[Freeipa-users] Re: mod_authz_ldap authentication against ipa

Rob Crittenden rcritten at redhat.com
Tue Oct 14 13:34:36 UTC 2008


Ivan Levchenko wrote:
> On Tue, Oct 14, 2008 at 12:47 AM, Ivan Levchenko <levchenko.i at gmail.com> wrote:
>> Hi,
>>
>> I'm trying to set up Apache authentication via mod_authz_ldap, but
>> I'm having some problems with it.
>> I've set up Apache as per
>> http://directory.fedoraproject.org/wiki/Howto:Apache, changed the
>> AuthzLDAPUserBase directive to
>> cn=users,cn=accounts,dc=example,dc=com, but it's not authenticating...
>>
>> after reading the docs for mod_authz_ldap, it says:
>> The password is verified by binding to the directory as the user whose
>> distinguished name was found in the previous step, with the password
>> from the login dialog.
>>
>> I've tried to connect to the LDAP server using a regular user created
>> via the web interface and I was not able to.
>>
>> Am I doing something wrong, or is it not possible to authenticate
>> against LDAP and I should only use Kerberos?
>>
>> thanks in advance.
>> --
>>
>> Best Regards,
>>
>> Ivan Levchenko
>> levchenko.i at gmail.com
>>
> 
> Another thing...
> 
> trying to use authentication when doing a regular ldapsearch:
> 
> ldapsearch -v -x -W -h master.example.com -D "uid=ivan,cn=users,cn=accounts,dc=example,dc=com" -b "cn=users,cn=accounts,dc=example,dc=com" uid=ivan
> ldap_initialize( ldap://master.example.com )
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
> 
> ... a bit lost why it isn't authenticating....

This should work. It appears that your password is wrong (or missing).

Can you verify that you have an LDAP password attribute set on this entry?

ldapsearch -x -W -D "cn=directory manager" -b "dc=example,dc=com" uid=ivan userPassword

You might also try changing your password to see if that helps. We have 
a plugin that is supposed to keep the Kerberos principal password and 
the basic auth password the same.

As Simo mentioned, you can alternatively use mod_auth_kerb for Kerberos 
auth.

rob
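
The userPassword check suggested above, as an added example that is not part of the original thread: a small Python parser for the LDIF that ldapsearch prints, reporting per entry whether userPassword is present and which storage-scheme prefix it carries, without echoing the hash. The sample output is constructed, the hash is a placeholder, and the uid=nopw entry and the function names are hypothetical.

```python
import base64
import re

def unfold(ldif):
    """Join RFC 2849 continuation lines (lines that start with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def password_status(ldif):
    """Map each entry DN to 'missing', a scheme name such as 'SSHA', or 'no-scheme'."""
    status, dn = {}, None
    for line in unfold(ldif):
        if not line.strip():
            dn = None  # a blank line ends the current entry
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):  # "attr:: <base64>", the usual form for userPassword
            value = base64.b64decode(rest[1:].strip())
        else:  # "attr: <plain value>"
            value = rest.strip().encode()
        if name.lower() == "dn":
            dn = value.decode()
            status[dn] = "missing"
        elif name.lower() == "userpassword" and dn is not None:
            scheme = re.match(rb"\{([A-Za-z0-9_-]+)\}", value)
            status[dn] = scheme.group(1).decode().upper() if scheme else "no-scheme"
    return status

# Constructed sample of ldapsearch output; the hash is a placeholder and
# uid=nopw is a hypothetical entry with no userPassword attribute.
_B64 = base64.b64encode(b"{SSHA}constructed-placeholder-not-a-real-hash").decode()
SAMPLE = (
    "# ivan, users, accounts, example.com\n"
    "dn: uid=ivan,cn=users,cn=accounts,dc=example,dc=com\n"
    f"userPassword:: {_B64[:20]}\n {_B64[20:]}\n"   # value folded across two lines
    "\n"
    "dn: uid=nopw,cn=users,cn=accounts,dc=example,dc=com\n"
    "\n"
    "search: 2\nresult: 0 Success\n"
)

if __name__ == "__main__":
    for entry, state in password_status(SAMPLE).items():
        print(entry, "->", state)
```

An entry reported as "missing" has no value for a simple bind to be checked against.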



