httpd-users mailing list archives

From Eric Covener <cove...@gmail.com>
Subject Re: [users@httpd] group authorization via LDAP
Date Fri, 02 Oct 2009 19:37:36 GMT
> AuthLDAPGroupAttribute memberOf
>
> require ldap-group CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com
>
> My LDAP entry (using the URL above) looks like this:
> dn:CN=trice,OU=Employees,OU=Company Users,DC=dev,DC=company,DC=com
>
>               objectClass: top
>                            person
>                            organizationalPerson
>                            user
>                        cn: trice
> <you don't care what my address, mailbox number, etc. is so ... snip>
>                  memberOf: CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com
>                            CN=admins,OU=Standard,OU=Company Groups,DC=dev,DC= company,DC=com
>                department: 8675309
>                   company: Company, Inc.


Your config looks for entries like this in ldap:

cn: =mygroup,OU=Grou....
  memberOf: trice
  memberOf: bob
  ...

Your LDAP setup should use require ldap-filter to find a memberOf
under the _user_ that signifies membership in a group, or find how the
group's entry lists users (not memberOf, but something like member or
uniqueMember).  ldap-filter starts at the user and looks for stuff;
ldap-group starts at the group and looks for an entry listing your
user.

-- 
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
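
The two lookup directions described in the reply, as an added configuration sketch that is not part of the original thread. The LDAP host name, the Location paths and the `cn` search attribute are assumptions, bind settings are omitted, and the second block assumes the group entry lists its members by DN in a `member` attribute.

```apache
# Added example, not from the thread. Host name, Location paths and the
# "cn" search attribute are placeholders/assumptions; bind settings omitted.

# Option 1: start at the user (Require ldap-filter).
# mod_authnz_ldap searches for the authenticating user and ANDs this filter
# into the search, so access is granted only if the user's own entry carries
# a memberOf value equal to the group DN.
<Location "/by-filter">
    AuthType Basic
    AuthName "Restricted"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.invalid/DC=dev,DC=company,DC=com?cn?sub"
    Require ldap-filter memberOf=CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com
</Location>

# Option 2: start at the group (Require ldap-group).
# mod_authnz_ldap reads the group entry and compares the user's DN against
# the attribute named by AuthLDAPGroupAttribute. That attribute must exist
# on the GROUP entry, which is why "AuthLDAPGroupAttribute memberOf" fails:
# memberOf lives on the user entry, not on the group.
<Location "/by-group">
    AuthType Basic
    AuthName "Restricted"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.invalid/DC=dev,DC=company,DC=com?cn?sub"
    # Assumption: the group entry holds member: <user DN> values.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com
</Location>
```

Option 1 matches only groups that appear on the user's own entry, so check with an LDAP search which attribute your directory actually populates before choosing between the two.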

