httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christophe Gravier <christophe.grav...@univ-st-etienne.fr>
Subject Re: [users@httpd] Require ldap-group directive issue in Apache 2.2
Date Tue, 07 Nov 2006 10:24:11 GMT
Hello,

Nobody is using ldap based authentication and authorization, based on 
group ?

I mean I am testing it for some days and I can't figure out the problem. 
I really think I'm compliant with the 2.2 doc (for example require 
ldap-user is working and I don't much difference with require ldap-group 
...)

Does anybody succeeded in building such a configuration ?
If nobody did, I'll fill a bug report ... (Which is not necessary if 
someone ever succeed ;-)).

Thank you in advance,

Best Regards,

Christophe Gravier a écrit :
> Hello,
>
> Regarding new Apache 2.2 authentification and authorization layers, 
> especially ldap-group ( 
> http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqgroup ), 
> I wanted to build authentification and authorization based on ldap 
> group membership.
>
> I build my directive the same way as those man pages, that means:
>
> <Location "/DevDSI_trac">
>        SetEnv TRAC_ENV "/var/trac/DevDSI"
>        AuthType Basic
>        AuthName "DevDSI trac"
>        AuthBasicProvider ldap
>        AuthLDAPURL 
> ldap://ist-guizay.univ-st-etienne.fr:389/ou=person,o=istase,c=fr?uid?sub?(objectClass=*)

>
>        require ldap-group cn=satin,ou=groups,o=istase,c=fr
> </Location>
>
> This is not working. I did check that ldap-group contains no typo.
> AuthLDAPURL is ok since I can make it my identification working with 
> "require ldap-user" directive.
> I also make it working by setting AuthzLDAPAuthoritative  to off for 
> "require valid-user" directive (but this is not ldap group based 
> authorization of course).
>
> Moreover, my group is declared as follow in my openldap directory:
> dn: cn=satin,ou=groups,o=istase,c=fr
> objectClass: groupOfUniqueNames
> uniqueMember: uid=gravier.christophe,ou=person,o=istase,c=fr
> uniqueMember: etc....
>
> So, when I try to log in the web area, I receive a "401 Authorization 
> required". There's no trace in error log (I got a trace if I enter a 
> bad password though).
> This means I successfully go through auth type and authentication 
> layers but not through authorization (but no error message in 
> error.log !).
>
> My loaded modules are:
> ls -l /etc/apache2/mods-enabled/ | awk '{print $8}'
> alias.load, auth_basic.load, authn_file.load, authnz_ldap.load, 
> authz_host.load, authz_owner.load, authz_user.load, autoindex.load, 
> cgi.load, dav.load, dav_svn.load, dir.load, env.load, ldap.load, 
> mime.load, negotiation.load, php4.conf, php4.load, status.load
>
> I think I understand the new architecture well because I clearly made 
> "ldap-user" and "valid-user without ldap authoritative" working. But 
> there's something for ldap-group I can't figure out for a couple of 
> days; that's why I decided to ask on this mailing list.
>
> Does anyone have an idea please on my configuration ? I can post info 
> if needed ....
> Or at least, does anyone have a configuration working with ldap based 
> on groups ?
>
> Thank you in advance,
>
> Regards.
>


-- 
Christophe Gravier
Laboratoire DIOM, équipe SATIn - Doctorant http://portail-istase.univ-st-etienne.fr/diom/FRA/Satin.php
ISTASE - Ingénieur d'études http://www.istase.com
Perso: http://portail-istase.univ-st-etienne.fr/diom/public/cgravier/


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message