httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christophe Gravier <christophe.grav...@univ-st-etienne.fr>
Subject [users@httpd] Require ldap-group directive issue in Apache 2.2
Date Mon, 06 Nov 2006 12:41:14 GMT
Hello,

Regarding new Apache 2.2 authentification and authorization layers, 
especially ldap-group ( 
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqgroup ), I 
wanted to build authentification and authorization based on ldap group 
membership.

I build my directive the same way as those man pages, that means:

<Location "/DevDSI_trac">
        SetEnv TRAC_ENV "/var/trac/DevDSI"
        AuthType Basic
        AuthName "DevDSI trac"
        AuthBasicProvider ldap
        AuthLDAPURL 
ldap://ist-guizay.univ-st-etienne.fr:389/ou=person,o=istase,c=fr?uid?sub?(objectClass=*)
        require ldap-group cn=satin,ou=groups,o=istase,c=fr
</Location>

This is not working. I did check that ldap-group contains no typo.
AuthLDAPURL is ok since I can make it my identification working with 
"require ldap-user" directive.
I also make it working by setting AuthzLDAPAuthoritative  to off for 
"require valid-user" directive (but this is not ldap group based 
authorization of course).

Moreover, my group is declared as follow in my openldap directory:
dn: cn=satin,ou=groups,o=istase,c=fr
objectClass: groupOfUniqueNames
uniqueMember: uid=gravier.christophe,ou=person,o=istase,c=fr
uniqueMember: etc....

So, when I try to log in the web area, I receive a "401 Authorization 
required". There's no trace in error log (I got a trace if I enter a bad 
password though).
This means I successfully go through auth type and authentication layers 
but not through authorization (but no error message in error.log !).

My loaded modules are:
ls -l /etc/apache2/mods-enabled/ | awk '{print $8}'
alias.load, auth_basic.load, authn_file.load, authnz_ldap.load, 
authz_host.load, authz_owner.load, authz_user.load, autoindex.load, 
cgi.load, dav.load, dav_svn.load, dir.load, env.load, ldap.load, 
mime.load, negotiation.load, php4.conf, php4.load, status.load

I think I understand the new architecture well because I clearly made 
"ldap-user" and "valid-user without ldap authoritative" working. But 
there's something for ldap-group I can't figure out for a couple of 
days; that's why I decided to ask on this mailing list.

Does anyone have an idea please on my configuration ? I can post info if 
needed ....
Or at least, does anyone have a configuration working with ldap based on 
groups ?

Thank you in advance,

Regards.

-- 
Christophe Gravier
Laboratoire DIOM, équipe SATIn - Doctorant http://portail-istase.univ-st-etienne.fr/diom/FRA/Satin.php
ISTASE - Ingénieur d'études http://www.istase.com
Perso: http://portail-istase.univ-st-etienne.fr/diom/public/cgravier/


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message