httpd-users mailing list archives

From Tony Stevenson <t...@pc-tony.com>
Subject Re: [users@httpd] LDAP authentication question
Date Tue, 23 Dec 2008 22:34:47 GMT
Arkadiy,

Take a look at this
http://httpd.apache.org/docs/trunk/mod/mod_authn_core.html

You can create multiple authentication mechanisms, one for each sub-tree 
perhaps, and then alias them.


Cheers,
Tony




On 23/12/2008 19:49, Arkadiy Goykhberg wrote:
> Our LDAP Active Directory tree looks like this:
>
> DC=mycompany,DC=COM
>   -OU=Accounts
>     -OU=Usernames
>       -OU=Finance&Administration
>       -OU=Security
>       -....
>     -OU=Generic accounts
> -DC=sng,DC=mycompany,DC=com
>   -OU=Singapore Users
> -DC=uk,DC=mycompany,DC=com
>   -OU=Accounts
>   -OU=Users
>
> If I use the following configuration, everything works, except I am not
> able to authenticate UK and SNG users because the base of the search does
> not include the UK and SNG domains.
>
> AuthBasicProvider ldap
> AuthLDAPURL "ldap://nydomain04.mycompany.com/OU=Accounts,DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)"
> AuthLDAPBindDN "CN=ldap connector,OU=Generic accounts,OU=Accounts,DC=mycompany,DC=com"
> AuthLDAPBindPassword ******
> AuthType Basic
> AuthName "mycompany Domain"
> Require ldap-group CN=JMX_Security, OU=Security, OU=Usernames, OU=Accounts, DC=mycompany,DC=com
>
> [Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(373): [client 192.168.2.75] [3718] auth_ldap authenticate: using URL ldap://nydomain04.mycompany.com/OU=Accounts,DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)
> [Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(454): [client 192.168.2.75] [3718] auth_ldap authenticate: accepting testuser
> [Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(691): [client 192.168.2.75] [3718] auth_ldap authorise: require group: testing for group membership in "CN=JMX_Security, OU=Security, OU=Usernames, OU=Accounts, DC=mycompany,DC=com"
> [Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(697): [client 192.168.2.75] [3718] auth_ldap authorise: require group: testing for member: CN=Test User,OU=Finance&Administration,OU=Usernames,OU=Accounts,DC=mycompany,DC=com (CN=JMX_Security, OU=Security, OU=Usernames, OU=Accounts, DC=mycompany,DC=com)
> [Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(706): [client 192.168.2.75] [3718] auth_ldap authorise: require group: authorisation successful (attribute member) [Comparison true (adding to cache)][Compare True]
>
> However, if I use the following configuration (point to the base of the AD
> tree), mod_authnz_ldap.c produces a seg fault.
>
> AuthBasicProvider ldap
> AuthLDAPURL "ldap://nydomain04.mycompany.com/DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)"
> AuthLDAPBindDN "CN=ldap connector,OU=Generic accounts,OU=Accounts,DC=mycompany,DC=com"
> AuthLDAPBindPassword ******
> AuthType Basic
> AuthName "mycompany Domain"
> Require ldap-group CN=JMX_Security, OU=Security, OU=Usernames, OU=Accounts, DC=mycompany,DC=com
>
> [Wed Nov 26 20:24:31 2008] [debug] mod_authnz_ldap.c(373): [client 192.168.2.75] [3110] auth_ldap authenticate: using URL ldap://nydomain04.mycompany.com/DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)
> [Wed Nov 26 20:24:42 2008] [notice] child pid 3110 exit signal Segmentation fault (11)
>
> # rpm -qi httpd
> Name        : httpd                          Relocations: (not relocatable)
> Version     : 2.2.3                          Vendor: CentOS
> Release     : 11.el5_2.centos.4              Build Date: Wed 12 Nov 2008 10:44:43 AM EST
> Install Date: Fri 14 Nov 2008 07:42:56 AM EST   Build Host: builder16.centos.org
> Group       : System Environment/Daemons     Source RPM: httpd-2.2.3-11.el5_2.centos.4.src.rpm
> Size        : 2899288                        License: Apache Software License
> Signature   : DSA/SHA1, Wed 12 Nov 2008 05:54:31 PM EST, Key ID a8a447dce8562897
> URL         : http://httpd.apache.org/
> Summary     : Apache HTTP Server
> Description : The Apache HTTP Server is a powerful, efficient, and extensible web server.
>
> Is there a way to make mod_authnz_ldap search across the 3 LDAP branches
> where the user information is stored?
>

-- 


-----------------------------------------
Tony Stevenson
tony@pc-tony.com  //  pctony@apache.org
http://www.pc-tony.com/

1024D/51047D66 ECAF DC55 C608 5E82 0B5E  3359 C9C7 924E 5104 7D66
-----------------------------------------
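The per-sub-tree provider aliasing Tony points at, written out as an added example (not part of either message), using the DNs from the question. The UK and Singapore domain controller hostnames, the protected path and the bind password are assumed placeholders; the note on which module supplies AuthnProviderAlias on 2.2 is a fact about httpd, the note on where the ldap-group check resolves is an assumption flagged in the comments.

```apache
# Added example, not from the original thread. DNs come from the question;
# ukdc.uk.mycompany.com, sngdc.sng.mycompany.com, /protected and REPLACE-ME
# are assumed placeholders. AuthnProviderAlias is documented under
# mod_authn_core for trunk/2.4; on httpd 2.2.x the same directive is
# supplied by mod_authn_alias, loaded here.
LoadModule authn_alias_module modules/mod_authn_alias.so

# One ldap provider per sub-tree, each bound to the domain controller that
# holds it, so every search base stays inside a single naming context.
<AuthnProviderAlias ldap ldap-ny>
    AuthLDAPURL "ldap://nydomain04.mycompany.com/OU=Accounts,DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=ldap connector,OU=Generic accounts,OU=Accounts,DC=mycompany,DC=com"
    AuthLDAPBindPassword "REPLACE-ME"
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-uk>
    AuthLDAPURL "ldap://ukdc.uk.mycompany.com/OU=Accounts,DC=uk,DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=ldap connector,OU=Generic accounts,OU=Accounts,DC=mycompany,DC=com"
    AuthLDAPBindPassword "REPLACE-ME"
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-sng>
    AuthLDAPURL "ldap://sngdc.sng.mycompany.com/OU=Singapore Users,DC=sng,DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=ldap connector,OU=Generic accounts,OU=Accounts,DC=mycompany,DC=com"
    AuthLDAPBindPassword "REPLACE-ME"
</AuthnProviderAlias>

# Assumed path.
<Location /protected>
    AuthType Basic
    AuthName "mycompany Domain"
    # Providers are tried in this order; a user that one provider cannot
    # find falls through to the next, so list the busiest sub-tree first.
    AuthBasicProvider ldap-ny ldap-uk ldap-sng
    # Assumption: the ldap-group comparison is resolved through the URL
    # configured in this section, not the alias that authenticated the user.
    # The group object lives in the parent domain, so point at that DC.
    AuthLDAPURL "ldap://nydomain04.mycompany.com/DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)"
    Require ldap-group CN=JMX_Security,OU=Security,OU=Usernames,OU=Accounts,DC=mycompany,DC=com
</Location>
```

With LogLevel debug, the "auth_ldap authenticate: using URL" line from the question shows which alias handled each user, which is the quickest way to confirm that UK and SNG logins are reaching their own provider.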

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

