Good morning Graham,
...and thanks for the reply.
Kind of working from 2.0.x 'logic' but found I also needed:

Mod_Auth_Basic, and
Mod_Authz_User; this to use the 'normal' "require valid-user".

I tend to 'maximum' .conf files so that all settings are visible, but a friend sent me a working one and that did the trick! All I eventually did was add a flag (an Authoritative one but not sure anymore which), put the module load order the same as the working one and got mine going also. Once the 'wasted time' drifts into mental oblivion (happens faster these days) will see if the load order had any effect, so for now forget I mentioned that bit. One of my next goals will be to try and work out the authentication/authorisation process in 2.1 and write a book about it as it seems complicated enough to warrant it. Perhaps some diagrams will help too.

Thanks also for the log sample below... so will go back and check why I didn't get all that. I think it might have been the hours spent and the boxes just bein' ornery.

If there be a useful followup, "I'll be back...".
Regards,
Norm


Graham Leggett wrote:
NormW wrote:

Trying to ('trouble')shoot an authorisation issue with Mod_Authnz_Ldap, and find builtin 'assistance' somewhat sparse.

I finally got the 4 needed modules loaded (bigger config samples would be _very_ useful),


In theory only two modules are needed - mod_ldap and mod_authnz_ldap. What are the other two?

a network traffic sniffer says the LDAP server is giving back the right info, but all I get in the logs (debug mode) is:

[debug] mod_authnz_ldap.c(365): [client <ip>] [1002] auth_ldap authenticate: using URL ldap://10.202.65.190/o=nwinc?cn

[debug] mod_authnz_ldap.c(437): [client <ip>] [1002] auth_ldap authenticate: accepting admin

[debug] mod_authnz_ldap.c(793): [client <ip>] [1002] auth_ldap authorise: authorisation denied

Any chance of padding that sequence out please?


The sequence is already debug traced in detail at the debug level. It would help us more if you posted more detail on exactly what you're trying to do (authentication, authorisation, or both) and what config you have used so far.

This is an example of the trace generated by a successful authentication and authorisation:

[Sun Feb 06 15:41:02 2005] [debug] mod_authnz_ldap.c(364): [client 127.0.0.1] [26793] auth_ldap authenticate: using URL ldaps://gatekeeper.xxx.co.za/dc=xxx,dc=co,dc=za?uid?sub
[Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(436): [client 127.0.0.1] [26793] auth_ldap authenticate: accepting minfrin
[Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(673): [client 127.0.0.1] [26793] auth_ldap authorise: require group: testing for group membership in "cn=xxx,ou=Groups,ou=xxx Randburg,dc=fma,dc=co,dc=za"
[Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(678): [client 127.0.0.1] [26793] auth_ldap authorise: require group: testing for member: uid=minfrin,ou=People,ou=xxx Randburg,dc=xxx,dc=co,dc=za (cn=xxx,ou=Groups,ou=xxx Randburg,dc=xxx,dc=co,dc=za)
[Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(686): [client 127.0.0.1] [26793] auth_ldap authorise: require group: authorisation successful (attribute member) [Comparison true (adding to cache)][Compare True]
[Sun Feb 06 15:41:05 2005] [debug] mod_authnz_ldap.c(364): [client 127.0.0.1] [26793] auth_ldap authenticate: using URL ldaps://gatekeeper.xxx.co.za/dc=xxx,dc=co,dc=za?uid?sub
[Sun Feb 06 15:41:05 2005] [debug] mod_authnz_ldap.c(436): [client 127.0.0.1] [26793] auth_ldap authenticate: accepting minfrin
[Sun Feb 06 15:41:05 2005] [debug] mod_authnz_ldap.c(673): [client 127.0.0.1] [26793] auth_ldap authorise: require group: testing for group membership in "cn=xxx,ou=Groups,ou=xxx Randburg,dc=fma,dc=co,dc=za"
[Sun Feb 06 15:41:05 2005] [debug] mod_authnz_ldap.c(678): [client 127.0.0.1] [26793] auth_ldap authorise: require group: testing for member: uid=minfrin,ou=People,ou=xxx Randburg,dc=xxx,dc=co,dc=za (cn=xxx,ou=Groups,ou=xxx Randburg,dc=xxx,dc=co,dc=za)
[Sun Feb 06 15:41:05 2005] [debug] mod_authnz_ldap.c(686): [client 127.0.0.1] [26793] auth_ldap authorise: require group: authorisation successful (attribute member) [Comparison true (cached)][Compare True]
[Sun Feb 06 15:41:05 2005] [error] [client 127.0.0.1] File does not exist: /usr/local/apache2/htdocs/favicon.ico


Regards,
Graham
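An added example, not part of this thread: a small Python parser that groups mod_authnz_ldap debug lines by client and pid, records the authenticated user and which Require rule the module reports testing (if any), and lists requests that authenticated but were not authorised. The sample is constructed from the lines quoted above (Norm's denied trace and one of Graham's successful requests); the helper names are my own.

```python
import re
from collections import defaultdict

# Constructed sample built from the log lines quoted in the thread.
SAMPLE_LOG = """\
[debug] mod_authnz_ldap.c(365): [client <ip>] [1002] auth_ldap authenticate: using URL ldap://10.202.65.190/o=nwinc?cn
[debug] mod_authnz_ldap.c(437): [client <ip>] [1002] auth_ldap authenticate: accepting admin
[debug] mod_authnz_ldap.c(793): [client <ip>] [1002] auth_ldap authorise: authorisation denied
[Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(436): [client 127.0.0.1] [26793] auth_ldap authenticate: accepting minfrin
[Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(673): [client 127.0.0.1] [26793] auth_ldap authorise: require group: testing for group membership in "cn=xxx,ou=Groups,dc=xxx,dc=co,dc=za"
[Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(686): [client 127.0.0.1] [26793] auth_ldap authorise: require group: authorisation successful (attribute member) [Comparison true (adding to cache)][Compare True]
"""

LINE_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\] \[(?P<pid>\d+)\] auth_ldap "
    r"(?P<phase>authenticate|authorise): (?P<msg>.*)$")

def parse_trace(text):
    """Group auth_ldap debug lines by (client, pid); per request record the
    LDAP URL, the accepted user, the Require rule tested and the authz outcome."""
    reqs = defaultdict(lambda: {"url": None, "user": None,
                                "require": None, "authz": "no decision"})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # not an auth_ldap line
        r, msg = reqs[(m["client"], m["pid"])], m["msg"]
        if m["phase"] == "authenticate":
            if msg.startswith("using URL "):
                r["url"] = msg[len("using URL "):]
            elif msg.startswith("accepting "):
                r["user"] = msg[len("accepting "):]
        else:
            rule = re.match(r"require (\w+):", msg)
            if rule:                      # e.g. "require group:"
                r["require"] = rule.group(1)
            if "authorisation denied" in msg:
                r["authz"] = "denied"
            elif "authorisation successful" in msg:
                r["authz"] = "successful"
    return dict(reqs)

def denied_requests(text):
    """(client, pid, user, require) for requests that authenticated but
    did not reach a successful authorisation; require is None when the
    module logged no Require rule before deciding."""
    return [(c, p, r["user"], r["require"])
            for (c, p), r in parse_trace(text).items()
            if r["user"] and r["authz"] != "successful"]
```

In Norm's trace the denied request shows no "require ...:" line at all, which the parser reports as `require=None`; that is the detail to compare against the successful trace, where a "require group:" test precedes the decision.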