httpd-dev mailing list archives

From "John D'Ausilio" <jdausi...@gmail.com>
Subject LDAP and subgroups
Date Tue, 04 Mar 2008 19:28:25 GMT
I've got a system that authenticates and authorizes against m$ active
directory. Everything was working fine with authnz_ldap until the
admins decided that they needed to add a subgroup to one of the groups
I use (and expect me to find people in it).

I did a build today from svn of the 2.3-HEAD to play around with the
new subgroup stuff. Got it all configured but I'm having some problems
that I believe may be a bug. Don't see anything in asf bugzilla, but
figured I'd bounce it here first ..

My login (jdausilio) is a member of a group (objectclass=group) named
foo. The group foo is a member of another group called bar. Apache is
configured to require membership in group bar, with subgroups
included:
 AuthType basic
 AuthBasicProvider ldap
 AuthName "bar group required"
 AuthLDAPBindDN "CN=someCN,OU=someOU,OU=IT,OU=AD_Users,DC=AD,DC=XXX,DC=com"
 AuthLDAPBindPassword aPassWord
 AuthLDAPGroupAttribute "member"
 AuthLDAPSubGroupClass "group"
 AuthLDAPSubGroupAttribute "member"
 AuthLDAPMaxSubGroupDepth 10
 AuthLDAPURL "ldap://ad.xxx.com:3268/DC=AD,DC=XXX,DC=com?sAMAccountName??(&(objectCategory=person)(objectClass=user))"
 Require ldap-group CN=bar,OU=Applications,OU=Resources,OU=Groups,DC=AD,DC=XXX,DC=com

The log (level=debug) appears to say that I've been authenticated
*and* authorized! (sorry about the wrapping)

mod_authnz_ldap.c(375): [client 10.5.131.52] [31275] auth_ldap authenticate: using URL ldap://ad.xxx.com:3268/DC=AD,DC=XXX,DC=com?sAMAccountName??(&(objectCategory=person)(objectClass=user))
mod_authnz_ldap.c(472): [client 10.5.131.52] [31275] auth_ldap authenticate: accepting jdausilio
mod_authnz_ldap.c(741): [client 10.5.131.52] [31275] auth_ldap authorize: require group: testing for group membership in "CN=bar,OU=Applications,OU=Resources,OU=Groups,DC=AD,DC=XXX,DC=com"
mod_authnz_ldap.c(747): [client 10.5.131.52] [31275] auth_ldap authorize: require group: testing for member: CN=D'Ausilio\\, John,OU=eDevlopment,OU=IT,OU=AD_Users,DC=AD,DC=XXX,DC=com (CN=bar,OU=Applications,OU=Resources,OU=Groups,DC=AD,DC=XXX,DC=com)
mod_authnz_ldap.c(763): [client 10.5.131.52] [31275] auth_ldap authorise: require group "CN=bar,OU=Applications,OU=Resources,OU=Groups,DC=AD,DC=XXX,DC=com": failed [Comparison false (cached)][5 - Compare False], checking sub-groups
util_ldap.c(1241): [client 10.5.131.52] [31275] util_ldap: Making local copy of SGL for group (CN=bar,OU=Applications,OU=Resources,OU=Groups,DC=AD,DC=XXX,DC=com)(objectClass=group)
util_ldap.c(1378): [client 10.5.131.52] [31275] util_ldap: Found user jdausilio in a subgroup (CN=foo,OU=Distribution Lists,DC=AD,DC=XXX,DC=com) at level 1 of 10.
mod_authnz_ldap.c(774): [client 10.5.131.52] [31275] auth_ldap authorise: require group (sub-group): authorisation successful (attribute member) [Comparison true (cached)][6 - Compare True]
[client 10.5.131.52] user jdausilio: authorization failure for "/index.html":

It appears to me that it should be letting me in, but it's not. Before
filing a bug .. is this all sane?

jd
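As an added illustration (not from the original post, and not httpd's own code), the following Python models the nested-group walk the log above describes: a direct `member` check on the required group, then a search of its sub-groups (entries of the configured sub-group class) level by level up to `AuthLDAPMaxSubGroupDepth`. The directory is a constructed in-memory stand-in for AD with shortened DNs; the extra `foo -> bar` back-reference is assumed, to show that a cyclic nesting must not loop.

```python
from typing import Dict, List, Optional, Tuple

# Constructed in-memory directory standing in for AD; DNs shortened for readability.
BAR_DN = "CN=bar,OU=Groups,DC=AD,DC=XXX,DC=com"
FOO_DN = "CN=foo,OU=Distribution Lists,DC=AD,DC=XXX,DC=com"
USER_DN = "CN=D'Ausilio\\, John,OU=eDevlopment,OU=IT,OU=AD_Users,DC=AD,DC=XXX,DC=com"
ADMIN_DN = "CN=Some Admin,OU=IT,DC=AD,DC=XXX,DC=com"
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    BAR_DN: {"objectClass": ["group"], "member": [FOO_DN, ADMIN_DN]},  # bar -> foo, admin
    FOO_DN: {"objectClass": ["group"], "member": [USER_DN, BAR_DN]},   # foo -> user, bar (cycle, assumed)
    USER_DN: {"objectClass": ["user"]},
    ADMIN_DN: {"objectClass": ["user"]},
}

def is_direct_member(directory, group_dn: str, user_dn: str, member_attr: str) -> bool:
    """AuthLDAPGroupAttribute check: is user_dn a value of the group's member attribute?"""
    return user_dn in directory.get(group_dn, {}).get(member_attr, [])

def subgroups_of(directory, group_dn: str, subgroup_attr: str, subgroup_class: str) -> List[str]:
    """Sub-group list: member values whose own entry carries the AuthLDAPSubGroupClass."""
    return [dn for dn in directory.get(group_dn, {}).get(subgroup_attr, [])
            if subgroup_class in directory.get(dn, {}).get("objectClass", [])]

def ldap_group_authorize(directory, user_dn: str, group_dn: str, max_depth: int = 10,
                         member_attr: str = "member", subgroup_class: str = "group",
                         subgroup_attr: str = "member") -> Optional[Tuple[str, int]]:
    """Model of 'Require ldap-group' with sub-group search.
    Returns (group DN where the user was found, nesting level) or None.
    Level 0 is direct membership; levels 1..max_depth mirror AuthLDAPMaxSubGroupDepth.
    Visited groups are remembered so cyclic nesting (foo -> bar -> foo) cannot loop."""
    if is_direct_member(directory, group_dn, user_dn, member_attr):
        return group_dn, 0
    seen, frontier = {group_dn}, [group_dn]
    for level in range(1, max_depth + 1):
        next_frontier: List[str] = []
        for g in frontier:
            for sg in subgroups_of(directory, g, subgroup_attr, subgroup_class):
                if sg in seen:
                    continue
                seen.add(sg)
                if is_direct_member(directory, sg, user_dn, member_attr):
                    return sg, level
                next_frontier.append(sg)
        if not next_frontier:      # no deeper groups left to search
            return None
        frontier = next_frontier
    return None                    # depth limit reached without a match
```

With the constructed data, `ldap_group_authorize(DIRECTORY, USER_DN, BAR_DN)` returns `(FOO_DN, 1)`, the same "found in a subgroup at level 1" outcome the log reports, while `max_depth=0` (sub-group search disabled) denies the same user.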
