4

I'm trying to use LDAP authentication for a Subversion repository, accessed via Apache HTTP Server. Whatever I try, Apache generates the following error message:

authentication failed; URI /repos/branches/my-branch [ldap_search_ext_s() for user failed][Operations Error]

I've used the AD explorer from Sysinternals to connect to my AD server, and can see data in there, so I presume it's a problem with my LDAP URL search string. I've tried several variations, but always get the above error. Here's what I have in my httpd.conf. Any suggestions or ideas to diagnose this would be appreciated.

<Location /repos>
    DAV svn
    SVNPath C:\repos
    AuthType Basic
    AuthzLDAPAuthoritative off
    AuthBasicProvider ldap
    AuthName "IT Subversion repository"
    AuthLDAPURL "ldap://x.y.z.com:389/DC=y,DC=z,DC=com?sAMAccountName?sub?(objectClass=user)" NONE
    Require valid-user
</Location>
  • Shouldn't the error.log provide a more verbose error message? Commented Jul 5, 2010 at 8:41
  • All I'm getting in the error.log is shown above i.e. [Mon Jul 05 09:08:03 2010] [warn] [client 127.0.0.1] [9556] auth_ldap authenticate: user xxxxxxxx authentication failed; URI /repos/branches/my-branch [ldap_search_ext_s() for user failed][Operations Error] Commented Jul 5, 2010 at 8:49
  • This page talks about an Ldap REFERRALS option, which must be switched off michele.pupazzo.org/diary/?p=227 Unfortunately I don't know how to switch this off for Apache 2.2 on Windows. There appears to be an LDAPReferrals directive, which can be set in the httpd.conf file, but this is not implemented for mod_ldap 2.2, only 2.3, which is still in alpha version httpd.apache.org/docs/trunk/mod/mod_ldap.html#ldapreferrals Commented Jul 6, 2010 at 10:41
  • For anyone reading this, there is some extra relevant content on rayvd.wordpress.com/2011/08/01/rhels-apache-and-ldap-referrals Commented Jan 23, 2015 at 22:36

7 Answers

4

My problem was solved by changing the port from 389 to 3268. Port 389 looks only in the Local Directory, but 3268 looks in the Global Directory. What is confusing is that in an LDAP browser (JXplorer, for example) both ports work properly.


1

It appears that you're using Active Directory, which does not allow anonymous binding. Try adding the following:

# Active Directory requires an authenticating DN to access records
# This is the DN used to bind to the directory service
# This is an Active Directory user account.
AuthLDAPBindDN "CN=someuser,CN=Users,DC=y,DC=z,DC=com"

# This is the password for the AuthLDAPBindDN user in Active Directory
AuthLDAPBindPassword some_secret_password


1

I had something similar, although stranger. At first it worked when testing, but after some Apache restarts and configuration fine-tuning it stopped working.

After a long search on the internet, it appears I had to change the port from 389 to 3268. This solved my "[ldap_search_ext_s() for user failed][Operations Error]" errors for some reason. I still don't understand why, or why it worked at first, but it did for me.


1

Had the same problem; you need to specify in /etc/ldap/ldap.conf:

REFERRALS off

Solved my problem.


0

I had this problem recently; you need to add 3 additional parameters:

AuthLDAPBindDN "CN=someuser,CN=Users,DC=y,DC=z,DC=com"
AuthLDAPBindPassword some_secret_password

like jgnagy suggested. It also helped me when I added

Satisfy Any


0

LDAPReferrals just plain didn't exist in earlier versions, so there's nothing to turn off, really...

I guess if you managed to match a newer LDAP/Apache which has LDAP Referral as an option, and were trying to use an older AD, you'd have to turn it off.

For anybody else finding this, you should try these in order: telnet YOUR_AD_SERVER 389

Either you get a Connect and something like Escape character is ~, or you've got the wrong name/IP for your AD, or your firewalls are blocking access from your computer to AD on port 389.

Next, install the openldap command line tools, openldap-clients, and see if you can use ldapsearch (read the man page) to perform a search directly to your AD server, without Apache in the middle.


0

You might want to try running your search through ldapsearch in command line as it provides more information when facing an error:

ldapsearch -x -b "base_dn" -H "ldap_url" [search term]

In my case when I faced the same error, I needed to make a user binding in order to get access to the directory and carry out a search.
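The answers above point at two separate causes of the same "[ldap_search_ext_s() for user failed][Operations Error]" message: searching Active Directory without an AuthLDAPBindDN, and a subtree search from the domain root on port 389 (which returns referrals that mod_ldap 2.2 cannot stop chasing; port 3268 avoids them). The lint below is an added example, not code from any poster or from Apache; it parses a <Location> block in the question's form and flags both conditions. The sample block and the finding codes are constructed for this illustration.

```python
import shlex
from urllib.parse import urlsplit, unquote

# Constructed sample modelled on the question's block (no bind DN, port 389).
SAMPLE_CONF = """
<Location /repos>
    DAV svn
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "IT Subversion repository"
    AuthLDAPURL "ldap://x.y.z.com:389/DC=y,DC=z,DC=com?sAMAccountName?sub?(objectClass=user)" NONE
    Require valid-user
</Location>
"""

def parse_auth_ldap_url(url):
    """Split the mod_authnz_ldap form ldap://host:port/basedn?attr?scope?filter,
    applying the documented defaults (uid, sub, (objectClass=*)) for missing parts."""
    p = urlsplit(url)
    fields = p.query.split("?") + ["", "", ""]
    return {
        "host": p.hostname,
        "port": p.port or (636 if p.scheme == "ldaps" else 389),
        "base": unquote(p.path.lstrip("/")),
        "attr": fields[0] or "uid",
        "scope": fields[1] or "sub",
        "filter": fields[2] or "(objectClass=*)",
    }

def parse_directives(conf):
    """Map directive name -> argument list; <Location> tags and comments are skipped."""
    out = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith(("<", "#")):
            name, *args = shlex.split(line)
            out[name] = args
    return out

def lint(conf):
    """Return constructed finding codes for the AD pitfalls named in this thread."""
    d = parse_directives(conf)
    if "AuthLDAPURL" not in d:
        return ["no-url"]
    url = parse_auth_ldap_url(d["AuthLDAPURL"][0])
    findings = []
    if "AuthLDAPBindDN" not in d:          # AD refuses searches from an unbound client
        findings.append("no-bind-dn")
    elif "AuthLDAPBindPassword" not in d:
        findings.append("bind-dn-without-password")
    # Subtree search from the domain root on 389/636 yields referrals; the global
    # catalog (3268/3269) answers the same search without them.
    domain_root = all(r.strip().upper().startswith("DC=") for r in url["base"].split(","))
    if url["scope"] == "sub" and domain_root and url["port"] in (389, 636):
        findings.append("referrals-on-domain-port")
    return findings
```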
