
Apache LDAP authentication does not work for one user

Status
Not open for further replies.

garion42

IS-IT--Management
Jun 15, 2005
29
DE
We have Apache/2.2.21 running on Solaris 10 (Intel) and are authenticating users against a Windows active directory. We have allowed access for several groups (ldap-group) and individual users (ldap-user) and in most cases it works. However, in one particular case when we try to access the web server, we get the error message

user logservice not found: /

We can use the same user to log into the domain using a terminal server session.

From my perspective, this all says the user exists, the password is correct and the account is not locked. My assumption is that there is some permission that users need in order to authenticate in this fashion or the account Apache uses to bind is not authorized to read the data from this particular user.

I do not have access to the event logs, because the AD server is managed by a different department, so I have no idea how the AD reacts when the connection is made. Naturally the other department insists the user is configured correctly. The lines for the individual users in httpd.conf are identical for this user and for others that work:

Require ldap-user logservice
Require ldap-user serb122
Require ldap-user rair120

I would be extremely grateful for any suggestions of where to look.
 
I'd start by looking in the Apache logs (access_log and error_log) for some clues, then I'd be running snoop (or Wireshark if your Apache server is on Blindows) to see what's actually being sent across to the server for that user (compare that with another working user). Also check that the failing user is in the accepted group for access to the Apache resource it's trying to access.


Good luck

Laurie
 
Thanks for the reply. I set the Apache LogLevel to debug, but I did not see anything to indicate where the problem was. It looked like the connection was being made to the server, although the server was saying the user did not exist.

Snoop is a good idea, for the next time. I don't need it any more as we figured it out!

Turns out the new user was *not* configured "exactly the same way" as the others. This user was created for the sole purpose of read-only access to log files and not for normal work. So when it was created, it was added to a completely different branch than normal users. The user I was using to bind to LDAP did not have access to that particular branch. It's annoying that I did not get some kind of permission denied error, but I am glad we figured it out.

Thanks again for the assistance!
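The diagnosis above (a "user ... not found" from Apache that was really the bind account being unable to see the user's branch) can be reproduced from the command line instead of waiting for snoop or the AD team. The following Python script is an added example, not code from the thread or from Apache: it reads the mod_authnz_ldap directives out of an httpd.conf fragment and builds the ldapsearch command that performs the same search the module performs, i.e. bound as AuthLDAPBindDN, under the base and scope of AuthLDAPURL, with the combined filter (&(filter)(attribute=username)). The directive names are real Apache directives; the hostname, DNs, password and user names in SAMPLE_HTTPD_CONF are constructed placeholders.

```python
"""Added example, not code from the thread: reproduce mod_authnz_ldap's user
lookup with ldapsearch, as the same bind account Apache uses, so that
"user X not found" can be traced to the search base or to the bind account's
read permissions. Every value in SAMPLE_HTTPD_CONF is a constructed placeholder."""
import shlex
import subprocess
import sys
from urllib.parse import unquote, urlparse

# Constructed httpd.conf fragment modelled on the thread (hostname, DNs and
# password are assumptions, not the poster's configuration).
SAMPLE_HTTPD_CONF = '''
AuthLDAPURL "ldap://dc1.example.com:389/OU=Staff,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
AuthLDAPBindDN "CN=apache-bind,OU=Service Accounts,DC=example,DC=com"
AuthLDAPBindPassword "s3cret"
Require ldap-user logservice
Require ldap-user serb122
'''

def parse_ldap_url(url):
    """Split an AuthLDAPURL (ldap[s]://host[:port]/basedn?attr?scope?filter)
    into its parts, applying the module's documented defaults where omitted."""
    u = urlparse(url)
    q = u.query.split("?") if u.query else []
    attr = unquote(q[0]) if len(q) > 0 and q[0] else "uid"
    scope = q[1] if len(q) > 1 and q[1] else "sub"
    filt = unquote(q[2]) if len(q) > 2 and q[2] else "(objectClass=*)"
    return {"uri": f"{u.scheme}://{u.netloc}", "base": unquote(u.path.lstrip("/")),
            "attr": attr, "scope": scope, "filter": filt}

def parse_conf(text):
    """Collect the three LDAP directives and the Require ldap-user names from
    an httpd.conf fragment (one directive per line, values may be quoted)."""
    conf = {"users": []}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        tokens = shlex.split(raw)
        if tokens[0] == "Require" and len(tokens) > 2 and tokens[1] == "ldap-user":
            conf["users"].extend(tokens[2:])
        elif tokens[0] in ("AuthLDAPURL", "AuthLDAPBindDN", "AuthLDAPBindPassword"):
            conf[tokens[0]] = tokens[1]
    return conf

def ldap_escape(value):
    """RFC 4515 escaping for a value embedded in a search filter, so a
    user-supplied name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def ldapsearch_argv(url, bind_dn, bind_pw, username):
    """The ldapsearch command equivalent to the module's lookup of `username`:
    bind as the configured account, search the configured base and scope with
    the combined filter (&(filter)(attr=username)), return only the DN."""
    p = parse_ldap_url(url)
    combined = f"(&{p['filter']}({p['attr']}={ldap_escape(username)}))"
    return ["ldapsearch", "-LLL", "-x", "-H", p["uri"], "-D", bind_dn, "-w", bind_pw,
            "-b", p["base"], "-s", p["scope"], combined, "dn"]

def interpret(returncode, stdout):
    """Diagnose from ldapsearch's exit status (the LDAP result code) and output.
    Exit 0 with no entry is the thread's case: AD returns no permission error for
    entries the bind account may not read, it simply omits them."""
    if returncode == 49:
        return "bind failed (invalidCredentials): check AuthLDAPBindDN/AuthLDAPBindPassword"
    if returncode == 32:
        return "base DN does not exist (noSuchObject): check the base in AuthLDAPURL"
    if returncode != 0:
        return f"ldapsearch failed with LDAP result code {returncode}"
    dns = [line for line in stdout.splitlines() if line.startswith("dn:")]
    if not dns:
        return ("no entry visible to this bind DN under this base: the user is in a "
                "branch outside the search base or one the bind account cannot read")
    if len(dns) > 1:
        return f"ambiguous: {len(dns)} entries match, Apache needs exactly one"
    return "found: " + dns[0]

def check_users(conf, run=False):
    """Build (and with run=True execute) the search for every Require ldap-user
    name; returns {username: (argv, diagnosis or None)}."""
    results = {}
    for user in conf["users"]:
        argv = ldapsearch_argv(conf["AuthLDAPURL"], conf["AuthLDAPBindDN"],
                               conf["AuthLDAPBindPassword"], user)
        diag = None
        if run:
            proc = subprocess.run(argv, capture_output=True, text=True)
            diag = interpret(proc.returncode, proc.stdout)
        results[user] = (argv, diag)
    return results

if __name__ == "__main__":
    # Without --run this only prints the commands (password masked).
    for user, (argv, diag) in check_users(parse_conf(SAMPLE_HTTPD_CONF), "--run" in sys.argv).items():
        shown = list(argv)
        shown[shown.index("-w") + 1] = "***"
        print(f"{user}: {shlex.join(shown)}" + (f"\n    {diag}" if diag else ""))
```

Run it against your own httpd.conf values with --run on a host that can reach the domain controller. A clean exit with no dn: line for the failing user, while a working user is found, is exactly the situation in the thread: the entry exists but is outside the AuthLDAPURL base or in an OU the bind account has no read permission on, and AD hides it rather than refusing. The fix is then either to grant the bind account read on that branch or to move the search base (and keep sub scope) so it covers both branches. When typing the command by hand, swap -w password for -W so the bind password is prompted for instead of landing in the process list and shell history.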
 