httpd-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [users@httpd] require valid-user with ldap
Date Thu, 27 Nov 2014 13:45:58 GMT

Marc,

On 11/27/14 2:42 AM, Tobias Adolph wrote:
> do you have any other authorization modules (like mod_shib for 
> shibboleth-authentication)?
> 
> We had an issue concerning require valid-user, too. I guess that if
> several authorization handlers are active, the "require valid-user" 
> directive asks each of them for approval. At least mod_shib shows 
> this behaviour. The fact that if you give the specific user (which 
> determines the specific authorization authority) or a 
> require-directive specific to an authorization module supports
> this assumption.

I have LDAP working without file-based fallback, but I'm using
"Require ldap-group" instead of "Require [somethingelse]".

Our configuration is so old I can't remember if I actually fought
httpd's configuration and settled for ldap-group or if I just never
tried anything else (like Require valid-user).

-chris

> On 24.11.2014 at 12:13, Marc Patermann wrote:
>> Hi,
>> 
>> I am using the following .htaccess
>> 
>> AuthBasicProvider ldap file
>> AuthType Basic
>> AuthzLDAPAuthoritative off
>> Authname "..."
>> AuthUserFile /srv/www/.htusers-mf
>> AuthLDAPURL "ldap://ldapserver/ou=humans,ou=foo,c=de?mail??(mail=*@ofd-*.foo.de)"
>> 
>> <Limit PROPFIND OPTIONS GET>
>> #Require ldap-group ou=Benutzer-Opst,ou=gruppen,ou=humans,ou=foo,c=de
>> #Require user k1-st-01
>> Require valid-user
>> </Limit>
>> ...
>> 
>> The "require valid-user" does not work for ldap users. I get the 
>> following message in error_log:
>> 
>> /var/log/apache2/error_log:[Thu Nov 21 09:40:48 2014] [error] [client 10.49.64.85] access to /documents/ failed, reason: user 'user@foo.de' does not meet 'require'ments for user/valid-user to be allowed access
>> 
>> Apache is version 2.2.10
>> 
>> If I set it to "require ldap-user user@foo.de" or "require 
>> ldap-group ..." it is all fine, so the ldap part does its 
>> thing.
>> 
>> 
>> Marc
>> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org