From: Doug White
To: users@httpd.apache.org
Date: Fri, 4 Sep 2009 08:45:42 -0700 (PDT)
Subject: [users@httpd] Help in authenticating across multiple LDAPs

The problem I'm having is authenticating using groups to authorize access. 

I'm using LoadModule authn_alias_module modules/mod_authn_alias.so so as to identify multiple authentication providers.  The below works fine when Require valid-user is used instead of ldap-group.  You might note I'm using svn but I'm simply hitting the Apache Server with a browser.  I haven't found an example where authorization is group.  Found plenty of examples where Require valid-user is used, which, of course, is of no value to me.

Please someone respond to this desperate post.

<AuthnProviderAlias ldap ldap-01>
    AuthLDAPBindDN "CN=ldapuser,OU=StandardUsers,OU=My Company,OU=Users,OU=EIT Central,DC=ad,DC=mycompany,DC=com"
    AuthLDAPBindPassword mypassword
    AuthLDAPURL ldap://ldap.ad.mycompany.com:389/DC=ad,DC=mycompany,DC=com?sAMAccountName?sub
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-02>
    AuthLDAPBindDN "CN=ldapuser,OU=StandardUsers,OU=My Company,OU=Users,OU=EIT Central,DC=ad,DC=mycompany,DC=com"
    AuthLDAPBindPassword mypassword
    AuthLDAPURL ldap://ldap.other.mycompany.com:389/DC=other,DC=mycompany,DC=com?sAMAccountName?sub
</AuthnProviderAlias>

# Location for the Subversion repository
<Location /repository>
    DAV svn
    SVNPath c:/svn_repository
    #
    Order deny,allow
    Allow from all

    AuthBasicProvider ldap-01 ldap-02
    AuthType Basic
    AuthName 'Subversion Repository'
    AuthzLDAPAuthoritative off
    Require ldap-group CN=G-MyGroup,OU=Groups,OU=LAN Services,DC=ad,DC=mycompany,DC=com
    SVNAutoversioning on
    ModMimeUsePathInfo on
</Location>