www-infrastructure-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alan Cabrera <...@toolazydogs.com>
Subject Re: Looking for an LDAP mod authz example
Date Mon, 30 Jun 2014 13:46:45 GMT

> On Jun 30, 2014, at 12:20 AM, Tony Stevenson <tony@pc-tony.com> wrote:
>> On 30 Jun 2014, at 01:30, Alan D. Cabrera <adc@toolazydogs.com> wrote:
>>> On Jun 29, 2014, at 1:25 PM, Sam Ruby <rubys@intertwingly.net> wrote:
>>>> On Sun, Jun 29, 2014 at 3:03 PM, Alan D. Cabrera <adc@toolazydogs.com>
>>>> Can someone provide an example conf file for an httpd server to restrict
access to directories to only ASF committers and ASF members via LDAP?  Thanks!
>>> https://svn.apache.org/repos/infra/infrastructure/trunk/machines/vms/whimsy-vm.apache.org/etc/apache2/sites-available/whimsy.apache.org
>>> Search for "AuthName"
>> Perfect, thanks!
>> I tried to get my setup running on my laptop by replacing 
>> ldaps://minotaur.apache.org:636
>> with my tunnel:
>> ldaps://ldap-tunnel.apache.org:6636
> I presume you have this in the local hosts file, and is in fact an SSH forwarded port?

Yes, and I know that it works because my python unit tests which exercise the port by using
ldap calls to collect information work perfectly fine.

>> and 
>> LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/asf-ldap-client.pem
>> <LocationMatch ^/ezmlm/v1/asf>
>>       Order allow,deny
>>       Allow from all 
>>       AuthType Basic
>>       AuthBasicProvider ldap
>>       AuthName "ASF Members"
>>       AuthLDAPurl "ldaps://ldap-tunnel.apache.org:6636/ou=people,dc=apache,dc=org?uid"
>>       AuthLDAPGroupAttribute memberUid
>>       AuthLDAPGroupAttributeIsDN off
>>    AuthLDAPBindAuthoritative off
>>    LDAPReferrals Off
>>       Require ldap-group cn=member,ou=groups,dc=apache,dc=org
>> </LocationMatch>
>> and I can't seem to log in:
>> [Sun Jun 29 16:43:29.512348 2014] [auth_basic:error] [pid 23730:tid 4396036096] [client
::1:50036] AH01618: user adc not found: /ezmlm/v1/asf/lists/dev@mrql.apache.org/moderators
>> Has anyone else been able to get "local" setups to work?
> Yes, I use it every day for modifying LDAP. 
> First of all, can you use the simple ldap command line tools, such as ldapsearch?  Have
you got the correct perms on the LDAP Cert?  If you get the command line stuff sorted httpd
should just fall into place. 
> Though, if you have never setup LDAP connections before, while it is not terribly difficult,
perhaps you should test your configs on your ASF VM first, then once you have a known working
setup there you can transfer it to your local setup to prove you can get local access working.

I also have no problem with my port; unit tests and command line queries work perfectly fine.
 The problem is getting my httpd auth configurations to work.

Finally, let us no longer talk about my VM, panopticon-vm.apache.org.  That's a separate issue
and not to be confused with getting httpd to authenticate from my laptop.

Thanks!  :)


  • Unnamed multipart/alternative (inline, 7-Bit, 0 bytes)
View raw message