httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 47676] New: mod_authnz_ldap successful authorization passed through to mod_authz_groupfile
Date Tue, 11 Aug 2009 15:57:24 GMT

           Summary: mod_authnz_ldap successful authorization passed
                    through to mod_authz_groupfile
           Product: Apache httpd-2
           Version: 2.2.12
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_authz_ldap

--- Comment #0 from Holger Dippel <> 2009-08-11 08:57:22 PDT
I am attempting to use a combination of CAS, LDAP, and local group files for
authentication and authorization.

mod_auth_cas (from JSIG) is loaded dynamically, mod_ldap, mod_authnz_ldap,
mod_authz_groupfile are compiled into our custom build of Apache.

The .htaccess file looks like this:

AuthType CAS
AuthName "Auth Test"
AuthGroupFile /path/to/groupfile/.groups
AuthLDAPUrl ldap://...?uid?sub
AuthzLDAPAuthoritative off
Require ldap-user userone
Require group testing

The .groups file looks like this:

testing: usertwo

CAS authentication is successful for both users, but userone is denied access
with a 401 Authorization Required. The error log says:

"Authorization of user userone to access ... failed, reason: user doesn't
appear in group file (/path/to/groupfile/.groups)"

usertwo is granted access without any problems based on the group file.

I've tried adding filters to the AuthLDAPUrl directive, and different Require
ldap-... directives, with and without a Satisfy Any, but this behavior is
consistently the same.

The mod_authnz_ldap documentation seems to indicate under the
AuthzLDAPAuthoritative directive that authorization is only passed to a
lower-level module (mod_authz_groupfile in this case) if it fails with LDAP.

The actual behavior is that it is always passed on.

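As an added illustration (not part of the original report and not Apache code), the sketch below models the two behaviours the report contrasts, using the .htaccess and .groups contents quoted in the message. It assumes the LDAP lookup succeeds exactly for the user named in "Require ldap-user"; all function names are hypothetical.

```python
# Toy model of the authorization outcomes described in the report.
# Inputs are constructed from the report's .htaccess and .groups contents.
HTACCESS = """\
AuthzLDAPAuthoritative off
Require ldap-user userone
Require group testing
"""
GROUPFILE = "testing: usertwo\n"
GRANT, DECLINE, DENY = "grant", "decline", "deny"

def parse_requires(text):
    """Return {kind: set(args)} for each 'Require <kind> <args...>' line."""
    reqs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].lower() == "require":
            reqs.setdefault(parts[1].lower(), set()).update(parts[2:])
    return reqs

def parse_groups(text):
    """Parse 'group: member member ...' lines into {group: set(members)}."""
    groups = {}
    for line in text.splitlines():
        name, sep, members = line.partition(":")
        if sep and name.strip():
            groups.setdefault(name.strip(), set()).update(members.split())
    return groups

def ldap_check(user, reqs):
    # Assumption: 'Require ldap-user X' succeeds exactly for username X.
    return GRANT if user in reqs.get("ldap-user", ()) else DECLINE

def group_check(user, reqs, groups):
    wanted = reqs.get("group", set())
    if any(user in groups.get(g, ()) for g in wanted):
        return GRANT
    return DENY if wanted else DECLINE

def authorize(user, always_pass_on):
    """always_pass_on=False: documented reading (group file consulted only
    when LDAP does not grant). True: the behaviour the report describes."""
    reqs, groups = parse_requires(HTACCESS), parse_groups(GROUPFILE)
    ldap = ldap_check(user, reqs)
    if ldap == GRANT and not always_pass_on:
        return GRANT
    result = group_check(user, reqs, groups)
    if result == DECLINE:  # no group requirement: the LDAP verdict stands
        result = ldap
    return GRANT if result == GRANT else DENY

if __name__ == "__main__":
    for user in ("userone", "usertwo"):
        print(user, authorize(user, False), authorize(user, True))
```

The two columns printed per user are the expected result under the documented reading and the result the report observed; only userone differs, which makes it the case to pin in a regression test of this configuration.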