httpd-users mailing list archives

From Jeff Shearer <j...@shearer-family.org>
Subject Re: [users@httpd] apache 2.2 and ldap group authentication
Date Tue, 02 Jun 2009 14:31:54 GMT
Thanks Peter for all of your suggestions.  I have followed them all with 
the exception of your security recommendations.  I have avoided this 
matter in an attempt to minimize the complexity of the problem so my 
small mind can see what is happening.

As you suggested Peter, I have read logs, rfcs and a great book by Matt 
Butcher called Mastering OpenLDAP.  Ah, but my thick skull is still stuck.

Over the last 3 days I have played with a number of configurations and 
executed numerous varieties of searches.  But to no good.  If you look 
down to the caption "My Best Result," it seems OpenLDAP has made it to 
the point where it is searching the 2 cn(s).  But the filter error 
prevents it from finding the uniqueMember.  If you search for 
"bdb_search: 11 does not match filter" and move up five or six lines you 
will see what makes me believe this.

I would appreciate help again.


ou=groups content
=============================================================
server2.local # ldapsearch -v -x -w secret -D 
'cn=Manager,dc=my,dc=domain,dc=com' -b 
'ou=groups,dc=my,dc=domain,dc=com' -LLL

ldap_initialize( <DEFAULT> )
filter: (objectclass=*)
requesting: All userApplication attributes
dn: ou=groups,dc=my,dc=domain,dc=com
ou: groups
description: my.domain groups
objectClass: organizationalUnit

dn: cn=SuperTeam,ou=groups,dc=my,dc=domain,dc=com
ou: groups
description: People who are employees of Super Team
uniqueMember: uid=jeffshearer,dc=my,dc=domain,dc=com
uniqueMember: uid=maeshearer,dc=my,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: SuperTeam

dn: cn=SuperGroup,ou=groups,dc=my,dc=domain,dc=com
ou: groups
description: People who are employees of Super Group
uniqueMember: uid=jacksonshearer,dc=my,dc=domain,dc=com
uniqueMember: uid=larryfordham,dc=my,dc=domain,dc=com
uniqueMember: uid=spamimoron,dc=my,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: SuperGroup


Peter's suggestion
============================================================================

<Directory /files/superteam.docs>
   AuthType basic
   AuthName "Super Team Members Only"
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative on
   AuthLDAPBindDN "cn=Manager,dc=my,dc=domain,dc=com"
   AuthLDAPBindPassword "secret"
   AuthLDAPGroupAttribute uniqueMember
   #AuthLDAPGroupAttribute uid
   AuthLDAPGroupAttributeIsDN on
   #AuthLDAPURL "ldap://192.168.0.92:389/ou=groups,dc=my,dc=domain,dc=com -s sub (&(objectclass=groupOfUniqueNames)(cn=SuperTeam))"
   #AuthLDAPURL "ldap://192.168.0.92:389/ou=groups,dc=my,dc=domain,dc=com (cn=SuperTeam)"
   AuthLDAPURL "ldap://192.168.0.92:389/ou=groups,dc=my,dc=domain,dc=com?uniqueMember?sub?(objectClass=groupOfUniqueNames)"
   #AuthLDAPURL "ldap://192.168.0.92:389/ou=groups,dc=my,dc=domain,dc=com"
   Require ldap-group "cn=SuperTeam,ou=groups,dc=my,dc=domain,dc=com"
   AllowOverride None
   Order allow,deny
   Allow from all
   Options +Includes
   XbitHack on
</Directory>

Jun  2 10:34:00 server2 slapd[41001]: => bdb_search
Jun  2 10:34:00 server2 slapd[41001]: 
bdb_dn2entry("ou=groups,dc=my,dc=domain,dc=com")
Jun  2 10:34:00 server2 slapd[41001]: => access_allowed: search access to "ou=groups,dc=my,dc=domain,dc=com" "entry" requested
Jun  2 10:34:00 server2 slapd[41001]: <= root access granted
Jun  2 10:34:00 server2 slapd[41001]: => access_allowed: search access 
granted by manage(=mwrscxd)
Jun  2 10:34:00 server2 slapd[41001]: search_candidates: 
base="ou=groups,dc=my,dc=domain,dc=com" (0x00000003) scope=2
Jun  2 10:34:00 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 10:34:00 server2 slapd[41001]: 	EQUALITY
Jun  2 10:34:00 server2 slapd[41001]: => bdb_equality_candidates 
(objectClass)
Jun  2 10:34:00 server2 slapd[41001]: => key_read
Jun  2 10:34:00 server2 slapd[41001]: bdb_idl_fetch_key: [01872a84]
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_index_read: failed (-30989)
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_equality_candidates: id=0, 
first=0, last=0
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_filter_candidates: id=0 
first=0 last=0
Jun  2 10:34:00 server2 slapd[41001]: => 
bdb_dn2idl("ou=groups,dc=my,dc=domain,dc=com")
Jun  2 10:34:00 server2 slapd[41001]: bdb_idl_fetch_key: 
@ou=groups,dc=my,dc=domain,dc=com
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_dn2idl: id=3 first=3 last=12
Jun  2 10:34:00 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 10:34:00 server2 slapd[41001]: 	AND
Jun  2 10:34:00 server2 slapd[41001]: => bdb_list_candidates 0xa0
Jun  2 10:34:00 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 10:34:00 server2 slapd[41001]: 	OR
Jun  2 10:34:00 server2 slapd[41001]: => bdb_list_candidates 0xa1
Jun  2 10:34:00 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 10:34:00 server2 slapd[41001]: 	EQUALITY
Jun  2 10:34:00 server2 slapd[41001]: => bdb_equality_candidates 
(objectClass)
Jun  2 10:34:00 server2 slapd[41001]: => key_read
Jun  2 10:34:00 server2 slapd[41001]: bdb_idl_fetch_key: [b49d1940]
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_index_read: failed (-30989)
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_equality_candidates: id=0, 
first=0, last=0
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_filter_candidates: id=0 
first=0 last=0
Jun  2 10:34:00 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 10:34:00 server2 slapd[41001]: 	AND
Jun  2 10:34:00 server2 slapd[41001]: => bdb_list_candidates 0xa0
Jun  2 10:34:00 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 10:34:00 server2 slapd[41001]: 	EQUALITY
Jun  2 10:34:00 server2 slapd[41001]: => bdb_equality_candidates 
(objectClass)
Jun  2 10:34:00 server2 slapd[41001]: => key_read
Jun  2 10:34:00 server2 slapd[41001]: bdb_idl_fetch_key: [32028718]
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_index_read 2 candidates
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_equality_candidates: id=2, 
first=11, last=12
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_filter_candidates: id=2 
first=11 last=12
Jun  2 10:34:00 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_filter_candidates: id=0 
first=0 last=0
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_list_candidates: id=0 
first=11 last=0
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_filter_candidates: id=0 
first=11 last=0
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_list_candidates: id=0 
first=0 last=0
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_filter_candidates: id=0 
first=0 last=0
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_list_candidates: id=0 
first=3 last=0
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_filter_candidates: id=0 
first=3 last=0
Jun  2 10:34:00 server2 slapd[41001]: bdb_search_candidates: id=0 
first=3 last=0
Jun  2 10:34:00 server2 slapd[41001]: bdb_search: no candidates
Jun  2 10:34:00 server2 slapd[41001]: send_ldap_result: conn=186 op=1 p=3
Jun  2 10:34:00 server2 slapd[41001]: send_ldap_result: err=0 matched="" 
text="value does not conform to assertion syntax"
Jun  2 10:34:00 server2 slapd[41001]: send_ldap_response: msgid=2 
tag=101 err=0
Jun  2 10:34:00 server2 slapd[41001]: conn=186 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=value does not conform to assertion syntax
Jun  2 10:34:00 server2 slapd[41001]: daemon: activity on 1 descriptor
Jun  2 10:34:00 server2 slapd[41001]: daemon: waked
Jun  2 10:34:00 server2 slapd[41001]: daemon: select: listen=6 
active_threads=0 tvp=NULL
Jun  2 10:34:00 server2 slapd[41001]: daemon: select: listen=7 
active_threads=0 tvp=NULL


My Best Result
===============================================================
<Directory /files/superteam.docs>
   AuthType basic
   AuthName "Super Team Members Only"
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative on
   AuthLDAPBindDN "cn=Manager,dc=my,dc=domain,dc=com"
   AuthLDAPBindPassword "secret"
   AuthLDAPGroupAttribute uniqueMember
   #AuthLDAPGroupAttribute uid
   AuthLDAPGroupAttributeIsDN on
   #AuthLDAPURL "ldap://192.168.0.92:389/ou=groups,dc=my,dc=domain,dc=com -s sub (&(objectclass=groupOfUniqueNames)(cn=SuperTeam))"
   #AuthLDAPURL "ldap://192.168.0.92:389/ou=groups,dc=my,dc=domain,dc=com (cn=SuperTeam)"
   #AuthLDAPURL "ldap://192.168.0.92:389/ou=groups,dc=my,dc=domain,dc=com?uniqueMember?sub?(objectClass=groupOfUniqueNames)"
   AuthLDAPURL "ldap://192.168.0.92:389/ou=groups,dc=my,dc=domain,dc=com"
   Require ldap-group "cn=SuperTeam,ou=groups,dc=my,dc=domain,dc=com"
   AllowOverride None
   Order allow,deny
   Allow from all
   Options +Includes
   XbitHack on
</Directory>



Jun  2 09:40:35 server2 slapd[41001]: conn=183 op=1 do_search
Jun  2 09:40:35 server2 slapd[41001]: >>> dnPrettyNormal: <ou=groups,dc=my,dc=domain,dc=com>
Jun  2 09:40:35 server2 slapd[41001]: <<< dnPrettyNormal: <ou=groups,dc=my,dc=domain,dc=com>, <ou=groups,dc=my,dc=domain,dc=com>
Jun  2 09:40:35 server2 slapd[41001]: SRCH 
"ou=groups,dc=my,dc=domain,dc=com" 2 3
Jun  2 09:40:35 server2 slapd[41001]:     0 0 0
Jun  2 09:40:35 server2 slapd[41001]: begin get_filter
Jun  2 09:40:35 server2 slapd[41001]: AND
Jun  2 09:40:35 server2 slapd[41001]: begin get_filter_list
Jun  2 09:40:35 server2 slapd[41001]: begin get_filter
Jun  2 09:40:35 server2 slapd[41001]: PRESENT
Jun  2 09:40:35 server2 slapd[41001]: end get_filter 0
Jun  2 09:40:35 server2 slapd[41001]: begin get_filter
Jun  2 09:40:35 server2 slapd[41001]: EQUALITY
Jun  2 09:40:35 server2 slapd[41001]: end get_filter 0
Jun  2 09:40:35 server2 slapd[41001]: end get_filter_list
Jun  2 09:40:35 server2 slapd[41001]: end get_filter 0
Jun  2 09:40:35 server2 slapd[41001]:     filter: 
(&(objectClass=*)(uid=jeffshearer))
Jun  2 09:40:35 server2 slapd[41001]:     attrs:
Jun  2 09:40:35 server2 slapd[41001]:
Jun  2 09:40:35 server2 slapd[41001]: conn=183 op=1 SRCH base="ou=groups,dc=my,dc=domain,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=jeffshearer))"
Jun  2 09:40:35 server2 slapd[41001]: => bdb_search
Jun  2 09:40:35 server2 slapd[41001]: 
bdb_dn2entry("ou=groups,dc=my,dc=domain,dc=com")
Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access to "ou=groups,dc=my,dc=domain,dc=com" "entry" requested
Jun  2 09:40:35 server2 slapd[41001]: <= root access granted
Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access 
granted by manage(=mwrscxd)
Jun  2 09:40:35 server2 slapd[41001]: search_candidates: 
base="ou=groups,dc=my,dc=domain,dc=com" (0x00000003) scope=2
Jun  2 09:40:35 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 09:40:35 server2 slapd[41001]: 	EQUALITY
Jun  2 09:40:35 server2 slapd[41001]: => bdb_equality_candidates 
(objectClass)
Jun  2 09:40:35 server2 slapd[41001]: => key_read
Jun  2 09:40:35 server2 slapd[41001]: bdb_idl_fetch_key: [01872a84]
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_index_read: failed (-30989)
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_equality_candidates: id=0, 
first=0, last=0
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_filter_candidates: id=0 
first=0 last=0
Jun  2 09:40:35 server2 slapd[41001]: => 
bdb_dn2idl("ou=groups,dc=my,dc=domain,dc=com")
Jun  2 09:40:35 server2 slapd[41001]: bdb_idl_fetch_key: 
@ou=groups,dc=my,dc=domain,dc=com
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_dn2idl: id=3 first=3 last=12
Jun  2 09:40:35 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 09:40:35 server2 slapd[41001]: 	AND
Jun  2 09:40:35 server2 slapd[41001]: => bdb_list_candidates 0xa0
Jun  2 09:40:35 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 09:40:35 server2 slapd[41001]: 	OR
Jun  2 09:40:35 server2 slapd[41001]: => bdb_list_candidates 0xa1
Jun  2 09:40:35 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 09:40:35 server2 slapd[41001]: 	EQUALITY
Jun  2 09:40:35 server2 slapd[41001]: => bdb_equality_candidates 
(objectClass)
Jun  2 09:40:35 server2 slapd[41001]: => key_read
Jun  2 09:40:35 server2 slapd[41001]: bdb_idl_fetch_key: [b49d1940]
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_index_read: failed (-30989)
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_equality_candidates: id=0, 
first=0, last=0
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_filter_candidates: id=0 
first=0 last=0
Jun  2 09:40:35 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 09:40:35 server2 slapd[41001]: 	AND
Jun  2 09:40:35 server2 slapd[41001]: => bdb_list_candidates 0xa0
Jun  2 09:40:35 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 09:40:35 server2 slapd[41001]: 	PRESENT
Jun  2 09:40:35 server2 slapd[41001]: => bdb_presence_candidates 
(objectClass)
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_filter_candidates: id=-1 
first=1 last=12
Jun  2 09:40:35 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 09:40:35 server2 slapd[41001]: 	EQUALITY
Jun  2 09:40:35 server2 slapd[41001]: => bdb_equality_candidates (uid)
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_equality_candidates: (uid) 
not indexed
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_filter_candidates: id=-1 
first=1 last=12
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_list_candidates: id=-1 
first=1 last=12
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_filter_candidates: id=-1 
first=1 last=12
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_list_candidates: id=-1 
first=1 last=12
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_filter_candidates: id=-1 
first=1 last=12
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_list_candidates: id=3 
first=3 last=12
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_filter_candidates: id=3 
first=3 last=12
Jun  2 09:40:35 server2 slapd[41001]: bdb_search_candidates: id=3 
first=3 last=12
Jun  2 09:40:35 server2 slapd[41001]: => test_filter
Jun  2 09:40:35 server2 slapd[41001]:     AND
Jun  2 09:40:35 server2 slapd[41001]: => test_filter_and
Jun  2 09:40:35 server2 slapd[41001]: => test_filter
Jun  2 09:40:35 server2 slapd[41001]:     PRESENT
Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access to "ou=groups,dc=my,dc=domain,dc=com" "objectClass" requested
Jun  2 09:40:35 server2 slapd[41001]: <= root access granted
Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access 
granted by manage(=mwrscxd)
Jun  2 09:40:35 server2 slapd[41001]: <= test_filter 6
Jun  2 09:40:35 server2 slapd[41001]: => test_filter
Jun  2 09:40:35 server2 slapd[41001]:     EQUALITY
Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access 
to "ou=groups,dc=my,dc=domain,dc=com" "uid" requested
Jun  2 09:40:35 server2 slapd[41001]: <= root access granted
Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access 
granted by manage(=mwrscxd)
Jun  2 09:40:35 server2 slapd[41001]: <= test_filter 5
Jun  2 09:40:35 server2 slapd[41001]: <= test_filter_and 5
Jun  2 09:40:35 server2 slapd[41001]: <= test_filter 5
Jun  2 09:40:35 server2 slapd[41001]: bdb_search: 3 does not match filter
Jun  2 09:40:35 server2 slapd[41001]: => test_filter
Jun  2 09:40:35 server2 slapd[41001]:     AND
Jun  2 09:40:35 server2 slapd[41001]: => test_filter_and
Jun  2 09:40:35 server2 slapd[41001]: => test_filter
Jun  2 09:40:35 server2 slapd[41001]:     PRESENT
Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access to "cn=SuperTeam,ou=groups,dc=my,dc=domain,dc=com" "objectClass" requested
Jun  2 09:40:35 server2 slapd[41001]: <= root access granted
Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access 
granted by manage(=mwrscxd)
Jun  2 09:40:35 server2 slapd[41001]: <= test_filter 6
Jun  2 09:40:35 server2 slapd[41001]: => test_filter
Jun  2 09:40:35 server2 slapd[41001]:     EQUALITY
Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access to "cn=SuperTeam,ou=groups,dc=my,dc=domain,dc=com" "uid" requested
Jun  2 09:40:35 server2 slapd[41001]: <= root access granted
Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access 
granted by manage(=mwrscxd)
Jun  2 09:40:35 server2 slapd[41001]: <= test_filter 5
Jun  2 09:40:35 server2 slapd[41001]: <= test_filter_and 5
Jun  2 09:40:35 server2 slapd[41001]: <= test_filter 5
Jun  2 09:40:35 server2 slapd[41001]: bdb_search: 11 does not match filter
Jun  2 09:40:35 server2 slapd[41001]: => test_filter
Jun  2 09:40:35 server2 slapd[41001]:     AND
Jun  2 09:40:35 server2 slapd[41001]: => test_filter_and
Jun  2 09:40:35 server2 slapd[41001]: => test_filter
Jun  2 09:40:35 server2 slapd[41001]:     PRESENT
Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access to "cn=SuperGroup,ou=groups,dc=my,dc=domain,dc=com" "objectClass" requested
Jun  2 09:40:35 server2 slapd[41001]: <= root access granted
Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access 
granted by manage(=mwrscxd)
Jun  2 09:40:35 server2 slapd[41001]: <= test_filter 6
Jun  2 09:40:35 server2 slapd[41001]: => test_filter
Jun  2 09:40:35 server2 slapd[41001]:     EQUALITY
Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access to "cn=SuperGroup,ou=groups,dc=my,dc=domain,dc=com" "uid" requested
Jun  2 09:40:35 server2 slapd[41001]: <= root access granted
Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access 
granted by manage(=mwrscxd)
Jun  2 09:40:35 server2 slapd[41001]: <= test_filter 5
Jun  2 09:40:35 server2 slapd[41001]: <= test_filter_and 5
Jun  2 09:40:35 server2 slapd[41001]: <= test_filter 5
Jun  2 09:40:35 server2 slapd[41001]: bdb_search: 12 does not match filter
Jun  2 09:40:35 server2 slapd[41001]: send_ldap_result: conn=183 op=1 p=3
Jun  2 09:40:35 server2 slapd[41001]: send_ldap_result: err=0 matched="" 
text=""
Jun  2 09:40:35 server2 slapd[41001]: send_ldap_response: msgid=2 
tag=101 err=0
Jun  2 09:40:35 server2 slapd[41001]: conn=183 op=1 SEARCH RESULT 
tag=101 err=0 nentries=0 text=
Jun  2 09:40:35 server2 slapd[41001]: daemon: activity on 1 descriptor
Jun  2 09:40:35 server2 slapd[41001]: daemon: waked
Jun  2 09:40:35 server2 slapd[41001]: daemon: select: listen=6 
active_threads=0 tvp=NULL
Jun  2 09:40:35 server2 slapd[41001]: daemon: select: listen=7 
active_threads=0 tvp=NULL


Peter Schober wrote:
> * Peter Schober <peter.schober@univie.ac.at> [2009-05-27 12:33]:
>>> I have tried a number of configurations for group authentication, all 
>>> without success.  Following is the current iteration of my apache 
>>> configuration for the superteam.docs directory:
>>>
>>> <Directory /files/superteam.docs>
>>>    AuthType basic
>>>    AuthName "Super Team Members Only"
>>>    AuthBasicProvider ldap
>>>    AuthzLDAPAuthoritative on
>>>    AuthLDAPBindDN "cn=Manager,dc=my,dc=mydomain,dc=com"
>>>    AuthLDAPBindPassword "secret"
>>>    AuthLDAPGroupAttribute uniqueMember
>>>    AuthLDAPGroupAttributeIsDN off
>>>    AuthLDAPURL 
>>> "ldap://192.168.0.92:389/ou=groups,dc=my,dc=mydomain,dc=com?cn=SuperTeam?"
>>>    Require ldap-group cn=SuperTeam,ou=groups
>>>    AllowOverride None
>>>    Order allow,deny
>>>    Allow from all
>>>    Options +Includes
>>>    XbitHack on
>>>    </Directory>
>> First, AuthLDAPGroupAttributeIsDN should be on, since obviously your
>> (unique)member values *are* DNs.
>> (Btw, unless you require the additional distinguishing values
>> uniqueMember allows for -- and from your example you certainly don't
>> --  you can just as well use the 'member' attribute. Both 'member' and
>> 'uniquemember' need their values to be unique.)
>>
>> Second, your "Require ldap-group" is somehow truncated, it should be
>> the full DN of that group (is there some documentation that implies
>> you can just leave away the baseDN or something?)
> 
> Third, the AuthLDAPURL doesn't seem to be right (see RFC 4516 for the
> specs and examples). After the DN (which "identifies the base object
> of the LDAP search or the target of a non-search operation.") come the
> attributes you request, if you want all you'd still need to supply the
> '?' with no parameter, otherwise the only one you're interested here
> is (unique)member.
> Then comes the scope (limit the search to the base of the object given
> as the DN of the URL; to one level below the base object, or to a
> subtree search, starting from and including the base object), and only
> then comes the filter (which you give as cn=SuperTeam).
> 
> And with that filter (which is not interpreted as a filter, because
> it's in the wrong part, which you would see in your slapd.log) you'd
> only ever find the group cn=SuperTeam, which is not wrong, but
> superfluous, since you're 'require'ing the desired group below anyway
> with an apache directive (once the syntax is corrected, see my point
> two).
> 
> I don't think just leaving all the parts after the DN away (so their
> defaults get to be used) will help, since the scope defaults to base,
> and you'll need at least 'one' or 'sub', unless you specify the exact
> name of the required group in the DN of that AuthLDAPURL (which I
> wouldn't do, since you'd have to mess with AuthLDAPURL for every
> directory; same with the group name in the filter, see above).
> 
> So I guess a correct LDAP URL for your setup should be something like this:
> 
> AuthLDAPURL ldap://192.168.0.92:389/ou=groups,dc=my,dc=mydomain,dc=com?uniquemember?sub?(objectclass=groupOfUniqueNames)
> 
> (The port defaults to 389 so that could be left out as well, I
> suppose.)
> 
> You could then reuse this AuthLDAPURL for all resources on your
> server, adjusting only the "require ldap-group" directive for the
> resource at hand.
> 
> And two rather generic hints wrt security:
> 
> Note that unless your directory server is on the same box or you
> consider your network to be secure, you should not connect to your
> slapd without securing at least the transport. For that you'd need to
> configure your slapd to allow for TLS/SSL connections and supply
> STARTTLS at the end of the LDAP URL (separated by whitespace).
> Instead of the STARTTLS parameter you could use ldaps:// for the
> scheme, but note that there is no formal specification for LDAPS (in
> contrast to LDAP+STARTTLS, see RFC 4513). So this is deprecated and
> should not be used.
> Also you really should not ever use the rootdn (I guess that is what
> your cn=manager object really is) for anything else but directory
> administration. Instead create another DN in your DIT and give this DN
> the required permission (ACLs) to search and read group objects.
> There are no limits to what the rootdn can do, ACLs are not even
> evaluated for the rootdn (it's the rootdn, after all ;) so you can't
> limit the power of this DN -- and its password is in your httpd.conf
> in the clear!
> 
> cheers,
> -peter
> 
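As an added example (not code from this thread or from httpd), the Python below splits an AuthLDAPURL into the RFC 4516 fields Peter describes, derives the authentication filter mod_authnz_ldap builds from it (the URL filter AND-ed with the URL's first attribute, default uid, as seen in the "My Best Result" log as filter="(&(objectClass=*)(uid=jeffshearer))"), and evaluates Require ldap-group against the SuperTeam entry from the ldapsearch output. The function names, the sample entry and the simplified DN normalization are this example's own assumptions.

```python
"""Added example (not httpd code): split an AuthLDAPURL into its RFC 4516
fields, derive mod_authnz_ldap's authentication filter, check ldap-group."""
from urllib.parse import urlsplit, unquote

SCOPES = {"": "base", "base": "base", "one": "one", "sub": "sub"}

def parse_ldap_url(url):
    """scheme://host[:port]/dn?attrs?scope?filter -> dict.  Empty fields take
    the RFC 4516 defaults: all attributes, base scope, (objectClass=*)."""
    p = urlsplit(url)
    if p.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    # urlsplit keeps everything after the first '?' in .query; the
    # '?'-separated LDAP fields are split out here.
    fields = p.query.split("?") if p.query else []
    fields += [""] * (3 - len(fields))
    attrs, scope, filt = (unquote(f) for f in fields[:3])
    if scope.lower() not in SCOPES:
        raise ValueError("bad scope %r: use base, one or sub" % scope)
    return {
        "host": p.hostname,
        "port": p.port or (636 if p.scheme == "ldaps" else 389),
        "base_dn": unquote(p.path.lstrip("/")),
        "attrs": [a for a in attrs.split(",") if a],  # [] means all
        "scope": SCOPES[scope.lower()],
        "filter": filt or "(objectClass=*)",
    }

def escape_filter_value(value):
    """RFC 4515 escaping: a submitted username cannot alter filter structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def authn_filter(url, username):
    """Filter httpd sends for AuthBasicProvider ldap, searched under the URL's
    base DN: URL filter AND-ed with <first URL attribute, default uid>=<user>
    (cf. filter="(&(objectClass=*)(uid=jeffshearer))" in the slapd log)."""
    u = parse_ldap_url(url)
    attr = u["attrs"][0] if u["attrs"] else "uid"
    return "(&%s(%s=%s))" % (u["filter"], attr, escape_filter_value(username))

def normalize_dn(dn):
    """Simplified DN normalization (case-fold, trim around commas); enough
    for this thread's DNs, not a full RFC 4517 distinguishedNameMatch."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def in_group(group_entry, user_dn, username, attribute="uniqueMember",
             attribute_is_dn=True):
    """Require ldap-group: AuthLDAPGroupAttributeIsDN on compares the user's
    DN with the group attribute's values; off compares the bare username."""
    wanted = normalize_dn(user_dn) if attribute_is_dn else username.lower()
    for value in group_entry.get(attribute, []):
        got = normalize_dn(value) if attribute_is_dn else value.lower()
        if got == wanted:
            return True
    return False

# Constructed sample entry, copied from the ldapsearch output in the thread.
SUPERTEAM = {
    "objectClass": ["groupOfUniqueNames"],
    "uniqueMember": ["uid=jeffshearer,dc=my,dc=domain,dc=com",
                     "uid=maeshearer,dc=my,dc=domain,dc=com"],
}

if __name__ == "__main__":
    base = "ldap://192.168.0.92:389/ou=groups,dc=my,dc=domain,dc=com"
    for url in (base + "?cn=SuperTeam?",
                base + "?uniqueMember?sub?(objectClass=groupOfUniqueNames)"):
        print(parse_ldap_url(url), authn_filter(url, "jeffshearer"))
    print(in_group(SUPERTEAM, "uid=jeffshearer,dc=my,dc=domain,dc=com", "jeffshearer"))
```

Run against the "?cn=SuperTeam?" URL the parser returns cn=SuperTeam as the requested attribute with base scope and the default filter, which is Peter's third point; with uniqueMember as the URL attribute the authentication filter asserts uniqueMember=jeffshearer, a value that is not a DN, which slapd reports in the first log as "value does not conform to assertion syntax".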

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

