Mod_Authnz_Ldap 'light on' for debug...

2005-02-06 Thread NormW
Greetings All,
Trying to ('trouble')shoot an authorisation issue with Mod_Authnz_Ldap, 
and find builtin 'assistance' somewhat sparse.

I finally got the 4 needed modules loaded (bigger config samples would 
be _very_ useful), a network traffic sniffer says the LDAP server is 
giving back the right info, but all I get in the logs (debug mode) is:

[debug] mod_authnz_ldap.c(365): [client ip] [1002] auth_ldap 
authenticate: using URL ldap://10.202.65.190/o=nwinc?cn

[debug] mod_authnz_ldap.c(437): [client ip] [1002] auth_ldap 
authenticate: accepting admin

[debug] mod_authnz_ldap.c(793): [client ip] [1002] auth_ldap 
authorise: authorisation denied

Any chance of padding that sequence out please?
Regards,
Norm


Re: Mod_Authnz_Ldap 'light on' for debug...

2005-02-06 Thread Graham Leggett
NormW wrote:
Trying to ('trouble')shoot an authorisation issue with Mod_Authnz_Ldap, 
and find builtin 'assistance' somewhat sparse.

I finally got the 4 needed modules loaded (bigger config samples would 
be _very_ useful),

In theory only two modules are needed - mod_ldap and mod_authnz_ldap. 
What are the other two?

a network traffic sniffer says the LDAP server is 
giving back the right info, but all I get in the logs (debug mode) is:

[debug] mod_authnz_ldap.c(365): [client ip] [1002] auth_ldap 
authenticate: using URL ldap://10.202.65.190/o=nwinc?cn

[debug] mod_authnz_ldap.c(437): [client ip] [1002] auth_ldap 
authenticate: accepting admin

[debug] mod_authnz_ldap.c(793): [client ip] [1002] auth_ldap 
authorise: authorisation denied

Any chance of padding that sequence out please?

The sequence is already debug traced in detail at the debug level. It 
would help us more if you posted more detail on exactly what you're 
trying to do (authentication, authorisation, or both) and what config 
you have used so far.

This is an example of the trace generated by a successful authentication 
and authorisation:

[Sun Feb 06 15:41:02 2005] [debug] mod_authnz_ldap.c(364): [client 127.0.0.1] [26793] auth_ldap authenticate: using URL ldaps://gatekeeper.xxx.co.za/dc=xxx,dc=co,dc=za?uid?sub
[Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(436): [client 127.0.0.1] [26793] auth_ldap authenticate: accepting minfrin
[Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(673): [client 127.0.0.1] [26793] auth_ldap authorise: require group: testing for group membership in cn=xxx,ou=Groups,ou=xxx Randburg,dc=fma,dc=co,dc=za
[Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(678): [client 127.0.0.1] [26793] auth_ldap authorise: require group: testing for member: uid=minfrin,ou=People,ou=xxx Randburg,dc=xxx,dc=co,dc=za (cn=xxx,ou=Groups,ou=xxx Randburg,dc=xxx,dc=co,dc=za)
[Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(686): [client 127.0.0.1] [26793] auth_ldap authorise: require group: authorisation successful (attribute member) [Comparison true (adding to cache)][Compare True]
[Sun Feb 06 15:41:05 2005] [debug] mod_authnz_ldap.c(364): [client 127.0.0.1] [26793] auth_ldap authenticate: using URL ldaps://gatekeeper.xxx.co.za/dc=xxx,dc=co,dc=za?uid?sub
[Sun Feb 06 15:41:05 2005] [debug] mod_authnz_ldap.c(436): [client 127.0.0.1] [26793] auth_ldap authenticate: accepting minfrin
[Sun Feb 06 15:41:05 2005] [debug] mod_authnz_ldap.c(673): [client 127.0.0.1] [26793] auth_ldap authorise: require group: testing for group membership in cn=xxx,ou=Groups,ou=xxx Randburg,dc=fma,dc=co,dc=za
[Sun Feb 06 15:41:05 2005] [debug] mod_authnz_ldap.c(678): [client 127.0.0.1] [26793] auth_ldap authorise: require group: testing for member: uid=minfrin,ou=People,ou=xxx Randburg,dc=xxx,dc=co,dc=za (cn=xxx,ou=Groups,ou=xxx Randburg,dc=xxx,dc=co,dc=za)
[Sun Feb 06 15:41:05 2005] [debug] mod_authnz_ldap.c(686): [client 127.0.0.1] [26793] auth_ldap authorise: require group: authorisation successful (attribute member) [Comparison true (cached)][Compare True]
[Sun Feb 06 15:41:05 2005] [error] [client 127.0.0.1] File does not exist: /usr/local/apache2/htdocs/favicon.ico

Regards,
Graham
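
An added example, not part of either post or of httpd: a small Python parser that groups mod_authnz_ldap debug lines like those in the two traces above into requests and reports the accepted user, the `require` tests that were traced and the outcome. The field layout is inferred from the traces in this thread, the sample lines are unwrapped copies of them, and `summarise`, `diagnose` and the `plain_ldap` flag (set when the URL is `ldap://`, so the URL itself shows no transport encryption) are names made up for this example.

```python
import re

# Field layout follows the traces quoted in this thread; timestamp optional.
LINE = re.compile(r"mod_authnz_ldap\.c\(\d+\): \[client [^\]]+\] \[\d+\] "
                  r"auth_ldap (?:authenticate|authorise): (?P<msg>.*)")

def summarise(lines):
    """Group trace lines into requests; 'using URL' opens a new request."""
    requests, cur = [], None
    for line in lines:
        m = LINE.search(line)
        msg = m["msg"].strip() if m else ""
        if msg.startswith("using URL "):
            url = msg[len("using URL "):]
            cur = {"url": url, "plain_ldap": url.startswith("ldap://"),
                   "user": None, "requires": [], "result": "incomplete"}
            requests.append(cur)
        elif cur is None:
            continue                      # unrelated line or mid-request start
        elif msg.startswith("accepting "):
            cur["user"] = msg[len("accepting "):]
        elif msg.startswith("require "):
            kind = msg.split(":", 1)[0]   # e.g. "require group"
            if kind not in cur["requires"]:
                cur["requires"].append(kind)
            if "authorisation successful" in msg:
                cur["result"] = "allowed"
        elif msg == "authorisation denied":
            cur["result"] = "denied"
    return requests

def diagnose(req):
    if req["user"] is None:
        return "no 'accepting' line: authentication did not complete"
    if req["result"] == "denied" and not req["requires"]:
        return (f"{req['user']} authenticated, then denied with no 'require' "
                "test traced: check which module evaluates the Require lines")
    return f"{req['user']}: {req['result']} via {req['requires']}"

# Constructed sample: lines from the two traces above, unwrapped.
SAMPLE = [
    "[debug] mod_authnz_ldap.c(365): [client ip] [1002] auth_ldap authenticate: using URL ldap://10.202.65.190/o=nwinc?cn",
    "[debug] mod_authnz_ldap.c(437): [client ip] [1002] auth_ldap authenticate: accepting admin",
    "[debug] mod_authnz_ldap.c(793): [client ip] [1002] auth_ldap authorise: authorisation denied",
    "[Sun Feb 06 15:41:02 2005] [debug] mod_authnz_ldap.c(364): [client 127.0.0.1] [26793] auth_ldap authenticate: using URL ldaps://gatekeeper.xxx.co.za/dc=xxx,dc=co,dc=za?uid?sub",
    "[Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(436): [client 127.0.0.1] [26793] auth_ldap authenticate: accepting minfrin",
    "[Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(673): [client 127.0.0.1] [26793] auth_ldap authorise: require group: testing for group membership in cn=xxx,ou=Groups,ou=xxx Randburg,dc=fma,dc=co,dc=za",
    "[Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(686): [client 127.0.0.1] [26793] auth_ldap authorise: require group: authorisation successful (attribute member) [Comparison true (adding to cache)][Compare True]",
]
```

Calling `[diagnose(r) for r in summarise(SAMPLE)]` separates the first trace (user accepted, then denied without any `require` test logged) from the second (allowed by a `require group` test).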


[PATCH] Some steps towards an OOTB build on Cygwin.

2005-02-06 Thread Max Bowsher
This is an initial posting of a patch for comments.
I will Bugzilla it in a few days if no one has requested any changes.
This patch handles a few independently-reviewable changes that do not 
entirely fix the build on Cygwin, but do make important progress in that 
direction.

* build/install.sh: Automagically append .exe - this is needed because
   libtool will not pass unknown options to an install program, so we
   are unable to use -e .exe in this case.
* build/instdso.sh: On Cygwin we can't rename DLLs either, and we _need_
   the .la files installed to allow DSOs built by other software packages
   to link against installed DSOs - e.g. mod_dav_svn - mod_dav.
   So, disable the latter part of instdso.sh, just like on OS/2.
* modules/dav/fs/config6.m4: Cygwin is a DLL platform too. Add it to the
   list alongside OS/2.
Max.

--- ./build/install.sh.packet2 2005-02-04 20:21:18.0 +
+++ ./build/install.sh 2005-02-06 13:43:21.239926400 +
@@ -102,6 +102,14 @@
src=$src$ext
dst=$dst$ext
+# Automagically append .exe - this is needed because libtool will not pass
+# unknown options to an install program, so we are unable to use -e .exe
+# in this case.
+if [ -f $src.exe ]; then
+  src=$src.exe
+  dst=$dst.exe
+fi
+
#  Make a temp file name in the proper directory.
dstdir=`dirname $dst`
dsttmp=$dstdir/#inst.$$#
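
Review bot: the new `[ -f $src.exe ]` test in build/install.sh runs on every platform and never checks whether `$src` itself exists, so wherever a `foo` and a `foo.exe` sit side by side the script will now install the `.exe` instead of the file the caller named. Make the fallback conditional, for example `if [ ! -f "$src" ] && [ -f "$src.exe" ]; then`, and quote the expansions so that a path containing spaces does not split the arguments to `[`.
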
--- ./build/instdso.sh.packet2 2005-02-04 20:21:18.0 +
+++ ./build/instdso.sh 2005-02-06 13:47:07.294977600 +
@@ -61,6 +61,15 @@
exit 0
fi
+case $SYS in
+  CYGWIN*)
+  # On Cygwin we can't rename DLLs either, and we _need_ the .la files
+  # installed to allow DSOs built by other software packages to link 
against
+  # installed DSOs - e.g. mod_dav_svn - mod_dav.
+  exit 0
+  ;;
+esac
+
DLNAME=`grep ^dlname $TARGETDIR/$DSOARCHIVE_BASENAME | sed -e 
s/dlname='\([^']*\)'/\1/`
LIBRARY_NAMES=`grep library_names $TARGETDIR/$DSOARCHIVE_BASENAME | 
sed -e s/dlname='\([^']*\)'/\1/`
LIBRARY_NAMES=`echo $LIBRARY_NAMES | sed -e s/ *$DLNAME//g`
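
Review bot: the `CYGWIN*)` branch in build/instdso.sh exits with status 0 ahead of the `DLNAME`/`LIBRARY_NAMES` processing, so everything below it is skipped on Cygwin, yet the added comment says "either" without naming the platform it is comparing against (the commit message says OS/2). Name OS/2 in the comment and state which steps are being skipped, so the reasoning lives in the script rather than in the list archive. The comment line is also wrapped in this posting ("link" / "against"), which leaves a line without a `+` prefix inside the hunk; sending the patch as an attachment would avoid that.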

--- ./modules/dav/fs/config6.m4.packet2 2004-11-24 19:31:09.0 +
+++ ./modules/dav/fs/config6.m4 2005-02-06 13:47:25.611315200 +
@@ -11,8 +11,8 @@
fi
case $host in
-  *os2*)
-# OS/2 DLLs must resolve all symbols at build time
+  *os2*|*cygwin*)
+# DLLs must resolve all symbols at build time
# and we need some from main DAV module
dav_fs_objects=$dav_fs_objects ../main/mod_dav.la
;;
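
Review bot: the reworded comment under `*os2*|*cygwin*)` in modules/dav/fs/config6.m4 drops the platform name, leaving the case pattern as the only record of which hosts need `../main/mod_dav.la` linked in. Keep it explicit, for example `# OS/2 and Cygwin DLLs must resolve all symbols at build time`, so that a later change to the pattern prompts an update to the comment as well.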


Re: [VOTE] Release httpd-2.0.53

2005-02-06 Thread Paul Querna
Justin Erenkrantz wrote:
Tarballs for 2.0.53 are available and at:
http://www.apache.org/~jerenkrantz/httpd-2.0.53/
Once we receive 3 +1s (and no -1s, hopefully!), I'll move it over to the 
mirrors.  I then hope to be able to do the announcement and email some 
time on Monday.

With httpd-test on Darwin, I get:
t/modules/include.t   841   1.19%  51
(1 subtest UNEXPECTEDLY SUCCEEDED), 8 tests and 23 subtests skipped.
nd says this is to be expected.  =)
Thanks!  -- justin

+1, tested on FreeBSD 5.3-stable with worker and prefork mpms.
It properly picked up bdb 4.3 too.
-Paul


Re: [VOTE] Release httpd-2.0.53

2005-02-06 Thread André Malo
* Justin Erenkrantz wrote:

 Tarballs for 2.0.53 are available and at:

 http://www.apache.org/~jerenkrantz/httpd-2.0.53/

 Once we receive 3 +1s (and no -1s, hopefully!), I'll move it over to the
 mirrors.  I then hope to be able to do the announcement and email some
 time on Monday.

prefork/ssl/svn
tested and running in production mode on the gentoo boxes here.
+1.

nd
-- 
Winnetous Erbe: http://pub.perlig.de/books.html#apache2


Re: [VOTE] Release httpd-2.0.53

2005-02-06 Thread Graham Leggett
Justin Erenkrantz wrote:
Tarballs for 2.0.53 are available and at:
http://www.apache.org/~jerenkrantz/httpd-2.0.53/

+1 on RHEL3
Regards,
Graham


Re: Mod_Authnz_Ldap 'light on' for debug...

2005-02-06 Thread NormW
Good morning Graham,
...and thanks for the reply.
Kind of working from 2.0.x 'logic' but found I also needed:
Mod_Auth_Basic, and
Mod_Authz_User; this to use the 'normal' require valid-user.
I tend to 'maximum' .conf files so that all settings are visible, but a 
friend sent me a working one and that did the trick! All I eventually 
did was add a flag (an Authoritative one but not sure anymore which), put 
the module load order the same as the working one and got mine going 
also. Once the 'wasted time' drifts into mental oblivion (happens faster 
these days) will see if the load order had any effect, so for now forget 
I mentioned that bit. One of my next goals will be to try and work out 
the authentication/authorisation process in 2.1 and write a book about 
it as it seems complicated enough to warrant it. Perhaps some diagrams 
will help too.

Thanks also for the log sample below... so will go back and check why I 
didn't get all that. I think it might have been the hours spent and the 
boxes just bein' ornery.

If there be a useful followup, I'll be back
Regards,
Norm

Graham Leggett wrote:
NormW wrote:
Trying to ('trouble')shoot an authorisation issue with 
Mod_Authnz_Ldap, and find builtin 'assistance' somewhat sparse.

I finally got the 4 needed modules loaded (bigger config samples would 
be _very_ useful),

In theory only two modules are needed - mod_ldap and mod_authnz_ldap. 
What are the other two?

a network traffic sniffer says the LDAP server is giving back the 
right info, but all I get in the logs (debug mode) is:

[debug] mod_authnz_ldap.c(365): [client ip] [1002] auth_ldap 
authenticate: using URL ldap://10.202.65.190/o=nwinc?cn

[debug] mod_authnz_ldap.c(437): [client ip] [1002] auth_ldap 
authenticate: accepting admin

[debug] mod_authnz_ldap.c(793): [client ip] [1002] auth_ldap 
authorise: authorisation denied

Any chance of padding that sequence out please?

The sequence is already debug traced in detail at the debug level. It 
would help us more if you posted more detail on exactly what you're 
trying to do (authentication, authorisation, or both) and what config 
you have used so far.

This is an example of the trace generated by a successful authentication 
and authorisation:

[Sun Feb 06 15:41:02 2005] [debug] mod_authnz_ldap.c(364): [client 127.0.0.1] [26793] auth_ldap authenticate: using URL ldaps://gatekeeper.xxx.co.za/dc=xxx,dc=co,dc=za?uid?sub
[Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(436): [client 127.0.0.1] [26793] auth_ldap authenticate: accepting minfrin
[Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(673): [client 127.0.0.1] [26793] auth_ldap authorise: require group: testing for group membership in cn=xxx,ou=Groups,ou=xxx Randburg,dc=fma,dc=co,dc=za
[Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(678): [client 127.0.0.1] [26793] auth_ldap authorise: require group: testing for member: uid=minfrin,ou=People,ou=xxx Randburg,dc=xxx,dc=co,dc=za (cn=xxx,ou=Groups,ou=xxx Randburg,dc=xxx,dc=co,dc=za)
[Sun Feb 06 15:41:04 2005] [debug] mod_authnz_ldap.c(686): [client 127.0.0.1] [26793] auth_ldap authorise: require group: authorisation successful (attribute member) [Comparison true (adding to cache)][Compare True]
[Sun Feb 06 15:41:05 2005] [debug] mod_authnz_ldap.c(364): [client 127.0.0.1] [26793] auth_ldap authenticate: using URL ldaps://gatekeeper.xxx.co.za/dc=xxx,dc=co,dc=za?uid?sub
[Sun Feb 06 15:41:05 2005] [debug] mod_authnz_ldap.c(436): [client 127.0.0.1] [26793] auth_ldap authenticate: accepting minfrin
[Sun Feb 06 15:41:05 2005] [debug] mod_authnz_ldap.c(673): [client 127.0.0.1] [26793] auth_ldap authorise: require group: testing for group membership in cn=xxx,ou=Groups,ou=xxx Randburg,dc=fma,dc=co,dc=za
[Sun Feb 06 15:41:05 2005] [debug] mod_authnz_ldap.c(678): [client 127.0.0.1] [26793] auth_ldap authorise: require group: testing for member: uid=minfrin,ou=People,ou=xxx Randburg,dc=xxx,dc=co,dc=za (cn=xxx,ou=Groups,ou=xxx Randburg,dc=xxx,dc=co,dc=za)
[Sun Feb 06 15:41:05 2005] [debug] mod_authnz_ldap.c(686): [client 127.0.0.1] [26793] auth_ldap authorise: require group: authorisation successful (attribute member) [Comparison true (cached)][Compare True]
[Sun Feb 06 15:41:05 2005] [error] [client 127.0.0.1] File does not exist: /usr/local/apache2/htdocs/favicon.ico

Regards,
Graham
--



Re: [VOTE] Release httpd-2.0.53

2005-02-06 Thread Oden Eriksson
On Sunday 06 February 2005 21.23, Graham Leggett wrote:
 Justin Erenkrantz wrote:
  Tarballs for 2.0.53 are available and at:
 
  http://www.apache.org/~jerenkrantz/httpd-2.0.53/

Hi.

I'd say +1, but I think I have no rights to vote. It seems to work just fine 
on several Mandrakelinux 10.0 production boxes and also on Cooker.

Cheers.


-- 
Regards // Oden Eriksson


Re: [VOTE] Release httpd-2.0.53

2005-02-06 Thread Justin Erenkrantz
On Sun, Feb 06, 2005 at 09:39:47PM +0100, Oden Eriksson wrote:
 I'd say +1, but I think I have no rights to vote. It seems to work just fine 
 on several Mandrakelinux 10.0 production boxes and also on Cooker.

Even if you aren't a committer, you can always cast a vote.  Everyone's input
is valuable.  Yes, if you aren't a committer, your vote doesn't count towards
the 3 +1s required for a release, but that shouldn't stop you from voting.

It looks like we've received enough +1s that I'm going to move 2.0.53 into the
mirrors now.  Sometime tomorrow, I will update the website and send the
announcement.

Thanks!  -- justin