I have got authentication working on my Apache 2.4 webserver, if I require a 
specific user. However, I would like to require one or more specific groups. I 
have tried the example given in the documentation:
      Require ldap-group 
with no group name specified. 

I get this result in my log files:

[Wed Jan 12 13:13:52.676003 2022] [authnz_ldap:debug] [pid 23541] 
mod_authnz_ldap.c(899): [client 10.14.0.18:36914] AH01713: auth_ldap authorize: 
require group: testing for group membership in ""
[Wed Jan 12 13:13:52.841650 2022] [authnz_ldap:debug] [pid 23541] 
mod_authnz_ldap.c(926): [client 10.14.0.18:36914] AH01719: auth_ldap authorize: 
require group "": didn't match with attr Comparison complete [memberOf][53 - 
Server is unwilling to perform]
[Wed Jan 12 13:13:52.841690 2022] [authnz_ldap:debug] [pid 23541] 
mod_authnz_ldap.c(943): [client 10.14.0.18:36914] AH01716: auth_ldap authorise: 
require group "": failed [Comparison complete][53 - Server is unwilling to 
perform], checking sub-groups
[Wed Jan 12 13:13:52.842761 2022] [authnz_ldap:debug] [pid 23541] 
mod_authnz_ldap.c(966): [client 10.14.0.18:36914] AH01718: auth_ldap authorise: 
require group (sub-group) "": didn't match with attr DN failed group 
verification. [memberOf][53 - Server is unwilling to perform]
I have tried the following in the configuration:
        Require ldap-group cn=accounts
        Require ldap-group accounts
with AuthLDAPGroupAttributeIsDN set to both "on" and "off". Neither works:

[Wed Jan 12 14:02:47.588735 2022] [authnz_ldap:debug] [pid 7443] 
mod_authnz_ldap.c(907): [client 10.14.0.18:38342] AH01714: auth_ldap authorize: 
require group: testing for memberOf: 
uid=testuser,cn=users,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com 
(cn=accounts)
[Wed Jan 12 14:02:47.753521 2022] [authnz_ldap:debug] [pid 7443] 
mod_authnz_ldap.c(926): [client 10.14.0.18:38342] AH01719: auth_ldap authorize: 
require group "cn=accounts": didn't match with attr Comparison complete 
[memberOf][32 - No such object]
[Wed Jan 12 14:02:47.753562 2022] [authnz_ldap:debug] [pid 7443] 
mod_authnz_ldap.c(943): [client 10.14.0.18:38342] AH01716: auth_ldap authorise: 
require group "cn=accounts": failed [Comparison complete][32 - No such object], 
checking sub-groups
[Wed Jan 12 14:02:47.754391 2022] [authnz_ldap:debug] [pid 7443] 
mod_authnz_ldap.c(966): [client 10.14.0.18:38342] AH01718: auth_ldap authorise: 
require group (sub-group) "cn=accounts": didn't match with attr DN failed group 
verification. [memberOf][32 - No such object]
[Wed Jan 12 14:02:47.754422 2022] [authnz_ldap:debug] [pid 7443] 
mod_authnz_ldap.c(899): [client 10.14.0.18:38342] AH01713: auth_ldap authorize: 
require group: testing for group membership in "accounts"
[Wed Jan 12 14:02:47.754426 2022] [authnz_ldap:debug] [pid 7443] 
mod_authnz_ldap.c(907): [client 10.14.0.18:38342] AH01714: auth_ldap authorize: 
require group: testing for memberOf: 
uid=testuser,cn=users,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com (accounts)
[Wed Jan 12 14:02:47.764320 2022] [authnz_ldap:debug] [pid 7443] 
mod_authnz_ldap.c(926): [client 10.14.0.18:38342] AH01719: auth_ldap authorize: 
require group "accounts": didn't match with attr Comparison complete 
[memberOf][32 - No such object]
[Wed Jan 12 14:02:47.764358 2022] [authnz_ldap:debug] [pid 7443] 
mod_authnz_ldap.c(943): [client 10.14.0.18:38342] AH01716: auth_ldap authorise: 
require group "accounts": failed [Comparison complete][32 - No such object], 
checking sub-groups
[Wed Jan 12 14:02:47.765169 2022] [authnz_ldap:debug] [pid 7443] 
mod_authnz_ldap.c(966): [client 10.14.0.18:38342] AH01718: auth_ldap authorise: 
require group (sub-group) "accounts": didn't match with attr DN failed group 
verification. [memberOf][32 - No such object]

I would appreciate any help to get this working. I am running on a fully 
updated CentOS 7 VM.
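For reference, here is an added configuration example (not from the post above, and not FreeIPA's or Apache's own shipped config) showing the form of group authorisation the mod_authnz_ldap documentation describes: the full DN of the group, compared against the group entry's member attribute. The host name IPA_SERVER_FQDN and the group names "webadmins" and "auditors" are placeholders; the base DN is the one visible in the user DN in the debug log.

```apache
# Added example: authorising members of a FreeIPA group on Apache 2.4.
# IPA_SERVER_FQDN, "webadmins" and "auditors" are placeholders.
<Location "/secure">
    AuthType Basic
    AuthName "FreeIPA login"
    AuthBasicProvider ldap

    # Look the user up by uid under the FreeIPA users container.
    AuthLDAPURL "ldaps://IPA_SERVER_FQDN/cn=users,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com?uid?sub?(objectClass=person)"

    # The group check is an LDAP compare on the *group* entry: does its
    # membership attribute contain the authenticated user's DN? FreeIPA
    # groups list members in "member" (the module default), and the values
    # are DNs, so the module must be told to compare DNs rather than uids.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # Nested-group walks cost extra lookups per request; disable them
    # unless the deployment actually relies on group-in-group membership.
    AuthLDAPMaxSubGroupDepth 0

    # Require ldap-group takes the group's full DN. FreeIPA groups live
    # under cn=groups,cn=accounts,<base>; membership of any listed group
    # is sufficient here.
    <RequireAny>
        Require ldap-group cn=webadmins,cn=groups,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com
        Require ldap-group cn=auditors,cn=groups,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com
    </RequireAny>
</Location>
```

Before reloading Apache, confirm the group DN exists and lists the user, for example with `ldapsearch -x -H ldaps://IPA_SERVER_FQDN -b "cn=webadmins,cn=groups,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com" member`: an LDAP result of 32 (No such object) from that search means the DN itself is wrong, which is the same result code the debug log reports for the compare.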

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org