-To-User support forum of the Apache
>>>>>>
>>> HTTP Server
>>>
>>>>>>> Project. See
>>>>>>>
>>>>>>
>>>> <URL:http://httpd.apache.org/userslist.html> for more
>>>>
>>>>
>>>>>>> info. To unsubscribe, e-mail:
>>>>>>
>>> users-unsubscribe@httpd.apache.org
>>>
>>>
>>>>>>> " from the digest:
>>>>>>
>>> users-digest-unsubscribe@httpd.apache.org
>>>
>>>
>>>>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>> ---------------------------------------------------------------------
>>>
>>>
>>>>>> The official User-To-User support forum of the Apache
>>>>>
>>> HTTP Server
>>>
>>>>>> Project. See <URL:http://httpd.apache.org/userslist.html>
>>>>>>
>>>>>
>>>> for more
>>>>
>>>>
>>>>>> info. To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>>>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>>>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>> ---------------------------------------------------------------------
>>>
>>>
>>>>> The official User-To-User support forum of the Apache HTTP Server
>>>>> Project. See <URL:http://httpd.apache.org/userslist.html>
>>>>
>>> for more
>>>
>>>>> info.
>>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>>
>>>>>
>>>>
>>>>
>>>
>>> ---------------------------------------------------------------------
>>>
>>>
>>>> The official User-To-User support forum of the Apache HTTP Server
>>>> Project.
>>>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>
>>>>
>>>
>>> ---------------------------------------------------------------------
>>> The official User-To-User support forum of the Apache HTTP Server
>>> Project.
>>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>>
>>> ---------------------------------------------------------------------
>>> The official User-To-User support forum of the Apache HTTP Server
>>> Project.
>>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>>
>>>
>>
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server
>> Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org