httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igor Galić <i.ga...@brainsware.org>
Subject Re: [users@httpd] Problem with ldap authentication against domino server
Date Thu, 06 Jan 2011 14:52:01 GMT

----- "Sebastian Reitenbach" <sebastia@l00-bugdead-prods.de> wrote:

> Hi,
> 
> I have LDAP authentication working against openldap. But I have to 
> authenticate against an Lotus Domino Server.
> 
> below the contents of my .htaccess file:

Why, Oh, Why are you putting it in .htaccess?

> AuthType Basic
> AuthBasicProvider ldap
> AuthName "LDAP"
> #AuthLDAPURL "ldap://openldapserver:389/ou=people,dc=intern"
> AuthLDAPURL "ldap://dominoserver:389/?uid"
> AuthzLDAPAuthoritative on
> #require valid-user
> require ldap-user user
> #require ldap-group cn=admin
> #require ldap-attribute gidnumber=1011
> Satisfy any
> 
> Order deny,allow
> Deny from all
> 
> When I comment the require ldap-user line, and uncomment the require
> valid-
> user line, then I can successfully log in with my credentials.
> 
> When I try to restrict the login to a given user or group, then the 
> authentication does't work.
> 
> 
> here it works using the openldap server:
> ==> /var/log/apache2/error_log <==
> [Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(982): [2013]
> auth_ldap 
> url parse: `ldap://openldapserver:389/ou=people,dc=intern', Host: 
> openldapserver:389, Port: 389, DN: ou=people,dc=intern, attrib:
> (null), scope: 
> base, filter: (null), connection mode: not using SSL
> [Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(982): [2014]
> auth_ldap 
> url parse: `ldap://openldapserver:389/ou=people,dc=intern', Host: 
> openldapserver:389, Port: 389, DN: ou=people,dc=intern, attrib:
> (null), scope: 
> base, filter: (null), connection mode: not using SSL
> [Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(379): [client
> 127.0.0.1] 
> [2014] auth_ldap authenticate: using URL 
> ldap://openldapserver:389/ou=people,dc=intern
> [Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(484): [client
> 127.0.0.1] 
> [2014] auth_ldap authenticate: accepting user
> [Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(659): [client
> 127.0.0.1] 
> [2014] auth_ldap authorise: require user: authorisation successful
> 
> 
> 
> here it doesn't work, using the domino server:
> ==> /var/log/apache2/error_log <==
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(982): [2015]
> auth_ldap 
> url parse: `ldap://dominoserver:389/?uid', Host: dominoserver:389,
> Port: 389, 
> DN: , attrib: uid, scope: base, filter: (null), connection mode: not
> using SSL
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(379): [client
> 127.0.0.1] 
> [2015] auth_ldap authenticate: using URL ldap://dominoserver:389/?uid
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(484): [client
> 127.0.0.1] 
> [2015] auth_ldap authenticate: accepting user
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(665): [client
> 127.0.0.1] 
> [2015] auth_ldap authorise: require user: authorisation failed
> [Comparison 
> complete][Insufficient access]
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(685): [client
> 127.0.0.1] 
> [2015] auth_ldap authorise: require user: authorisation failed
> [Comparison 
> complete][Insufficient access]
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(874): [client
> 127.0.0.1] 
> [2015] auth_ldap authorise: authorisation denied
> 
> Well, it states about the insufficient access, but I wonder what kind
> of 
> access migth be missing?
> 
> I can run
> ldapsearch -x -h dominoserver -b "" -D "CN=Test User,O=MyCompany" -W
> 
> And I successfully get stuff back from the Domino Server, the Test
> User has 
> uid=user.
> However, what I noticed is I have to specify the empty baseDN -b "",
> without 
> it, I don't get any search results back. I don't have to do it against
> the 
> OpenLDAP server, don't know whether this could be the cause of my
> problem?
> 
> Sebastian
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message