httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Todd Nine" <todd.n...@gmail.com>
Subject Re: [users@httpd] help with mod_authz_ldap
Date Tue, 20 Mar 2007 14:43:23 GMT
Hi Gaël,
 I'm a bit of an LDAP noob from the administrative side, I've only connected
and queried information from Java Applications.  I've installed OpenLDAP on
CentOS 4.3, I'm connecting to LDAP from a Fedora 6 box with Apache 2.2.  I
have it partially working thanks to your response!  I missed the
"AuthzLDAPAuthoritative
directive be set to off" for require valid-user.  I have the following
configuration and it now works for all employee access, but I want to limit
it to only developers.  The posix group "developers" path is below
cn=development,ou=Groups,dc=arocksoftware,dc=comThe member attribute in the
development group is "memberUid" for the user id of all members

I tried change the config below to the following parameters, and it won't
authenticate with the require group on.  If I comment out the group
directive and just go with require valid user, it works.  Can I get any help
on what's wrong with my group query string?

Thanks,
Todd


Working Starting point
<Location />
   DAV svn
   SVNParentPath /srv/svnrepos

   # Limit write permission to list of valid users.
   # Require SSL connection for password protection.
   # SSLRequireSSL

   #Admin binding
   AuthLDAPBindDN {admin dn removed}
   AuthLDAPBindPassword {admin password removed}
   AuthzLDAPAuthoritative off

   #Default Search String
   AuthLDAPURL
ldap://ldap:389/ou=Employees,ou=People,dc=arocksoftware,dc=com?uid

   #require a member of the dev group
   AuthLDAPGroupAttribute memberUid
   require ldap-group cn=development,ou=Groups,dc=arocksoftware,dc=com
   #Require valid-user

</Location>




On 3/20/07, Gaël Lams <lamsgael@gmail.com> wrote:
>
> On 3/20/07, Todd Nine <todd.nine@gmail.com> wrote:
> > Hi all,
> >   I'm having a bit of trouble getting mod_authz_ldap to work.  I have my
> OU
> > layout and my posix groups layout included.  I'm simply trying to
> > authenticate the user "tnine" against the group
> >  cn=development,ou=Groups,dc=arocksoftware,dc=com
> >
> >
> >  I receive the following error, so I'm obviously not getting authorized
> >
> > auth_ldap authenticate: user tnine authentication failed; URI
> /vcproject/
> > [ldap_search_ext_s() for user failed][No such object]
> >
> >
> >  I have the following settings in my authorization directive.  But I
> have
> > several questions.  Any help would be greatly appreciated.
> >
> > 1. I'm using a posixGroup, is that not possible?
> > 2. I have set the log level to debug, but I only get the above line in
> the
> > error_log.  I'd like to see the query string its issuing, is that
> possible?
> > 3. I thought that by setting the AuthLDAPGroupAttribute it would find my
> > username and authenticate me, is that not correct?
>
> I personally always look on the ldap back-end side to see the query
> string being issued. Which ldap directory are you using
>
> Before working with a group, do you have the ldap authentication
> working for a single user?
>
> "require valid-user" directive requires that mod_authz_user be loaded
> and that the AuthzLDAPAuthoritative directive be set to off but you
> have it set to off
> (http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqvaliduser).
>
> AuthLDAPGroupAttribute specifies which LDAP attributes are used to
> check for group membership.
> The require directives are used during the authorization phase: are
> you sure you're right in specifying both require valid-user and
> require ldap-group? As said a few lines below, require valid-user
> require an additional authorization modules (mod_authz_user). Why
> don't use only require ldap-group? This whay you could let
> "AuthzLDAPAuthoritative On"?
>
> Regards,
>
> Gaël
>

Mime
View raw message