Return-Path: Delivered-To: apmail-httpd-bugs-archive@www.apache.org Received: (qmail 44244 invoked from network); 11 Aug 2009 15:57:43 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 11 Aug 2009 15:57:43 -0000 Received: (qmail 82459 invoked by uid 500); 11 Aug 2009 15:57:49 -0000 Delivered-To: apmail-httpd-bugs-archive@httpd.apache.org Received: (qmail 82375 invoked by uid 500); 11 Aug 2009 15:57:49 -0000 Mailing-List: contact bugs-help@httpd.apache.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: Reply-To: "Apache HTTPD Bugs Notification List" List-Id: Delivered-To: mailing list bugs@httpd.apache.org Received: (qmail 82363 invoked by uid 99); 11 Aug 2009 15:57:49 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 11 Aug 2009 15:57:49 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.140] (HELO brutus.apache.org) (140.211.11.140) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 11 Aug 2009 15:57:46 +0000 Received: by brutus.apache.org (Postfix, from userid 33) id 1A355234C045; Tue, 11 Aug 2009 08:57:24 -0700 (PDT) From: bugzilla@apache.org To: bugs@httpd.apache.org Subject: DO NOT REPLY [Bug 47676] New: mod_authnz_ldap successful authorization passed through to mod_authz_groupfile X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Apache httpd-2 X-Bugzilla-Component: mod_authz_ldap X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: holger.dippel@umassd.edu X-Bugzilla-Status: NEW X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: bugs@httpd.apache.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Changed-Fields: Message-ID: X-Bugzilla-URL: https://issues.apache.org/bugzilla/ Auto-Submitted: auto-generated Content-Type: text/plain; charset="UTF-8" MIME-Version: 1.0 Date: Tue, 11 Aug 2009 08:57:24 -0700 (PDT) X-Virus-Checked: Checked by ClamAV on apache.org https://issues.apache.org/bugzilla/show_bug.cgi?id=47676 Summary: mod_authnz_ldap successful authorization passed through to mod_authz_groupfile Product: Apache httpd-2 Version: 2.2.12 Platform: PC OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: mod_authz_ldap AssignedTo: bugs@httpd.apache.org ReportedBy: holger.dippel@umassd.edu --- Comment #0 from Holger Dippel 2009-08-11 08:57:22 PDT --- I am attempting to use a combination of CAS, LDAP, and local group files for authentication and authorization. mod_auth_cas (from JSIG) is loaded dynamically, mod_ldap, mod_authnz_ldap, mod_authz_groupfile are compiled into our custom build of Apache. The .htaccess file looks like this: AuthType CAS AuthName "Auth Test" AuthGroupFile /path/to/groupfile/.groups AuthLDAPUrl ldap://...?uid?sub AuthzLDAPAuthoritative off Require ldap-user userone Require group testing The .groups file looks like this: testing: usertwo CAS authentication is successful for both users, but userone is denied access with a 401 Authorization Required. The error log says: "Authorization of user userone to access ... failed, reason: user doesn't appear in group file (/path/to/groupfile/.groups)" usertwo is granted access without any problems based on the group file authorization. I've tried adding filters to the AuthLDAPUrl directive, and different Require ldap-... directives, with and with out a Satisfy Any, but this behavior is consistently the same. The mod_authnz_ldap documentation seems to indicate under the AuthzLDAPAuthoritative directive that authorization is only passed to a lower-level module (mod_authz_groupfile in this case) if it fails with LDAP. The actual behavior is that it is always passed on. -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org For additional commands, e-mail: bugs-help@httpd.apache.org