httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tony Rice (trice)" <tr...@cisco.com>
Subject RE: [users@httpd] group authorization via LDAP
Date Fri, 02 Oct 2009 19:35:11 GMT
One other wrinkle to add to this.  I can get "require ldap-group" to
work, but only if all the Auth config lines are in the .htaccess file.
If it's in the httpd.conf file and only require lines are in the
.htaccess file require ldap-group produces the errors below (though
"require valid-user" and "require ldap-filter" work fine either way).

-Tony


> -----Original Message-----
> From: Tony Rice (trice)
> Sent: Friday, October 02, 2009 1:52 PM
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] group authorization via LDAP
> 
> I'm able to do LDAP based group authorization when specify the group
> info as a filter in the LDAP URL but I'd like to configure a more
> generic LDAP string in the apache config and allow users to control
> access by group membership using .htaccess files.  I'm able to
> authenticate based on userid/password but can seem to get the config
> quite right to authorize based on group membership.
> 
> These memberships are in the memberOf attribute on User records  In
the
> LDAP tree, users are in OU=Company Users, groups are in OU=GroupStuff
> and OU=Standard under OU=Company Groups.
> 
> The log files complain that an attribute can't be found for the group
> value specified.  Any ideas?
> 
> 
> My ldap config looks like this:
> AuthName "Active Directory"
> AuthType Basic
> AuthBasicProvider ldap
> AuthLDAPBindDN "CN=mybinduser,OU=Generics,OU=Company
> Users,DC=dev,DC=company,DC=com"
> AuthLDAPBindPassword secret
> AuthLDAPRemoteUserAttribute cn
> 
> AuthLDAPUrl "ldap://dev.company.com:389/OU=Company
> Users,DC=dev,DC=company,DC=com?cn?sub?"
> AuthzLDAPAuthoritative on
> AuthLDAPGroupAttribute memberOf
> 
> .htaccess file looks like this:
> require valid-user
> require ldap-group CN=mygroup,OU=GroupStuff,OU=Company
> Groups,DC=dev,DC=company,DC=com
> 
> 
> Logs look like this:
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(875): [6756]
> auth_ldap url parse: `ldap://dev.company.com:389/OU=Company
> Users,DC=dev,DC=company,DC=com?cn?sub?'
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(884): [6756]
> auth_ldap url parse: Host: dev.company.com:389
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(886): [6756]
> auth_ldap url parse: Port: 389
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(888): [6756]
> auth_ldap url parse: DN: OU= Company Users,DC=dev,DC=company,DC=com
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(890): [6756]
> auth_ldap url parse: attrib: cn
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(892): [6756]
> auth_ldap url parse: scope: subtree
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(897): [6756]
> auth_ldap url parse: filter: (null)
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(977): LDAP:
> auth_ldap not using SSL connections
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(377): [client
> 64.102.41.173] [6756] auth_ldap authenticate: using URL
> ldap://dev.company.com:389/OU= Company
> Users,DC=dev,DC=company,DC=com?cn?sub?
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(474): [client
> 64.102.41.173] [6756] auth_ldap authenticate: accepting trice
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(715): [client
> 64.102.41.173] [6756] auth_ldap authorise: require group: testing for
> group membership in "CN=mygroup,OU=GroupStuff,OU=Company
> Groups,DC=dev,DC=company,DC=com"
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(721): [client
> 64.102.41.173] [6756] auth_ldap authorise: require group: testing for
> memberOf: CN=trice,OU=Employees,OU=Company
> Users,DC=dev,DC=company,DC=com (CN=mygroup,OU=GroupStuff,OU=Company
> Groups,DC=dev,DC=company,DC=com)
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(737): [client
> 64.102.41.173] [6756] auth_ldap authorise: require group
> "CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com":
> authorisation failed [Comparison no such attribute (adding to
> cache)][No
> such attribute]
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(852): [client
> 64.102.41.173] [6756] auth_ldap authorise: authorisation denied
> 
> My LDAP entry (using the URL above) looks like this:
> dn:CN=trice,OU=Employees,OU=Company Users,DC=dev,DC=company,DC=com
> 
>                objectClass: top
>                             person
>                             organizationalPerson
>                             user
>                         cn: trice
> <you don't care what my address, mailbox number, etc. is so ... snip>
>                   memberOf: CN=mygroup,OU=GroupStuff,OU=Company
> Groups,DC=dev,DC=company,DC=com
>                             CN=admins,OU=Standard,OU=Company
> Groups,DC=dev,DC= company,DC=com
>                 department: 8675309
>                    company: Company, Inc.
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message