httpd-users mailing list archives

From "Tony Rice (trice)" <>
Subject RE: [users@httpd] group authorization via LDAP
Date Fri, 02 Oct 2009 17:51:42 GMT
I'm able to do LDAP based group authorization when I specify the group
info as a filter in the LDAP URL, but I'd like to configure a more
generic LDAP string in the apache config and allow users to control
access by group membership using .htaccess files.  I'm able to
authenticate based on userid/password but can't seem to get the config
quite right to authorize based on group membership.

These memberships are in the memberOf attribute on User records.  In the
LDAP tree, users are in OU=Company Users, groups are in OU=GroupStuff
and OU=Standard under OU=Company Groups.

The log files complain that an attribute can't be found for the group
value specified.  Any ideas?

My ldap config looks like this:
AuthName "Active Directory"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPBindDN "CN=mybinduser,OU=Generics,OU=Company
AuthLDAPBindPassword secret
AuthLDAPRemoteUserAttribute cn

AuthLDAPUrl "ldap://
AuthzLDAPAuthoritative on
AuthLDAPGroupAttribute memberOf

.htaccess file looks like this:
require valid-user
require ldap-group CN=mygroup,OU=GroupStuff,OU=Company

Logs look like this:
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(875): [6756]
auth_ldap url parse: `ldap://
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(884): [6756]
auth_ldap url parse: Host:
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(886): [6756]
auth_ldap url parse: Port: 389
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(888): [6756]
auth_ldap url parse: DN: OU= Company Users,DC=dev,DC=company,DC=com
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(890): [6756]
auth_ldap url parse: attrib: cn
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(892): [6756]
auth_ldap url parse: scope: subtree
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(897): [6756]
auth_ldap url parse: filter: (null)
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(977): LDAP:
auth_ldap not using SSL connections
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(377): [client] [6756] auth_ldap authenticate: using URL
ldap:// Company
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(474): [client] [6756] auth_ldap authenticate: accepting trice
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(715): [client] [6756] auth_ldap authorise: require group: testing for
group membership in "CN=mygroup,OU=GroupStuff,OU=Company
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(721): [client] [6756] auth_ldap authorise: require group: testing for
memberOf: CN=trice,OU=Employees,OU=Company
Users,DC=dev,DC=company,DC=com (CN=mygroup,OU=GroupStuff,OU=Company
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(737): [client] [6756] auth_ldap authorise: require group
"CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com":
authorisation failed [Comparison no such attribute (adding to cache)][No
such attribute]
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(852): [client] [6756] auth_ldap authorise: authorisation denied

My LDAP entry (using the URL above) looks like this:
dn:CN=trice,OU=Employees,OU=Company Users,DC=dev,DC=company,DC=com

               objectClass: top
                        cn: trice
<you don't care what my address, mailbox number, etc. is so ... snip>
                  memberOf: CN=mygroup,OU=GroupStuff,OU=Company
Groups,DC=dev,DC= company,DC=com
                department: 8675309
                   company: Company, Inc.
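The debug line from mod_authnz_ldap.c(721) above shows the shape of the check that `Require ldap-group` performs: an LDAP Compare of the attribute named by AuthLDAPGroupAttribute on the group entry against the authenticated user's DN (the log prints it as "testing for memberOf: <userDN> (<groupDN>)"). The user's own memberOf back-link is never consulted, which is why the compare comes back "No such attribute" when the group entry carries no memberOf. The script below is an added illustration, not code from httpd or from the post; it models that compare over a constructed two-entry directory that reuses the DNs from the post, and it also folds DN case and whitespace the way a directory server does, so a stray space such as "DC= company" still matches. The function names and the in-memory directory are assumptions made for the example.

```python
"""Model of the Compare that mod_authnz_ldap issues for `Require ldap-group`.

Added example (not httpd code, not from the original post). The directory is a
constructed dict keyed by DN; attribute values are sets of strings.
"""
import re

# Constructed sample entries, using the DNs quoted in the post.
USER_DN = "CN=trice,OU=Employees,OU=Company Users,DC=dev,DC=company,DC=com"
GROUP_DN = "CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com"

DIRECTORY = {
    USER_DN: {
        "objectClass": {"top", "user"},
        "cn": {"trice"},
        # Back-link maintained by the server; not what ldap-group looks at.
        "memberOf": {GROUP_DN},
    },
    GROUP_DN: {
        "objectClass": {"top", "group"},
        "cn": {"mygroup"},
        # Forward link on the group entry; this is what the Compare reads.
        "member": {USER_DN},
    },
}


def normalize_dn(dn: str) -> str:
    """Approximate distinguishedNameMatch: attribute types and values are
    compared case-insensitively and whitespace around ',' and '=' (plus runs
    of internal spaces) is insignificant. Commas escaped with '\\' are kept."""
    rdns = [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]
    parts = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={' '.join(value.split()).lower()}")
    return ",".join(parts)


def find_entry(dn: str):
    """Look an entry up by DN, tolerating case and spacing differences."""
    target = normalize_dn(dn)
    for entry_dn, attrs in DIRECTORY.items():
        if normalize_dn(entry_dn) == target:
            return attrs
    return None


def ldap_compare(entry_dn: str, attribute: str, value: str, value_is_dn: bool = True) -> str:
    """Return an LDAP Compare result name: compareTrue, compareFalse,
    noSuchAttribute or noSuchObject. Attribute names match case-insensitively;
    DN-valued attributes are matched with normalize_dn (AuthLDAPGroupAttributeIsDN on)."""
    entry = find_entry(entry_dn)
    if entry is None:
        return "noSuchObject"
    fold = normalize_dn if value_is_dn else str.lower
    for name, values in entry.items():
        if name.lower() == attribute.lower():
            wanted = fold(value)
            return "compareTrue" if any(fold(v) == wanted for v in values) else "compareFalse"
    return "noSuchAttribute"


def require_ldap_group(user_dn: str, group_dn: str, group_attribute: str = "member"):
    """What `Require ldap-group <group_dn>` evaluates: Compare(group_dn,
    group_attribute, user_dn). Returns (authorised, compare_result)."""
    result = ldap_compare(group_dn, group_attribute, user_dn)
    return result == "compareTrue", result


if __name__ == "__main__":
    # The post's configuration: AuthLDAPGroupAttribute memberOf -> noSuchAttribute,
    # because the group entry has no memberOf. Using the group's member attribute
    # succeeds for the same user.
    for attr in ("memberOf", "member"):
        print(attr, require_ldap_group(USER_DN, GROUP_DN, attr))
```

Running the script reports `memberOf (False, 'noSuchAttribute')`, mirroring the "[No such attribute]" in the post's log, and `member (True, 'compareTrue')`; a user who is not in the group yields `compareFalse`, and an unknown group DN yields `noSuchObject`.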

The official User-To-User support forum of the Apache HTTP Server Project.