5

I've got Apache 2.4 running on Windows Server 2012.

I've got mod_authnz_ldap working except if users put a blank username. This results in a 500 internal server error.

This is the entry in httpd.conf for the "staff" area...

```
<Location "/staff">
    AuthType Basic
    AuthName "Staff Area"
    LDAPReferrals Off
    AuthBasicProvider ldap
    AuthUserFile /dev/null
    AuthLDAPBindDN Administrator@school.com.au
    AuthLDAPBindPassword MyPassword
    AuthLDAPURL "ldap://server-dc1:389/ou=DomainUsers,dc=school,dc=com,dc=au?sAMAccountName?sub"
    Require ldap-group cn=staff,ou=staff,ou=DomainUsers,dc=school,dc=com,dc=au
</Location>
```

Anything obvious that I'm missing? Does anyone else use mod_authnz_ldap? Does your server not like blank usernames?

Pierre.Vriens
jpgorton
  • The last two lines in my error.log are...

```
[Mon Jan 20 11:41:43.965316 2014] [authnz_ldap:debug] [pid 2084:tid 956] mod_authnz_ldap.c(500): [client 10.129.201.3:51427] AH01691: auth_ldap authenticate: using URL ldap://server-dc1:389/ou=DomainUsers,dc=school,dc=com,dc=au?sAMAccountName?sub
[Mon Jan 20 11:41:43.965316 2014] [authnz_ldap:info] [pid 2084:tid 956] [client 10.129.201.3:51427] AH01695: auth_ldap authenticate: user authentication failed; URI /staff/ [ldap_search_ext_s() for user failed][Filter Error]
```

    – jpgorton Jan 20 '14 at 01:04
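
To see how often this failure occurs and from which clients, the AH01695 entries can be pulled out of error.log. The Python sketch below is an added example, not part of the original post; it assumes the default Apache 2.4 error log layout shown in the comment above, and the third sample line (client 192.0.2.10) is constructed for contrast.

```python
import re
from collections import Counter
from datetime import datetime

# Default Apache 2.4 error log layout, as in the lines quoted in the comment.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[\w.-]*):(?P<level>\w+)\] "
    r"\[pid \d+(?::tid \d+)?\] "
    r"(?:\S+\(\d+\): )?"  # source file(line), present on debug entries
    r"\[client (?P<ip>[^\]]+):\d+\] "
    r"(?P<code>AH\d{5}): (?P<msg>.*)$"
)
# AH01695 tail: "URI <uri> [<failed LDAP call>][<LDAP error text>]"
FAIL_RE = re.compile(r"URI (?P<uri>\S+) \[(?P<call>[^\]]*)\]\[(?P<reason>[^\]]*)\]")

# First two lines are from the page; the third is constructed for contrast.
SAMPLE_LOG = """\
[Mon Jan 20 11:41:43.965316 2014] [authnz_ldap:debug] [pid 2084:tid 956] mod_authnz_ldap.c(500): [client 10.129.201.3:51427] AH01691: auth_ldap authenticate: using URL ldap://server-dc1:389/ou=DomainUsers,dc=school,dc=com,dc=au?sAMAccountName?sub
[Mon Jan 20 11:41:43.965316 2014] [authnz_ldap:info] [pid 2084:tid 956] [client 10.129.201.3:51427] AH01695: auth_ldap authenticate: user authentication failed; URI /staff/ [ldap_search_ext_s() for user failed][Filter Error]
[Mon Jan 20 11:42:10.120000 2014] [authnz_ldap:info] [pid 2084:tid 960] [client 192.0.2.10:40112] AH01695: auth_ldap authenticate: user authentication failed; URI /staff/ [ldap_simple_bind() to check user credentials failed][Invalid credentials]
"""

def parse_auth_failures(lines):
    """Yield one dict per AH01695 (LDAP user authentication failed) entry."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["code"] != "AH01695":
            continue
        f = FAIL_RE.search(m["msg"])
        if f:
            yield {
                "time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y"),
                "client": m["ip"],
                "uri": f["uri"],
                "call": f["call"],      # which LDAP step failed (search vs. bind)
                "reason": f["reason"],  # LDAP error text, e.g. "Filter Error"
            }

def summarize(lines):
    """Count failures per (client, reason) so search errors stand apart from bad passwords."""
    return Counter((e["client"], e["reason"]) for e in parse_auth_failures(lines))

if __name__ == "__main__":
    for (client, reason), n in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{client:15} {reason:20} {n}")
```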

1 Answer

5

I just had to add...

```
AuthLDAPBindAuthoritative off
```

I'm not 100% sure why this is. Perhaps something to do with mod_authnz_ldap passing the auth on to somewhere else? But it works.

Hope this helps someone.

jpgorton
  • I encountered this same issue, except I was using the AuthLDAPInitialBindAsUser feature, and this fix also worked for me. [Here is another post about the same error](https://unix.stackexchange.com/questions/483530/mod-authnz-ldap-using-authldapinitialbindasuser-encountering-obscure-internal). I think it is an Apache bug, but at least this works around the issue. – Connor McKay Jul 17 '20 at 18:19