httpd-dev mailing list archives

From NormW <no...@bocnet.com.au>
Subject Re: Mod_Authnz_Ldap 'light on' for debug...
Date Sun, 06 Feb 2005 20:33:43 GMT
Good morning Graham,
...and thanks for the reply.
Kind of working from 2.0.x 'logic' but found I also needed:

Mod_Auth_Basic, and
Mod_Authz_User; this to use the 'normal' "require valid-user".

I tend to 'maximum' .conf files so that all settings are visible, but a 
friend sent me a working one and that did the trick! All I eventually 
did was add a flag (an Authoritative one but not sure anymore which), put 
the module load order the same as the working one and got mine going 
also. Once the 'wasted time' drifts into mental oblivion (happens faster 
these days) will see if the load order had any effect, so for now forget 
I mentioned that bit. One of my next goals will be to try and work out 
the authentication/authorisation process in 2.1 and write a book about 
it as it seems complicated enough to warrant it. Perhaps some diagrams 
will help too.

Thanks also for the log sample below... so will go back and check why I 
didn't get all that. I think it might have been the hours spent and the 
boxes just bein' ornery.

If there be a useful followup, "I'll be back...".
Regards,
Norm


Graham Leggett wrote:
> NormW wrote:
> 
>> Trying to ('trouble')shoot an authorisation issue with 
>> Mod_Authnz_Ldap, and find builtin 'assistance' somewhat sparse.
>>
>> I finally got the 4 needed modules loaded (bigger config samples would 
>> be _very_ useful),
> 
> 
> In theory only two modules are needed - mod_ldap and mod_authnz_ldap. 
> What are the other two?
> 
>> a network traffic sniffer says the LDAP server is giving back the 
>> right info, but all I get in the logs (debug mode) is:
>>
>> [debug] mod_authnz_ldap.c(365): [client <ip>] [1002] auth_ldap authenticate: using URL ldap://10.202.65.190/o=nwinc?cn
>>
>> [debug] mod_authnz_ldap.c(437): [client <ip>] [1002] auth_ldap authenticate: accepting admin
>>
>> [debug] mod_authnz_ldap.c(793): [client <ip>] [1002] auth_ldap authorise: authorisation denied
>>
>> Any chance of padding that sequence out please?
> 
> 
> The sequence is already debug traced in detail at the debug level. It 
> would help us more if you posted more detail on exactly what you're 
> trying to do (authentication, authorisation, or both) and what config 
> you have used so far.
> 
> This is an example of the trace generated by a successful authentication 
> and authorisation:
> 
> [Sun Feb 06 15:41:02 2005] [debug] mod_authnz_ldap.c(364): [client 127.0.0.1] [26793] auth_ldap authenticate: using URL ldaps://gatekeeper.xxx.co.za/dc=xxx,dc=co,dc=za?uid?sub
> [Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(436): [client 127.0.0.1] [26793] auth_ldap authenticate: accepting minfrin
> [Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(673): [client 127.0.0.1] [26793] auth_ldap authorise: require group: testing for group membership in "cn=xxx,ou=Groups,ou=xxx Randburg,dc=fma,dc=co,dc=za"
> [Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(678): [client 127.0.0.1] [26793] auth_ldap authorise: require group: testing for member: uid=minfrin,ou=People,ou=xxx Randburg,dc=xxx,dc=co,dc=za (cn=xxx,ou=Groups,ou=xxx Randburg,dc=xxx,dc=co,dc=za)
> [Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(686): [client 127.0.0.1] [26793] auth_ldap authorise: require group: authorisation successful (attribute member) [Comparison true (adding to cache)][Compare True]
> [Sun Feb 06 15:41:05 2005] [debug] mod_authnz_ldap.c(364): [client 127.0.0.1] [26793] auth_ldap authenticate: using URL ldaps://gatekeeper.xxx.co.za/dc=xxx,dc=co,dc=za?uid?sub
> [Sun Feb 06 15:41:05 2005] [debug] mod_authnz_ldap.c(436): [client 127.0.0.1] [26793] auth_ldap authenticate: accepting minfrin
> [Sun Feb 06 15:41:05 2005] [debug] mod_authnz_ldap.c(673): [client 127.0.0.1] [26793] auth_ldap authorise: require group: testing for group membership in "cn=xxx,ou=Groups,ou=xxx Randburg,dc=fma,dc=co,dc=za"
> [Sun Feb 06 15:41:05 2005] [debug] mod_authnz_ldap.c(678): [client 127.0.0.1] [26793] auth_ldap authorise: require group: testing for member: uid=minfrin,ou=People,ou=xxx Randburg,dc=xxx,dc=co,dc=za (cn=xxx,ou=Groups,ou=xxx Randburg,dc=xxx,dc=co,dc=za)
> [Sun Feb 06 15:41:05 2005] [debug] mod_authnz_ldap.c(686): [client 127.0.0.1] [26793] auth_ldap authorise: require group: authorisation successful (attribute member) [Comparison true (cached)][Compare True]
> [Sun Feb 06 15:41:05 2005] [error] [client 127.0.0.1] File does not exist: /usr/local/apache2/htdocs/favicon.ico
> 
> Regards,
> Graham
> -- 
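
An added example, not part of the original messages or of httpd itself: a small Python reader for the debug lines quoted in this thread. It pairs each `authenticate: accepting` line with the `authorise` outcome for the same client and process, and lists logins that were accepted and then denied along with any `require` checks logged in between. The sample lines are constructed, with placeholder hosts, DNs and user names.

```python
import re

# Layout taken from the traces quoted in this thread; the leading timestamp is optional.
LINE = re.compile(
    r"^(?:\[[^\]]+\] )?\[debug\] mod_authnz_ldap\.c\(\d+\): "
    r"\[client (?P<client>[^\]]+)\] \[(?P<pid>\d+)\] "
    r"auth_ldap (?P<phase>authenticate|authorise): (?P<msg>.*)$"
)

# Constructed sample input (hosts, DNs and user names are placeholders).
SAMPLE = """\
[debug] mod_authnz_ldap.c(365): [client 192.0.2.10] [1002] auth_ldap authenticate: using URL ldap://ldap.example.com/o=example?cn
[debug] mod_authnz_ldap.c(437): [client 192.0.2.10] [1002] auth_ldap authenticate: accepting alice
[debug] mod_authnz_ldap.c(793): [client 192.0.2.10] [1002] auth_ldap authorise: authorisation denied
[Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(364): [client 127.0.0.1] [26793] auth_ldap authenticate: using URL ldaps://ldap.example.com/dc=example,dc=com?uid?sub
[Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(436): [client 127.0.0.1] [26793] auth_ldap authenticate: accepting bob
[Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(673): [client 127.0.0.1] [26793] auth_ldap authorise: require group: testing for group membership in "cn=staff,ou=Groups,dc=example,dc=com"
[Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(686): [client 127.0.0.1] [26793] auth_ldap authorise: require group: authorisation successful (attribute member) [Comparison true (adding to cache)][Compare True]
[Sun Feb 06 15:41:05 2005] [error] [client 127.0.0.1] File does not exist: /usr/local/apache2/htdocs/favicon.ico
""".splitlines()

def summarise(lines):
    """Return one dict per request: client, user, require checks seen, outcome."""
    results, current = [], {}  # current maps (client, pid) to the request in progress
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a mod_authnz_ldap debug line
        key, msg = (m["client"], m["pid"]), m["msg"]
        if m["phase"] == "authenticate":
            if msg.startswith("using URL "):  # first line of a new request
                current[key] = {"client": m["client"], "user": None, "checks": [], "outcome": "incomplete"}
                results.append(current[key])
            elif msg.startswith("accepting ") and key in current:
                current[key]["user"] = msg[len("accepting "):]
                current[key]["outcome"] = "no authorise line"
        elif key in current:
            req = current[key]
            if "authorisation denied" in msg:
                req["outcome"] = "denied"
            elif "authorisation successful" in msg:
                req["outcome"] = "granted"
            else:
                req["checks"].append(msg)  # e.g. "require group: testing for ..."
    return results

def denied_after_login(results):
    """Requests where the bind was accepted but authorisation was refused."""
    return [r for r in results if r["user"] and r["outcome"] == "denied"]
```

A denied request whose `checks` list is empty matches the shape of the first trace in this thread, where no `require` test was logged between the accept and the denial.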

