httpd-users mailing list archives

From Christophe Gravier <>
Subject Re: [users@httpd] Require ldap-group directive issue in Apache 2.2
Date Tue, 07 Nov 2006 10:24:11 GMT

Is nobody using LDAP-based authentication and authorization based on 
groups?

I mean, I have been testing it for some days and I can't figure out the 
problem. I really think I'm compliant with the 2.2 doc (for example, require 
ldap-user is working and I don't see much difference with require ldap-group).

Has anybody succeeded in building such a configuration?
If nobody has, I'll file a bug report ... (which is not necessary if 
someone has ever succeeded ;-)).

Thank you in advance,

Best Regards,

Christophe Gravier wrote:
> Hello,
> Regarding the new Apache 2.2 authentication and authorization layers, 
> especially ldap-group ( 
> ), 
> I wanted to build authentication and authorization based on LDAP 
> group membership.
> I built my directives the same way as those man pages, that is:
> <Location "/DevDSI_trac">
>        SetEnv TRAC_ENV "/var/trac/DevDSI"
>        AuthType Basic
>        AuthName "DevDSI trac"
>        AuthBasicProvider ldap
>        AuthLDAPURL ldap://,o=istase,c=fr?uid?sub?(objectClass=*)
>        require ldap-group cn=satin,ou=groups,o=istase,c=fr
> </Location>
> This is not working. I did check that ldap-group contains no typo.
> AuthLDAPURL is OK since I can make my identification work with the 
> "require ldap-user" directive.
> I also made it work by setting AuthzLDAPAuthoritative to off for the 
> "require valid-user" directive (but this is not LDAP group based 
> authorization of course).
> Moreover, my group is declared as follows in my OpenLDAP directory:
> dn: cn=satin,ou=groups,o=istase,c=fr
> objectClass: groupOfUniqueNames
> uniqueMember: uid=gravier.christophe,ou=person,o=istase,c=fr
> uniqueMember: etc....
> So, when I try to log in to the web area, I receive a "401 Authorization 
> required". There's no trace in the error log (I get a trace if I enter a 
> bad password though).
> This means I successfully go through the auth type and authentication 
> layers but not through authorization (but no error message in 
> error.log!).
> My loaded modules are:
> ls -l /etc/apache2/mods-enabled/ | awk '{print $8}'
> alias.load, auth_basic.load, authn_file.load, authnz_ldap.load, 
> authz_host.load, authz_owner.load, authz_user.load, autoindex.load, 
> cgi.load, dav.load, dav_svn.load, dir.load, env.load, ldap.load, 
> mime.load, negotiation.load, php4.conf, php4.load, status.load
> I think I understand the new architecture well because I clearly got 
> "ldap-user" and "valid-user without ldap authoritative" working. But 
> there's something about ldap-group I haven't been able to figure out for 
> a couple of days; that's why I decided to ask on this mailing list.
> Does anyone have an idea about my configuration, please? I can post more 
> info if needed ....
> Or at least, does anyone have a working configuration with LDAP based 
> on groups?
> Thank you in advance,
> Regards.

Christophe Gravier
Laboratoire DIOM, équipe SATIn - Doctorant
ISTASE - Ingénieur d'études
