httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 40926] New: - require ldap-group doesn't seem to work as exposed in the doc.
Date Wed, 08 Nov 2006 16:49:09 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40926>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=40926

           Summary: require ldap-group doesn't seem to work as exposed in
                    the doc.
           Product: Apache httpd-2
           Version: 2.2.3
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: regression
          Priority: P3
         Component: mod_authz_ldap
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: christophe.gravier@univ-st-etienne.fr


Upgrading from 2.0.55 to 2.2.3, I read the doc about the new authentication and
authorization layers.

As I have some web areas protected regarding membership to a ldap group, I
wanted to upgrade my configuration for those areas to be reachable again.

I successfully configured a protection for a list of ldap users ("require
ldap-user" directive). I was also able to let any user of the directory in, using
the old "require user" and setting "AuthzLDAPAuthoritative" to off.

As I think I get the new architecture well, I went through the configuration of
ldap group based authentication, using the "require ldap-group" directive.

Nevertheless, this is not working. I followed the doc. No message in error.log
though (of course, I got some messages if I enter a bad password for example,
but nothing if my login/pass are ok).

It seems that I am authenticated but not authorized (Obviously Apache can't
check my group membership against the directory).

I thought I was misunderstanding something so I asked on the user mailing list.
After some days, nobody ever succeeded in using the "require ldap-group" directive
(at least nobody answered). So I chose to file a bug report, as proposed on the user
support page of the web site.

My configuration is the following:
<Location "/DevDSI_trac">
       SetEnv TRAC_ENV "/var/trac/DevDSI"
       AuthType Basic
       AuthName "DevDSI trac"
       AuthBasicProvider ldap
       AuthLDAPURL ldap://ist-guizay.univ-st-etienne.fr:389/ou=person,o=istase,c=fr?uid?sub?(objectClass=*)
       require ldap-group cn=satin,ou=groups,o=istase,c=fr
</Location>

I am in the object with dn "cn=satin,ou=groups,o=istase,c=fr", which is a
groupOfUniqueNames declared as follows:

dn: cn=satin,ou=groups,o=istase,c=fr
objectClass: groupOfUniqueNames
uniqueMember: uid=gravier.christophe,ou=person,o=istase,c=fr
uniqueMember: etc.... 

Consequently the default AuthLDAP group config is fine for me, and I don't need to
change:
- AuthLDAPGroupAttribute, as it is uniqueMember in my case, part of {member,
uniqueMember}
- AuthLDAPGroupAttributeIsDN, as it is "on" by default (the uniqueMember and
member attributes of a group are supposed to be DNs by default, and that is the case
on my directory).

My loaded modules are:
ls -l /etc/apache2/mods-enabled/ | awk '{print $8}'
alias.load, auth_basic.load, authn_file.load, authnz_ldap.load, authz_host.load,
authz_owner.load, authz_user.load, autoindex.load, cgi.load, dav.load,
dav_svn.load, dir.load, env.load, ldap.load, mime.load, negotiation.load,
php4.conf, php4.load, status.load

I am running Apache 2.2.3 on a Debian etch (testing) up to date.

Feel free to contact me if you need additional information.

Regards.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

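Added example, not part of the bug report and not httpd's own code: an offline model of the membership test behind "require ldap-group" as the reporter describes the directives. After authentication, mod_authnz_ldap knows both the login name and the DN found by the AuthLDAPURL search; with AuthLDAPGroupAttributeIsDN on (the default) it compares the user's DN against the AuthLDAPGroupAttribute values (default: member and uniqueMember), with it off it compares the login name. Real httpd hands that comparison to the directory as an LDAP compare operation; this model does a local, normalized string comparison, which only approximates the server's DN matching rules. The group DN and the reporter's member DN are taken from the report; the second uniqueMember, the posixGroup entry and the function names are constructed for the example.

```python
from typing import Dict, List, Sequence

# Group entry in LDIF. Group DN and first member as in the report; the second
# member is constructed.
GROUP_OF_UNIQUE_NAMES = """\
dn: cn=satin,ou=groups,o=istase,c=fr
objectClass: groupOfUniqueNames
uniqueMember: uid=gravier.christophe,ou=person,o=istase,c=fr
uniqueMember: uid=example.user,ou=person,o=istase,c=fr
"""

# Constructed posixGroup: members are plain uid values, not DNs.
POSIX_GROUP = """\
dn: cn=satin-posix,ou=groups,o=istase,c=fr
objectClass: posixGroup
memberUid: gravier.christophe
memberUid: example.user
"""


def parse_ldif_entry(ldif: str) -> Dict[str, List[str]]:
    """Parse one simple LDIF entry into {attribute (lowercased): [values]}.
    LDAP attribute names are case-insensitive, hence the lowercasing.
    Base64 (::) values and continuation lines are out of scope here."""
    attrs: Dict[str, List[str]] = {}
    for raw in ldif.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing DNs: attribute types lowercased, blanks
    around '=' and ',' dropped, values lowercased (uid and cn use
    caseIgnoreMatch). Escaped commas in values are not handled (simplified)."""
    rdns = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.partition("=")
        rdns.append(attr_type.strip().lower() + "=" + " ".join(value.split()).lower())
    return ",".join(rdns)


def is_group_member(
    group_entry: Dict[str, List[str]],
    user_dn: str,
    username: str,
    group_attributes: Sequence[str] = ("member", "uniqueMember"),
    attribute_is_dn: bool = True,
) -> bool:
    """Model of the "require ldap-group" decision. group_attributes mirrors
    AuthLDAPGroupAttribute and attribute_is_dn mirrors AuthLDAPGroupAttributeIsDN.
    True if any listed attribute of the group holds the user's DN (or, with
    attribute_is_dn off, the user's login name)."""
    for attr in group_attributes:
        for value in group_entry.get(attr.lower(), []):
            if attribute_is_dn:
                if normalize_dn(value) == normalize_dn(user_dn):
                    return True
            elif value.lower() == username.lower():
                return True
    return False


def check_reporter_setup() -> Dict[str, bool]:
    """Evaluate the reporter's DN and login against both group styles under
    the relevant directive combinations; keys name the combination."""
    user_dn = "uid=gravier.christophe,ou=person,o=istase,c=fr"
    username = "gravier.christophe"
    gun = parse_ldif_entry(GROUP_OF_UNIQUE_NAMES)
    posix = parse_ldif_entry(POSIX_GROUP)
    return {
        # Defaults, as in the report: uniqueMember holds DNs, IsDN on.
        "groupOfUniqueNames/defaults": is_group_member(gun, user_dn, username),
        # IsDN off against DN-valued members: a login name never equals a DN.
        "groupOfUniqueNames/IsDN off": is_group_member(
            gun, user_dn, username, attribute_is_dn=False),
        # posixGroup needs AuthLDAPGroupAttribute memberUid and IsDN off.
        "posixGroup/memberUid+IsDN off": is_group_member(
            posix, user_dn, username, ("memberUid",), False),
        # posixGroup with the defaults: no member/uniqueMember attribute at all.
        "posixGroup/defaults": is_group_member(posix, user_dn, username),
    }


if __name__ == "__main__":
    for name, ok in check_reporter_setup().items():
        print(f"{name:32} -> {'authorized' if ok else 'denied'}")
```

The two "denied" rows are the misconfigurations a practitioner checks first when "require ldap-group" authenticates but does not authorize: AuthLDAPGroupAttributeIsDN off while the group stores DNs, or a posixGroup-style group (memberUid) left on the default member/uniqueMember attribute list. The reporter's combination (DN-valued uniqueMember with the defaults) is the one the model accepts, so this check alone does not explain the report.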